diff --git a/CHANGELOG b/CHANGELOG
index 6778dd307..3e33f756b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,7 @@ RELEASE 1.3.10
 - Fix bug in converting multi-page Tiff images to Jpeg (#6824)
 - Fix wrong messages order after returning to a multi-folder search result (#6836)
 - Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
+- Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)
 
 RELEASE 1.3.9
 -------------
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 5c972e6f2..1c0dec8ac 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -399,7 +399,7 @@ class rcube_utils
 $styles = substr($source, $pos+1, $length);
 
 // Convert position:fixed to position:absolute (#5264)
- $styles = preg_replace('/position:[\s\r\n]*fixed/i', 'position: absolute', $styles);
+ $styles = preg_replace('/position[^a-z]*:[\s\r\n]*fixed/i', 'position: absolute', $styles);
 
 // check every line of a style block...
 if ($allow_remote) {
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 34f4e14ed..32c6b8f58 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
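Review bot: The widened `position[^a-z]*:` prefix on the preg_replace line is still a single-token deny-list match, and nothing in the hunk records why `[^a-z]*` was chosen over `\s*`, so a later cleanup is likely to narrow it back; a comment beside the existing #5264 note, `// [^a-z]* tolerates whitespace or comment residue between the property name and the colon (#6898)`, would pin the intent. Test case (2) in the tests hunk (`position:/**/fixed`) already passed with only `[\s\r\n]*` after the colon, which suggests comments are stripped from $source earlier in the method; if so, the soundness of this check depends on that ordering and the comment should say so. The class `[^a-z]` under the `i` modifier also excludes uppercase letters, which is presumably intended but worth a word. The enclosing method body starts and ends outside the hunk.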
@@ -215,13 +215,19 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
 // position: fixed (#5264)
 $mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
 $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
-
 $mod = rcube_utils::mod_css_styles(".test { position:\nfixed; }", 'rcmbody');
 $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (1)");
-
 $mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
 $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");
+ // position: fixed (#6898)
+ $mod = rcube_utils::mod_css_styles(".test { position : fixed; top: 0; }", 'rcmbody');
+ $this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (3)");
+ $mod = rcube_utils::mod_css_styles(".test { position/**/: fixed; top: 0; }", 'rcmbody');
+ $this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (4)");
+ $mod = rcube_utils::mod_css_styles(".test { position\n: fixed; top: 0; }", 'rcmbody');
+ $this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (5)");
+
 
 // allow data URIs with images (#5580)
 $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
 $this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]");
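Review bot: The three added cases (3)–(5) repeat the same expected string and the same assertion message with only the index changed, so each new bypass variant costs two near-identical lines and the expected output has to be kept in sync by hand. Iterating an array of the input stylesheets and deriving the index from the loop key keeps the assertions identical while making the next variant a one-line addition; the rewritten block below replaces the six added `$mod`/`assertEquals` lines under the `// position: fixed (#6898)` comment. The enclosing test method starts and ends outside the hunk.
```php
        // position: fixed (#6898)
        $cases = [
            ".test { position : fixed; top: 0; }",
            ".test { position/**/: fixed; top: 0; }",
            ".test { position\n: fixed; top: 0; }",
        ];
        foreach ($cases as $idx => $css) {
            $mod = rcube_utils::mod_css_styles($css, 'rcmbody');
            $this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod,
                "Replace position:fixed with position:absolute (" . ($idx + 3) . ")");
        }
        // … unchanged: data URI assertions (#5580) …
```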