Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)

pull/7075/head
Aleksander Machniak 5 years ago
parent f2e610dbe5
commit d0d8c1ace5

@ -17,6 +17,7 @@ RELEASE 1.3.10
- Fix bug in converting multi-page Tiff images to Jpeg (#6824)
- Fix wrong messages order after returning to a multi-folder search result (#6836)
- Fix PHP 7.4 deprecation: implode() wrong parameter order (#6866)
- Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)
RELEASE 1.3.9
-------------

@ -399,7 +399,7 @@ class rcube_utils
$styles = substr($source, $pos+1, $length);
// Convert position:fixed to position:absolute (#5264)
$styles = preg_replace('/position:[\s\r\n]*fixed/i', 'position: absolute', $styles);
$styles = preg_replace('/position[^a-z]*:[\s\r\n]*fixed/i', 'position: absolute', $styles);
// check every line of a style block...
if ($allow_remote) {

@ -215,13 +215,19 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
// position: fixed (#5264)
$mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
$mod = rcube_utils::mod_css_styles(".test { position:\nfixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (1)");
$mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");
// position: fixed (#6898)
$mod = rcube_utils::mod_css_styles(".test { position : fixed; top: 0; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (3)");
$mod = rcube_utils::mod_css_styles(".test { position/**/: fixed; top: 0; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (4)");
$mod = rcube_utils::mod_css_styles(".test { position\n: fixed; top: 0; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (5)");
// allow data URIs with images (#5580)
$mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
$this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]");

Loading…
Cancel
Save