Merge branch 'release-1.0' of github.com:roundcube/roundcubemail into release-1.0

6 years ago · e252736ef1
parent b0f57a7edc 0b42424e41
commit e252736ef1
12 changed files with 82 additions and 20 deletions
--- a/13
+++ b/13
@ -1,7 +1,18 @@
 CHANGELOG Roundcube Webmail
 ===========================

- Fix XSS issue in handling of a style tag inside of an svg element
+RELEASE 1.0.12
+--------------
+- Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)
+
+RELEASE 1.0.11
+--------------
+- Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]
+
+RELEASE 1.0.10
+--------------
+- Strip HTML tags inside CSS style definitions
+- Fix vulnerability in handling of mail()'s 5th argument
 - Don't create multipart/alternative messages with empty text/plain part (#5283)
 - Fix XSS issue in href attribute on area tag (#5240)
 - Wash position:fixed style in HTML mail for better security (#5264)
--- a/index.php
+++ b/index.php
@ -2,7 +2,7 @@
 /*
 +-------------------------------------------------------------------------+
 | Roundcube Webmail IMAP Client                                           |
- | Version 1.0.9                                                           |
+ | Version 1.0.12                                                          |
 |                                                                         |
 | Copyright (C) 2005-2014, The Roundcube Dev Team                         |
 |                                                                         |
--- a/plugins/database_attachments/database_attachments.php
+++ b/plugins/database_attachments/database_attachments.php
@ -67,6 +67,8 @@ class database_attachments extends filesystem_attachments
            if ($args['data'] === false) {
                return $args;
            }
+
+            $args['path'] = null;
        }

        $data   = base64_encode($args['data']);
@ -113,10 +115,13 @@ class database_attachments extends filesystem_attachments
        $cache = $this->get_cache();
        $data  = $cache->read($args['id']);

-        if ($data) {
+        if ($data !== null && $data !== false) {
            $args['data'] = base64_decode($data);
            $args['status'] = true;
        }
+        else {
+            $args['status'] = false;
+        }

        return $args;
    }
--- a/plugins/filesystem_attachments/filesystem_attachments.php
+++ b/plugins/filesystem_attachments/filesystem_attachments.php
@ -7,12 +7,19 @@
 * attachments of messages currently being composed, writing attachments
 * to disk when drafts with attachments are re-opened and writing
 * attachments to disk for inline display in current html compositions.
+ * It also handles uploaded files for other uses, so not only attachments.
 *
 * Developers may wish to extend this class when creating attachment
 * handler plugins:
 *   require_once('plugins/filesystem_attachments/filesystem_attachments.php');
 *   class myCustom_attachments extends filesystem_attachments
 *
+ * Note for developers: It is plugin's responsibility to care about security.
+ * So, e.g. if the plugin is asked about some file path it should check
+ * if it's really the storage path of the plugin and not e.g. /etc/passwd.
+ * It is done by setting 'status' flag on every plugin hook it uses.
+ * Roundcube core will trust the returned path if status=true.
+ *
 * @license GNU GPLv3+
 * @author Ziba Scott <ziba@umich.edu>
 * @author Thomas Bruederli <roundcube@gmail.com>
@ -107,7 +114,7 @@ class filesystem_attachments extends rcube_plugin
     */
    function remove($args)
    {
-        $args['status'] = @unlink($args['path']);
+        $args['status'] = $this->verify_path($args['path']) && @unlink($args['path']);
        return $args;
    }

@ -118,7 +125,7 @@ class filesystem_attachments extends rcube_plugin
     */
    function display($args)
    {
-        $args['status'] = file_exists($args['path']);
+        $args['status'] = $this->verify_path($args['path']) && file_exists($args['path']);
        return $args;
    }

@ -129,6 +136,10 @@ class filesystem_attachments extends rcube_plugin
     */
    function get($args)
    {
+        if (!$this->verify_path($args['path'])) {
+            $args['path'] = null;
+        }
+
        return $args;
    }

@ -147,7 +158,7 @@ class filesystem_attachments extends rcube_plugin
                }

                foreach ((array)$files as $filename) {
-                    if(file_exists($filename)) {
+                    if (file_exists($filename)) {
                        unlink($filename);
                    }
                }
@ -182,4 +193,34 @@ class filesystem_attachments extends rcube_plugin
            }
        }
    }
+
+    /**
+     * For security we'll always verify the file path stored in session,
+     * as session entries can be faked in various ways e.g. #6026.
+     * We allow only files in Roundcube temp dir
+     */
+    protected function verify_path($path)
+    {
+        if (empty($path)) {
+            return false;
+        }
+
+        $rcmail    = rcube::get_instance();
+        $temp_dir  = $rcmail->config->get('temp_dir');
+        $file_path = pathinfo($path, PATHINFO_DIRNAME);
+
+        if ($temp_dir !== $file_path) {
+            rcube::raise_error(array(
+                    'code'    => 403,
+                    'file'    => __FILE__,
+                    'line'    => __LINE__,
+                    'message' => sprintf("%s can't read %s (not in temp_dir)",
+                        $rcmail->get_user_name(), substr($path, 0, 512))
+                ), true, false);
+
+            return false;
+        }
+
+        return true;
+    }
 }
--- a/plugins/password/drivers/sasl.php
+++ b/plugins/password/drivers/sasl.php
@ -21,7 +21,7 @@ class rcube_sasl_password
    function save($currpass, $newpass)
    {
        $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';
-        $username = escapeshellcmd($_SESSION['username']);
+        $username = escapeshellarg($_SESSION['username']);
        $args     = rcmail::get_instance()->config->get('password_saslpasswd_args', '');

        if ($fh = popen("$curdir/chgsaslpasswd -p $args $username", 'w')) {
--- a/plugins/password/drivers/virtualmin.php
+++ b/plugins/password/drivers/virtualmin.php
@ -55,9 +55,9 @@ class rcube_virtualmin_password
            $domain = $rcmail->user->get_username('domain');
        }

-        $username = escapeshellcmd($username);
-        $domain   = escapeshellcmd($domain);
-        $newpass  = escapeshellcmd($newpass);
+        $username = escapeshellarg($username);
+        $domain   = escapeshellarg($domain);
+        $newpass  = escapeshellarg($newpass);
        $curdir   = RCUBE_PLUGINS_DIR . 'password/helpers';

        exec("$curdir/chgvirtualminpasswd modify-user --domain $domain --user $username --pass $newpass", $output, $returnvalue);
--- a/program/include/iniset.php
+++ b/program/include/iniset.php
@ -21,7 +21,7 @@
 */

 // application constants
-define('RCMAIL_VERSION', '1.0.9');
+define('RCMAIL_VERSION', '1.0.12');
 define('RCMAIL_START', microtime(true));

 if (!defined('INSTALL_PATH')) {
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@ -640,8 +640,9 @@ class rcmail extends rcube
            $_SESSION['password']     = $this->encrypt($pass);
            $_SESSION['login_time']   = time();

-            if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
-                $_SESSION['timezone'] = rcube_utils::get_input_value('_timezone', rcube_utils::INPUT_GPC);
+            $timezone = rcube_utils::get_input_value('_timezone', rcube_utils::INPUT_GPC);
+            if ($timezone && is_string($timezone) && $timezone != '_default_') {
+                $_SESSION['timezone'] = $timezone;
            }

            // fix some old settings according to namespace prefix
--- a/program/lib/Roundcube/bootstrap.php
+++ b/program/lib/Roundcube/bootstrap.php
@ -54,7 +54,7 @@ foreach ($config as $optname => $optval) {
 }

 // framework constants
-define('RCUBE_VERSION', '1.0.9');
+define('RCUBE_VERSION', '1.0.12');
 define('RCUBE_CHARSET', 'UTF-8');

 if (!defined('RCUBE_LIB_DIR')) {
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@ -1542,7 +1542,7 @@ class rcube
                if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
                    $sent = mail($to, $subject, $msg_body, $header_str);
                else
-                    $sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
+                    $sent = mail($to, $subject, $msg_body, $header_str, '-f ' . escapeshellarg($from));
            }
        }

--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@ -555,6 +555,7 @@ class rcube_utils
        $out = preg_replace_callback('/\\\([0-9a-f]{4})/i',
            array(self, 'xss_entity_decode_callback'), $out);
        $out = preg_replace('#/\*.*\*/#Ums', '', $out);
+        $out = strip_tags($out);

        return $out;
    }
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@ -105,11 +105,14 @@ if (is_numeric($from)) {
    }
 }
 // ... if there is no identity record, this might be a custom from
-else if ($from_string = rcmail_email_input_format($from)) {
-    if (preg_match('/(\S+@\S+)/', $from_string, $m))
-        $from = trim($m[1], '<>');
-    else
-        $from = null;
+else if (($from_string = rcmail_email_input_format($from))
+    && preg_match('/(\S+@\S+)/', $from_string, $m)
+) {
+    $from = trim($m[1], '<>');
+}
+// ... otherwise it's empty or invalid
+else {
+    $from = null;
 }

 if (!$from_string && $from) {