Applied security patches by Kees Cook (Ubuntu) + little visual enhancements

18 years ago · ee883ad73d
parent 8af7757525
commit ee883ad73d
8 changed files with 47 additions and 8 deletions
--- a/9
+++ b/9
@ -1,6 +1,15 @@
 CHANGELOG RoundCube Webmail
 ---------------------------

+2006/12/22 (thomasb)
+----------
+- Applied security patch to validate the submitted host value (by Kees Cook)
+- Applied security patch to validate input values when deleting contacts (by Kees Cook)
+- Applied security patch that sanitizes emoticon paths when attaching them (by Kees Cook)
+- Applied a patch to more aggressively sanitize a HTML message
+- Visualize blocked images in HTML messages
+
+
 2006/12/20 (thomasb)
 ----------
 - Fixed wrong message listing when showing search results (closes #1484131)
--- a/program/blocked.gif
+++ b/program/blocked.gif
--- a/program/include/main.inc
+++ b/program/include/main.inc
@ -450,6 +450,26 @@ function rcmail_login($user, $pass, $host=NULL)
  if (!$host)
    $host = $CONFIG['default_host'];

+  // Validate that selected host is in the list of configured hosts
+  if (is_array($CONFIG['default_host']))
+    {
+    $allowed = FALSE;
+    foreach ($CONFIG['default_host'] as $key => $host_allowed)
+      {
+      if (!is_numeric($key))
+        $host_allowed = $key;
+      if ($host == $host_allowed)
+        {
+        $allowed = TRUE;
+        break;
+        }
+      }
+    if (!$allowed)
+      return FALSE;
+    }
+  else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host'])
+    return FALSE;
+
  // parse $host URL
  $a_host = parse_url($host);
  if ($a_host['host'])
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@ -21,7 +21,7 @@

 $REMOTE_REQUEST = TRUE;

-if ($_GET['_cid'])
+if ($_GET['_cid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_cid']))
  {
  $DB->query("UPDATE ".get_table_name('contacts')."
              SET    del=1
@ -96,4 +96,4 @@ if ($_GET['_cid'])
  }

 exit;
-?>
+?>
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@ -739,7 +739,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE)
                               '/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i',
                               '/<script.+<\/script>/Umis');

-      $remote_replaces = array('<img \\1src=\\2./program/blank.gif\\4',
+      $remote_replaces = array('<img \\1src=\\2./program/blocked.gif\\4',
                               '',
                               '',
                               '',
@ -1210,7 +1210,8 @@ function rcmail_mod_html_body($body, $container_id)
    }

  // replace event handlers on any object
-  $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body);  
+  $body = preg_replace('/\s(on[^=]+)=/im', ' __removed=', $body);  
+  $body = preg_replace('/\shref=["\']?(javascript:)/im', 'null:', $body);

  // resolve <base href>
  $base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i';
@ -1251,7 +1252,7 @@ function rcmail_alter_html_link($in)
  if (stristr((string)$attrib['href'], 'mailto:'))
    $attrib['onclick'] = sprintf("return %s.command('compose','%s',this)",
                                 $GLOBALS['JS_OBJECT_NAME'],
-                                 substr($attrib['href'], 7));
+                                 JQ(substr($attrib['href'], 7)));
  else if (!empty($attrib['href']) && $attrib['href']{0}!='#')
    $attrib['target'] = '_blank';
  
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@ -100,6 +100,8 @@ function rcmail_attach_emoticons(&$mime_message)
    $image_name = substr($body,
                         $pos + strlen($searchstr),
                         $pos2 - ($pos + strlen($searchstr)));
+    // sanitize image name so resulting attachment doesn't leave images dir
+    $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name);

    $body_post = substr($body, $pos2);

--- a/program/steps/settings/delete_identity.inc
+++ b/program/steps/settings/delete_identity.inc
@ -21,7 +21,7 @@

 $REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE;

-if ($_GET['_iid'])
+if ($_GET['_iid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_iid']))
  {
  $DB->query("UPDATE ".get_table_name('identities')."
              SET    del=1
@ -50,4 +50,4 @@ $_action = 'identities';

 // overwrite action variable  
 $OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action));
-?>
+?>
--- a/skins/default/mail.css
+++ b/skins/default/mail.css
@ -152,8 +152,15 @@ html>body*#messagecontframe

 #messagepartframe
 {
+  position: absolute;
+  top: 0px;
+  left: 0px;
+  right: 0px;
+  bottom: 0px;
+  width: auto;
+  height: auto;
  border: 1px solid #999999;
-  background-color: #F9F9F9;  
+  background-color: #F9F9F9;
 }