Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)

9 years ago · f90f22ffb8
parent 58e63a6e70
commit f90f22ffb8
4 changed files with 7 additions and 2 deletions
--- a/1
+++ b/1
@ -8,6 +8,7 @@ CHANGELOG Roundcube Webmail
 - Fix rsync error handling in installto.sh script (#5562)
 - Fix some advanced search issues with multiple addressbooks (#5572)
 - Fix so group/addressbook selection is retained on page refresh
+- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)

 RELEASE 1.2.3
 -------------
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@ -396,7 +396,7 @@ class rcube_utils
        // ignore the whole block if evil styles are detected
        $source   = self::xss_entity_decode($source);
        $stripped = preg_replace('/[^a-z\(:;]/i', '', $source);
-        $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\(' : '');
+        $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\((?!data:image)' : '');

        if (preg_match("/$evilexpr/i", $stripped)) {
            return '/* evil! */';
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@ -969,7 +969,7 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)

        // now check for evil strings like expression, behavior or url()
        if (!preg_match('/expression|behavior|javascript:|import[^a]/i', $stripped)) {
-            if (!$washtml->get_config('allow_remote') && stripos($stripped, 'url(')) {
+            if (!$washtml->get_config('allow_remote') && preg_match('/url\((?!data:image)/', $stripped)) {
                $washtml->extlinks = true;
            }
            else {
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@ -214,6 +214,10 @@ class Framework_Utils extends PHPUnit_Framework_TestCase

        $mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
        $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");
+
+        // allow data URIs with images (#5580)
+        $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
+        $this->assertEquals("#rcmbody { background-image: url(data:image/png;base64,123); }", $mod, "Data URIs in url() allowed");
    }

    /**