diff options
| author | Thomas Bruederli <thomas@roundcube.net> | 2012-11-27 18:12:31 +0100 |
|---|---|---|
| committer | Thomas Bruederli <thomas@roundcube.net> | 2012-11-27 18:12:31 +0100 |
| commit | ac88dc8d0918ac5ea6004b9ca05158b00d4bd4ed (patch) | |
| tree | cbbb71cd2e5fa154f3fef0678babdb12b4c8c3dc | |
| parent | c516e3a701b73c67501d94902ecff40970a008db (diff) | |
Don't open application/x-shockwave-flash files in browser (quick fix for XSS reported in #148882)
| -rw-r--r-- | program/steps/mail/show.inc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index c6c6d9636..20e76a64b 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc @@ -54,7 +54,7 @@ if ($uid = get_input_value('_uid', RCUBE_INPUT_GET)) { $OUTPUT->set_env('mailbox', $mbox_name); // mimetypes supported by the browser (default settings) - $mimetypes = $RCMAIL->config->get('client_mimetypes', 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/x-javascript,application/pdf,application/x-shockwave-flash'); + $mimetypes = $RCMAIL->config->get('client_mimetypes', 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/x-javascript,application/pdf'); $OUTPUT->set_env('mimetypes', is_string($mimetypes) ? explode(',', $mimetypes) : (array)$mimetypes); if ($CONFIG['drafts_mbox']) |