diff options
| author | Aleksander Machniak <alec@alec.pl> | 2013-08-07 13:48:07 +0200 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2013-08-07 13:48:07 +0200 |
| commit | 0bac7b32de62006e925fb0b788c757b6c23b8a5e (patch) | |
| tree | fa0eace623943da7a6e9be9dc5096aa305940fb2 | |
| parent | c9f779d036c34c9f6c1152249d1501fe49d69254 (diff) | |
Fix wrong handling of links with '|' character (#1489276)
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube_string_replacer.php | 2 | ||||
| -rw-r--r-- | tests/Framework/StringReplacer.php | 1 |
3 files changed, 3 insertions, 1 deletions
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix wrong handling of links with '|' character (#1489276) - Fix XSS vulnerability when saving HTML signatures (#1489251) - Move identity selection based on non-standard headers into (new) identity_select plugin (#1488553) - Fix colorspace issue on image conversion using ImageMagick (#1489270) diff --git a/program/lib/Roundcube/rcube_string_replacer.php b/program/lib/Roundcube/rcube_string_replacer.php index d1f1f4dbc..354b4596d 100644 --- a/program/lib/Roundcube/rcube_string_replacer.php +++ b/program/lib/Roundcube/rcube_string_replacer.php @@ -37,7 +37,7 @@ class rcube_string_replacer // Support unicode/punycode in top-level domain part $utf_domain = '[^?&@"\'\\/()<>\s\r\t\n]+\\.?([^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f]{2,}|xn--[a-zA-Z0-9]{2,})'; $url1 = '.:;,'; - $url2 = 'a-zA-Z0-9%=#$@+?!&\\/_~\\[\\]\\(\\){}\*-'; + $url2 = 'a-zA-Z0-9%=#$@+?|!&\\/_~\\[\\]\\(\\){}\*-'; $this->link_pattern = "/([\w]+:\/\/|\W[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)($utf_domain([$url1]*[$url2]+)*)/"; $this->mailto_pattern = "/(" diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php index 8f6eaf4b9..e23fb9b17 100644 --- a/tests/Framework/StringReplacer.php +++ b/tests/Framework/StringReplacer.php @@ -41,6 +41,7 @@ class Framework_StringReplacer extends PHPUnit_Framework_TestCase array('http://', 'http://'), array('1@1.com www.domain.tld', '<a href="mailto:1@1.com">1@1.com</a> <a href="http://www.domain.tld">www.domain.tld</a>'), array(' www.domain.tld ', ' <a href="http://www.domain.tld">www.domain.tld</a> '), + array(' www.domain.tld/#!download|856p1|2 ', ' <a href="http://www.domain.tld/#!download|856p1|2">www.domain.tld/#!download|856p1|2</a> '), ); } |