diff options
| author | thomascube <thomas@roundcube.net> | 2011-11-29 10:16:42 +0000 |
|---|---|---|
| committer | thomascube <thomas@roundcube.net> | 2011-11-29 10:16:42 +0000 |
| commit | 57486f6e58d602413b58f780bf3a94ad6d2af8ce (patch) | |
| tree | 9f538706c8b5e86cce4f00e9d3b25c343210760c /program/steps/mail/get.inc | |
| parent | 6bddd9ba44e4dcb69e8d22fcaf21ec017d78e0fc (diff) | |
Content filter for embedded attachments to protect from XSS on IE<=8 (#1487895)
Diffstat (limited to 'program/steps/mail/get.inc')
| -rw-r--r-- | program/steps/mail/get.inc | 59 |
1 files changed, 54 insertions, 5 deletions
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index a0ea3e163..721c66196 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -146,11 +146,24 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) { header("Content-Disposition: $disposition; filename=\"$filename\""); - // turn off output buffering and print part content - if ($part->body) - echo $part->body; - else if ($part->size) - $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true); + // do content filtering to avoid XSS through fake images + if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) { + if ($part->body) + echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body; + else if ($part->size) { + $stdout = fopen('php://output', 'w'); + stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter'); + stream_filter_append($stdout, 'rcube_content'); + $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout); + } + } + else { + // turn off output buffering and print part content + if ($part->body) + echo $part->body; + else if ($part->size) + $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true); + } } exit; @@ -178,3 +191,39 @@ header('HTTP/1.1 404 Not Found'); exit; + +/** + * PHP stream filter to detect html/javascript code in attachments + */ +class rcube_content_filter extends php_user_filter +{ + private $buffer = ''; + private $cutoff = 2048; + + function onCreate() + { + $this->cutoff = rand(2048, 3027); + return true; + } + + function filter($in, $out, &$consumed, $closing) + { + while ($bucket = stream_bucket_make_writeable($in)) { + $this->buffer .= $bucket->data; + + // check for evil content and abort + if (preg_match('/<(script|iframe|object)/i', $this->buffer)) + return PSFS_ERR_FATAL; + + // keep buffer small enough + if (strlen($this->buffer) > 4096) + $this->buffer = substr($this->buffer, $this->cutoff); + + $consumed += $bucket->datalen; + stream_bucket_append($out, $bucket); + } + + return PSFS_PASS_ON; + } +} + |