diff options
| author | thomascube <thomas@roundcube.net> | 2011-02-03 21:12:35 +0000 |
|---|---|---|
| committer | thomascube <thomas@roundcube.net> | 2011-02-03 21:12:35 +0000 |
| commit | 3e0e9148efdcee5ab39d9712169f4c01cfb4f48f (patch) | |
| tree | 6bd959608165c0bfde802bb848d538579e58e772 /program/steps/mail | |
| parent | 02b6e614ca7fc60dfd5e13669a1c941c0f4190e6 (diff) | |
Prevent from relaying arbitrary requests through modcss.inc (security issue)
Diffstat (limited to 'program/steps/mail')
| -rw-r--r-- | program/steps/mail/func.inc | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index b1b5d916a..fd00142d1 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -1194,15 +1194,16 @@ function rcmail_html4inline($body, $container_id, $body_id='', &$attributes=null */ function rcmail_alter_html_link($matches) { - global $EMAIL_ADDRESS_PATTERN; + global $RCMAIL, $EMAIL_ADDRESS_PATTERN; $tag = $matches[1]; $attrib = parse_attrib_string($matches[2]); $end = '>'; if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) { - $attrib['href'] = "?_task=utils&_action=modcss&u=" . urlencode($attrib['href']) - . "&c=" . urlencode($GLOBALS['rcmail_html_container_id']); + $tempurl = 'tmp-' . md5($attrib['href']) . '.css'; + $_SESSION['modcssurls'][$tempurl] = $attrib['href']; + $attrib['href'] = $RCMAIL->url(array('task' => 'utils', 'action' => 'modcss', 'u' => $tempurl, 'c' => $GLOBALS['rcmail_html_container_id'])); $end = ' />'; } else if (preg_match('/^mailto:'.$EMAIL_ADDRESS_PATTERN.'(\?[^"\'>]+)?/i', $attrib['href'], $mailto)) { |