diff options
-rw-r--r-- | CHANGELOG | 9 | ||||
-rw-r--r-- | program/blocked.gif | bin | 0 -> 118 bytes | |||
-rw-r--r-- | program/include/main.inc | 20 | ||||
-rw-r--r-- | program/steps/addressbook/delete.inc | 4 | ||||
-rw-r--r-- | program/steps/mail/func.inc | 7 | ||||
-rw-r--r-- | program/steps/mail/sendmail.inc | 2 | ||||
-rw-r--r-- | program/steps/settings/delete_identity.inc | 4 | ||||
-rw-r--r-- | skins/default/mail.css | 9 |
8 files changed, 47 insertions, 8 deletions
@@ -1,6 +1,15 @@ CHANGELOG RoundCube Webmail --------------------------- +2006/12/22 (thomasb) +---------- +- Applied security patch to validate the submitted host value (by Kees Cook) +- Applied security patch to validate input values when deleting contacts (by Kees Cook) +- Applied security patch that sanitizes emoticon paths when attaching them (by Kees Cook) +- Applied a patch to more aggressively sanitize a HTML message +- Visualize blocked images in HTML messages + + 2006/12/20 (thomasb) ---------- - Fixed wrong message listing when showing search results (closes #1484131) diff --git a/program/blocked.gif b/program/blocked.gif Binary files differnew file mode 100644 index 000000000..7a4aa9f34 --- /dev/null +++ b/program/blocked.gif diff --git a/program/include/main.inc b/program/include/main.inc index c57aa8a9f..a1c00d340 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -450,6 +450,26 @@ function rcmail_login($user, $pass, $host=NULL) if (!$host) $host = $CONFIG['default_host']; + // Validate that selected host is in the list of configured hosts + if (is_array($CONFIG['default_host'])) + { + $allowed = FALSE; + foreach ($CONFIG['default_host'] as $key => $host_allowed) + { + if (!is_numeric($key)) + $host_allowed = $key; + if ($host == $host_allowed) + { + $allowed = TRUE; + break; + } + } + if (!$allowed) + return FALSE; + } + else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host']) + return FALSE; + // parse $host URL $a_host = parse_url($host); if ($a_host['host']) diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index b95988d12..3e33cd864 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -21,7 +21,7 @@ $REMOTE_REQUEST = TRUE; -if ($_GET['_cid']) +if ($_GET['_cid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_cid'])) { $DB->query("UPDATE ".get_table_name('contacts')." SET del=1 @@ -96,4 +96,4 @@ if ($_GET['_cid']) } exit; -?>
\ No newline at end of file +?> diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index f01e95bb9..57f20e57a 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -739,7 +739,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) '/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i', '/<script.+<\/script>/Umis'); - $remote_replaces = array('<img \\1src=\\2./program/blank.gif\\4', + $remote_replaces = array('<img \\1src=\\2./program/blocked.gif\\4', '', '', '', @@ -1210,7 +1210,8 @@ function rcmail_mod_html_body($body, $container_id) } // replace event handlers on any object - $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body); + $body = preg_replace('/\s(on[^=]+)=/im', ' __removed=', $body); + $body = preg_replace('/\shref=["\']?(javascript:)/im', 'null:', $body); // resolve <base href> $base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i'; @@ -1251,7 +1252,7 @@ function rcmail_alter_html_link($in) if (stristr((string)$attrib['href'], 'mailto:')) $attrib['onclick'] = sprintf("return %s.command('compose','%s',this)", $GLOBALS['JS_OBJECT_NAME'], - substr($attrib['href'], 7)); + JQ(substr($attrib['href'], 7))); else if (!empty($attrib['href']) && $attrib['href']{0}!='#') $attrib['target'] = '_blank'; diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 716072a48..2d2cb33db 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -100,6 +100,8 @@ function rcmail_attach_emoticons(&$mime_message) $image_name = substr($body, $pos + strlen($searchstr), $pos2 - ($pos + strlen($searchstr))); + // sanitize image name so resulting attachment doesn't leave images dir + $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name); $body_post = substr($body, $pos2); diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc index b8f9f526c..24bf99c43 100644 --- a/program/steps/settings/delete_identity.inc +++ b/program/steps/settings/delete_identity.inc @@ -21,7 +21,7 @@ $REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE; -if ($_GET['_iid']) +if ($_GET['_iid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_iid'])) { $DB->query("UPDATE ".get_table_name('identities')." SET del=1 @@ -50,4 +50,4 @@ $_action = 'identities'; // overwrite action variable $OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action)); -?>
\ No newline at end of file +?> diff --git a/skins/default/mail.css b/skins/default/mail.css index eb0b5250a..479fb6138 100644 --- a/skins/default/mail.css +++ b/skins/default/mail.css @@ -152,8 +152,15 @@ html>body*#messagecontframe #messagepartframe { + position: absolute; + top: 0px; + left: 0px; + right: 0px; + bottom: 0px; + width: auto; + height: auto; border: 1px solid #999999; - background-color: #F9F9F9; + background-color: #F9F9F9; } |