summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGELOG9
-rw-r--r--program/blocked.gifbin0 -> 118 bytes
-rw-r--r--program/include/main.inc20
-rw-r--r--program/steps/addressbook/delete.inc4
-rw-r--r--program/steps/mail/func.inc7
-rw-r--r--program/steps/mail/sendmail.inc2
-rw-r--r--program/steps/settings/delete_identity.inc4
-rw-r--r--skins/default/mail.css9
8 files changed, 47 insertions, 8 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 8566f01a0..80afee48a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,15 @@
CHANGELOG RoundCube Webmail
---------------------------
+2006/12/22 (thomasb)
+----------
+- Applied security patch to validate the submitted host value (by Kees Cook)
+- Applied security patch to validate input values when deleting contacts (by Kees Cook)
+- Applied security patch that sanitizes emoticon paths when attaching them (by Kees Cook)
+- Applied a patch to more aggressively sanitize a HTML message
+- Visualize blocked images in HTML messages
+
+
2006/12/20 (thomasb)
----------
- Fixed wrong message listing when showing search results (closes #1484131)
diff --git a/program/blocked.gif b/program/blocked.gif
new file mode 100644
index 000000000..7a4aa9f34
--- /dev/null
+++ b/program/blocked.gif
Binary files differ
diff --git a/program/include/main.inc b/program/include/main.inc
index c57aa8a9f..a1c00d340 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -450,6 +450,26 @@ function rcmail_login($user, $pass, $host=NULL)
if (!$host)
$host = $CONFIG['default_host'];
+ // Validate that selected host is in the list of configured hosts
+ if (is_array($CONFIG['default_host']))
+ {
+ $allowed = FALSE;
+ foreach ($CONFIG['default_host'] as $key => $host_allowed)
+ {
+ if (!is_numeric($key))
+ $host_allowed = $key;
+ if ($host == $host_allowed)
+ {
+ $allowed = TRUE;
+ break;
+ }
+ }
+ if (!$allowed)
+ return FALSE;
+ }
+ else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host'])
+ return FALSE;
+
// parse $host URL
$a_host = parse_url($host);
if ($a_host['host'])
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc
index b95988d12..3e33cd864 100644
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@@ -21,7 +21,7 @@
$REMOTE_REQUEST = TRUE;
-if ($_GET['_cid'])
+if ($_GET['_cid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_cid']))
{
$DB->query("UPDATE ".get_table_name('contacts')."
SET del=1
@@ -96,4 +96,4 @@ if ($_GET['_cid'])
}
exit;
-?> \ No newline at end of file
+?>
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index f01e95bb9..57f20e57a 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -739,7 +739,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE)
'/url\s*\(["\']?([\.\/]+[^"\'\s]+)["\']?\)/i',
'/<script.+<\/script>/Umis');
- $remote_replaces = array('<img \\1src=\\2./program/blank.gif\\4',
+ $remote_replaces = array('<img \\1src=\\2./program/blocked.gif\\4',
'',
'',
'',
@@ -1210,7 +1210,8 @@ function rcmail_mod_html_body($body, $container_id)
}
// replace event handlers on any object
- $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body);
+ $body = preg_replace('/\s(on[^=]+)=/im', ' __removed=', $body);
+ $body = preg_replace('/\shref=["\']?(javascript:)/im', 'null:', $body);
// resolve <base href>
$base_reg = '/(<base.*href=["\']?)([hftps]{3,5}:\/{2}[^"\'\s]+)([^<]*>)/i';
@@ -1251,7 +1252,7 @@ function rcmail_alter_html_link($in)
if (stristr((string)$attrib['href'], 'mailto:'))
$attrib['onclick'] = sprintf("return %s.command('compose','%s',this)",
$GLOBALS['JS_OBJECT_NAME'],
- substr($attrib['href'], 7));
+ JQ(substr($attrib['href'], 7)));
else if (!empty($attrib['href']) && $attrib['href']{0}!='#')
$attrib['target'] = '_blank';
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index 716072a48..2d2cb33db 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -100,6 +100,8 @@ function rcmail_attach_emoticons(&$mime_message)
$image_name = substr($body,
$pos + strlen($searchstr),
$pos2 - ($pos + strlen($searchstr)));
+ // sanitize image name so resulting attachment doesn't leave images dir
+ $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name);
$body_post = substr($body, $pos2);
diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc
index b8f9f526c..24bf99c43 100644
--- a/program/steps/settings/delete_identity.inc
+++ b/program/steps/settings/delete_identity.inc
@@ -21,7 +21,7 @@
$REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE;
-if ($_GET['_iid'])
+if ($_GET['_iid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_iid']))
{
$DB->query("UPDATE ".get_table_name('identities')."
SET del=1
@@ -50,4 +50,4 @@ $_action = 'identities';
// overwrite action variable
$OUTPUT->add_script(sprintf("\n%s.set_env('action', '%s');", $JS_OBJECT_NAME, $_action));
-?> \ No newline at end of file
+?>
diff --git a/skins/default/mail.css b/skins/default/mail.css
index eb0b5250a..479fb6138 100644
--- a/skins/default/mail.css
+++ b/skins/default/mail.css
@@ -152,8 +152,15 @@ html>body*#messagecontframe
#messagepartframe
{
+ position: absolute;
+ top: 0px;
+ left: 0px;
+ right: 0px;
+ bottom: 0px;
+ width: auto;
+ height: auto;
border: 1px solid #999999;
- background-color: #F9F9F9;
+ background-color: #F9F9F9;
}