diff options
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | program/include/rcube_message.php | 6 | ||||
-rw-r--r-- | program/steps/mail/func.inc | 4 | ||||
-rw-r--r-- | program/steps/mail/get.inc | 59 | ||||
-rw-r--r-- | program/steps/mail/show.inc | 2 |
5 files changed, 61 insertions, 11 deletions
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Add content filter for embedded attachments to protect from XSS on IE (#1487895) - Use strpos() instead of strstr() when possible (#1488211) - Fix handling HTML entities when converting HTML to text (#1488212) - Fix fit_string_to_size() renders browser and ui unresponsive (#1488207) diff --git a/program/include/rcube_message.php b/program/include/rcube_message.php index 0ecd86c4c..633f59be2 100644 --- a/program/include/rcube_message.php +++ b/program/include/rcube_message.php @@ -142,10 +142,10 @@ class rcube_message * @param string $mime_id Part MIME-ID * @return string URL or false if part does not exist */ - public function get_part_url($mime_id) + public function get_part_url($mime_id, $embed = false) { if ($this->mime_parts[$mime_id]) - return $this->opt['get_url'] . '&_part=' . $mime_id; + return $this->opt['get_url'] . '&_part=' . $mime_id . ($embed ? '&_embed=1' : ''); else return false; } @@ -511,7 +511,7 @@ class rcube_message $img_regexp = '/^image\/(gif|jpe?g|png|tiff|bmp|svg)/'; foreach ($this->inline_parts as $inline_object) { - $part_url = $this->get_part_url($inline_object->mime_id); + $part_url = $this->get_part_url($inline_object->mime_id, true); if ($inline_object->content_id) $a_replaces['cid:'.$inline_object->content_id] = $part_url; if ($inline_object->content_location) { diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index b06feda7e..07a3f071d 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -551,7 +551,7 @@ function rcmail_check_safe(&$message) * @param array CID map replaces (inline images) * @return string Clean HTML */ -function rcmail_wash_html($html, $p = array(), $cid_replaces) +function rcmail_wash_html($html, $p, $cid_replaces) { global $REMOTE_OBJECTS; @@ -1068,7 +1068,7 @@ function rcmail_message_body($attrib) ) { $out .= html::tag('hr') . html::p(array('align' => "center"), html::img(array( - 'src' => $MESSAGE->get_part_url($attach_prop->mime_id), + 'src' => $MESSAGE->get_part_url($attach_prop->mime_id, true), 'title' => $attach_prop->filename, 'alt' => $attach_prop->filename, ))); diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index a0ea3e163..721c66196 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -146,11 +146,24 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) { header("Content-Disposition: $disposition; filename=\"$filename\""); - // turn off output buffering and print part content - if ($part->body) - echo $part->body; - else if ($part->size) - $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true); + // do content filtering to avoid XSS through fake images + if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) { + if ($part->body) + echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body; + else if ($part->size) { + $stdout = fopen('php://output', 'w'); + stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter'); + stream_filter_append($stdout, 'rcube_content'); + $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout); + } + } + else { + // turn off output buffering and print part content + if ($part->body) + echo $part->body; + else if ($part->size) + $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true); + } } exit; @@ -178,3 +191,39 @@ header('HTTP/1.1 404 Not Found'); exit; + +/** + * PHP stream filter to detect html/javascript code in attachments + */ +class rcube_content_filter extends php_user_filter +{ + private $buffer = ''; + private $cutoff = 2048; + + function onCreate() + { + $this->cutoff = rand(2048, 3027); + return true; + } + + function filter($in, $out, &$consumed, $closing) + { + while ($bucket = stream_bucket_make_writeable($in)) { + $this->buffer .= $bucket->data; + + // check for evil content and abort + if (preg_match('/<(script|iframe|object)/i', $this->buffer)) + return PSFS_ERR_FATAL; + + // keep buffer small enough + if (strlen($this->buffer) > 4096) + $this->buffer = substr($this->buffer, $this->cutoff); + + $consumed += $bucket->datalen; + stream_bucket_append($out, $bucket); + } + + return PSFS_PASS_ON; + } +} + diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index 8976e863a..d928cfd68 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc @@ -132,7 +132,7 @@ function rcmail_message_attachments($attrib) $ol .= html::tag('li', null, html::a(array( - 'href' => $MESSAGE->get_part_url($attach_prop->mime_id), + 'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false), 'onclick' => sprintf( 'return %s.command(\'load-attachment\',{part:\'%s\', mimetype:\'%s\'},this)', JS_OBJECT_NAME, |