diff options
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | tests/mailfunc.php | 5 |
2 files changed, 3 insertions, 3 deletions
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Security: prevent from relaying malicious requests through modcss.inc - Fix handling of non-image attachments in multipart/related messages (#1487750) - Fix IDNA support when IDN/INTL modules are in use (#1487742) - Fix handling of invalid HTML comments in messages (#1487759) diff --git a/tests/mailfunc.php b/tests/mailfunc.php index cc26f7743..dc25f0ce4 100644 --- a/tests/mailfunc.php +++ b/tests/mailfunc.php @@ -66,9 +66,8 @@ class rcube_test_mailfunc extends UnitTestCase $this->assertPattern('/<style [^>]+>/', $html2, "Allow styles in safe mode"); $this->assertPattern('#src="http://evilsite.net/mailings/ex3.jpg"#', $html2, "Allow external images in HTML (safe mode)"); $this->assertPattern("#url\('?http://evilsite.net/newsletter/image/bg/bg-64.jpg'?\)#", $html2, "Allow external images in CSS (safe mode)"); - - $css = '<link rel="stylesheet" type="text/css" href="?_task=utils&_action=modcss&u='.urlencode('http://anysite.net/styles/mail.css').'&c=foo"'; - $this->assertPattern('#'.preg_quote($css).'#', $html2, "Filter external styleseehts with bin/modcss.php"); + $css = '<link rel="stylesheet" .+_u=tmp-[a-z0-9]+\.css.+_action=modcss'; + $this->assertPattern('#'.$css.'#Ui', $html2, "Filter (anonymized) external styleseehts with utils/modcss.inc"); } /** |