summaryrefslogtreecommitdiff
path: root/program/steps
diff options
context:
space:
mode:
Diffstat (limited to 'program/steps')
-rw-r--r--program/steps/mail/func.inc4
-rw-r--r--program/steps/mail/get.inc59
-rw-r--r--program/steps/mail/show.inc2
3 files changed, 57 insertions, 8 deletions
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 8407b06cd..c070dad3a 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -550,7 +550,7 @@ function rcmail_check_safe(&$message)
* @param array CID map replaces (inline images)
* @return string Clean HTML
*/
-function rcmail_wash_html($html, $p = array(), $cid_replaces)
+function rcmail_wash_html($html, $p, $cid_replaces)
{
global $REMOTE_OBJECTS;
@@ -1052,7 +1052,7 @@ function rcmail_message_body($attrib)
) {
$out .= html::tag('hr') . html::p(array('align' => "center"),
html::img(array(
- 'src' => $MESSAGE->get_part_url($attach_prop->mime_id),
+ 'src' => $MESSAGE->get_part_url($attach_prop->mime_id, true),
'title' => $attach_prop->filename,
'alt' => $attach_prop->filename,
)));
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 828f8debc..aee2c4d1a 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -134,11 +134,24 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
header("Content-Disposition: $disposition; filename=\"$filename\"");
- // turn off output buffering and print part content
- if ($part->body)
- echo $part->body;
- else if ($part->size)
- $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
+ // do content filtering to avoid XSS through fake images
+ if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
+ if ($part->body)
+ echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body;
+ else if ($part->size) {
+ $stdout = fopen('php://output', 'w');
+ stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');
+ stream_filter_append($stdout, 'rcube_content');
+ $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);
+ }
+ }
+ else {
+ // turn off output buffering and print part content
+ if ($part->body)
+ echo $part->body;
+ else if ($part->size)
+ $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
+ }
}
exit;
@@ -166,3 +179,39 @@ header('HTTP/1.1 404 Not Found');
exit;
+
+/**
+ * PHP stream filter to detect html/javascript code in attachments
+ */
+class rcube_content_filter extends php_user_filter
+{
+ private $buffer = '';
+ private $cutoff = 2048;
+
+ function onCreate()
+ {
+ $this->cutoff = rand(2048, 3027);
+ return true;
+ }
+
+ function filter($in, $out, &$consumed, $closing)
+ {
+ while ($bucket = stream_bucket_make_writeable($in)) {
+ $this->buffer .= $bucket->data;
+
+ // check for evil content and abort
+ if (preg_match('/<(script|iframe|object)/i', $this->buffer))
+ return PSFS_ERR_FATAL;
+
+ // keep buffer small enough
+ if (strlen($this->buffer) > 4096)
+ $this->buffer = substr($this->buffer, $this->cutoff);
+
+ $consumed += $bucket->datalen;
+ stream_bucket_append($out, $bucket);
+ }
+
+ return PSFS_PASS_ON;
+ }
+}
+
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index 8976e863a..d928cfd68 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -132,7 +132,7 @@ function rcmail_message_attachments($attrib)
$ol .= html::tag('li', null,
html::a(array(
- 'href' => $MESSAGE->get_part_url($attach_prop->mime_id),
+ 'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false),
'onclick' => sprintf(
'return %s.command(\'load-attachment\',{part:\'%s\', mimetype:\'%s\'},this)',
JS_OBJECT_NAME,