From 356f7499520dfc927435a40f06541b9fccaea4f1 Mon Sep 17 00:00:00 2001 From: svncommit Date: Thu, 14 Feb 2008 08:28:41 +0000 Subject: Fix for XSS vulnerability (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=455840), thanks to Vincent Bernat. --- program/steps/mail/func.inc | 123 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 122 insertions(+), 1 deletion(-) diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 6bee8147c..5156e0232 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -482,6 +482,127 @@ function rcmail_get_messagecount_text($count=NULL, $page=NULL) } +/* Stolen from Squirrelmail */ +function sq_deent(&$attvalue, $regex, $hex=false) + { + $ret_match = false; + preg_match_all($regex, $attvalue, $matches); + if (is_array($matches) && sizeof($matches[0]) > 0) + { + $repl = Array(); + for ($i = 0; $i < sizeof($matches[0]); $i++) + { + $numval = $matches[1][$i]; + if ($hex) + $numval = hexdec($numval); + $repl{$matches[0][$i]} = chr($numval); + } + $attvalue = strtr($attvalue, $repl); + return true; + } + else + return false; + } + + +/* Stolen verbatim from Squirrelmail */ +function sq_defang(&$attvalue) + { + /* Skip this if there aren't ampersands or backslashes. */ + if ((strpos($attvalue, '&') === false) && + (strpos($attvalue, '\\') === false)) + return; + $m = false; + do + { + $m = false; + $m = $m || sq_deent($attvalue, '/\�*(\d+);*/s'); + $m = $m || sq_deent($attvalue, '/\�*((\d|[a-f])+);*/si', true); + $m = $m || sq_deent($attvalue, '/\\\\(\d+)/s', true); + } while ($m == true); + $attvalue = stripslashes($attvalue); + } + + +function rcmail_html_filter($html) + { + preg_match_all('/<\/?\w+((\s+\w+(\s*=\s*(?:".*?"|\'.*?\'|[^\'">\s]+))?)+\s*|\s*)\/?>/', $html, $tags); + + /* From Squirrelmail: Translate all dangerous Unicode or Shift_JIS characters which are accepted by + * IE as regular characters. */ + $replace = array(array('ʟ', 'ʟ', /* L UNICODE IPA Extension */ + 'ʀ', 'ʀ', /* R UNICODE IPA Extension */ + 'ɴ', 'ɴ', /* N UNICODE IPA Extension */ + 'E', 'E', /* Unicode FULLWIDTH LATIN CAPITAL LETTER E */ + 'e', 'e', /* Unicode FULLWIDTH LATIN SMALL LETTER E */ + 'X', 'X', /* Unicode FULLWIDTH LATIN CAPITAL LETTER X */ + 'x', 'x', /* Unicode FULLWIDTH LATIN SMALL LETTER X */ + 'P', 'P', /* Unicode FULLWIDTH LATIN CAPITAL LETTER P */ + 'p', 'p', /* Unicode FULLWIDTH LATIN SMALL LETTER P */ + 'R', 'R', /* Unicode FULLWIDTH LATIN CAPITAL LETTER R */ + 'r', 'r', /* Unicode FULLWIDTH LATIN SMALL LETTER R */ + 'S', 'S', /* Unicode FULLWIDTH LATIN CAPITAL LETTER S */ + 's', 's', /* Unicode FULLWIDTH LATIN SMALL LETTER S */ + 'I', 'I', /* Unicode FULLWIDTH LATIN CAPITAL LETTER I */ + 'i', 'i', /* Unicode FULLWIDTH LATIN SMALL LETTER I */ + 'O', 'O', /* Unicode FULLWIDTH LATIN CAPITAL LETTER O */ + 'o', 'o', /* Unicode FULLWIDTH LATIN SMALL LETTER O */ + 'N', 'N', /* Unicode FULLWIDTH LATIN CAPITAL LETTER N */ + 'n', 'n', /* Unicode FULLWIDTH LATIN SMALL LETTER N */ + 'L', 'L', /* Unicode FULLWIDTH LATIN CAPITAL LETTER L */ + 'l', 'l', /* Unicode FULLWIDTH LATIN SMALL LETTER L */ + 'U', 'U', /* Unicode FULLWIDTH LATIN CAPITAL LETTER U */ + 'u', 'u', /* Unicode FULLWIDTH LATIN SMALL LETTER U */ + 'ⁿ', 'ⁿ' , /* Unicode SUPERSCRIPT LATIN SMALL LETTER N */ + "\xEF\xBC\xA5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ + /* in unicode this is some Chinese char range */ + "\xEF\xBD\x85", /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */ + "\xEF\xBC\xB8", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */ + "\xEF\xBD\x98", /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */ + "\xEF\xBC\xB0", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */ + "\xEF\xBD\x90", /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */ + "\xEF\xBC\xB2", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */ + "\xEF\xBD\x92", /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */ + "\xEF\xBC\xB3", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */ + "\xEF\xBD\x93", /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */ + "\xEF\xBC\xA9", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */ + "\xEF\xBD\x89", /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */ + "\xEF\xBC\xAF", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */ + "\xEF\xBD\x8F", /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */ + "\xEF\xBC\xAE", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */ + "\xEF\xBD\x8E", /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */ + "\xEF\xBC\xAC", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER L */ + "\xEF\xBD\x8C", /* Shift JIS FULLWIDTH LATIN SMALL LETTER L */ + "\xEF\xBC\xB5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER U */ + "\xEF\xBD\x95", /* Shift JIS FULLWIDTH LATIN SMALL LETTER U */ + "\xE2\x81\xBF", /* Shift JIS FULLWIDTH SUPERSCRIPT N */ + "\xCA\x9F", /* L UNICODE IPA Extension */ + "\xCA\x80", /* R UNICODE IPA Extension */ + "\xC9\xB4"), /* N UNICODE IPA Extension */ + array('l', 'l', 'r', 'r', 'n', 'n', 'E', 'E', 'e', 'e', 'X', 'X', 'x', 'x', + 'P', 'P', 'p', 'p', 'R', 'R', 'r', 'r', 'S', 'S', 's', 's', 'I', 'I', + 'i', 'i', 'O', 'O', 'o', 'o', 'N', 'N', 'n', 'n', 'L', 'L', 'l', 'l', + 'U', 'U', 'u', 'u', 'n', 'n', 'E', 'e', 'X', 'x', 'P', 'p', 'R', 'r', + 'S', 's', 'I', 'i', 'O', 'o', 'N', 'n', 'L', 'l', 'U', 'u', 'n', 'l', 'r', 'n')); + if ((count($tags)>3) && (count($tags[3])>0)) + foreach ($tags[3] as $nr=>$value) + { + /* Remove comments */ + $newvalue = preg_replace('/(\/\*.*\*\/)/','$2',$value); + /* Translate dangerous characters */ + $newvalue = str_replace($replace[0], $replace[1], $newvalue); + sq_defang($newvalue); + /* Rename dangerous CSS */ + $newvalue = preg_replace('/expression/i', 'idiocy', $newvalue); + $newvalue = preg_replace('/url/i', 'idiocy', $newvalue); + $newattrs = preg_replace('/'.preg_quote($value, '/').'$/', $newvalue, $tags[1][$nr]); + $newtag = preg_replace('/'.preg_quote($tags[1][$nr], '/').'/', $newattrs, $tags[0][$nr]); + $html = preg_replace('/'.preg_quote($tags[0][$nr], '/').'/', $newtag, $html); + } + return $html; + } + + function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) { global $IMAP, $REMOTE_OBJECTS; @@ -533,7 +654,7 @@ function rcmail_print_body($part, $safe=FALSE, $plain=FALSE) $body = preg_replace($remote_patterns, $remote_replaces, $body); } - return Q($body, 'show', FALSE); + return Q(rcmail_html_filter($body), 'show', FALSE); } // text/enriched -- cgit v1.2.3