From a79017e662273c519a2c50d10ef12c11885d2d87 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 7 Aug 2013 14:24:00 +0200
Subject: Fix base URL resolving on attribute values with no quotes (#1489275)
---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_base_replacer.php | 4 ++--
 tests/Framework/BaseReplacer.php | 14 ++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index f50c0a3f8..702fa4942 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
+- Fix base URL resolving on attribute values with no quotes (#1489275)
 - Fix wrong handling of links with '|' character (#1489276)
 - Fix XSS vulnerability when saving HTML signatures (#1489251)
 - Move identity selection based on non-standard headers into (new) identity_select plugin (#1488553)
diff --git a/program/lib/Roundcube/rcube_base_replacer.php b/program/lib/Roundcube/rcube_base_replacer.php
index e41ccb1d9..a59bba926 100644
--- a/program/lib/Roundcube/rcube_base_replacer.php
+++ b/program/lib/Roundcube/rcube_base_replacer.php
@@ -44,8 +44,8 @@ class rcube_base_replacer
 public function replace($body)
 {
 return preg_replace_callback(array(
- '/(src|background|href)=(["\']?)([^"\'\s]+)(\2|\s|>)/Ui',
- '/(url\s*\()(["\']?)([^"\'\)\s]+)(\2)\)/Ui',
+ '/(src|background|href)=(["\']?)([^"\'\s>]+)(\2|\s|>)/i',
+ '/(url\s*\()(["\']?)([^"\'\)\s]+)(\2)\)/i',
 ), array($this, 'callback'), $body);
 }
diff --git a/tests/Framework/BaseReplacer.php b/tests/Framework/BaseReplacer.php
index e00b9e5eb..44a9604ac 100644
--- a/tests/Framework/BaseReplacer.php
+++ b/tests/Framework/BaseReplacer.php
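Review bot: `replace()` hands back the result of `preg_replace_callback()` unchecked, and that function returns null when PCRE fails (for example on reaching `pcre.backtrack_limit`), so the caller would receive null instead of the body. `$body` is presumably HTML supplied by a message sender, so its size and shape are not under the application's control; I would capture the result and fall back to the input, e.g. `$out = preg_replace_callback(...); return $out === null ? $body : $out;`, and log `preg_last_error()`. A one-line comment above the first pattern would also help the next reader: for an unquoted value `\2` is empty and matches immediately, so the greedy class excluding `>` is what bounds the value. The `callback` method the patterns dispatch to is outside the hunk, so its handling of group 4 is not reviewed here.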
@@ -17,4 +17,18 @@ class Framework_BaseReplacer extends PHPUnit_Framework_TestCase
 $this->assertInstanceOf('rcube_base_replacer', $object, "Class constructor");
 }
+
+ /**
+ * Test replace()
+ */
+ function test_replace()
+ {
+ $base = 'http://thisshouldntbetheurl.bob.com/';
+ $html = 'Test URL';
+
+ $replacer = new rcube_base_replacer($base);
+ $response = $replacer->replace($html);
+
+ $this->assertSame('Test URL', $response);
+ }
 }
-- cgit v1.2.3
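Review bot: `test_replace()` makes a single assertion, while the same commit drops the `U` modifier from both patterns in `rcube_base_replacer::replace()`, so the `url(...)` pattern and the quoted-attribute paths are changed without a regression test. I would add cases for double-quoted, single-quoted and unquoted values followed by whitespace and by `>`, plus `url()` with and without quotes, and one input whose URL is already absolute to confirm it is left alone (assuming the callback skips absolute URLs; it is not visible here). The method is also declared without visibility; `public function test_replace()` would match the `public function replace($body)` style in the class under test.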