From db522183372aebf81c0dd958a351f108a76efeae Mon Sep 17 00:00:00 2001 From: thomascube Date: Wed, 12 Aug 2009 10:44:46 +0000 Subject: Improve security of modcss.php by setting timeouts and more sanity checks --- bin/modcss.php | 51 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 15 deletions(-) diff --git a/bin/modcss.php b/bin/modcss.php index a4bd0846f..7e02e4651 100644 --- a/bin/modcss.php +++ b/bin/modcss.php @@ -33,7 +33,7 @@ if (empty($RCMAIL->user->ID)) { exit; } -$url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u']); +$url = preg_replace('![^a-z0-9:./\-_?$&=%]!i', '', $_GET['u']); if ($url === null) { header('HTTP/1.1 403 Forbidden'); echo $error; @@ -45,42 +45,63 @@ $port = $a_uri['port'] ? $a_uri['port'] : 80; $host = $a_uri['host']; $path = $a_uri['path'] . ($a_uri['query'] ? '?'.$a_uri['query'] : ''); -if (!($fp = fsockopen($host, $port, $errno, $errstr, 30))) { +// don't allow any other connections than http(s) +if (strtolower(substr($a_uri['scheme'], 0, 4)) != 'http') { + header('HTTP/1.1 403 Forbidden'); + echo "Invalid URL"; + exit; +} + +// try to open socket connection +if (!($fp = fsockopen($host, $port, $errno, $error, 15))) { header('HTTP/1.1 500 Internal Server Error'); echo $error; exit; } +// set timeout for socket +stream_set_timeout($fp, 30); + +// send request $out = "GET $path HTTP/1.0\r\n"; $out .= "Host: $host\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); +// read response $header = true; +$headers = array(); while (!feof($fp)) { $line = trim(fgets($fp, 4048)); - if ($header - && preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs) - && intval($regs[1]) != 200) { - break; - } else if (empty($line) && $header) { - $header = false; - } else if (!$header) { + if ($header) { + if (preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs) + && intval($regs[1]) != 200) { + break; + } + else if (empty($line)) { + $header = false; + } + else { + list($key, $value) = explode(': ', $line); + $headers[strtolower($key)] = $value; + } + } + else { $source .= "$line\n"; } } fclose($fp); -if (!empty($source)) { +// check content-type header and mod styles +$mimetype = strtolower($headers['content-type']); +if (!empty($source) && in_array($mimetype, array('text/css','text/plain'))) { header('Content-Type: text/css'); - echo rcmail_mod_css_styles( - $source, - preg_replace('/[^a-z0-9]/i', '', $_GET['c']), - $url - ); + echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c'])); exit; } +else + $error = "Invalid response returned by server"; header('HTTP/1.0 404 Not Found'); echo $error; -- cgit v1.2.3