From 7adcd62f62a1315838b716fb3612815f4c0eae89 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 28 Jul 2013 09:03:07 +0200 Subject: - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 188e01a5a..a6553100a 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) - Fix identity-selection using Return-Path headers (#1489241) - Fix parsing of links with ... in URL (#1489192) - Fix compose priority selector when opening in new window (#1489257) -- cgit v1.2.3 From dfaf8c5b8c5f1152275a2201b6b44c29fa10397c Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 28 Jul 2013 14:27:18 +0200 Subject: - Fix rewrite rule in .htaccess (#1489240) --- .htaccess | 2 +- CHANGELOG | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'CHANGELOG') diff --git a/.htaccess b/.htaccess index 481bd091a..345d26dba 100644 --- a/.htaccess +++ b/.htaccess @@ -30,7 +30,7 @@ php_value mbstring.func_overload 0 RewriteEngine On RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico # security rules -RewriteRule .git - [F] +RewriteRule \.git - [F] RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ - [F] RewriteRule ^/?(SQL|bin) - [F] diff --git a/CHANGELOG b/CHANGELOG index a6553100a..8d163def1 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix rewrite rule in .htaccess (#1489240) - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) - Fix identity-selection using Return-Path headers (#1489241) - Fix parsing of links with ... in URL (#1489192) -- cgit v1.2.3 From 276ea5fcaec2e9fd79a5c1d90ab78104252b35b5 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Thu, 1 Aug 2013 14:49:55 +0200 Subject: Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing" Conflicts: CHANGELOG --- CHANGELOG | 1 + program/steps/mail/compose.inc | 10 +++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 8d163def1..1729d36f9 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - Fix rewrite rule in .htaccess (#1489240) - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) - Fix identity-selection using Return-Path headers (#1489241) diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 73a7f34ac..5d588ab51 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -980,10 +980,14 @@ function rcmail_create_draft_body($body, $bodyIsHtml) && count($MESSAGE->mime_parts) > 0) { $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml); + } + + // clean up html tags - XSS prevention (#1489251) + $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); - // replace cid with href in inline images links - if ($cid_map) - $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); + // replace cid with href in inline images links + if ($cid_map) { + $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); } return $body; -- cgit v1.2.3 From 5591a63d70775f2995611ae3d29dd55e8f4a1695 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sat, 3 Aug 2013 09:29:16 +0200 Subject: Fix colorspace issue on image conversion using ImageMagick (#1489270) - s/RGB/sRGB/ --- CHANGELOG | 1 + program/lib/Roundcube/rcube_image.php | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 1729d36f9..38610a0f8 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix colorspace issue on image conversion using ImageMagick (#1489270) - Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - Fix rewrite rule in .htaccess (#1489240) - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php index 735a0df01..ffcfd4b1d 100644 --- a/program/lib/Roundcube/rcube_image.php +++ b/program/lib/Roundcube/rcube_image.php @@ -120,7 +120,7 @@ class rcube_image $p['-opts'] = array('-resize' => $p['size'].'>'); if (in_array($type, explode(',', $p['types']))) { // Valid type? - $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace RGB -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p); + $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p); } if ($result === '') { @@ -222,7 +222,7 @@ class rcube_image $p['out'] = $filename; $p['type'] = self::$extensions[$type]; - $result = rcube::exec($convert . ' 2>&1 -colorspace RGB -quality 75 {in} {type}:{out}', $p); + $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -quality 75 {in} {type}:{out}', $p); if ($result === '') { @chmod($filename, 0600); -- cgit v1.2.3 From 6d26369021d24f19528de59f79f668b745b1322b Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 4 Aug 2013 12:41:30 +0200 Subject: Fix XSS vulnerability when saving HTML signatures (#1489251) Conflicts: CHANGELOG --- CHANGELOG | 1 + program/steps/settings/edit_identity.inc | 3 ++- program/steps/settings/save_identity.inc | 46 ++++++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 38610a0f8..d9adf9e7d 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail =========================== - Fix colorspace issue on image conversion using ImageMagick (#1489270) +- Fix XSS vulnerability when saving HTML signatures (#1489251) - Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - Fix rewrite rule in .htaccess (#1489240) - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc index d70a7aef7..edd4ba60d 100644 --- a/program/steps/settings/edit_identity.inc +++ b/program/steps/settings/edit_identity.inc @@ -77,7 +77,7 @@ function rcube_identity_form($attrib) 'signature' => array( 'name' => rcube_label('signature'), 'content' => array( - 'signature' => array('type' => 'textarea', 'size' => $t_cols, 'rows' => $t_rows, + 'signature' => array('type' => 'textarea', 'size' => $t_cols, 'rows' => $t_rows, 'spellcheck' => true), 'html_signature' => array('type' => 'checkbox', 'label' => rcube_label('htmlsignature'), 'onclick' => 'return rcmail_toggle_editor(this, \'rcmfd_signature\');'), @@ -138,6 +138,7 @@ function rcube_identity_form($attrib) $label = !empty($colprop['label']) ? $colprop['label'] : rcube_label(str_replace('-', '', $col)); + $value = !empty($colprop['value']) ? $colprop['value'] : rcmail_get_edit_field($col, $IDENTITY_RECORD[$col], $colprop, $colprop['type']); diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 34d8be268..d3b132f8b 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -76,6 +76,15 @@ foreach ($email_checks as $email) { } } +// XSS protection in HTML signature (#1489251) +if (!empty($save_data['signature']) && !empty($save_data['html_signature'])) { + $save_data['signature'] = rcmail_wash_html($save_data['signature']); + + // clear POST data of signature, we want to use safe content + // when the form is displayed again + unset($_POST['_signature']); +} + // update an existing contact if ($_POST['_iid']) { $iid = get_input_value('_iid', RCUBE_INPUT_POST); @@ -167,3 +176,40 @@ if (!empty($_REQUEST['_framed'])) { } else rcmail_overwrite_action('identities'); + + +/** + * Sanity checks/cleanups on HTML body of signature + */ +function rcmail_wash_html($html) +{ + // Add header with charset spec., washtml cannot work without that + $html = '' + . '' + . '' . $html . ''; + + // clean HTML with washhtml by Frederic Motte + $wash_opts = array( + 'show_washed' => false, + 'allow_remote' => 1, + 'charset' => RCMAIL_CHARSET, + 'html_elements' => array('body', 'link'), + 'html_attribs' => array('rel', 'type'), + ); + + // initialize HTML washer + $washer = new rcube_washtml($wash_opts); + + //$washer->add_callback('form', 'rcmail_washtml_callback'); + //$washer->add_callback('style', 'rcmail_washtml_callback'); + + // Remove non-UTF8 characters (#1487813) + $html = rc_utf8_clean($html); + + $html = $washer->wash($html); + + // remove unwanted comments and tags (produced by washtml) + $html = preg_replace(array('//', '/<\/?body>/'), '', $html); + + return $html; +} -- cgit v1.2.3 From 17f11330f8effc12f6aeef1c46dec86bd1c2b492 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 7 Aug 2013 13:48:07 +0200 Subject: Fix wrong handling of links with '|' character (#1489276) Conflicts: CHANGELOG tests/Framework/StringReplacer.php --- CHANGELOG | 1 + program/lib/Roundcube/rcube_string_replacer.php | 2 +- tests/Framework/StringReplacer.php | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index d9adf9e7d..a169faba7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix wrong handling of links with '|' character (#1489276) - Fix colorspace issue on image conversion using ImageMagick (#1489270) - Fix XSS vulnerability when saving HTML signatures (#1489251) - Fix XSS vulnerability when editing a message "as new" or draft (#1489251) diff --git a/program/lib/Roundcube/rcube_string_replacer.php b/program/lib/Roundcube/rcube_string_replacer.php index acdc4e317..bd26f8e7d 100644 --- a/program/lib/Roundcube/rcube_string_replacer.php +++ b/program/lib/Roundcube/rcube_string_replacer.php @@ -36,7 +36,7 @@ class rcube_string_replacer // Support unicode/punycode in top-level domain part $utf_domain = '[^?&@"\'\\/()<>\s\r\t\n]+\\.?([^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f]{2,}|xn--[a-zA-Z0-9]{2,})'; $url1 = '.:;,'; - $url2 = 'a-zA-Z0-9%=#$@+?!&\\/_~\\[\\]\\(\\){}\*-'; + $url2 = 'a-zA-Z0-9%=#$@+?|!&\\/_~\\[\\]\\(\\){}\*-'; $this->link_pattern = "/([\w]+:\/\/|\W[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)($utf_domain([$url1]*[$url2]+)*)/"; $this->mailto_pattern = "/(" diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php index f2643f838..5008e3f84 100644 --- a/tests/Framework/StringReplacer.php +++ b/tests/Framework/StringReplacer.php @@ -41,6 +41,7 @@ class Framework_StringReplacer extends PHPUnit_Framework_TestCase array('http://', 'http://'), array('1@1.com www.domain.tld', '1@1.com www.domain.tld'), array(' www.domain.tld ', ' www.domain.tld '), + array(' www.domain.tld/#!download|856p1|2 ', ' www.domain.tld/#!download|856p1|2 '), ); } -- cgit v1.2.3 From 216fdb891a6840269ed0a68fb6194f787af9c2bb Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 7 Aug 2013 14:24:00 +0200 Subject: Fix base URL resolving on attribute values with no quotes (#1489275) --- CHANGELOG | 1 + program/lib/Roundcube/rcube_base_replacer.php | 4 ++-- tests/Framework/BaseReplacer.php | 14 ++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index a169faba7..91f550c84 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix base URL resolving on attribute values with no quotes (#1489275) - Fix wrong handling of links with '|' character (#1489276) - Fix colorspace issue on image conversion using ImageMagick (#1489270) - Fix XSS vulnerability when saving HTML signatures (#1489251) diff --git a/program/lib/Roundcube/rcube_base_replacer.php b/program/lib/Roundcube/rcube_base_replacer.php index fcd85c2c8..aaaa2028c 100644 --- a/program/lib/Roundcube/rcube_base_replacer.php +++ b/program/lib/Roundcube/rcube_base_replacer.php @@ -44,8 +44,8 @@ class rcube_base_replacer public function replace($body) { return preg_replace_callback(array( - '/(src|background|href)=(["\']?)([^"\'\s]+)(\2|\s|>)/Ui', - '/(url\s*\()(["\']?)([^"\'\)\s]+)(\2)\)/Ui', + '/(src|background|href)=(["\']?)([^"\'\s>]+)(\2|\s|>)/i', + '/(url\s*\()(["\']?)([^"\'\)\s]+)(\2)\)/i', ), array($this, 'callback'), $body); } diff --git a/tests/Framework/BaseReplacer.php b/tests/Framework/BaseReplacer.php index e00b9e5eb..44a9604ac 100644 --- a/tests/Framework/BaseReplacer.php +++ b/tests/Framework/BaseReplacer.php @@ -17,4 +17,18 @@ class Framework_BaseReplacer extends PHPUnit_Framework_TestCase $this->assertInstanceOf('rcube_base_replacer', $object, "Class constructor"); } + + /** + * Test replace() + */ + function test_replace() + { + $base = 'http://thisshouldntbetheurl.bob.com/'; + $html = 'Test URL'; + + $replacer = new rcube_base_replacer($base); + $response = $replacer->replace($html); + + $this->assertSame('Test URL', $response); + } } -- cgit v1.2.3 From f4ba655a41bad1d2f833e36dd3fbe7cb2a5582ee Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Tue, 13 Aug 2013 08:30:14 +0200 Subject: Fix purge action in folder manager (#1489280) Conflicts: CHANGELOG --- CHANGELOG | 1 + program/js/app.js | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 91f550c84..a0b47d5fe 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix purge action in folder manager (#1489280) - Fix base URL resolving on attribute values with no quotes (#1489275) - Fix wrong handling of links with '|' character (#1489276) - Fix colorspace issue on image conversion using ImageMagick (#1489270) diff --git a/program/js/app.js b/program/js/app.js index 8e6a6fff3..73612381f 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -388,7 +388,7 @@ function rcube_webmail() } else if (this.env.action == 'edit-folder' && this.gui_objects.editform) { this.enable_command('save', 'folder-size', true); - parent.rcmail.env.messagecount = this.env.messagecount; + parent.rcmail.env.exists = this.env.messagecount; parent.rcmail.enable_command('purge', this.env.messagecount); $("input[type='text']").first().select(); } -- cgit v1.2.3