From 2e30b24dbf3aebf4d201bc922eb7b7bc8ab8f4fd Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sat, 14 Sep 2013 09:44:58 +0200
Subject: Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333)
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)
(limited to 'CHANGELOG')
diff --git a/CHANGELOG b/CHANGELOG
index 85963d84f..6a93d40ce 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333)
 - Fix attachment icon issue when rare font/language is used (#1489326)
 - After message is sent refresh messages list of replied message folder (#1489249)
 - Add option force specified domain in user login - username_domain_forced (#1489264)
-- 
cgit v1.2.3
From 75c7adc41b6a1fb8ba614c4c1eb34312000d80ac Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sat, 14 Sep 2013 10:30:18 +0200
Subject: Assigned CVE identifiers
---
 CHANGELOG | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
(limited to 'CHANGELOG')
diff --git a/CHANGELOG b/CHANGELOG
index 6a93d40ce..a7c3f1540 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -97,8 +97,8 @@ RELEASE 0.9.3
 - Fix base URL resolving on attribute values with no quotes (#1489275)
 - Fix wrong handling of links with '|' character (#1489276)
 - Fix colorspace issue on image conversion using ImageMagick (#1489270)
-- Fix XSS vulnerability when editing a message "as new" or draft (#1489251)
-- Fix XSS vulnerability when saving HTML signatures (#1489251)
+- Fix XSS vulnerability when editing a message "as new" or draft [CVE-2013-5645] (#1489251)
+- Fix XSS vulnerability when saving HTML signatures [CVE-2013-5645] (#1489251)
 - Fix rewrite rule in .htaccess (#1489240)
 - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252)
 - Fix identity-selection using Return-Path headers (#1489241)
@@ -318,7 +318,7 @@ RELEASE 0.8.5
 - Fix #countcontrols issue in IE<=8 when text is very long (#1488890)
 - Fix unwanted horizontal scrollbar in message preview header (#1488866)
 - Add workaround for IE<=8 bug where Content-Disposition:inline was ignored (#1488844)
-- Fix XSS vulnerability in vbscript: and data:text links handling (#1488850)
+- Fix XSS vulnerability in vbscript: and data:text links handling [CVE-2012-6121] (#1488850)
 - Fix absolute positioning in HTML messages (#1488819)
 - Fix cache (in)validation after setting \Deleted flag
 - Fix keybord events on messages list in opera browser (#1488823)
@@ -373,8 +373,8 @@ RELEASE 0.8.1
 - Fix bug where domain name was converted to lower-case even with login_lc=false (#1488593)
 - Fix lower-casing email address on replies (#1488598)
 - Fix line separator in exported messages (#1488603)
-- Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)
-- Fix XSS issue where href="javascript:" wasn't secured (#1488613)
+- Fix XSS issue where plain signatures wasn't secured in HTML mode [CVE-2012-4668] (#1488613)
+- Fix XSS issue where href="javascript:" wasn't secured [CVE-2012-3508] (#1488613)
 - Fix impossible to create message with empty plain text part (#1488610)
 - Fix stripped apostrophes when replying in plain text to HTML message (#1488606)
 - Fix inactive Save search option after advanced search (#1488607)
@@ -409,7 +409,7 @@ RELEASE 0.8.0
 - Fix removing contact photo using LDAP addressbook (#1488420)
 - Fix storing X-ANNIVERSARY date in vCard format (#1488527)
 - Update to Mail_Mime-1.8.5 (#1488521)
-- Fix XSS vulnerability in message subject handling using Larry skin (#1488519)
+- Fix XSS vulnerability in message subject handling using Larry skin [CVE-2012-3507] (#1488519)
 - Fix handling of links with various URI schemes e.g. "skype:" (#1488106)
 - Fix handling of links inside PRE elements on html to text conversion
 - Fix indexing of links on html to text conversion
@@ -536,7 +536,7 @@ RELEASE 0.7
 - Improved handling of some malformed values encoded with quoted-printable (#1488232)
 - Add possibility to do LDAP bind before searching for bind DN
 - Fix handling of empty tags in HTML messages (#1488225)
-- Add content filter for embedded attachments to protect from XSS on IE (#1487895)
+- Add content filter for embedded attachments to protect from XSS on IE [CVE-2012-1253] (#1487895)
 - Use strpos() instead of strstr() when possible (#1488211)
 - Fix handling HTML entities when converting HTML to text (#1488212)
 - Fix fit_string_to_size() renders browser and ui unresponsive (#1488207)
@@ -704,7 +704,7 @@ RELEASE 0.6-beta

 RELEASE 0.5.4
 -------------
-- Fix XSS vulnerability in UI messages (#1488030)
+- Fix XSS vulnerability in UI messages [CVE-2011-2937] (#1488030)

 RELEASE 0.5.3
 -------------
@@ -754,8 +754,8 @@ RELEASE 0.5.1
 - Security: add optional referer check to prevent CSRF in GET requests
 - Fix email_dns_check setting not used for identities/contacts (#1487740)
 - Fix ICANN example addresses doesn't validate (#1487742)
-- Security: protect login form submission from CSRF
-- Security: prevent from relaying malicious requests through modcss.inc
+- Security: protect login form submission from CSRF [CVE-2011-1491]
+- Security: prevent from relaying malicious requests through modcss.inc [CVE-2011-1492]
 - Fix handling of non-image attachments in multipart/related messages (#1487750)
 - Fix IDNA support when IDN/INTL modules are in use (#1487742)
 - Fix handling of invalid HTML comments in messages (#1487759)
@@ -1198,7 +1198,7 @@ RELEASE 0.3-RC1
 ---------------
 - Fix import of vCard entries with params (#1485453)
 - Fix HTML messages output with empty block elements (#1485974)
-- Use request tokens to protect POST requests from CSRF
+- Use request tokens to protect POST requests from CSRF [CVE-2009-4076, CVE-2009-4077]
 - Added hook when killing a session
 - Added hook to write_log function (#1485971)
 - Performance improvements by use UID commands (#1485690)
@@ -1325,7 +1325,7 @@ RELEASE 0.2.1
 - Fix large search results on server without SORT capability (#1485668)
 - Get rid of preg_replace() with eval modifier and create_function usage (#1485686)
 - Bring back and tags in HTML messages
-- Fix XSS vulnerability through background attributes as reported by Julien Cayssol
+- Fix XSS vulnerability through background attributes [CVE-2009-0413]
 - Fix problems with backslash as IMAP hierarchy delimiter (#1484467)
 - Secure vcard export by getting rid of preg's 'e' modifier use (#1485689)
 - Fix authentication when submitting form with existing session (#1485679)
-- 
cgit v1.2.3
From 2efe332b495787dc5be77c3191ff319a62a56fca Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sun, 15 Sep 2013 13:43:13 +0200
Subject: Display full attachment name using title attribute when name is too long to display (#1489320)
---
 CHANGELOG | 1 +
 program/js/app.js | 13 +++++++++----
 program/steps/mail/attachments.inc | 5 ++++-
 program/steps/mail/compose.inc | 24 ++++++++++++++++++------
 program/steps/mail/show.inc | 5 +++--
 skins/classic/templates/message.html | 2 +-
 skins/classic/templates/messagepreview.html | 2 +-
 7 files changed, 37 insertions(+), 15 deletions(-)
(limited to 'CHANGELOG')
diff --git a/CHANGELOG b/CHANGELOG
index a7c3f1540..f18d10d94 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Display full attachment name using title attribute when name is too long to display (#1489320) - Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333) - Fix attachment icon issue when rare font/language is used (#1489326) - After message is sent refresh messages list of replied message folder (#1489249) diff --git a/program/js/app.js b/program/js/app.js index 1d1c65172..24aaca055 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -1881,7 +1881,7 @@ function rcube_webmail() html = expando; else if (c == 'subject') { if (bw.ie) { - col.onmouseover = function() { rcube_webmail.long_subject_title_ie(this, message.depth+1); }; + col.onmouseover = function() { rcube_webmail.long_subject_title_ex(this, message.depth+1); }; if (bw.ie8) tree = '' + tree; // #1487821 } @@ -3639,7 +3639,12 @@ function rcube_webmail() att.html = '' + (this.env.cancelicon ? '' : this.get_label('cancel')) + '' + att.html; - var indicator, li = $('
  • ').attr('id', name).addClass(att.classname).html(att.html); + var indicator, li = $('
  • '); + + li.attr('id', name) + .addClass(att.classname) + .html(att.html) + .on('mouseover', function() { rcube_webmail.long_subject_title_ex(this, 0); }); // replace indicator's li if (upload_id && (indicator = document.getElementById(upload_id))) { @@ -6986,11 +6991,11 @@ rcube_webmail.long_subject_title = function(elem, indent) if (!elem.title) { var $elem = $(elem); if ($elem.width() + indent * 15 > $elem.parent().width()) - elem.title = $elem.html(); + elem.title = $elem.text(); } }; -rcube_webmail.long_subject_title_ie = function(elem, indent) +rcube_webmail.long_subject_title_ex = function(elem, indent) { if (!elem.title) { var $elem = $(elem), diff --git a/program/steps/mail/attachments.inc b/program/steps/mail/attachments.inc index f83f6892e..85aa9542b 100644 --- a/program/steps/mail/attachments.inc +++ b/program/steps/mail/attachments.inc @@ -118,9 +118,12 @@ if (is_array($_FILES['_attachments']['tmp_name'])) { 'alt' => rcube_label('delete') )); } - else { + else if ($COMPOSE['textbuttons']) { $button = Q(rcube_label('delete')); } + else { + $button = ''; + } $content = html::a(array( 'href' => "#delete", diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index e9f638cb1..39dca3b03 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -1370,8 +1370,9 @@ function rcmail_compose_attachment_list($attrib) if (!$attrib['id']) $attrib['id'] = 'rcmAttachmentList'; - $out = "\n"; + $out = "\n"; $jslist = array(); + $button = ''; if (is_array($COMPOSE['attachments'])) { if ($attrib['deleteicon']) { 
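Review bot: The `mouseover` handler added to the attachment `li` in the app.js @@ -3639 hunk is bound to the whole list item, whose markup is built with the cancel control in front of the name (`att.html` is prefixed with the cancel icon or the 'cancel' label), so a tooltip derived from the element's text would presumably carry that label ahead of the file name; the body of `long_subject_title_ex` is outside the hunk, so whether it reads the element text cannot be confirmed here. The same applies to the `onmouseover` attribute on the `li` in compose.inc @@ -1380, where the item holds the delete link (`$button`) followed by `Q($a_prop['name'])`. If the tooltip should show only the name, bind the handler to the element that wraps the name, or have the function skip the control's text. The enclosing function of the @@ -3639 hunk starts and ends outside it.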
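Review bot: Renaming `rcube_webmail.long_subject_title_ie` to `long_subject_title_ex` in the app.js @@ -6986 hunk removes the old name; the caller at @@ -1881 is updated in this diff, but a skin or plugin still calling the old name would now fail at runtime, so if compatibility matters keep an alias, `rcube_webmail.long_subject_title_ie = rcube_webmail.long_subject_title_ex;`. Changing `long_subject_title` from `$elem.html()` to `$elem.text()` is the right fix for a `title` attribute, since the tooltip previously showed entity-encoded markup rather than the subject text. The body of `long_subject_title_ex` runs past the end of the hunk, so it is worth confirming it also uses the text rather than the markup.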
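Review bot: The three-way delete-button selection added in attachments.inc @@ -118 (`deleteicon`, then `$COMPOSE['textbuttons']`, else an empty string) duplicates the logic in compose.inc @@ -1380, and it reads `$COMPOSE['textbuttons']` directly although compose.inc only sets that key in its `else if` branch, so a never-set key raises a PHP notice here. Guard the read with `else if (!empty($COMPOSE['textbuttons'])) {`, and consider moving the selection into one helper called from both files so they cannot drift apart. The enclosing `if (is_array($_FILES['_attachments']['tmp_name']))` block starts and ends outside the hunk.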
@@ -1380,27 +1381,38 @@ function rcmail_compose_attachment_list($attrib) 'alt' => rcube_label('delete') )); } - else + else if (rcube_utils::get_boolean($attrib['textbuttons'])) { $button = Q(rcube_label('delete')); + } foreach ($COMPOSE['attachments'] as $id => $a_prop) { if (empty($a_prop)) continue; - $out .= html::tag('li', array('id' => 'rcmfile'.$id, 'class' => rcmail_filetype2classname($a_prop['mimetype'], $a_prop['name'])), + $out .= html::tag('li', + array( + 'id' => 'rcmfile'.$id, + 'class' => rcmail_filetype2classname($a_prop['mimetype'], $a_prop['name']), + 'onmouseover' => "rcube_webmail.long_subject_title_ex(this, 0)", + ), html::a(array( 'href' => "#delete", 'title' => rcube_label('delete'), 'onclick' => sprintf("return %s.command('remove-attachment','rcmfile%s', this)", JS_OBJECT_NAME, $id), - 'class' => 'delete'), - $button) . Q($a_prop['name'])); + 'class' => 'delete' + ), + $button + ) . Q($a_prop['name']) + ); - $jslist['rcmfile'.$id] = array('name' => $a_prop['name'], 'complete' => true, 'mimetype' => $a_prop['mimetype']); + $jslist['rcmfile'.$id] = array('name' => $a_prop['name'], 'complete' => true, 'mimetype' => $a_prop['mimetype']); } } if ($attrib['deleteicon']) $COMPOSE['deleteicon'] = $CONFIG['skin_path'] . $attrib['deleteicon']; + else if (rcube_utils::get_boolean($attrib['textbuttons'])) + $COMPOSE['textbuttons'] = true; if ($attrib['cancelicon']) $OUTPUT->set_env('cancelicon', $CONFIG['skin_path'] . $attrib['cancelicon']); if ($attrib['loadingicon']) diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index 59f4d55e1..9d85f9c8f 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc 
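Review bot: In the compose.inc @@ -1380 hunk `$COMPOSE['textbuttons'] = true` is assigned only in the `else if` branch and never cleared, while the `if` branch assigns `$COMPOSE['deleteicon']`; `$COMPOSE` looks like per-compose session state that survives across requests, so a `true` stored by one render would presumably persist if the template attributes change, and attachments.inc @@ -118 would keep emitting text buttons. Assign the key on both paths, e.g. `$COMPOSE['textbuttons'] = !$attrib['deleteicon'] && rcube_utils::get_boolean($attrib['textbuttons']);`. `rcube_utils::get_boolean($attrib['textbuttons'])` is also evaluated twice in the hunk and could be computed once into a local. `rcmail_compose_attachment_list` continues past the end of the hunk.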
@@ -175,9 +175,9 @@ function rcmail_message_attachments($attrib) $ol .= html::tag('li', null, Q(sprintf("%s (%s)", $filename, $size))); } else { - if (mb_strlen($filename) > 50) { + if ($attrib['maxlength'] && mb_strlen($filename) > $attrib['maxlength']) { $title = $filename; - $filename = abbreviate_string($filename, 50); + $filename = abbreviate_string($filename, $attrib['maxlength']); } else { $title = ''; @@ -190,6 +190,7 @@ function rcmail_message_attachments($attrib) 'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false), 'onclick' => sprintf('return %s.command(\'load-attachment\',\'%s\',this)', JS_OBJECT_NAME, $attach_prop->mime_id), + 'onmouseover' => $title ? '' : 'rcube_webmail.long_subject_title_ex(this, 0)', 'title' => Q($title), ), Q($filename)); $ol .= html::tag('li', array('class' => $class, 'id' => $id), $link); diff --git a/skins/classic/templates/message.html b/skins/classic/templates/message.html index 757c0a635..bd4fbf277 100644 --- a/skins/classic/templates/message.html +++ b/skins/classic/templates/message.html @@ -49,7 +49,7 @@ - + diff --git a/skins/classic/templates/messagepreview.html b/skins/classic/templates/messagepreview.html index b42a06342..82414c420 100644 --- a/skins/classic/templates/messagepreview.html +++ b/skins/classic/templates/messagepreview.html @@ -20,7 +20,7 @@ - + -- cgit v1.2.3 From c1ff572e176dc930c52063e53364daa315d34666 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli Date: Mon, 16 Sep 2013 20:01:10 +0200 Subject: Touch new default font size settings: simplified + codestyle + updated changelog --- CHANGELOG | 1 + program/steps/mail/sendmail.inc | 5 ++--- program/steps/settings/func.inc | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index f18d10d94..8d5870ce4 100644 --- a/CHANGELOG +++ b/CHANGELOG 
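Review bot: In show.inc @@ -175 the fixed 50-character cut is replaced by `$attrib['maxlength']`, so a template that does not pass `maxlength` (the two classic skin templates are touched in this commit, but other skins may not be) now gets the full file name with no abbreviation, and a missing key raises a notice; that is presumably intended now that the mouseover tooltip covers long names, but it is a behaviour change worth a mention in the changelog entry. The attribute arrives from the template as a string, so read it once and cast it: `$maxlength = !empty($attrib['maxlength']) ? (int) $attrib['maxlength'] : 0;` and then `if ($maxlength && mb_strlen($filename) > $maxlength) {` with `abbreviate_string($filename, $maxlength)`. `rcmail_message_attachments` starts and ends outside the hunk.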
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Make default font size for HTML messages configurable (request #118) - Display full attachment name using title attribute when name is too long to display (#1489320) - Fix XSS issue in addressbook group name field [CVE-2013-5646] (#1489333) - Fix attachment icon issue when rare font/language is used (#1489326) diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 8fe149611..3f4475e46 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -473,10 +473,9 @@ $isHtml = (bool) get_input_value('_is_html', RCUBE_INPUT_POST); $message_body = get_input_value('_message', RCUBE_INPUT_POST, TRUE, $message_charset); if ($isHtml) { - $font = rcube_fontdefs($RCMAIL->config->get('default_font')); - $font = $font && is_string($font) ? ' '.$font : NULL; + $font_family = rcube_fontdefs($RCMAIL->config->get('default_font', 'Arial')); $font_size = $RCMAIL->config->get('default_font_size'); - $bstyle = " style='font: ".$font_size.$font.";'"; + $bstyle = ' style="font:' . $font_size . ' ' . $font_family . ';"'; // append doctype and html/body wrappers $message_body = '' . diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index b492c9644..53c98eddf 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc @@ -864,8 +864,8 @@ function rcmail_user_prefs($current = null) $blocks['main']['options']['default_font'] = array( 'title' => html::label($field_id, Q(rcube_label('defaultfont'))), - 'content' => $select_default_font_size->show($RCMAIL->config->get('default_font_size', 1)). - $select_default_font->show($RCMAIL->config->get('default_font', 1)) + 'content' => $select_default_font->show($RCMAIL->config->get('default_font', 1)) . + $select_default_font_size->show($RCMAIL->config->get('default_font_size', 1)) ); } break; -- cgit v1.2.3
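Review bot: The rewritten `$bstyle` in sendmail.inc @@ -473 drops the `is_string($font)` guard the old code had, so whatever `rcube_fontdefs()` returns for an unknown `default_font` value is now concatenated straight into the attribute (the old guard implies a non-string return is possible), and both `$font_size` and `$font_family` land in a double-quoted `style` attribute unescaped; `default_font` and `default_font_size` are user preferences (see the selects in func.inc @@ -864), so unless the save path validates them against the offered options, a value containing `"` breaks out of the attribute in the outgoing HTML body. Keep the fallback and escape the pieces: `$font_family = is_string($font_family) ? $font_family : 'Arial';` and `$bstyle = ' style="font:' . Q($font_size) . ' ' . Q($font_family) . ';"';`. The surrounding `if ($isHtml)` block continues past the end of the hunk.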
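Review bot: The reordered `content` in func.inc @@ -864 still reads `default_font` with a fallback of `1`, while sendmail.inc @@ -473 in the same commit falls back to `'Arial'`; the two defaults should agree so the preferences page preselects the font that is actually applied when nothing is stored, e.g. `$select_default_font->show($RCMAIL->config->get('default_font', 'Arial'))`, or better one shared config default. The `1` fallback for `default_font_size` deserves the same look, since the sendmail side reads that value with no default at all and uses it as a CSS size. `rcmail_user_prefs` starts and ends outside the hunk.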