From 7adcd62f62a1315838b716fb3612815f4c0eae89 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 28 Jul 2013 09:03:07 +0200 Subject: - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) --- program/lib/Roundcube/rcube_charset.php | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'program') diff --git a/program/lib/Roundcube/rcube_charset.php b/program/lib/Roundcube/rcube_charset.php index a7f26a3f4..19dbf6cbc 100644 --- a/program/lib/Roundcube/rcube_charset.php +++ b/program/lib/Roundcube/rcube_charset.php @@ -674,23 +674,27 @@ class rcube_charset // Prioritize charsets according to current language (#1485669) switch ($language) { - case 'ja_JP': // for Japanese + case 'ja_JP': $prio = array('ISO-2022-JP', 'JIS', 'UTF-8', 'EUC-JP', 'eucJP-win', 'SJIS', 'SJIS-win'); break; - case 'zh_CN': // for Chinese (Simplified) - case 'zh_TW': // for Chinese (Traditional) + case 'zh_CN': + case 'zh_TW': $prio = array('UTF-8', 'BIG-5', 'GB2312', 'EUC-TW'); break; - case 'ko_KR': // for Korean + case 'ko_KR': $prio = array('UTF-8', 'EUC-KR', 'ISO-2022-KR'); break; - case 'ru_RU': // for Russian + case 'ru_RU': $prio = array('UTF-8', 'WINDOWS-1251', 'KOI8-R'); break; + case 'tr_TR': + $prio = array('UTF-8', 'ISO-8859-9', 'WINDOWS-1254'); + break; + default: $prio = array('UTF-8', 'SJIS', 'GB2312', 'ISO-8859-1', 'ISO-8859-2', 'ISO-8859-3', 'ISO-8859-4', -- cgit v1.2.3 From a67ad15d2f0b2f2e8aec9e5f0cff07f48447f287 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 31 Jul 2013 11:10:40 +0200 Subject: Support special Return-Path form used on some (PEAR) mailing list (#1489241) --- program/steps/mail/func.inc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'program') diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 16a9f495d..28e6baadf 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc 
@@ -1803,8 +1803,14 @@ function rcmail_identity_select($MESSAGE, $identities = null, $compose_mode = 'r // Try Return-Path if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) { foreach ($identities as $idx => $ident) { + // Return-Path header contains an email address, but on some mailing list + // it can be e.g. + // where local@domain.tld is the address we're looking for (#1489241) + $ident1 = $ident['email_ascii']; + $ident2 = str_replace('@', '=', $ident1); + foreach ((array)$return_path as $path) { - if (stripos($path, $ident['email_ascii']) !== false) { + if (stripos($path, $ident1) !== false || stripos($path, $ident2)) { $from_idx = $idx; break 2; } -- cgit v1.2.3 From 276ea5fcaec2e9fd79a5c1d90ab78104252b35b5 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Thu, 1 Aug 2013 14:49:55 +0200 Subject: Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - added HTML content "washing" Conflicts: CHANGELOG --- CHANGELOG | 1 + program/steps/mail/compose.inc | 10 +++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'program') diff --git a/CHANGELOG b/CHANGELOG index 8d163def1..1729d36f9 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - Fix rewrite rule in .htaccess (#1489240) - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) - Fix identity-selection using Return-Path headers (#1489241) diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 73a7f34ac..5d588ab51 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc 
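Review bot: In the rcmail_identity_select() hunk of program/steps/mail/func.inc, the second test `stripos($path, $ident2)` lacks the `!== false` comparison that the first one has, so a match at offset 0 evaluates to false and is ignored. It should read `if (stripos($path, $ident1) !== false || stripos($path, $ident2) !== false) {`. Both tests are substring matches, so an identity address that is contained in a longer address in Return-Path also selects that identity; a short comment saying this is accepted would help the next reader. The function body starts and ends outside the hunk.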
@@ -980,10 +980,14 @@ function rcmail_create_draft_body($body, $bodyIsHtml) && count($MESSAGE->mime_parts) > 0) { $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml); + } + + // clean up html tags - XSS prevention (#1489251) + $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); - // replace cid with href in inline images links - if ($cid_map) - $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); + // replace cid with href in inline images links + if ($cid_map) { + $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); } return $body; -- cgit v1.2.3 From f2d12f4363568a8690920241023c93aea8a1b63d Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Thu, 1 Aug 2013 14:52:59 +0200 Subject: Fix fatal error when opening non-existing message in compose window --- program/steps/mail/compose.inc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'program') diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 5d588ab51..e04986a76 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -198,7 +198,10 @@ if (!empty($msg_uid) && empty($COMPOSE['as_attachment'])) if (!empty($MESSAGE->headers->charset)) $RCMAIL->storage->set_charset($MESSAGE->headers->charset); - if ($compose_mode == RCUBE_COMPOSE_REPLY) { + if (!$MESSAGE->headers) { + // error + } + else if ($compose_mode == RCUBE_COMPOSE_REPLY) { $COMPOSE['reply_uid'] = $msg_uid; $COMPOSE['reply_msgid'] = $MESSAGE->headers->messageID; $COMPOSE['references'] = trim($MESSAGE->headers->references . " " . $MESSAGE->headers->messageID); -- cgit v1.2.3 From 254af68cd8e27880276473d1583d18d221f8504d Mon Sep 17 00:00:00 2001 
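Review bot: In the rcmail_create_draft_body() hunk of program/steps/mail/compose.inc, `$cid_map` is assigned only inside the preceding `if`, yet after the added `}` it is passed to `rcmail_wash_html()` and tested in `if ($cid_map)` on every path. Unless it is initialised above the hunk, it is undefined whenever that condition is false. Adding `$cid_map = array();` before the `if` makes the empty case explicit. The later `@@ -985,12 +985,17 @@` hunk of the same file passes the variable to `rcmail_wash_html()` in the same way. The start of the function is outside the hunk.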
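Review bot: In the `@@ -198,7 +198,10 @@` hunk of compose.inc, the new `if (!$MESSAGE->headers)` branch contains only `// error`, so a request for a message UID that does not exist is skipped silently and the compose step carries on without a loaded message. Whether anything later reports the failure to the user is not visible here. The branch should either raise the error it names or carry a comment that states the intended outcome, for example `// message not found: continue with an empty compose form`. The enclosing `if (!empty($msg_uid) && empty($COMPOSE['as_attachment']))` block continues outside the hunk.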
From: Aleksander Machniak Date: Fri, 2 Aug 2013 08:35:31 +0200 Subject: Fix broken (in 93b0a30c1c8aa29d862b587b31e52bcc344b8d16) text/plain body of a message when using "edit as new" --- program/steps/mail/compose.inc | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) (limited to 'program') diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index e04986a76..fb76b9abb 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -985,12 +985,17 @@ function rcmail_create_draft_body($body, $bodyIsHtml) $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml); } - // clean up html tags - XSS prevention (#1489251) - $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); + // clean up HTML tags - XSS prevention (#1489251) + if ($bodyIsHtml) { + $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); - // replace cid with href in inline images links - if ($cid_map) { - $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); + // remove comments (produced by washtml) + $body = preg_replace('//', '', $body); + + // replace cid with href in inline images links + if (!empty($cid_map)) { + $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); + } } return $body; -- cgit v1.2.3 From 5591a63d70775f2995611ae3d29dd55e8f4a1695 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sat, 3 Aug 2013 09:29:16 +0200 Subject: Fix colorspace issue on image conversion using ImageMagick (#1489270) - s/RGB/sRGB/ --- CHANGELOG | 1 + program/lib/Roundcube/rcube_image.php | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'program') diff --git a/CHANGELOG b/CHANGELOG index 1729d36f9..38610a0f8 100644 --- a/CHANGELOG +++ b/CHANGELOG 
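Review bot: In the `@@ -985,12 +985,17 @@` hunk of compose.inc, washing now runs only when `$bodyIsHtml` is true, so a text/plain draft body is returned exactly as it was received. That is safe only if the caller HTML-escapes the plain-text body before writing it into the compose form, which this hunk does not show. A comment on the `if ($bodyIsHtml)` line would record the assumption, e.g. `// plain-text bodies are not washed here; they must be escaped when rendered`.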
@@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix colorspace issue on image conversion using ImageMagick (#1489270) - Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - Fix rewrite rule in .htaccess (#1489240) - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php index 735a0df01..ffcfd4b1d 100644 --- a/program/lib/Roundcube/rcube_image.php +++ b/program/lib/Roundcube/rcube_image.php @@ -120,7 +120,7 @@ class rcube_image $p['-opts'] = array('-resize' => $p['size'].'>'); if (in_array($type, explode(',', $p['types']))) { // Valid type? - $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace RGB -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p); + $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p); } if ($result === '') { @@ -222,7 +222,7 @@ class rcube_image $p['out'] = $filename; $p['type'] = self::$extensions[$type]; - $result = rcube::exec($convert . ' 2>&1 -colorspace RGB -quality 75 {in} {type}:{out}', $p); + $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -quality 75 {in} {type}:{out}', $p); if ($result === '') { @chmod($filename, 0600); -- cgit v1.2.3 From 6d26369021d24f19528de59f79f668b745b1322b Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 4 Aug 2013 12:41:30 +0200 Subject: Fix XSS vulnerability when saving HTML signatures (#1489251) Conflicts: CHANGELOG --- CHANGELOG | 1 + program/steps/settings/edit_identity.inc | 3 ++- program/steps/settings/save_identity.inc | 46 ++++++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) (limited to 'program') diff --git a/CHANGELOG b/CHANGELOG index 38610a0f8..d9adf9e7d 100644 --- a/CHANGELOG +++ b/CHANGELOG 
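Review bot: Both rcube_image.php hunks hard-code `-colorspace sRGB`, but as far as I know the meaning of the `RGB` and `sRGB` names was swapped between ImageMagick releases, so hosts with an older `convert` binary may now get the colour shift this commit removes on newer ones. If older installs are still supported, consider choosing the value from the detected ImageMagick version or a config option, and note in a comment which releases `sRGB` is correct for. Both enclosing methods start and end outside the hunks.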
@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail =========================== - Fix colorspace issue on image conversion using ImageMagick (#1489270) +- Fix XSS vulnerability when saving HTML signatures (#1489251) - Fix XSS vulnerability when editing a message "as new" or draft (#1489251) - Fix rewrite rule in .htaccess (#1489240) - Fix detecting Turkish language in ISO-8859-9 encoding (#1489252) diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc index d70a7aef7..edd4ba60d 100644 --- a/program/steps/settings/edit_identity.inc +++ b/program/steps/settings/edit_identity.inc @@ -77,7 +77,7 @@ function rcube_identity_form($attrib) 'signature' => array( 'name' => rcube_label('signature'), 'content' => array( - 'signature' => array('type' => 'textarea', 'size' => $t_cols, 'rows' => $t_rows, + 'signature' => array('type' => 'textarea', 'size' => $t_cols, 'rows' => $t_rows, 'spellcheck' => true), 'html_signature' => array('type' => 'checkbox', 'label' => rcube_label('htmlsignature'), 'onclick' => 'return rcmail_toggle_editor(this, \'rcmfd_signature\');'), @@ -138,6 +138,7 @@ function rcube_identity_form($attrib) $label = !empty($colprop['label']) ? $colprop['label'] : rcube_label(str_replace('-', '', $col)); + $value = !empty($colprop['value']) ? $colprop['value'] : rcmail_get_edit_field($col, $IDENTITY_RECORD[$col], $colprop, $colprop['type']); diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 34d8be268..d3b132f8b 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc 
@@ -76,6 +76,15 @@ foreach ($email_checks as $email) { } } +// XSS protection in HTML signature (#1489251) +if (!empty($save_data['signature']) && !empty($save_data['html_signature'])) { + $save_data['signature'] = rcmail_wash_html($save_data['signature']); + + // clear POST data of signature, we want to use safe content + // when the form is displayed again + unset($_POST['_signature']); +} + // update an existing contact if ($_POST['_iid']) { $iid = get_input_value('_iid', RCUBE_INPUT_POST); @@ -167,3 +176,40 @@ if (!empty($_REQUEST['_framed'])) { } else rcmail_overwrite_action('identities'); + + +/** + * Sanity checks/cleanups on HTML body of signature + */ +function rcmail_wash_html($html) +{ + // Add header with charset spec., washtml cannot work without that + $html = '' + . '' + . '' . $html . ''; + + // clean HTML with washhtml by Frederic Motte + $wash_opts = array( + 'show_washed' => false, + 'allow_remote' => 1, + 'charset' => RCMAIL_CHARSET, + 'html_elements' => array('body', 'link'), + 'html_attribs' => array('rel', 'type'), + ); + + // initialize HTML washer + $washer = new rcube_washtml($wash_opts); + + //$washer->add_callback('form', 'rcmail_washtml_callback'); + //$washer->add_callback('style', 'rcmail_washtml_callback'); + + // Remove non-UTF8 characters (#1487813) + $html = rc_utf8_clean($html); + + $html = $washer->wash($html); + + // remove unwanted comments and tags (produced by washtml) + $html = preg_replace(array('//', '/<\/?body>/'), '', $html); + + return $html; +} -- cgit v1.2.3 From 17f11330f8effc12f6aeef1c46dec86bd1c2b492 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 7 Aug 2013 13:48:07 +0200 Subject: Fix wrong handling of links with '|' character (#1489276) Conflicts: CHANGELOG tests/Framework/StringReplacer.php --- CHANGELOG | 1 + program/lib/Roundcube/rcube_string_replacer.php | 2 +- tests/Framework/StringReplacer.php | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) (limited to 'program') 
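Review bot: In the `@@ -76,6 +76,15 @@` hunk of save_identity.inc, washing is gated on `!empty($save_data['html_signature'])`, so a signature submitted with the HTML flag off is stored unwashed. That is only safe if every place that renders a signature escapes it when the flag is off, which is not visible in this file. A comment above the `if` would record the assumption, e.g. `// plain-text signatures are stored as-is and must be HTML-escaped on output`.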
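Review bot: In the `@@ -167,3 +176,40 @@` hunk, the new one-argument `rcmail_wash_html($html)` shares its name with the three-argument `rcmail_wash_html($body, array('safe' => 1), $cid_map)` that compose.inc calls earlier in this series. If both definitions are ever loaded in the same request, PHP stops with a redeclaration error, and a reader cannot tell which washer a call site gets. A distinct name such as `rcmail_wash_signature_html` (also changed at the call in the first hunk) would avoid that. The options also set `'allow_remote' => 1` and appear to add `link` with `rel`/`type` to what the washer keeps, which looks wider than a signature needs; a comment explaining why, or dropping them, would tighten the filter. The two commented-out `add_callback` lines should be deleted or explained.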
diff --git a/CHANGELOG b/CHANGELOG index d9adf9e7d..a169faba7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix wrong handling of links with '|' character (#1489276) - Fix colorspace issue on image conversion using ImageMagick (#1489270) - Fix XSS vulnerability when saving HTML signatures (#1489251) - Fix XSS vulnerability when editing a message "as new" or draft (#1489251) diff --git a/program/lib/Roundcube/rcube_string_replacer.php b/program/lib/Roundcube/rcube_string_replacer.php index acdc4e317..bd26f8e7d 100644 --- a/program/lib/Roundcube/rcube_string_replacer.php +++ b/program/lib/Roundcube/rcube_string_replacer.php @@ -36,7 +36,7 @@ class rcube_string_replacer // Support unicode/punycode in top-level domain part $utf_domain = '[^?&@"\'\\/()<>\s\r\t\n]+\\.?([^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f]{2,}|xn--[a-zA-Z0-9]{2,})'; $url1 = '.:;,'; - $url2 = 'a-zA-Z0-9%=#$@+?!&\\/_~\\[\\]\\(\\){}\*-'; + $url2 = 'a-zA-Z0-9%=#$@+?|!&\\/_~\\[\\]\\(\\){}\*-'; $this->link_pattern = "/([\w]+:\/\/|\W[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)($utf_domain([$url1]*[$url2]+)*)/"; $this->mailto_pattern = "/(" diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php index f2643f838..5008e3f84 100644 --- a/tests/Framework/StringReplacer.php +++ b/tests/Framework/StringReplacer.php @@ -41,6 +41,7 @@ class Framework_StringReplacer extends PHPUnit_Framework_TestCase array('http://', 'http://'), array('1@1.com www.domain.tld', '1@1.com www.domain.tld'), array(' www.domain.tld ', ' www.domain.tld '), + array(' www.domain.tld/#!download|856p1|2 ', ' www.domain.tld/#!download|856p1|2 '), ); } -- cgit v1.2.3 From 216fdb891a6840269ed0a68fb6194f787af9c2bb Mon Sep 17 00:00:00 2001 
From: Aleksander Machniak Date: Wed, 7 Aug 2013 14:24:00 +0200 Subject: Fix base URL resolving on attribute values with no quotes (#1489275) --- CHANGELOG | 1 + program/lib/Roundcube/rcube_base_replacer.php | 4 ++-- tests/Framework/BaseReplacer.php | 14 ++++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) (limited to 'program') diff --git a/CHANGELOG b/CHANGELOG index a169faba7..91f550c84 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix base URL resolving on attribute values with no quotes (#1489275) - Fix wrong handling of links with '|' character (#1489276) - Fix colorspace issue on image conversion using ImageMagick (#1489270) - Fix XSS vulnerability when saving HTML signatures (#1489251) diff --git a/program/lib/Roundcube/rcube_base_replacer.php b/program/lib/Roundcube/rcube_base_replacer.php index fcd85c2c8..aaaa2028c 100644 --- a/program/lib/Roundcube/rcube_base_replacer.php +++ b/program/lib/Roundcube/rcube_base_replacer.php @@ -44,8 +44,8 @@ class rcube_base_replacer public function replace($body) { return preg_replace_callback(array( - '/(src|background|href)=(["\']?)([^"\'\s]+)(\2|\s|>)/Ui', - '/(url\s*\()(["\']?)([^"\'\)\s]+)(\2)\)/Ui', + '/(src|background|href)=(["\']?)([^"\'\s>]+)(\2|\s|>)/i', + '/(url\s*\()(["\']?)([^"\'\)\s]+)(\2)\)/i', ), array($this, 'callback'), $body); } diff --git a/tests/Framework/BaseReplacer.php b/tests/Framework/BaseReplacer.php index e00b9e5eb..44a9604ac 100644 --- a/tests/Framework/BaseReplacer.php +++ b/tests/Framework/BaseReplacer.php 
@@ -17,4 +17,18 @@ class Framework_BaseReplacer extends PHPUnit_Framework_TestCase $this->assertInstanceOf('rcube_base_replacer', $object, "Class constructor"); } + + /** + * Test replace() + */ + function test_replace() + { + $base = 'http://thisshouldntbetheurl.bob.com/'; + $html = 'Test URL'; + + $replacer = new rcube_base_replacer($base); + $response = $replacer->replace($html); + + $this->assertSame('Test URL', $response); + } } -- cgit v1.2.3 From f4ba655a41bad1d2f833e36dd3fbe7cb2a5582ee Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Tue, 13 Aug 2013 08:30:14 +0200 Subject: Fix purge action in folder manager (#1489280) Conflicts: CHANGELOG --- CHANGELOG | 1 + program/js/app.js | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'program') diff --git a/CHANGELOG b/CHANGELOG index 91f550c84..a0b47d5fe 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix purge action in folder manager (#1489280) - Fix base URL resolving on attribute values with no quotes (#1489275) - Fix wrong handling of links with '|' character (#1489276) - Fix colorspace issue on image conversion using ImageMagick (#1489270) diff --git a/program/js/app.js b/program/js/app.js index 8e6a6fff3..73612381f 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -388,7 +388,7 @@ function rcube_webmail() } else if (this.env.action == 'edit-folder' && this.gui_objects.editform) { this.enable_command('save', 'folder-size', true); - parent.rcmail.env.messagecount = this.env.messagecount; + parent.rcmail.env.exists = this.env.messagecount; parent.rcmail.enable_command('purge', this.env.messagecount); $("input[type='text']").first().select(); } -- cgit v1.2.3