Changes of Revision 2
roundcubemail.spec
Changed
@@ -43,7 +43,7 @@ Name: roundcubemail Version: 1.2 -Release: 0.20160115.git%{?dist} +Release: 0.20160119.git%{?dist} Summary: Round Cube Webmail is a browser-based multilingual IMAP client @@ -1585,6 +1585,7 @@ # use dist files as config files %{__install} -pm 644 config/config.inc.php.sample %{buildroot}%{confdir}/config.inc.php %{__install} -pm 644 config/defaults.inc.php %{buildroot}%{confdir}/defaults.inc.php +%{__install} -pm 644 config/mimetypes.inc.php %{buildroot}%{confdir}/mimetypes.inc.php pushd %{buildroot}%{datadir} %{__ln_s} ../../..%{confdir} config @@ -2753,6 +2754,7 @@ %config(noreplace) %{_ap_sysconfdir}/conf.d/%{name}.conf %attr(0640,root,%{httpd_group}) %config(noreplace) %{confdir}/config.inc.php %attr(0640,root,%{httpd_group}) %{confdir}/defaults.inc.php +%attr(0640,root,%{httpd_group}) %{confdir}/mimetypes.inc.php %attr(0770,root,%{httpd_group}) %dir %{logdir} %attr(0770,root,%{httpd_group}) %dir %{tmpdir} %dir %{_localstatedir}/lib/rpm-state/
debian.changelog
Changed
@@ -1,4 +1,4 @@ -roundcubemail (1:1.2~dev20160115-0~kolab1) unstable; urgency=low +roundcubemail (1:1.2~dev20160119-0~kolab1) unstable; urgency=low * fix secure URL regex for debian
roundcubemail-1.2.tar.gz/program/lib/Roundcube/rcube_image.php
Changed
@@ -232,6 +232,10 @@ $height = intval($props'height' * $scale); $new_image = imagecreatetruecolor($width, $height); + if ($new_image === false) { + return false; + } + // Fix transparency of gif/png image if ($props'gd_type' != IMAGETYPE_JPEG) { imagealphablending($new_image, false);
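Review bot: The added `=== false` check only covers imagecreatetruecolor's failure return; `$height = intval(... * $scale)` (and presumably `$width`, computed above the hunk) can truncate to 0 for small scale factors, and GD rejects zero dimensions — returning false on older PHP but throwing a ValueError on PHP 8, which this check would not catch. Consider validating the dimensions before the call, e.g. `if ($width < 1 || $height < 1) { return false; }`. If the source image handle created earlier in this function is still open at this point, it should be released with imagedestroy() before the early return. The enclosing function starts and ends outside the hunk.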
roundcubemail-1.2.tar.gz/program/lib/Roundcube/rcube_washtml.php
Changed
@@ -97,7 +97,20 @@ 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', 'img', 'video', 'source', // form elements - 'button', 'input', 'textarea', 'select', 'option', 'optgroup' + 'button', 'input', 'textarea', 'select', 'option', 'optgroup', + // SVG + 'svg', 'altglyph', 'altglyphdef', 'altglyphitem', 'animate', + 'animatecolor', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', + 'ellipse', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', + 'lineargradient', 'marker', 'mask', 'mpath', 'path', 'pattern', + 'polygon', 'polyline', 'radialgradient', 'rect', 'set', 'stop', 'switch', 'symbol', + 'text', 'textpath', 'tref', 'tspan', 'use', 'view', 'vkern', 'filter', + // SVG Filters + 'feblend', 'fecolormatrix', 'fecomponenttransfer', 'fecomposite', + 'feconvolvematrix', 'fediffuselighting', 'fedisplacementmap', + 'feflood', 'fefunca', 'fefuncb', 'fefuncg', 'fefuncr', 'fegaussianblur', + 'feimage', 'femerge', 'femergenode', 'femorphology', 'feoffset', + 'fespecularlighting', 'fetile', 'feturbulence', ); /* Ignore these HTML tags and their content */ 
@@ -110,13 +123,41 @@ 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir', 'usemap', 'shape', 'media', + 'background', 'src', 'poster', 'href', // attributes of form elements - 'type', 'rows', 'cols', 'disabled', 'readonly', 'checked', 'multiple', 'value' + 'type', 'rows', 'cols', 'disabled', 'readonly', 'checked', 'multiple', 'value', + // SVG + 'accent-height', 'accumulate', 'additive', 'alignment-baseline', 'alphabetic', + 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseprofile', + 'baseline-shift', 'begin', 'bias', 'by', 'clip', 'clip-path', 'clip-rule', + 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', + 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', + 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', + 'fill-rule', 'filter', 'flood-color', 'flood-opacity', 'font-family', 'font-size', + 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'from', + 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', + 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', + 'keysplines', 'keytimes', 'lengthadjust', 'letter-spacing', 'kernelmatrix', + 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', + 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', + 'maskunits', 'max', 'mask', 'mode', 'min', 'numoctaves', 'offset', 'operator', + 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', + 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', + 'points', 'preservealpha', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', + 'repeatdur', 'restart', 'rotate', 'scale', 'seed', 'shape-rendering', 'show', 
'specularconstant', + 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', + 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', + 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', + 'surfacescale', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', + 'text-rendering', 'textlength', 'to', 'u1', 'u2', 'unicode', 'values', 'viewbox', + 'visibility', 'vert-adv-y', 'version', 'vert-origin-x', 'vert-origin-y', 'word-spacing', + 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', + 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan', ); /* Elements which could be empty and be returned in short form (<tag />) */ static $void_elements = array('area', 'base', 'br', 'col', 'command', 'embed', 'hr', - 'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr' + 'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr', ); /* State for linked objects in HTML */ @@ -143,13 +184,15 @@ /* Max nesting level */ private $max_nesting_level; + private $is_xml = false; + /** * Class constructor */ public function __construct($p = array()) { - $this->_html_elements = array_flip((array)$p'html_elements') + array_flip(self::$html_elements) ; + $this->_html_elements = array_flip((array)$p'html_elements') + array_flip(self::$html_elements); $this->_html_attribs = array_flip((array)$p'html_attribs') + array_flip(self::$html_attribs); $this->_ignore_elements = array_flip((array)$p'ignore_elements') + array_flip(self::$ignore_elements); $this->_void_elements = array_flip((array)$p'void_elements') + array_flip(self::$void_elements); 
@@ -186,22 +229,8 @@ foreach ($this->explode_style($str) as $val) { if (preg_match('/^url\(/i', $val)) { if (preg_match('/^url\(\s*\'"?(^\'"\)*)\'"?\s*\)/iu', $val, $match)) { - $url = $match1; - if (($src = $this->config'cid_map'$url) - || ($src = $this->config'cid_map'$this->config'base_url'.$url) - ) { - $value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')'; - } - else if (preg_match('!^(https?:)?//a-z0-9/._+-+$!i', $url, $m)) { - if ($this->config'allow_remote') { - $value .= ' url('.htmlspecialchars($m0, ENT_QUOTES).')'; - } - else { - $this->extlinks = true; - } - } - else if (preg_match('/^data:.+/i', $url)) { // RFC2397 - $value .= ' url('.htmlspecialchars($url, ENT_QUOTES).')'; + if ($url = $this->wash_uri($match1)) { + $value .= ' url(' . htmlspecialchars($url, ENT_QUOTES) . ')'; } } } 
@@ -232,54 +261,137 @@ */ private function wash_attribs($node) { - $t = ''; - $washed = ''; - - foreach ($node->attributes as $key => $plop) { - $key = strtolower($key); - $value = $node->getAttribute($key); - - if (isset($this->_html_attribs$key) || - ($key == 'href' && ($value = trim($value)) - && !preg_match('!^(javascript|vbscript|data:text)!i', $value) - && preg_match('!^(a-za-z0-9.+-+:|//|#).+!i', $value)) - ) { - $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; - } - else if ($key == 'style' && ($style = $this->wash_style($value))) { + $result = ''; + $washed = array(); + + foreach ($node->attributes as $name => $attr) { + $key = strtolower($name); + $value = $attr->nodeValue; + + if ($key == 'style' && ($style = $this->wash_style($value))) { // replace double quotes to prevent syntax error and XSS issues (#1490227) - $t .= ' style="' . str_replace('"', '"', $style) . '"'; + $result .= ' style="' . str_replace('"', '"', $style) . '"'; } - else if ($key == 'background' - || ($key == 'src' && preg_match('/^(img|source)$/i', $node->tagName)) - || ($key == 'poster' && strtolower($node->tagName) == 'video') - ) { - if (($src = $this->config'cid_map'$value) - || ($src = $this->config'cid_map'$this->config'base_url'.$value) - ) { - $t .= ' ' . $key . '="' . htmlspecialchars($src, ENT_QUOTES) . '"'; + else if (isset($this->_html_attribs$key)) { + $value = trim($value); + $out = null; + + // in SVG to/from attribs may contain anything, including URIs + if ($key == 'to' || $key == 'from') { + $key = strtolower($node->getAttribute('attributeName')); + if ($key && !isset($this->_html_attribs$key)) { + $key = null; + } + } + + if ($this->is_image_attribute($node->tagName, $key)) { + $out = $this->wash_uri($value, true); } - else if (preg_match('/^(http|https|ftp):.+/i', $value)) { - if ($this->config'allow_remote') { - $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . 
'"'; + else if ($this->is_link_attribute($node->tagName, $key)) { + if (!preg_match('!^(javascript|vbscript|data:text)!i', $value) + && preg_match('!^(a-za-z0-9.+-+:|//|#).+!i', $value) + ) { + $out = $value; } - else { - $this->extlinks = true; - if ($this->config'blocked_src') { - $t .= ' ' . $key . '="' . htmlspecialchars($this->config'blocked_src', ENT_QUOTES) . '"'; + } + else if ($this->is_funciri_attribute($node->tagName, $key)) { + if (preg_match('/^a-z:*url\(/i', $val)) { + if (preg_match('/^(a-z:*url)\(\s*\'"?(^\'"\)*)\'"?\s*\)/iu', $value, $match)) { + if ($url = $this->wash_uri($match2)) { + $result .= ' ' . $attr->nodeName . '="' . $match1 . '(' . htmlspecialchars($url, ENT_QUOTES) . ')' + . substr($val, strlen($match0)) . '"'; + continue; + } } + else { + $out = $value; + } + } + else { + $out = $value; } } - else if (preg_match('/^data:.+/i', $value)) { // RFC2397 - $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; + else if ($key) { + $out = $value; + } + + if ($out !== null && $out !== '') {
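Review bot: In the new wash_attribs the funciri branch tests `$val` in its first `preg_match(..., $val)` and again in `substr($val, strlen(...))`, but the loop only binds `$name`, `$attr`, `$key` and `$value` — `$val` is never assigned in this method. The outer preg_match therefore runs on null and always fails, so the branch falls through to `$out = $value` and url() references in fill, filter, clip-path, mask and similar attributes never reach wash_uri, which defeats the purpose of the new branch; both occurrences should read `$value`. The `attributeName` redirect for `to`/`from` looks correct for the cases the test covers, but it would deserve a comment stating that an unknown or empty attributeName leaves `$key` null so the attribute is washed. The body of wash_attribs continues past the end of the hunk, so the handling of `$out` is not visible here.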
roundcubemail-1.2.tar.gz/program/steps/mail/get.inc
Changed
@@ -515,12 +515,20 @@
 */
 function rcmail_svg_filter($body)
 {
- $dom = new DOMDocument;
- $dom->loadXML($body);
-
- foreach ($dom->getElementsByTagName('script') as $node) {
- $node->parentNode->removeChild($node);
- }
-
- return $dom->saveXML() ?: '';
+ // clean SVG with washhtml
+ $wash_opts = array(
+ 'show_washed' => false,
+ 'allow_remote' => false,
+ 'charset' => RCUBE_CHARSET,
+ 'html_elements' => array('title'),
+// 'blocked_src' => 'program/resources/blocked.gif',
+ );
+
+ // initialize HTML washer
+ $washer = new rcube_washtml($wash_opts);
+
+ // allow CSS styles, will be sanitized by rcmail_washtml_callback()
+ $washer->add_callback('style', 'rcmail_washtml_callback');
+
+ return $washer->wash($body);
 }
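Review bot: The commented-out `'blocked_src'` entry in `$wash_opts` is dead configuration that leaves the intent unclear — with `allow_remote => false` and no `blocked_src`, remote references in the SVG are dropped rather than replaced by a placeholder image. Either delete the line or replace it with a comment recording the decision, e.g. `// no blocked_src: remote references are dropped, not substituted with a placeholder`. The `'html_elements' => array('title')` addition would also benefit from a short comment, presumably that SVG <title> is not in the washer's default element list and is harmless to keep.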
roundcubemail-1.2.tar.gz/tests/Framework/Washtml.php
Changed
@@ -213,4 +213,43 @@ $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)"); } + + /** + * Test SVG cleanup + */ + function test_style_wash_svg() + { + $svg = '<?xml version="1.0" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cc="http://creativecommons.org/ns#" viewBox="0 0 100 100"> + <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" onmouseover="alert(1)" /> + <text x="50" y="68" font-size="48" fill="#FFF" text-anchor="middle"><!CDATA410></text> + <script type="text/javascript"> + alert(document.cookie); + </script> + <text x="10" y="25" >An example text</text> + <a xlink:href="http://www.w.pl"><rect width="100%" height="100%" /></a> + <foreignObject xlink:href="data:text/xml,%3Cscript xmlns=\'http://www.w3.org/1999/xhtml\'%3Ealert(1)%3C/script%3E"/> + <set attributeName="onmouseover" to="alert(1)"/> + <animate attributeName="onunload" to="alert(1)"/> + <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" /> +</svg>'; + + $exp = '<svg xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" version="1.1" baseProfile="full" viewBox="0 0 100 100"> + <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" x-washed="onmouseover" /> + <text x="50" y="68" font-size="48" fill="#FFF" text-anchor="middle">410</text> + <!-- script not allowed --> + <text x="10" y="25">An example text</text> + <a xlink:href="http://www.w.pl"><rect width="100%" height="100%" /></a> + <!-- foreignObject ignored --> + <set attributeName="onmouseover" x-washed="to" /> + <animate attributeName="onunload" x-washed="to" /> + <animate 
attributeName="xlink:href" begin="0" x-washed="from" /> +</svg>'; + + $washer = new rcube_washtml; + $washed = $washer->wash($svg); + + $this->assertSame($washed, $exp, "SVG content"); + } }
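Review bot: `$this->assertSame($washed, $exp, "SVG content")` passes actual and expected in reversed order; PHPUnit's signature is assertSame($expected, $actual), so on failure the diff would present the washed output as the expected value. Change it to `$this->assertSame($exp, $washed, "SVG content");`. The name `test_style_wash_svg` also suggests a style-attribute test, whereas the case exercises element and attribute washing of a whole SVG document, so `test_wash_svg` would describe it more accurately.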
roundcubemail.dsc
Changed
@@ -2,7 +2,7 @@
 Source: roundcubemail
 Binary: roundcubemail
 Architecture: all
-Version: 1:1.2~dev20160115-0~kolab1
+Version: 1:1.2~dev20160119-0~kolab1
 Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
 Uploaders: Vincent Bernat <bernat@debian.org>, Romain Beauxis <toots@rastageeks.org>, Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>, Paul Klos <kolab@klos2day.nl>
 Homepage: http://www.roundcube.net/