File 0004-Fix-bug-where-some-escape-sequences-in-html-styles-c.patch of Package roundcubemail (Revision 36)
From d9eed3625bf06cd2946b0efb6d88ff9986ba4864 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 5 May 2018 17:12:18 +0200
Subject: [PATCH 4/5] Fix bug where some escape sequences in html styles could bypass security checks

---
 CHANGELOG                               | 3 ++-
 program/lib/Roundcube/rcube_utils.php   | 3 ++-
 program/lib/Roundcube/rcube_washtml.php | 5 ++++-
 tests/Framework/Utils.php               | 8 +++++++-
 tests/MailFunc.php                      | 2 +-
 5 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 729b4b363..21eedff5b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,7 +2,8 @@ CHANGELOG Roundcube Webmail
 ===========================
 
 - Fix PHP Warning: Use of undefined constant IDNA_DEFAULT on systems without php-intl (#6244)
-- Fix bug where some parts of quota information could be ignored (#6280)
+- Fix bug where some parts of quota information could have been ignored (#6280)
+- Fix bug where some escape sequences in html styles could bypass security checks
 
 RELEASE 1.3.6
 -------------
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 77b084a99..03de534f4 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -500,7 +500,8 @@ class rcube_utils
 
         $out = html_entity_decode(html_entity_decode($content));
         $out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out)));
-        $out = preg_replace_callback('/\\\([0-9a-f]{2,4})\s*/i', $callback, $out);
+        $out = preg_replace_callback('/\\\([0-9a-f]{2,6})\s*/i', $callback, $out);
+        $out = preg_replace('/\\\([^0-9a-f])/i', '\\1', $out);
         $out = preg_replace('#/\*.*\*/#Ums', '', $out);
         $out = strip_tags($out);
 
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index ac1af74ef..44173f0b0 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
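Review bot: The new backslash-stripping line runs after the hex-escape pass, so a CSS-escaped backslash such as `\\75` ends up as `u` (the inner `\75` is decoded first, then the leftover `\u` loses its backslash), whereas a CSS tokenizer reads `\\75` as the literal text `\75`. Over-decoding is fail-safe for a check that rejects `url(`/`expression(` (more false positives, never a bypass), but the rcube_washtml hunk in this patch now parses the decoded `$style`, so if the rest of wash_style emits the parsed value, legitimately escaped characters inside a quoted `content:` string would be altered too — worth confirming that is intended. Either way the ordering deserves a comment so it is not "fixed" later, e.g. `// Strip backslashes that do not start a hex escape (e.g. "u\r\l" -> "url"). Deliberately decodes more aggressively than CSS: a false positive is acceptable here, a missed url() is not.` The `{2,6}` bound also merits a note that 1-digit escapes are left alone on purpose, since `\0`–`\f` can only denote U+0000–U+000F and cannot spell a keyword. The enclosing function, including the `$callback` this line relies on, starts and ends outside the hunk.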
@@ -242,8 +242,11 @@ class rcube_washtml
         // Remove unwanted white-space characters so regular expressions below work better
         $style = preg_replace('/[\n\r\s\t]+/', ' ', $style);
 
+        // Decode insecure character sequences
+        $style = rcube_utils::xss_entity_decode($style);
+
         foreach (explode(';', $style) as $declaration) {
-            if (preg_match('/^\s*([a-z\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) {
+            if (preg_match('/^\s*([a-z\\\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) {
                 $cssid = $match[1];
                 $str = $match[2];
                 $value = '';
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index dc28907be..8543fe991 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -203,12 +203,15 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
         $mod = rcube_utils::mod_css_styles("left:exp/* */ression( alert('xss3') )", 'rcmbody');
         $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks");
 
-        $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
+        $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\00006c( javascript:alert('xss') )", 'rcmbody');
         $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
 
         $mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
         $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
 
+        $mod = rcube_utils::mod_css_styles("background: u\\r\\l('/images/img.png')", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (4)");
+
         // position: fixed (#5264)
         $mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
         $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
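Review bot: The widened `[a-z\\\-]+` class now lets a backslash into the property-name capture, but nothing in the hunk says why; after `xss_entity_decode` has run, the only backslashes left are the ones neither regex in the rcube_utils hunk consumed (typically one followed by a single hex digit), and such a declaration is dropped either way — the old regex simply failed to match it, the new one presumably captures a `$cssid` that the property checks further down reject. A one-line comment on the `preg_match` would spare the next reader that analysis, e.g. `// backslash allowed in the name so a leftover escape is captured and rejected by name rather than silently skipped`. The new "Decode insecure character sequences" comment could also state the reason decoding must precede `explode(';', ...)`: an escaped separator or a split keyword (`\3b`, `u\r\l`) must not hide a declaration or a `url(` from the checks below. wash_style's body continues on both sides of the hunk.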
@@ -234,6 +237,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
         $mod = rcube_utils::xss_entity_decode('#foo:after{content:"\003Cimg/src=x onerror=alert(2)>";}');
         $this->assertNotContains('<img', $mod, "Strip (encoded) tags from content property");
 
+        $mod = rcube_utils::xss_entity_decode("background: u\\r\\00006c('/images/img.png')");
+        $this->assertContains("url(", $mod, "Escape sequences resolving");
+
         // #5747
         $mod = rcube_utils::xss_entity_decode('<!-- #foo { content:css; } -->');
         $this->assertContains('#foo', $mod, "Strip HTML comments from content, but not the content");
diff --git a/tests/MailFunc.php b/tests/MailFunc.php
index 69b8a3517..bccdb5f2a 100644
--- a/tests/MailFunc.php
+++ b/tests/MailFunc.php
@@ -215,7 +215,7 @@ class MailFunc extends PHPUnit_Framework_TestCase
 
         $body = rcmail_print_body($html, $this->get_html_part(), array('safe' => false, 'plain' => false));
         $this->assertNotContains('onerror=alert(1)//">test', $body);
-        $this->assertContains('<a style="x: ><img src=x onerror=alert(1)//"', $body);
+        $this->assertContains('<a style="x: >"', $body);
     }
 
     /**
-- 
2.14.3
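Review bot: `assertContains("url(", $mod, ...)` only proves the two escapes were resolved; the full decoded value is determined by the two regexes in the rcube_utils hunk (the rest of the input carries no entities, comments or tags for the other passes to touch), so it can be pinned exactly: `$this->assertEquals("background: url('/images/img.png')", $mod, "Escape sequences resolving");`. An equality check also catches characters dropped or left behind around the escapes — the kind of regression a substring match cannot see.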