Roundcubemail devel
parent: 02b6e614 | patch | commit | show whitespace
thomascube
2011-02-03 3e0e9148efdcee5ab39d9712169f4c01cfb4f48f 
Prevent from relaying arbitrary requests through modcss.inc (security issue)

2 files modified
19 ■■■■ changed files
program/steps/mail/func.inc 7 ●●●●● patch | view | raw | blame | history
program/steps/utils/modcss.inc 12 ●●●● patch | view | raw | blame | history 
 program/steps/mail/func.inc


@@ -1194,15 +1194,16 @@


 */


function rcmail_alter_html_link($matches)


{


  global $EMAIL_ADDRESS_PATTERN;


  global $RCMAIL, $EMAIL_ADDRESS_PATTERN;




  $tag = $matches[1];


  $attrib = parse_attrib_string($matches[2]);


  $end = '>';




  if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) {


    $attrib['href'] = "?_task=utils&_action=modcss&u=" . urlencode($attrib['href'])


        . "&c=" . urlencode($GLOBALS['rcmail_html_container_id']);


    $tempurl = 'tmp-' . md5($attrib['href']) . '.css';


    $_SESSION['modcssurls'][$tempurl] = $attrib['href'];


    $attrib['href'] = $RCMAIL->url(array('task' => 'utils', 'action' => 'modcss', 'u' => $tempurl, 'c' => $GLOBALS['rcmail_html_container_id']));


    $end = ' />';


  }


  else if (preg_match('/^mailto:'.$EMAIL_ADDRESS_PATTERN.'(\?[^"\'>]+)?/i', $attrib['href'], $mailto)) {




 program/steps/utils/modcss.inc


@@ -5,7 +5,7 @@


 | program/steps/utils/modcss.inc                                        |


 |                                                                       |


 | This file is part of the Roundcube Webmail client                     |


 | Copyright (C) 2007-2010, The Roundcube Dev Team                       |


 | Copyright (C) 2007-2011, The Roundcube Dev Team                       |


 | Licensed under the GNU GPL                                            |


 |                                                                       |


 | PURPOSE:                                                              |


@@ -21,14 +21,14 @@




$source = '';




$url = preg_replace('![^a-z0-9:./\-_?$&=%]!i', '', $_GET['u']);


if ($url === null) {


$url = preg_replace('![^a-z0-9.-]!i', '', $_GET['_u']);


if ($url === null || !($realurl = $_SESSION['modcssurls'][$url])) {


    header('HTTP/1.1 403 Forbidden');


    echo $error;


    echo "Unauthorized request";


    exit;


}




$a_uri = parse_url($url);


$a_uri = parse_url($realurl);


$port  = $a_uri['port'] ? $a_uri['port'] : 80;


$host  = $a_uri['host'];


$path  = $a_uri['path'] . ($a_uri['query'] ? '?'.$a_uri['query'] : '');


@@ -85,7 +85,7 @@


$mimetype = strtolower($headers['content-type']);


if (!empty($source) && in_array($mimetype, array('text/css','text/plain'))) {


    header('Content-Type: text/css');


    echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']));


    echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['_c']));


    exit;


}


else