Roundcubemail devel
parent: 119cd17a | patch | commit | ignore whitespace
alecpl
2009-06-05 c5ee036866791ad1c5ab8281f25179169df9e042 
- fix rcmail_temp_gc() + small code cleanups


2 files modified
21 ■■■■■ changed files
program/include/main.inc 19 ●●●●● patch | view | raw | blame | history
program/steps/mail/func.inc 2 ●●● patch | view | raw | blame | history 
 program/include/main.inc


@@ -128,7 +128,9 @@


 */


function rcmail_temp_gc()


  {


  $tmp = unslashify($CONFIG['temp_dir']);


  $rcmail = rcmail::get_instance();




  $tmp = unslashify($rcmail->config->get('temp_dir'));


  $expire = mktime() - 172800;  // expire in 48 hours




  if ($dir = opendir($tmp))


@@ -564,7 +566,10 @@


    else if (isset($_COOKIE[$fname]))


      $value = $_COOKIE[$fname];


    }


  




  if (empty($value))


    return $value;




  // strip single quotes if magic_quotes_sybase is enabled


  if (ini_get('magic_quotes_sybase'))


    $value = str_replace("''", "'", $value);


@@ -723,7 +728,7 @@


  $replacements = new rcube_string_replacer;


  


  // ignore the whole block if evil styles are detected


  $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entitiy_decode($source));


  $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entity_decode($source));


  if (preg_match('/expression|behavior|url\(|import/', $stripped))


    return '/* evil! */';




@@ -764,22 +769,22 @@


 * @param string CSS content to decode


 * @return string Decoded string


 */


function rcmail_xss_entitiy_decode($content)


function rcmail_xss_entity_decode($content)


{


  $out = html_entity_decode(html_entity_decode($content));


  $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', 'rcmail_xss_entitiy_decode_callback', $out);


  $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', 'rcmail_xss_entity_decode_callback', $out);


  $out = preg_replace('#/\*.*\*/#Um', '', $out);


  return $out;


}






/**


 * preg_replace_callback callback for rcmail_xss_entitiy_decode_callback


 * preg_replace_callback callback for rcmail_xss_entity_decode_callback


 *


 * @param array matches result from preg_replace_callback


 * @return string decoded entity


 */ 


function rcmail_xss_entitiy_decode_callback($matches)


function rcmail_xss_entity_decode_callback($matches)




  return chr(hexdec($matches[1]));


}




 program/steps/mail/func.inc


@@ -861,7 +861,7 @@


      


    case 'style':


      // decode all escaped entities and reduce to ascii strings


      $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entitiy_decode($content));


      $stripped = preg_replace('/[^a-zA-Z\(:]/', '', rcmail_xss_entity_decode($content));


      


      // now check for evil strings like expression, behavior or url()


      if (!preg_match('/expression|behavior|url\(|import/', $stripped)) {