From 21b523c29b2d022f27c5c730d3afd394aff5cd0f Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Dec 2015 06:45:46 -0500
Subject: [PATCH] Fix path traversal vulnerability in setting a skin (#1490620)

---
 CHANGELOG                              |    1 +
 program/include/rcmail_output_html.php |   11 +++++++++++
 2 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 81302d4..0891399 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@
 - Fix charset encoding of message/rfc822 part bodies (#1490606)
 - Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
 - Fix PDF support detection in Firefox > 19 (#1490610)
+- Fix path traversal vulnerability in setting a skin (#1490620)
 
 RELEASE 1.0.7
 -------------
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 7a0992f..d325b11 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -153,6 +153,17 @@
      */
     public function set_skin($skin)
     {
+        // Sanity check to prevent from path traversal vulnerability (#1490620)
+        if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+            rcube::raise_error(array(
+                    'file'    => __FILE__,
+                    'line'    => __LINE__,
+                    'message' => 'Invalid skin name'
+                ), true, false);
+
+            return false;
+        }
+
         $valid = false;
         $path  = RCUBE_INSTALL_PATH . 'skins/';
 
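Review bot: The new guard in set_skin() is a deny-list of the two separator characters, so a name made only of dots (such as `..`) or one containing a NUL byte still passes and is appended to `RCUBE_INSTALL_PATH . 'skins/'` on the following lines. An allow-list would be tighter: replace the two strpos() tests with `if (!is_string($skin) || !preg_match('/^[a-zA-Z0-9_-]+\z/', $skin)) {`. If skin directory names may legitimately contain dots, permit them in the class but reject `.` and `..` explicitly. The function body continues past the hunk, so how `$path . $skin` is validated afterwards is not visible here and should be confirmed. The docblock above the signature is also outside the hunk; it is worth checking that it documents the new `false` return for an invalid name.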

--
Gitblit v1.9.1