From 21b523c29b2d022f27c5c730d3afd394aff5cd0f Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Dec 2015 06:45:46 -0500 Subject: [PATCH] Fix path traversal vulnerability in setting a skin (#1490620) --- CHANGELOG | 1 + program/include/rcmail_output_html.php | 11 +++++++++++ 2 files changed, 12 insertions(+), 0 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 81302d4..0891399 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -6,6 +6,7 @@ - Fix charset encoding of message/rfc822 part bodies (#1490606) - Fix handling of message/rfc822 attachments on replies and forwards (#1490607) - Fix PDF support detection in Firefox > 19 (#1490610) +- Fix path traversal vulnerability in setting a skin (#1490620) RELEASE 1.0.7 ------------- diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php index 7a0992f..d325b11 100644 --- a/program/include/rcmail_output_html.php +++ b/program/include/rcmail_output_html.php @@ -153,6 +153,17 @@ */ public function set_skin($skin) { + // Sanity check to prevent from path traversal vulnerability (#1490620) + if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) { + rcube::raise_error(array( + 'file' => __FILE__, + 'line' => __LINE__, + 'message' => 'Invalid skin name' + ), true, false); + + return false; + } + $valid = false; $path = RCUBE_INSTALL_PATH . 'skins/'; -- Gitblit v1.9.1