From 6ec4658f7230424245a6441fc910108866be26ab Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Thu, 03 Feb 2011 16:21:26 -0500
Subject: [PATCH] Adapt test for modcss replacements

---
 CHANGELOG          |    1 +
 tests/mailfunc.php |    5 ++---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 6bade2a..b9d68b7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Security: prevent from relaying malicious requests through modcss.inc
 - Fix handling of non-image attachments in multipart/related messages (#1487750)
 - Fix IDNA support when IDN/INTL modules are in use (#1487742)
 - Fix handling of invalid HTML comments in messages (#1487759)
diff --git a/tests/mailfunc.php b/tests/mailfunc.php
index cc26f77..dc25f0c 100644
--- a/tests/mailfunc.php
+++ b/tests/mailfunc.php
@@ -66,9 +66,8 @@
     $this->assertPattern('/<style [^>]+>/', $html2, "Allow styles in safe mode");
     $this->assertPattern('#src="http://evilsite.net/mailings/ex3.jpg"#', $html2, "Allow external images in HTML (safe mode)");
     $this->assertPattern("#url\('?http://evilsite.net/newsletter/image/bg/bg-64.jpg'?\)#", $html2, "Allow external images in CSS (safe mode)");
-    
-    $css = '<link rel="stylesheet" type="text/css" href="?_task=utils&amp;_action=modcss&amp;u='.urlencode('http://anysite.net/styles/mail.css').'&amp;c=foo"';
-    $this->assertPattern('#'.preg_quote($css).'#', $html2, "Filter external styleseehts with bin/modcss.php");
+    $css = '<link rel="stylesheet" .+_u=tmp-[a-z0-9]+\.css.+_action=modcss';
+    $this->assertPattern('#'.$css.'#Ui', $html2, "Filter (anonymized) external styleseehts with utils/modcss.inc");
   }
 
   /**

--
Gitblit v1.9.1