From 89a5dcb946fb34d39617b52572d8e9fe90d10617 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Dec 2015 06:42:17 -0500 Subject: [PATCH] Fix path traversal vulnerability in setting a skin (#1490620) --- CHANGELOG | 1 + program/include/rcmail_output_html.php | 11 +++++++++++ 2 files changed, 12 insertions(+), 0 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 4211c80..f3eb32e 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -17,6 +17,7 @@ - Fix regression in displaying contents of message/rfc822 parts (#1490606) - Fix handling of message/rfc822 attachments on replies and forwards (#1490607) - Fix PDF support detection in Firefox > 19 (#1490610) +- Fix path traversal vulnerability in setting a skin (#1490620) RELEASE 1.1.3 ------------- diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php index 365c403..2374f87 100644 --- a/program/include/rcmail_output_html.php +++ b/program/include/rcmail_output_html.php @@ -225,6 +225,17 @@ */ public function set_skin($skin) { + // Sanity check to prevent from path traversal vulnerability (#1490620) + if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) { + rcube::raise_error(array( + 'file' => __FILE__, + 'line' => __LINE__, + 'message' => 'Invalid skin name' + ), true, false); + + return false; + } + $valid = false; $path = RCUBE_INSTALL_PATH . 'skins/'; -- Gitblit v1.9.1