From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/lib/Roundcube/rcube_washtml.php | 43 ++++++++++++++++++++++++++-----------------
1 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 9842943..1b39b58a 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -18,7 +18,7 @@
+-----------------------------------------------------------------------+
*/
-/**
+/*
* Washtml, a HTML sanityzer.
*
* Copyright (c) 2007 Frederic Motte <fmotte@ubixis.com>
@@ -95,6 +95,7 @@
'ins', 'label', 'legend', 'li', 'map', 'menu', 'nobr', 'ol', 'p', 'pre', 'q',
's', 'samp', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table',
'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', 'img',
+ 'video', 'source',
// form elements
'button', 'input', 'textarea', 'select', 'option', 'optgroup'
);
@@ -173,6 +174,9 @@
{
$result = array();
+ // Remove unwanted white-space characters so regular expressions below work better
+ $style = preg_replace('/[\n\r\s\t]+/', ' ', $style);
+
foreach (explode(';', $style) as $declaration) {
if (preg_match('/^\s*([a-z\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) {
$cssid = $match[1];
@@ -243,10 +247,13 @@
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
}
else if ($key == 'style' && ($style = $this->wash_style($value))) {
- $quot = strpos($style, '"') !== false ? "'" : '"';
- $t .= ' style=' . $quot . $style . $quot;
+ // replace double quotes to prevent syntax error and XSS issues (#1490227)
+ $t .= ' style="' . str_replace('"', '"', $style) . '"';
}
- else if ($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
+ else if ($key == 'background'
+ || ($key == 'src' && preg_match('/^(img|source)$/i', $node->tagName))
+ || ($key == 'poster' && strtolower($node->tagName) == 'video')
+ ) {
if (($src = $this->config['cid_map'][$value])
|| ($src = $this->config['cid_map'][$this->config['base_url'].$value])
) {
@@ -306,7 +313,7 @@
$dump = '';
do {
- switch($node->nodeType) {
+ switch ($node->nodeType) {
case XML_ELEMENT_NODE: //Check element
$tagName = strtolower($node->tagName);
if ($callback = $this->handlers[$tagName]) {
@@ -338,14 +345,9 @@
case XML_HTML_DOCUMENT_NODE:
$dump .= $this->dumpHtml($node, $level);
break;
-
- case XML_DOCUMENT_TYPE_NODE:
- break;
-
- default:
- $dump .= '<!-- node type ' . $node->nodeType . ' -->';
}
- } while($node = $node->nextSibling);
+ }
+ while($node = $node->nextSibling);
return $dump;
}
@@ -374,7 +376,7 @@
$this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level');
// Use optimizations if supported
- if (version_compare(PHP_VERSION, '5.4.0', '>=')) {
+ if (PHP_VERSION_ID >= 50400) {
@$node->loadHTML($html, LIBXML_PARSEHUGE | LIBXML_COMPACT);
}
else {
@@ -399,16 +401,23 @@
{
// special replacements (not properly handled by washtml class)
$html_search = array(
- '/(<\/nobr>)(\s+)(<nobr>)/i', // space(s) between <NOBR>
- '/<title[^>]*>[^<]*<\/title>/i', // PHP bug #32547 workaround: remove title tag
- '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/', // byte-order mark (only outlook?)
- '/<html\s[^>]+>/i', // washtml/DOMDocument cannot handle xml namespaces
+ // space(s) between <NOBR>
+ '/(<\/nobr>)(\s+)(<nobr>)/i',
+ // PHP bug #32547 workaround: remove title tag
+ '/<title[^>]*>[^<]*<\/title>/i',
+ // remove <!doctype> before BOM (#1490291)
+ '/<\!doctype[^>]+>[^<]*/im',
+ // byte-order mark (only outlook?)
+ '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/',
+ // washtml/DOMDocument cannot handle xml namespaces
+ '/<html\s[^>]+>/i',
);
$html_replace = array(
'\\1'.' '.'\\3',
'',
'',
+ '',
'<html>',
);
$html = preg_replace($html_search, $html_replace, trim($html));
--
Gitblit v1.9.1