From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/lib/Roundcube/rcube_washtml.php | 31 ++++++++++++++++++-------------
1 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index e0cce68..1b39b58a 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -1,6 +1,6 @@
<?php
-/*
+/**
+-----------------------------------------------------------------------+
| This file is part of the Roundcube Webmail client |
| Copyright (C) 2008-2012, The Roundcube Dev Team |
@@ -174,6 +174,9 @@
{
$result = array();
+ // Remove unwanted white-space characters so regular expressions below work better
+ $style = preg_replace('/[\n\r\s\t]+/', ' ', $style);
+
foreach (explode(';', $style) as $declaration) {
if (preg_match('/^\s*([a-z\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) {
$cssid = $match[1];
@@ -310,7 +313,7 @@
$dump = '';
do {
- switch($node->nodeType) {
+ switch ($node->nodeType) {
case XML_ELEMENT_NODE: //Check element
$tagName = strtolower($node->tagName);
if ($callback = $this->handlers[$tagName]) {
@@ -342,14 +345,9 @@
case XML_HTML_DOCUMENT_NODE:
$dump .= $this->dumpHtml($node, $level);
break;
-
- case XML_DOCUMENT_TYPE_NODE:
- break;
-
- default:
- $dump .= '<!-- node type ' . $node->nodeType . ' -->';
}
- } while($node = $node->nextSibling);
+ }
+ while($node = $node->nextSibling);
return $dump;
}
@@ -403,16 +401,23 @@
{
// special replacements (not properly handled by washtml class)
$html_search = array(
- '/(<\/nobr>)(\s+)(<nobr>)/i', // space(s) between <NOBR>
- '/<title[^>]*>[^<]*<\/title>/i', // PHP bug #32547 workaround: remove title tag
- '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/', // byte-order mark (only outlook?)
- '/<html\s[^>]+>/i', // washtml/DOMDocument cannot handle xml namespaces
+ // space(s) between <NOBR>
+ '/(<\/nobr>)(\s+)(<nobr>)/i',
+ // PHP bug #32547 workaround: remove title tag
+ '/<title[^>]*>[^<]*<\/title>/i',
+ // remove <!doctype> before BOM (#1490291)
+ '/<\!doctype[^>]+>[^<]*/im',
+ // byte-order mark (only outlook?)
+ '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/',
+ // washtml/DOMDocument cannot handle xml namespaces
+ '/<html\s[^>]+>/i',
);
$html_replace = array(
'\\1'.' '.'\\3',
'',
'',
+ '',
'<html>',
);
$html = preg_replace($html_search, $html_replace, trim($html));
--
Gitblit v1.9.1