From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/lib/Roundcube/rcube_washtml.php | 35 ++++++++++++++++++++---------------
1 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 4bf189e..1b39b58a 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -1,6 +1,6 @@
<?php
-/*
+/**
+-----------------------------------------------------------------------+
| This file is part of the Roundcube Webmail client |
| Copyright (C) 2008-2012, The Roundcube Dev Team |
@@ -174,6 +174,9 @@
{
$result = array();
+ // Remove unwanted white-space characters so regular expressions below work better
+ $style = preg_replace('/[\n\r\s\t]+/', ' ', $style);
+
foreach (explode(';', $style) as $declaration) {
if (preg_match('/^\s*([a-z\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) {
$cssid = $match[1];
@@ -244,8 +247,8 @@
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
}
else if ($key == 'style' && ($style = $this->wash_style($value))) {
- $quot = strpos($style, '"') !== false ? "'" : '"';
- $t .= ' style=' . $quot . $style . $quot;
+ // replace double quotes to prevent syntax error and XSS issues (#1490227)
+ $t .= ' style="' . str_replace('"', '"', $style) . '"';
}
else if ($key == 'background'
|| ($key == 'src' && preg_match('/^(img|source)$/i', $node->tagName))
@@ -310,7 +313,7 @@
$dump = '';
do {
- switch($node->nodeType) {
+ switch ($node->nodeType) {
case XML_ELEMENT_NODE: //Check element
$tagName = strtolower($node->tagName);
if ($callback = $this->handlers[$tagName]) {
@@ -342,14 +345,9 @@
case XML_HTML_DOCUMENT_NODE:
$dump .= $this->dumpHtml($node, $level);
break;
-
- case XML_DOCUMENT_TYPE_NODE:
- break;
-
- default:
- $dump .= '<!-- node type ' . $node->nodeType . ' -->';
}
- } while($node = $node->nextSibling);
+ }
+ while($node = $node->nextSibling);
return $dump;
}
@@ -403,16 +401,23 @@
{
// special replacements (not properly handled by washtml class)
$html_search = array(
- '/(<\/nobr>)(\s+)(<nobr>)/i', // space(s) between <NOBR>
- '/<title[^>]*>[^<]*<\/title>/i', // PHP bug #32547 workaround: remove title tag
- '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/', // byte-order mark (only outlook?)
- '/<html\s[^>]+>/i', // washtml/DOMDocument cannot handle xml namespaces
+ // space(s) between <NOBR>
+ '/(<\/nobr>)(\s+)(<nobr>)/i',
+ // PHP bug #32547 workaround: remove title tag
+ '/<title[^>]*>[^<]*<\/title>/i',
+ // remove <!doctype> before BOM (#1490291)
+ '/<\!doctype[^>]+>[^<]*/im',
+ // byte-order mark (only outlook?)
+ '/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/',
+ // washtml/DOMDocument cannot handle xml namespaces
+ '/<html\s[^>]+>/i',
);
$html_replace = array(
'\\1'.' '.'\\3',
'',
'',
+ '',
'<html>',
);
$html = preg_replace($html_search, $html_replace, trim($html));
--
Gitblit v1.9.1