From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/lib/Roundcube/rcube_string_replacer.php |   35 ++++++++++++++++++++++++++++++-----
 1 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/program/lib/Roundcube/rcube_string_replacer.php b/program/lib/Roundcube/rcube_string_replacer.php
index 0fe982b..bd26f8e 100644
--- a/program/lib/Roundcube/rcube_string_replacer.php
+++ b/program/lib/Roundcube/rcube_string_replacer.php
@@ -34,11 +34,11 @@
     {
         // Simplified domain expression for UTF8 characters handling
         // Support unicode/punycode in top-level domain part
-        $utf_domain = '[^?&@"\'\\/()\s\r\t\n]+\\.?([^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f]{2,}|xn--[a-zA-Z0-9]{2,})';
+        $utf_domain = '[^?&@"\'\\/()<>\s\r\t\n]+\\.?([^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f]{2,}|xn--[a-zA-Z0-9]{2,})';
         $url1       = '.:;,';
-        $url2       = 'a-zA-Z0-9%=#$@+?!&\\/_~\\[\\]{}\*-';
+        $url2       = 'a-zA-Z0-9%=#$@+?|!&\\/_~\\[\\]\\(\\){}\*-';
 
-        $this->link_pattern = "/([\w]+:\/\/|\W[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)($utf_domain([$url1]?[$url2]+)*)/";
+        $this->link_pattern = "/([\w]+:\/\/|\W[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)($utf_domain([$url1]*[$url2]+)*)/";
         $this->mailto_pattern = "/("
             ."[-\w!\#\$%&\'*+~\/^`|{}=]+(?:\.[-\w!\#\$%&\'*+~\/^`|{}=]+)*"  // local-part
             ."@$utf_domain"                                                 // domain-part
@@ -89,7 +89,7 @@
 
         if ($url) {
             $suffix = $this->parse_url_brackets($url);
-            $i = $this->add($prefix . html::a(array(
+            $i = $this->add(html::a(array(
                 'href'   => $url_prefix . $url,
                 'target' => '_blank'
             ), rcube::Q($url)) . $suffix);
@@ -97,7 +97,7 @@
 
         // Return valid link for recognized schemes, otherwise
         // return the unmodified string for unrecognized schemes.
-        return $i >= 0 ? $this->get_replacement($i) : $matches[0];
+        return $i >= 0 ? $prefix . $this->get_replacement($i) : $matches[0];
     }
 
     /**
@@ -161,6 +161,9 @@
         // "http://example.com/?a[b]=c". However we need to handle
         // properly situation when a bracket is placed at the end
         // of the link e.g. "[http://example.com]"
+        // Yes, this is not perfect handles correctly only paired characters
+        // but it should work for common cases
+
         if (preg_match('/(\\[|\\])/', $url)) {
             $in = false;
             for ($i=0, $len=strlen($url); $i<$len; $i++) {
@@ -182,6 +185,28 @@
             }
         }
 
+        // Do the same for parentheses
+        if (preg_match('/(\\(|\\))/', $url)) {
+            $in = false;
+            for ($i=0, $len=strlen($url); $i<$len; $i++) {
+                if ($url[$i] == '(') {
+                    if ($in)
+                        break;
+                    $in = true;
+                }
+                else if ($url[$i] == ')') {
+                    if (!$in)
+                        break;
+                    $in = false;
+                }
+            }
+
+            if ($i < $len) {
+                $suffix = substr($url, $i);
+                $url    = substr($url, 0, $i);
+            }
+        }
+
         return $suffix;
     }
 }

--
Gitblit v1.9.1