From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)

---
 program/include/rcmail_output_html.php |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 850075f..d325b11 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -153,6 +153,17 @@
      */
     public function set_skin($skin)
     {
+        // Sanity check to prevent from path traversal vulnerability (#1490620)
+        if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+            rcube::raise_error(array(
+                    'file'    => __FILE__,
+                    'line'    => __LINE__,
+                    'message' => 'Invalid skin name'
+                ), true, false);
+
+            return false;
+        }
+
         $valid = false;
         $path  = RCUBE_INSTALL_PATH . 'skins/';
 
@@ -168,6 +179,8 @@
             $valid = !$skin;
         }
 
+        $skin_path = rtrim($skin_path, '/');
+
         $this->config->set('skin_path', $skin_path);
         $this->base_path = $skin_path;
 

--
Gitblit v1.9.1