From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/include/rcmail_output_html.php | 137 +++++++++++++++++++++++++++++++--------------
1 files changed, 93 insertions(+), 44 deletions(-)
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 39f79d1..d325b11 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -5,7 +5,7 @@
| program/include/rcmail_output_html.php |
| |
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2006-2012, The Roundcube Dev Team |
+ | Copyright (C) 2006-2013, The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
@@ -45,6 +45,7 @@
protected $footer = '';
protected $body = '';
protected $base_path = '';
+ protected $devel_mode = false;
// deprecated names of templates used before 0.5
protected $deprecated_templates = array(
@@ -64,6 +65,8 @@
{
parent::__construct();
+ $this->devel_mode = $this->config->get('devel_mode');
+
//$this->framed = $framed;
$this->set_env('task', $task);
$this->set_env('x_frame_options', $this->config->get('x_frame_options', 'sameorigin'));
@@ -80,9 +83,9 @@
$this->set_env('skin', $skin);
if (!empty($_REQUEST['_extwin']))
- $this->set_env('extwin', 1);
+ $this->set_env('extwin', 1);
if ($this->framed || !empty($_REQUEST['_framed']))
- $this->set_env('framed', 1);
+ $this->set_env('framed', 1);
// add common javascripts
$this->add_script('var '.self::JS_OBJECT_NAME.' = new rcube_webmail();', 'head_top');
@@ -116,6 +119,7 @@
public function set_env($name, $value, $addtojs = true)
{
$this->env[$name] = $value;
+
if ($addtojs || isset($this->js_env[$name])) {
$this->js_env[$name] = $value;
}
@@ -149,6 +153,17 @@
*/
public function set_skin($skin)
{
+ // Sanity check to prevent from path traversal vulnerability (#1490620)
+ if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+ rcube::raise_error(array(
+ 'file' => __FILE__,
+ 'line' => __LINE__,
+ 'message' => 'Invalid skin name'
+ ), true, false);
+
+ return false;
+ }
+
$valid = false;
$path = RCUBE_INSTALL_PATH . 'skins/';
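Review bot: The separator check added at the top of set_skin() rejects `/` and `\` but still accepts `..`, `.`, an empty string and NUL bytes, so a skin name of `..` is concatenated to `skins/` and resolves to the install root unless the directory validation further down (outside this hunk) rejects it. Since the rest of set_skin() is not visible here I cannot confirm that later code catches these, so I would tighten the guard itself: `if ($skin === '' || in_array($skin, array('.', '..'), true) || strpbrk($skin, "/\\\0") !== false) {`. The comment on the check should also say what is rejected, e.g. `// Reject path separators, dot entries, empty and NUL-containing names (#1490620)`. Note that raise_error() is called with terminate=false, so callers must act on the `false` return for the rejection to have effect.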
@@ -163,6 +178,8 @@
}
$valid = !$skin;
}
+
+ $skin_path = rtrim($skin_path, '/');
$this->config->set('skin_path', $skin_path);
$this->base_path = $skin_path;
@@ -310,12 +327,14 @@
*/
public function reset($all = false)
{
+ $framed = $this->framed;
$env = $all ? null : array_intersect_key($this->env, array('extwin'=>1, 'framed'=>1));
parent::reset();
// let some env variables survive
$this->env = $this->js_env = $env;
+ $this->framed = $framed || $this->env['framed'];
$this->js_labels = array();
$this->js_commands = array();
$this->script_files = array();
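Review bot: `$this->framed = $framed || $this->env['framed'];` reads an array offset that is often absent: when `$all` is true `$env` is `null`, and when it is false the `framed` key is only present if it had been set, so both paths can raise an undefined-offset notice. Use `$this->framed = $framed || !empty($this->env['framed']);` instead. It is also worth a comment that `$framed` is deliberately preserved even on a full reset, since that is not what "reset all" suggests; if that is unintended, the restore should move inside the `!$all` branch.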
@@ -323,6 +342,11 @@
$this->header = '';
$this->footer = '';
$this->body = '';
+
+ // load defaults
+ if (!$all) {
+ $this->__construct();
+ }
}
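Review bot: Re-running `$this->__construct()` from reset() with no arguments depends on the constructor's parameters having defaults, which this patch does not show; the constructor body (earlier hunk) does `$this->set_env('task', $task)`, so an argument-less call would overwrite the `task` env entry with whatever `$task` defaults to. If the intent is only to reload skin/env defaults, a comment should say so and the call should pass the current task, e.g. `$this->__construct($this->env['task']);`, or the default-loading part of the constructor should be extracted into a helper that both call. The constructor signature is outside the visible hunks, so treat this as a point to confirm.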
/**
@@ -651,13 +675,34 @@
}
// add file modification timestamp
- if (preg_match('/\.(js|css)$/', $file)) {
- if ($fs = @filemtime($file)) {
- $file .= '?s=' . $fs;
- }
+ if (preg_match('/\.(js|css)$/', $file, $m)) {
+ $file = $this->file_mod($file);
}
return $matches[1] . '=' . $matches[2] . $file . $matches[4];
+ }
+
+ /**
+ * Modify file by adding mtime indicator
+ */
+ protected function file_mod($file)
+ {
+ $fs = false;
+ $ext = substr($file, strrpos($file, '.') + 1);
+
+ // use minified file if exists (not in development mode)
+ if (!$this->devel_mode && !preg_match('/\.min\.' . $ext . '$/', $file)) {
+ $minified_file = substr($file, 0, strlen($ext) * -1) . 'min.' . $ext;
+ if ($fs = @filemtime($minified_file)) {
+ return $minified_file . '?s=' . $fs;
+ }
+ }
+
+ if ($fs = @filemtime($file)) {
+ $file .= '?s=' . $fs;
+ }
+
+ return $file;
}
/**
@@ -838,16 +883,16 @@
$attrib['name'] = $this->eval_expression($attrib['expression']);
if ($attrib['name'] || $attrib['command']) {
- // @FIXME: 'noshow' is useless, remove?
- if ($attrib['noshow']) {
- return '';
- }
-
$vars = $attrib + array('product' => $this->config->get('product_name'));
unset($vars['name'], $vars['command']);
$label = $this->app->gettext($attrib + array('vars' => $vars));
$quoting = !empty($attrib['quoting']) ? strtolower($attrib['quoting']) : (rcube_utils::get_boolean((string)$attrib['html']) ? 'no' : '');
+
+ // 'noshow' can be used in skins to define new labels
+ if ($attrib['noshow']) {
+ return '';
+ }
switch ($quoting) {
case 'no':
@@ -925,16 +970,18 @@
else if ($object == 'logo') {
$attrib += array('alt' => $this->xml_command(array('', 'object', 'name="productname"')));
- if (is_array($this->config->get('skin_logo'))) {
- if (isset($attrib['type']) && array_key_exists($attrib['type'], $this->config->get('skin_logo'))) {
- $attrib['src'] = $this->config->get('skin_logo')[$attrib['type']];
- }
- elseif (array_key_exists('default', $this->config->get('skin_logo'))) {
- $attrib['src'] = $this->config->get('skin_logo')['default'];
- }
- }
- elseif ($logo = $this->config->get('skin_logo')) {
- $attrib['src'] = $logo;
+ if ($logo = $this->config->get('skin_logo')) {
+ if (is_array($logo)) {
+ if ($template_logo = $logo[$this->template_name]) {
+ $attrib['src'] = $template_logo;
+ }
+ elseif ($template_logo = $logo['*']) {
+ $attrib['src'] = $template_logo;
+ }
+ }
+ else {
+ $attrib['src'] = $logo;
+ }
}
$content = html::img($attrib);
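Review bot: `$logo[$this->template_name]` and `$logo['*']` are read without an existence check, so any template that has no dedicated logo entry triggers an undefined-index notice before the fallback is tried; guard them with `isset($logo[$this->template_name])` and `isset($logo['*'])`. This hunk also silently changes the `skin_logo` array schema from `type`/`default` keys to template-name/`*` keys, which is unrelated to the XSS fix in the subject and will break existing configs; it deserves a mention in the commit message and a comment above the block, e.g. `// skin_logo may be a string or an array keyed by template name, with '*' as fallback`. The enclosing function starts outside this hunk.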
@@ -962,7 +1009,7 @@
$content = html::quote($this->get_pagetitle());
}
else if ($object == 'pagetitle') {
- if ($this->config->get('devel_mode') && !empty($_SESSION['username']))
+ if ($this->devel_mode && !empty($_SESSION['username']))
$title = $_SESSION['username'].' :: ';
else if ($prod_name = $this->config->get('product_name'))
$title = $prod_name . ' :: ';
@@ -1053,7 +1100,7 @@
// these commands can be called directly via url
$a_static_commands = array('compose', 'list', 'preferences', 'folders', 'identities');
- if (!($attrib['command'] || $attrib['name'])) {
+ if (!($attrib['command'] || $attrib['name'] || $attrib['href'])) {
return '';
}
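Review bot: With `$attrib['href']` added to the condition, a button whose template attributes carry only an `href` is now rendered, so that value flows straight from the template into the anchor built later in this function (outside this hunk). Nothing visible in this patch filters the URL scheme of `href`, despite the subject describing an href XSS fix, so please confirm that `html::attrib_string()` rejects `javascript:`/`data:` values or add that check where `$link_attrib` is applied. A short comment here would help, e.g. `// allow pure link buttons; href is validated by html::attrib_string()` once that is confirmed. The enclosing method starts and ends outside the hunk.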
@@ -1163,7 +1210,7 @@
}
else if ($attrib['type'] == 'link') {
$btn_content = isset($attrib['content']) ? $attrib['content'] : ($attrib['label'] ? $attrib['label'] : $attrib['command']);
- $link_attrib = array('href', 'onclick', 'title', 'id', 'class', 'style', 'tabindex', 'target');
+ $link_attrib = array_merge(html::$common_attrib, array('href', 'onclick', 'tabindex', 'target'));
if ($attrib['innerclass'])
$btn_content = html::span($attrib['innerclass'], $btn_content);
}
@@ -1182,7 +1229,7 @@
// generate html code for button
if ($btn_content) {
- $attrib_str = html::attrib_string($attrib, $link_attrib);
+ $attrib_str = html::attrib_string($attrib, array_merge($link_attrib, array('data-*')));
$out = sprintf('<a%s>%s</a>', $attrib_str, $btn_content);
}
@@ -1201,26 +1248,17 @@
*/
public function include_script($file, $position='head')
{
- static $sa_files = array();
-
if (!preg_match('|^https?://|i', $file) && $file[0] != '/') {
- $file = $this->scripts_path . $file;
- if ($fs = @filemtime($file)) {
- $file .= '?s=' . $fs;
- }
+ $file = $this->file_mod($this->scripts_path . $file);
}
-
- if (in_array($file, $sa_files)) {
- return;
- }
-
- $sa_files[] = $file;
if (!is_array($this->script_files[$position])) {
$this->script_files[$position] = array();
}
- $this->script_files[$position][] = $file;
+ if (!in_array($file, $this->script_files[$position])) {
+ $this->script_files[$position][] = $file;
+ }
}
/**
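Review bot: Moving the duplicate check from the static `$sa_files` to `$this->script_files[$position]` makes deduplication per position, so a script included once in `head` and once in `foot` is now emitted twice where the old code dropped the second one. If cross-position deduplication is still wanted, check all positions: `foreach ($this->script_files as $files) { if (in_array($file, $files, true)) { return; } }` before appending. Dropping the static is otherwise the right move, since it let scripts survive reset(); a comment such as `// dedupe per instance so reset() clears the list` would record that intent. `$file[0]` on an empty `$file` still raises a notice, so consider `substr($file, 0, 1)` or an early return for empty input.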
@@ -1278,7 +1316,12 @@
*/
public function _write($templ = '', $base_path = '')
{
- $output = empty($templ) ? $this->default_template : trim($templ);
+ $output = trim($templ);
+
+ if (empty($output)) {
+ $output = $this->default_template;
+ $is_empty = true;
+ }
// set default page title
if (empty($this->pagetitle)) {
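Review bot: `$is_empty` is only assigned inside the `if (empty($output))` branch, so for a non-empty template the later `!$is_empty` test (next hunk) reads an undefined variable and relies on `null` being falsy, raising a notice. Initialise it explicitly, `$is_empty = false;`, before the `if`. A one-line comment on the flag would also help, e.g. `// $is_empty: default template in use, so no <head> exists to receive CSS links`. `_write()` continues outside this hunk.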
@@ -1369,8 +1412,8 @@
}
// add css files in head, before scripts, for speed up with parallel downloads
- if (!empty($this->css_files) &&
- (($pos = stripos($output, '<script ')) || ($pos = stripos($output, '</head>')))
+ if (!empty($this->css_files) && !$is_empty
+ && (($pos = stripos($output, '<script ')) || ($pos = stripos($output, '</head>')))
) {
$css = '';
foreach ($this->css_files as $file) {
@@ -1599,6 +1642,12 @@
$out .= $input_host->show();
}
+ if (rcube_utils::get_boolean($attrib['submit'])) {
+ $submit = new html_inputfield(array('type' => 'submit', 'id' => 'rcmloginsubmit',
+ 'class' => 'button mainaction', 'value' => $this->app->gettext('login')));
+ $out .= html::p('formbuttons', $submit->show());
+ }
+
// surround html output with a form tag
if (empty($attrib['form'])) {
$out = $this->form_tag(array('name' => $form_name, 'method' => 'post'), $out);
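Review bot: `rcube_utils::get_boolean($attrib['submit'])` is evaluated for every login form, but `submit` is an optional template attribute, so skins that do not set it will hit an undefined-index notice; write the condition as `if (!empty($attrib['submit']) && rcube_utils::get_boolean($attrib['submit'])) {`. The hard-coded `rcmloginsubmit` id and `button mainaction` class are contracts with skins and should be noted in the method's docblock as the attributes the generated submit button carries. The enclosing method starts outside this hunk.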
@@ -1661,9 +1710,9 @@
// add form tag around text field
if (empty($attrib['form'])) {
$out = $this->form_tag(array(
- 'name' => "rcmqsearchform",
+ 'name' => "rcmqsearchform",
'onsubmit' => self::JS_OBJECT_NAME . ".command('search'); return false",
- 'style' => "display:inline"),
+ 'style' => "display:inline"),
$out);
}
--
Gitblit v1.9.1