From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/include/rcmail_output_html.php | 23 ++++++++++++++++++-----
1 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index d4f9185..d325b11 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -153,6 +153,17 @@
*/
public function set_skin($skin)
{
+ // Sanity check to prevent from path traversal vulnerability (#1490620)
+ if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+ rcube::raise_error(array(
+ 'file' => __FILE__,
+ 'line' => __LINE__,
+ 'message' => 'Invalid skin name'
+ ), true, false);
+
+ return false;
+ }
+
$valid = false;
$path = RCUBE_INSTALL_PATH . 'skins/';
@@ -167,6 +178,8 @@
}
$valid = !$skin;
}
+
+ $skin_path = rtrim($skin_path, '/');
$this->config->set('skin_path', $skin_path);
$this->base_path = $skin_path;
@@ -870,17 +883,17 @@
$attrib['name'] = $this->eval_expression($attrib['expression']);
if ($attrib['name'] || $attrib['command']) {
- // @FIXME: 'noshow' is useless, remove?
- if ($attrib['noshow']) {
- return '';
- }
-
$vars = $attrib + array('product' => $this->config->get('product_name'));
unset($vars['name'], $vars['command']);
$label = $this->app->gettext($attrib + array('vars' => $vars));
$quoting = !empty($attrib['quoting']) ? strtolower($attrib['quoting']) : (rcube_utils::get_boolean((string)$attrib['html']) ? 'no' : '');
+ // 'noshow' can be used in skins to define new labels
+ if ($attrib['noshow']) {
+ return '';
+ }
+
switch ($quoting) {
case 'no':
case 'raw':
--
Gitblit v1.9.1