From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/include/rcmail_output_html.php | 81 ++++++++++++++++++++++++++++++----------
1 files changed, 61 insertions(+), 20 deletions(-)
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 6db826e..d325b11 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -5,7 +5,7 @@
| program/include/rcmail_output_html.php |
| |
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2006-2012, The Roundcube Dev Team |
+ | Copyright (C) 2006-2013, The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
@@ -45,6 +45,7 @@
protected $footer = '';
protected $body = '';
protected $base_path = '';
+ protected $devel_mode = false;
// deprecated names of templates used before 0.5
protected $deprecated_templates = array(
@@ -64,6 +65,8 @@
{
parent::__construct();
+ $this->devel_mode = $this->config->get('devel_mode');
+
//$this->framed = $framed;
$this->set_env('task', $task);
$this->set_env('x_frame_options', $this->config->get('x_frame_options', 'sameorigin'));
@@ -80,9 +83,9 @@
$this->set_env('skin', $skin);
if (!empty($_REQUEST['_extwin']))
- $this->set_env('extwin', 1);
+ $this->set_env('extwin', 1);
if ($this->framed || !empty($_REQUEST['_framed']))
- $this->set_env('framed', 1);
+ $this->set_env('framed', 1);
// add common javascripts
$this->add_script('var '.self::JS_OBJECT_NAME.' = new rcube_webmail();', 'head_top');
@@ -116,6 +119,7 @@
public function set_env($name, $value, $addtojs = true)
{
$this->env[$name] = $value;
+
if ($addtojs || isset($this->js_env[$name])) {
$this->js_env[$name] = $value;
}
@@ -149,6 +153,17 @@
*/
public function set_skin($skin)
{
+ // Sanity check to prevent from path traversal vulnerability (#1490620)
+ if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+ rcube::raise_error(array(
+ 'file' => __FILE__,
+ 'line' => __LINE__,
+ 'message' => 'Invalid skin name'
+ ), true, false);
+
+ return false;
+ }
+
$valid = false;
$path = RCUBE_INSTALL_PATH . 'skins/';
@@ -163,6 +178,8 @@
}
$valid = !$skin;
}
+
+ $skin_path = rtrim($skin_path, '/');
$this->config->set('skin_path', $skin_path);
$this->base_path = $skin_path;
@@ -658,13 +675,34 @@
}
// add file modification timestamp
- if (preg_match('/\.(js|css)$/', $file)) {
- if ($fs = @filemtime($file)) {
- $file .= '?s=' . $fs;
- }
+ if (preg_match('/\.(js|css)$/', $file, $m)) {
+ $file = $this->file_mod($file);
}
return $matches[1] . '=' . $matches[2] . $file . $matches[4];
+ }
+
+ /**
+ * Modify file by adding mtime indicator
+ */
+ protected function file_mod($file)
+ {
+ $fs = false;
+ $ext = substr($file, strrpos($file, '.') + 1);
+
+ // use minified file if exists (not in development mode)
+ if (!$this->devel_mode && !preg_match('/\.min\.' . $ext . '$/', $file)) {
+ $minified_file = substr($file, 0, strlen($ext) * -1) . 'min.' . $ext;
+ if ($fs = @filemtime($minified_file)) {
+ return $minified_file . '?s=' . $fs;
+ }
+ }
+
+ if ($fs = @filemtime($file)) {
+ $file .= '?s=' . $fs;
+ }
+
+ return $file;
}
/**
@@ -845,16 +883,16 @@
$attrib['name'] = $this->eval_expression($attrib['expression']);
if ($attrib['name'] || $attrib['command']) {
- // @FIXME: 'noshow' is useless, remove?
- if ($attrib['noshow']) {
- return '';
- }
-
$vars = $attrib + array('product' => $this->config->get('product_name'));
unset($vars['name'], $vars['command']);
$label = $this->app->gettext($attrib + array('vars' => $vars));
$quoting = !empty($attrib['quoting']) ? strtolower($attrib['quoting']) : (rcube_utils::get_boolean((string)$attrib['html']) ? 'no' : '');
+
+ // 'noshow' can be used in skins to define new labels
+ if ($attrib['noshow']) {
+ return '';
+ }
switch ($quoting) {
case 'no':
@@ -971,7 +1009,7 @@
$content = html::quote($this->get_pagetitle());
}
else if ($object == 'pagetitle') {
- if ($this->config->get('devel_mode') && !empty($_SESSION['username']))
+ if ($this->devel_mode && !empty($_SESSION['username']))
$title = $_SESSION['username'].' :: ';
else if ($prod_name = $this->config->get('product_name'))
$title = $prod_name . ' :: ';
@@ -1191,7 +1229,7 @@
// generate html code for button
if ($btn_content) {
- $attrib_str = html::attrib_string($attrib, $link_attrib);
+ $attrib_str = html::attrib_string($attrib, array_merge($link_attrib, array('data-*')));
$out = sprintf('<a%s>%s</a>', $attrib_str, $btn_content);
}
@@ -1211,10 +1249,7 @@
public function include_script($file, $position='head')
{
if (!preg_match('|^https?://|i', $file) && $file[0] != '/') {
- $file = $this->scripts_path . $file;
- if ($fs = @filemtime($file)) {
- $file .= '?s=' . $fs;
- }
+ $file = $this->file_mod($this->scripts_path . $file);
}
if (!is_array($this->script_files[$position])) {
@@ -1607,6 +1642,12 @@
$out .= $input_host->show();
}
+ if (rcube_utils::get_boolean($attrib['submit'])) {
+ $submit = new html_inputfield(array('type' => 'submit', 'id' => 'rcmloginsubmit',
+ 'class' => 'button mainaction', 'value' => $this->app->gettext('login')));
+ $out .= html::p('formbuttons', $submit->show());
+ }
+
// surround html output with a form tag
if (empty($attrib['form'])) {
$out = $this->form_tag(array('name' => $form_name, 'method' => 'post'), $out);
@@ -1669,9 +1710,9 @@
// add form tag around text field
if (empty($attrib['form'])) {
$out = $this->form_tag(array(
- 'name' => "rcmqsearchform",
+ 'name' => "rcmqsearchform",
'onsubmit' => self::JS_OBJECT_NAME . ".command('search'); return false",
- 'style' => "display:inline"),
+ 'style' => "display:inline"),
$out);
}
--
Gitblit v1.9.1