From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/lib/Roundcube/rcube_message.php | 130 ++++++++++++++++++++++---------------------
1 files changed, 67 insertions(+), 63 deletions(-)
diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php
index 797ca18..6268228 100644
--- a/program/lib/Roundcube/rcube_message.php
+++ b/program/lib/Roundcube/rcube_message.php
@@ -168,10 +168,11 @@
* @param resource $fp File pointer to save the message part
* @param boolean $skip_charset_conv Disables charset conversion
* @param int $max_bytes Only read this number of bytes
+ * @param boolean $formatted Enables formatting of text/* parts bodies
*
* @return string Part content
*/
- public function get_part_content($mime_id, $fp = null, $skip_charset_conv = false, $max_bytes = 0)
+ public function get_part_content($mime_id, $fp = null, $skip_charset_conv = false, $max_bytes = 0, $formatted = true)
{
if ($part = $this->mime_parts[$mime_id]) {
// stored in message structure (winmail/inline-uuencode)
@@ -185,15 +186,14 @@
// get from IMAP
$this->storage->set_folder($this->folder);
- return $this->storage->get_message_part($this->uid, $mime_id, $part, NULL, $fp, $skip_charset_conv, $max_bytes);
+ return $this->storage->get_message_part($this->uid, $mime_id, $part,
+ NULL, $fp, $skip_charset_conv, $max_bytes, $formatted);
}
}
/**
* Determine if the message contains a HTML part. This must to be
- * a real part not an attachment (or its part)
- * This must to be
* a real part not an attachment (or its part)
*
* @param bool $enriched Enables checking for text/enriched parts too
@@ -211,15 +211,19 @@
}
$level = explode('.', $part->mime_id);
+ $depth = count($level);
- // Check if the part belongs to higher-level's alternative/related
+ // Check if the part belongs to higher-level's multipart part
+ // this can be alternative/related/signed/encrypted or mixed
while (array_pop($level) !== null) {
- if (!count($level)) {
+ $parent_depth = count($level);
+ if (!$parent_depth) {
return true;
}
$parent = $this->mime_parts[join('.', $level)];
- if ($parent->mimetype != 'multipart/alternative' && $parent->mimetype != 'multipart/related') {
+ if (!preg_match('/^multipart\/(alternative|related|signed|encrypted|mixed)$/', $parent->mimetype)
+ || ($parent->mimetype == 'multipart/mixed' && $parent_depth < $depth - 1)) {
continue 2;
}
}
@@ -433,17 +437,24 @@
continue;
}
+ // We've encountered (malformed) messages with more than
+ // one text/plain or text/html part here. There's no way to choose
+ // which one is better, so we'll display first of them and add
+ // others as attachments (#1489358)
+
// check if sub part is
if ($is_multipart)
$related_part = $p;
- else if ($sub_mimetype == 'text/plain')
+ else if ($sub_mimetype == 'text/plain' && !$plain_part)
$plain_part = $p;
- else if ($sub_mimetype == 'text/html')
+ else if ($sub_mimetype == 'text/html' && !$html_part)
$html_part = $p;
- else if ($sub_mimetype == 'text/enriched')
+ else if ($sub_mimetype == 'text/enriched' && !$enriched_part)
$enriched_part = $p;
- else
- $attach_part = $p;
+ else {
+ // add unsupported/unrecognized parts to attachments list
+ $this->attachments[] = $sub_part;
+ }
}
// parse related part (alternative part could be in here)
@@ -484,11 +495,6 @@
$this->parts[] = $c;
}
-
- // add unsupported/unrecognized parts to attachments list
- if ($attach_part) {
- $this->attachments[] = $structure->parts[$attach_part];
- }
}
// this is an ecrypted message -> create a plaintext body with the according message
else if ($mimetype == 'multipart/encrypted') {
@@ -519,23 +525,16 @@
$mail_part = &$structure->parts[$i];
$primary_type = $mail_part->ctype_primary;
$secondary_type = $mail_part->ctype_secondary;
+ $part_mimetype = $mail_part->mimetype;
- // real content-type of message/rfc822
- if ($mail_part->real_mimetype) {
- $part_orig_mimetype = $mail_part->mimetype;
- $part_mimetype = $mail_part->real_mimetype;
- list($primary_type, $secondary_type) = explode('/', $part_mimetype);
- }
- else
- $part_mimetype = $mail_part->mimetype;
-
- // multipart/alternative
- if ($primary_type == 'multipart') {
+ // multipart/alternative or message/rfc822
+ if ($primary_type == 'multipart' || $part_mimetype == 'message/rfc822') {
$this->parse_structure($mail_part, true);
// list message/rfc822 as attachment as well (mostly .eml)
- if ($part_orig_mimetype == 'message/rfc822' && !empty($mail_part->filename))
+ if ($primary_type == 'message' && !empty($mail_part->filename)) {
$this->attachments[] = $mail_part;
+ }
}
// part text/[plain|html] or delivery status
else if ((($part_mimetype == 'text/plain' || $part_mimetype == 'text/html') && $mail_part->disposition != 'attachment') ||
@@ -546,8 +545,9 @@
array('object' => $this, 'structure' => $mail_part,
'mimetype' => $part_mimetype, 'recursive' => true));
- if ($plugin['abort'])
+ if ($plugin['abort']) {
continue;
+ }
if ($part_mimetype == 'text/html' && $mail_part->size) {
$got_html_part = true;
@@ -569,14 +569,6 @@
if (!empty($mail_part->filename)) {
$this->attachments[] = $mail_part;
}
- }
- // part message/*
- else if ($primary_type == 'message') {
- $this->parse_structure($mail_part, true);
-
- // list as attachment as well (mostly .eml)
- if (!empty($mail_part->filename))
- $this->attachments[] = $mail_part;
}
// ignore "virtual" protocol parts
else if ($primary_type == 'protocol') {
@@ -601,21 +593,14 @@
// part belongs to a related message and is linked
if (preg_match('/^multipart\/(related|relative)/', $mimetype)
- && ($mail_part->headers['content-id'] || $mail_part->headers['content-location'])) {
+ && ($mail_part->headers['content-id'] || $mail_part->headers['content-location'])
+ ) {
if ($mail_part->headers['content-id'])
$mail_part->content_id = preg_replace(array('/^</', '/>$/'), '', $mail_part->headers['content-id']);
if ($mail_part->headers['content-location'])
$mail_part->content_location = $mail_part->headers['content-base'] . $mail_part->headers['content-location'];
$this->inline_parts[] = $mail_part;
- }
- // attachment encapsulated within message/rfc822 part needs further decoding (#1486743)
- else if ($part_orig_mimetype == 'message/rfc822') {
- $this->parse_structure($mail_part, true);
-
- // list as attachment as well (mostly .eml)
- if (!empty($mail_part->filename))
- $this->attachments[] = $mail_part;
}
// regular attachment with valid content type
// (content-type name regexp according to RFC4288.4.2)
@@ -632,9 +617,13 @@
$this->attachments[] = $mail_part;
}
}
- // attachment part as message/rfc822 (#1488026)
- else if ($mail_part->mimetype == 'message/rfc822') {
- $this->parse_structure($mail_part);
+ // calendar part not marked as attachment (#1490325)
+ else if ($part_mimetype == 'text/calendar') {
+ if (!$mail_part->filename) {
+ $mail_part->filename = 'calendar.ics';
+ }
+
+ $this->attachments[] = $mail_part;
}
}
@@ -758,28 +747,43 @@
}
$parts = array();
- // FIXME: line length is max.65?
- $uu_regexp = '/begin [0-7]{3,4} ([^\n]+)\n/s';
+
+ // uuencode regexp
+ $uu_regexp = '/^(begin [0-7]{3,4} ([^\n]+)\n)(([\x21-\x60]{0,65}\n){0,2})([\x21-\x60]{0,65}|`\nend)\s*\n/sm';
if (preg_match_all($uu_regexp, $part->body, $matches, PREG_SET_ORDER)) {
- // update message content-type
- $part->ctype_primary = 'multipart';
- $part->ctype_secondary = 'mixed';
- $part->mimetype = $part->ctype_primary . '/' . $part->ctype_secondary;
$uu_endstring = "`\nend\n";
// add attachments to the structure
foreach ($matches as $pid => $att) {
- $startpos = strpos($part->body, $att[1]) + strlen($att[1]) + 1; // "\n"
- $endpos = strpos($part->body, $uu_endstring);
+ // make sure we're looking at a uuencoded file, and not a false positive
+ $uu_lines = explode("\n", $att[3]);
+ foreach ($uu_lines as $uu_line) {
+ if ( strlen($uu_line) == 0 ) {
+ continue;
+ }
+ $line_len = (ord(substr($uu_line, 0, 1)) - 32) & 0x3F;
+ $max_code_len = floor( ($line_len+2)/3 ) * 4;
+ $min_code_len = ceil( $line_len/3 * 4);
+ if ( strlen($uu_line)-1 < $min_code_len
+ or strlen($uu_line)-1 > $max_code_len )
+ {
+ // illegal uuencode, break out of 'foreach $matches' loop
+ break 2;
+ }
+ }
+
+ $startpos = strpos($part->body, $att[0]) + strlen($att[1]);
+ $endpos = strpos($part->body, $uu_endstring);
$filebody = substr($part->body, $startpos, $endpos-$startpos);
// remove attachments bodies from the message body
- $part->body = substr_replace($part->body, "", $startpos, $endpos+strlen($uu_endstring)-$startpos);
-
+ $uu_startpos = $startpos - strlen($att[1]);
+ $part->body = substr_replace($part->body, "", $uu_startpos, $endpos+strlen($uu_endstring)-$uu_startpos);
+
$uupart = new rcube_message_part;
- $uupart->filename = trim($att[1]);
+ $uupart->filename = trim($att[2]);
$uupart->encoding = 'stream';
$uupart->body = convert_uudecode($filebody);
$uupart->size = strlen($uupart->body);
@@ -793,8 +797,8 @@
unset($matches[$pid]);
}
- // remove attachments bodies from the message body
- $part->body = preg_replace($uu_regexp, '', $part->body);
+ // mark body as modified so it will not be cached by rcube_imap_cache
+ $part->body_modified = true;
}
return $parts;
--
Gitblit v1.9.1