From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/steps/utils/modcss.inc | 93 ++++++++++++++--------------------------------
1 files changed, 29 insertions(+), 64 deletions(-)
diff --git a/program/steps/utils/modcss.inc b/program/steps/utils/modcss.inc
index 7817795..c8a7cb5 100644
--- a/program/steps/utils/modcss.inc
+++ b/program/steps/utils/modcss.inc
@@ -5,94 +5,59 @@
| program/steps/utils/modcss.inc |
| |
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2007-2010, Roundcube Dev. - Switzerland |
- | Licensed under the GNU GPL |
+ | Copyright (C) 2007-2012, The Roundcube Dev Team |
+ | |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
| |
| PURPOSE: |
| Modify CSS source from a URL |
| |
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
+ | Author: Aleksander Machniak <alec@alec.pl> |
+-----------------------------------------------------------------------+
-
- $Id$
-
*/
-$source = '';
+$url = preg_replace('![^a-z0-9.-]!i', '', $_GET['_u']);
-$url = preg_replace('![^a-z0-9:./\-_?$&=%]!i', '', $_GET['u']);
-if ($url === null) {
+if ($url === null || !($realurl = $_SESSION['modcssurls'][$url])) {
header('HTTP/1.1 403 Forbidden');
- echo $error;
- exit;
+ exit("Unauthorized request");
}
-
-$a_uri = parse_url($url);
-$port = $a_uri['port'] ? $a_uri['port'] : 80;
-$host = $a_uri['host'];
-$path = $a_uri['path'] . ($a_uri['query'] ? '?'.$a_uri['query'] : '');
// don't allow any other connections than http(s)
-if (strtolower(substr($a_uri['scheme'], 0, 4)) != 'http') {
+if (!preg_match('~^(https?)://~i', $realurl, $matches)) {
header('HTTP/1.1 403 Forbidden');
- echo "Invalid URL";
- exit;
+ exit("Invalid URL");
}
-// try to open socket connection
-if (!($fp = fsockopen($host, $port, $errno, $error, 15))) {
- header('HTTP/1.1 500 Internal Server Error');
- echo $error;
- exit;
+if (!ini_get('allow_url_fopen')) {
+ header('HTTP/1.1 403 Forbidden');
+ exit("HTTP connections disabled");
}
-// set timeout for socket
-stream_set_timeout($fp, 30);
+$scheme = strtolower($matches[1]);
+$options = array(
+ $scheme => array(
+ 'method' => 'GET',
+ 'timeout' => 15,
+ )
+);
-// send request
-$out = "GET $path HTTP/1.0\r\n";
-$out .= "Host: $host\r\n";
-$out .= "Connection: Close\r\n\r\n";
-fwrite($fp, $out);
+$context = stream_context_create($options);
+$source = @file_get_contents($realurl, false, $context);
-// read response
-$header = true;
-$headers = array();
-while (!feof($fp)) {
- $line = trim(fgets($fp, 4048));
+// php.net/manual/en/reserved.variables.httpresponseheader.php
+$headers = implode("\n", (array)$http_response_header);
+$ctype = '~Content-Type:\s+text/(css|plain)~i';
- if ($header) {
- if (preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs)
- && intval($regs[1]) != 200) {
- break;
- }
- else if (empty($line)) {
- $header = false;
- }
- else {
- list($key, $value) = explode(': ', $line);
- $headers[strtolower($key)] = $value;
- }
- }
- else {
- $source .= "$line\n";
- }
-}
-fclose($fp);
-
-// check content-type header and mod styles
-$mimetype = strtolower($headers['content-type']);
-if (!empty($source) && in_array($mimetype, array('text/css','text/plain'))) {
+if ($source !== false && preg_match($ctype, $headers)) {
header('Content-Type: text/css');
- echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']));
+ echo rcube_utils::mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['_c']));
exit;
}
-else
- $error = "Invalid response returned by server";
header('HTTP/1.0 404 Not Found');
-echo $error;
-exit;
-
-
+exit("Invalid response returned by server");
--
Gitblit v1.9.1