author | Pierre-Alain Bandinelli <pa@bandinelli.net> | 2022-04-23 16:06:11 +0300 |
---|---|---|
committer | Pierre-Alain Bandinelli <pa@bandinelli.net> | 2022-04-23 16:06:11 +0300 |
commit | ccb381827442e26d8b7ee484540c127d375dce00 (patch) | |
tree | 49294a9f90e1b69e42f7ca4ce4d7005d12e06523 | |
parent | 4d21df86233cedc8e41a1a2639e6eeb1fdf7928d (diff) |
Fixing XSS bug by using what is recommended here https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw
-rwxr-xr-x | VERSION | 2 | ||||
-rw-r--r-- | app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php | 7 | ||||
-rw-r--r-- | appinfo/info.xml | 2 | ||||
-rwxr-xr-x | appinfo/version | 2 |
4 files changed, 8 insertions, 5 deletions
@@ -1 +1 @@
-7.2.3
+7.2.4
diff --git a/app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php b/app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
index 2177627..effcf17 100644
--- a/app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
+++ b/app/rainloop/v/1.16.0/app/libraries/MailSo/Base/HtmlUtils.php
@@ -239,7 +239,9 @@ class HtmlUtils
 $oWrapHtml->setAttribute($sKey, $sValue);
}
- $oWrapDom = $oDom->createElement('div', '___xxx___');
+ #$oWrapDom = $oDom->createElement('div', '___xxx___');
+ $rand_str = base64_encode(random_bytes(32));
++ $oWrapDom = $oDom->createElement('div', $rand_str);
$oWrapDom->setAttribute('data-x-div-type', 'body');
foreach ($aBodylAttrs as $sKey => $sValue)
{
@@ -250,7 +252,8 @@ class HtmlUtils
 $sWrp = $oDom->saveHTML($oWrapHtml);
- $sResult = \str_replace('___xxx___', $sResult, $sWrp);
+ #$sResult = \str_replace('___xxx___', $sResult, $sWrp);
+ $sResult = \str_replace($rand_str, $sResult, $sWrp);
}
$sResult = \str_replace(\MailSo\Base\HtmlUtils::$KOS, ':', $sResult);
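Review bot: The added line rendered as `++ $oWrapDom = $oDom->createElement('div', $rand_str);` looks like the file line itself may start with a stray `+`; if so, PHP parses it as `+($oWrapDom = …)`, which runs without any error and would hide the typo, so confirm the committed line is `$oWrapDom = $oDom->createElement('div', $rand_str);`. The superseded statements are kept as `#` comments in both hunks; delete them instead, and name the token in the file's Hungarian style (`$sPlaceholder`) to match `$sResult` and `$sWrp`. The random token is what closes the reflection path the linked advisory describes: the wrapper receives attributes copied from the message (the `$aBodylAttrs` loop is visible here), and an attacker can no longer place the placeholder in one of them to have `\str_replace` drop the body HTML into an attribute context — but `\str_replace` still rewrites every occurrence, so the protection rests on unpredictability, and a one-line comment such as `// Unpredictable placeholder: the wrapper carries message-supplied attributes, which must not be able to contain it.` would stop a later cleanup from restoring a constant. `random_bytes()` throws when no entropy source is available, so the caller of this path must tolerate an exception rather than a fallback. The enclosing method starts and ends outside both hunks.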
diff --git a/appinfo/info.xml b/appinfo/info.xml
index 840e90c..915e549 100644
--- a/appinfo/info.xml
+++ b/appinfo/info.xml
@@ -4,7 +4,7 @@
 <name>RainLoop</name>
 <summary>RainLoop Webmail</summary>
 <description>Simple, modern and fast web-based email client. After enabling in Nextcloud, go to Nextcloud admin panel, "Additionnal settings" and you will see a "Rainloop webmail" section. There, click on the link to go to the Rainloop admin panel. The default user/password is admin/12345. This version is based on Rainloop 1.16.0 (2021-05).</description>
- <version>7.2.3</version>
+ <version>7.2.4</version>
 <licence>agpl</licence>
 <author>RainLoop Team, Nextgen-Networks, Tab Fitts, Nathan Kinkade, Pierre-Alain Bandinelli</author>
 <namespace>RainLoop</namespace>
diff --git a/appinfo/version b/appinfo/version
index 429dc57..2bbaead 100755
--- a/appinfo/version
+++ b/appinfo/version
@@ -1 +1 @@
-7.2.3
+7.2.4