authorAleksander Machniak <alec@alec.pl>2017-01-07 11:59:42 +0300
committerAleksander Machniak <alec@alec.pl>2017-01-07 11:59:42 +0300
commit7340360e798ac984214932d5fcd464f26392fa03 (patch)
tree5c9226001462bc2c66d78b2e87a68793b8d244d8
parentf65f4bbca859aeb1b10a342c2af3d9094427974c (diff)
Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
-rw-r--r--CHANGELOG2
-rw-r--r--program/lib/Roundcube/rcube_utils.php2
-rw-r--r--program/steps/mail/func.inc2
-rw-r--r--tests/Framework/Utils.php4
4 files changed, 8 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index a679ee217..3c2782113 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
CHANGELOG Roundcube Webmail
===========================
+- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
+
RELEASE 1.3-beta
----------------
- Nicely handle contact deletion on contact edit (#5522)
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index d52c62115..d7d7c963e 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -391,7 +391,7 @@ class rcube_utils
// ignore the whole block if evil styles are detected
$source = self::xss_entity_decode($source);
$stripped = preg_replace('/[^a-z\(:;]/i', '', $source);
- $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\(' : '');
+ $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\((?!data:image)' : '');
if (preg_match("/$evilexpr/i", $stripped)) {
return '/* evil! */';
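Review bot: The new `(?!data:image)` lookahead on the `+` line is evaluated against `$stripped`, and the filter two lines above (`/[^a-z\(:;]/i`) has already removed `/`, `+` and digits, so `data:image/png;...` and `data:image/svg+xml;...` both reduce to `data:image...` and the subtype can never be constrained here; any `data:image*` payload now bypasses the remote check regardless of subtype or length. That is probably acceptable for a CSS background (browsers do not execute script in image contexts), but the reasoning should be recorded next to the line, e.g. `// data:image URIs are inline, not remote fetches, so they are allowed even when $allow_remote is false; the subtype is not checked because '/' is already stripped`. The same lookahead is duplicated verbatim in program/steps/mail/func.inc; a single shared pattern constant would keep the two allow-lists from drifting. The enclosing function starts and ends outside this hunk.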
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 2c6a83854..4da5e5796 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1006,7 +1006,7 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)
// now check for evil strings like expression, behavior or url()
if (!preg_match('/expression|behavior|javascript:|import[^a]/i', $stripped)) {
- if (!$washtml->get_config('allow_remote') && stripos($stripped, 'url(')) {
+ if (!$washtml->get_config('allow_remote') && preg_match('/url\((?!data:image)/', $stripped)) {
$washtml->extlinks = true;
}
else {
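Review bot: The replacement `preg_match('/url\((?!data:image)/', $stripped)` has no `i` modifier, whereas the `stripos()` it replaces was case-insensitive, and `$stripped` keeps the original letter case if it is built the same way as in rcube_utils (a character filter with `/i` that removes but never lowercases). A `<style>` block containing `URL(http://tracker.example/p.gif)` therefore no longer sets `$washtml->extlinks` and falls into the `else` branch, which — inferring from the structure visible here — emits the style with the remote reference intact, defeating the remote-content block this check exists for. Use `preg_match('/url\((?!data:image)/i', $stripped)`, consistent with the `/i` on the `expression|behavior` pattern directly above. rcmail_washtml_callback begins and ends outside this hunk.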
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 5f70544d4..ba04e1545 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -214,6 +214,10 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
$mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");
+
+ // allow data URIs with images (#5580)
+ $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
+ $this->assertEquals("#rcmbody { background-image: url(data:image/png;base64,123); }", $mod, "Data URIs in url() allowed");
}
/**
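Review bot: The added assertion only covers the lowercase, allowed case, so nothing in this file pins the behaviour the change must preserve: that a non-data `url()` is still rejected when remote content is disabled, and that the exception is case-insensitive. A regression such as dropping the `/i` from the outer pattern or the lookahead matching the wrong prefix would pass this test as written. Add a negative case, `rcube_utils::mod_css_styles("body { background: url(http://evil.example/t.png); }", 'rcmbody')`, asserting the `/* evil! */` replacement returned in the rcube_utils hunk (assuming that hunk is inside mod_css_styles), plus a `URL(DATA:IMAGE/png;base64,123)` variant that must still be allowed. The `<style>` handling in program/steps/mail/func.inc is not exercised by this test class at all, as far as the diff shows; the enclosing test method begins outside the hunk.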