author | Aleksander Machniak <alec@alec.pl> | 2021-02-08 15:47:06 +0300 |
committer | Aleksander Machniak <alec@alec.pl> | 2021-02-08 15:47:06 +0300 |
commit | 9dc276d5f26042db02754fa1bac6fbd683c6d596 (patch) | |
tree | db12686ea98543856dcf79d5a24eb699efdf57e7 | |
parent | 1657ff4729eb8d790d56fdf92f33dc2128633666 (diff) |
Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
Thanks to Mateusz Szymaniec (CERT Polska) for reporting the issue.
-rw-r--r-- | CHANGELOG | 3 | ||||
-rw-r--r-- | program/lib/Roundcube/rcube_utils.php | 2 | ||||
-rw-r--r-- | tests/Framework/Utils.php | 17 |
3 files changed, 20 insertions, 2 deletions
@@ -4,7 +4,8 @@ CHANGELOG Roundcube Webmail
 - Display a nice error informing about no PHP8 support
 - Elastic: Fix compatibility with Less v3 and v4 (#7813)
 - Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
-- Fixed errors in MSSQL database update scripts (#7853)
+- Fix errors in MSSQL database update scripts (#7853)
+- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content
 RELEASE 1.4.10
 --------------
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 80818de2f..d4273526b 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -399,7 +399,7 @@ class rcube_utils
 $styles = preg_replace('/position[^a-z]*:[\s\r\n]*fixed/i', 'position: absolute', $styles);
 // Remove 'page' attributes (#7604)
- $styles = preg_replace('/(^|[\n\s;])page:[^;]+;*/im', '', $styles);
+ $styles = preg_replace('/((^|[\n\s;])page:)[^;]+;*/im', '\\1 unset;', $styles);
 // check every line of a style block...
 if ($allow_remote) {
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 3df90ffd0..e6cf1e5d4 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
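Review bot: The value class in the new pattern, `[^;]+`, still runs past a closing `}` when a `page` declaration has no trailing semicolon, so on this regex alone `body { page: auto } p { color: red; }` becomes `body { page: unset; }` with the following rule swallowed; bounding it as `[^;}]+` keeps the rewrite inside the declaration, and because the replacement always leaves `page: unset;` behind it does not reopen the splicing problem this commit closes (the three new tests still produce the same strings). The comment above the changed line, `// Remove 'page' attributes (#7604)`, is now stale: nothing is removed any more, and the reason for rewriting instead of deleting (deleting text let `< page: ;/style>` collapse into `</style>`, as the new test shows) is exactly what a future maintainer needs in order not to "simplify" it back; suggest `// Neutralise 'page' properties (#7604): rewrite the value instead of deleting it, so the edit cannot splice surrounding text into a new token`. `[\n\s;]` is also redundant since `\s` already matches `\n`; `[\s;]` reads cleaner. mod_css_styles starts and ends outside the hunk.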
@@ -237,6 +237,23 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
 // Allow strict url()
 $mod = rcube_utils::mod_css_styles("body { background-image: url(http://example.com); }", 'rcmbody', true);
 $this->assertContains("#rcmbody { background-image: url(http://example.com);", $mod, "Strict URIs in url() allowed with \$allow_remote=true");
+
+ // XSS issue, HTML in 'content' property
+ $style = "body { content: '</style><img src onerror=\"alert(\'hello\');\">'; color: red; }";
+ $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
+ $this->assertSame("#rcmbody { content: '';\n color: red;\n }", $mod);
+
+ $style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\'hello\');\">'; color: red; }";
+ $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
+ $this->assertSame(
+ "#rcmbody { content: '< page: unset;/style>< page: unset;img src onerror=\"alert('hello');\">'; color: red; }",
+ str_replace("\n", '', $mod)
+ );
+
+ // Removing page: property
+ $style = "body { page: test; color: red; }";
+ $mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
+ $this->assertSame("#rcmbody { page: unset;\n color: red;\n }", $mod);
 }
 /** |
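Review bot: The comment on the last added case, `// Removing page: property`, describes the behaviour this commit replaces; the assertion directly below expects `page: unset;`, so `// page: property is rewritten to 'unset', never removed` would match the code. The two XSS cases pin the exact sanitised string, which is brittle against unrelated whitespace changes in mod_css_styles (the second case already strips newlines to cope); adding a direct negative assertion on the property the fix protects, `$this->assertNotContains('</style>', $mod);`, after each of them would keep the test failing for the right reason even if the formatting drifts, and `assertNotContains` is the counterpart of the `assertContains` this file already uses on strings. The enclosing test method starts outside the hunk.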