
github.com/roundcube/roundcubemail.git - Unnamed repository; edit this file 'description' to name the repository.
authorAleksander Machniak <alec@alec.pl>2019-08-27 14:50:09 +0300
committerAleksander Machniak <alec@alec.pl>2019-08-27 14:50:09 +0300
commit7bf868767e1662329c317e4d0aa3ca3ff99cff21 (patch)
treea05e7ca124bb376f9a77149b4c0181d096a60b16 /tests
parent14cb21c87e5d9a5221e487d149a2cf4320e424e6 (diff)
Fix security issue where it was possible to bypass the position:fixed CSS check in received messages (#6898)
Diffstat (limited to 'tests')
-rw-r--r--tests/Framework/Utils.php10
1 files changed, 8 insertions, 2 deletions
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 03a4bd169..941c882fe 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -215,13 +215,19 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
// position: fixed (#5264)
$mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
-
$mod = rcube_utils::mod_css_styles(".test { position:\nfixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (1)");
-
$mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");
+ // position: fixed (#6898)
+ $mod = rcube_utils::mod_css_styles(".test { position : fixed; top: 0; }", 'rcmbody');
+ $this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (3)");
+ $mod = rcube_utils::mod_css_styles(".test { position/**/: fixed; top: 0; }", 'rcmbody');
+ $this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (4)");
+ $mod = rcube_utils::mod_css_styles(".test { position\n: fixed; top: 0; }", 'rcmbody');
+ $this->assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "Replace position:fixed with position:absolute (5)");
+
// allow data URIs with images (#5580)
$mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
$this->assertContains("#rcmbody { background-image: url(data:image/png;base64,123);", $mod, "Data URIs in url() allowed [1]");
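Review bot: The three new cases (3)–(5) each place a single separator (space, comment or newline) before the colon and a plain space after it, so no test covers a separator on both sides of the colon at once, and none uses a non-lowercase spelling of the property or value. Since CSS keywords are case-insensitive and the earlier cases (1)–(2) already show that the right-hand side matters, I would add at least one combined case, e.g. `$mod = rcube_utils::mod_css_styles(".test { position/**/:\nfixed; top: 0; }", 'rcmbody');` followed by the same `assertEquals("#rcmbody .test { position: absolute; top: 0; }", $mod, "... (6)")`, and one mixed-case variant. The expected output there is inferred from the existing assertions, because this page is limited to `tests` and the change to `mod_css_styles` itself is not visible. The enclosing test method starts and ends outside the hunk.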