Changeset 2324 in subversion


Timestamp:
Mar 2, 2009 12:34:18 PM (4 years ago)
Author:
thomasb
Message:

Revert r2322; this is done in rcmail_html4inline() and now secured + fix tests

Location:
trunk/roundcubemail
Files:
4 edited

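--- a/trunk/roundcubemail/program/include/rcmail.php
+++ b/trunk/roundcubemail/program/include/rcmail.php
@@ -48,5 +48,5 @@
    * This implements the 'singleton' design pattern
    * 
-   * @return object qvert The one and only instance
+   * @return object rcmail The one and only instance
    */
   static function get_instance()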
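--- a/trunk/roundcubemail/program/steps/mail/func.inc
+++ b/trunk/roundcubemail/program/steps/mail/func.inc
@@ -22,5 +22,5 @@
 require_once('include/rcube_smtp.inc');
 
-$EMAIL_ADDRESS_PATTERN = '/([a-z0-9][a-z0-9\-\.\+\_]*@[a-z0-9]([a-z0-9\-][.]?)*[a-z0-9]\\.[a-z]{2,5})/i';
+$EMAIL_ADDRESS_PATTERN = '([a-z0-9][a-z0-9\-\.\+\_]*@[a-z0-9]([a-z0-9\-][.]?)*[a-z0-9]\\.[a-z]{2,5})';
 
 // actions that do not require imap connection
@@ -708,5 +708,4 @@
     
   $washer = new washtml($wash_opts);
-  $washer->add_callback('a', 'rcmail_washtml_callback');
   $washer->add_callback('form', 'rcmail_washtml_callback');
 
@@ -819,9 +818,4 @@
     case 'form':
       $out = html::div('form', $content);
-      break;
-      
-    case 'a':
-      if ($attrib) $attrib .= ' target="_blank"';
-      $out = '<a'.$attrib.'>' . $content . '</a>';
       break;
       
@@ -1041,5 +1035,7 @@
 
   // modify HTML links to open a new window if clicked
-  $body = preg_replace('/<(a|link)\s+([^>]+)>/Uie', "rcmail_alter_html_link('\\1','\\2', '$container_id');", $body);
+  $GLOBALS['rcmail_html_container_id'] = $container_id;
+  $body = preg_replace_callback('/<(a|link)\s+([^>]+)>/Ui', 'rcmail_alter_html_link', $body);
+  unset($GLOBALS['rcmail_html_container_id']);
 
   // add comments arround html and other tags
@@ -1069,18 +1065,22 @@
  * parse link attributes and set correct target
  */
-function rcmail_alter_html_link($tag, $attrs, $container_id)
+function rcmail_alter_html_link($matches)
 {
-  $attrib = parse_attrib_string($attrs);
+  global $EMAIL_ADDRESS_PATTERN;
+  
+  $tag = $matches[1];
+  $attrib = parse_attrib_string($matches[2]);
   $end = '>';
 
   if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) {
-    $attrib['href'] = "./bin/modcss.php?u=" . urlencode($attrib['href']) . "&amp;c=" . urlencode($container_id);
+    $attrib['href'] = "./bin/modcss.php?u=" . urlencode($attrib['href']) . "&amp;c=" . urlencode($GLOBALS['rcmail_html_container_id']);
     $end = ' />';
   }
-  else if (stristr((string)$attrib['href'], 'mailto:')) {
+  else if (preg_match("/^mailto:$EMAIL_ADDRESS_PATTERN/i", $attrib['href'], $mailto)) {
+    $attrib['href'] = $mailto[0];
     $attrib['onclick'] = sprintf(
       "return %s.command('compose','%s',this)",
       JS_OBJECT_NAME,
-      JQ(substr($attrib['href'], 7)));
+      JQ($mailto[1]));
   }
   else if (!empty($attrib['href']) && $attrib['href'][0] != '#') {
@@ -1113,5 +1113,5 @@
       $out .= sprintf('%s &lt;%s&gt;', Q($part['name']), $part['mailto']);
     }
-    else if (preg_match($EMAIL_ADDRESS_PATTERN, $part['mailto'])) {
+    else if (preg_match("/$EMAIL_ADDRESS_PATTERN/i", $part['mailto'])) {
       if ($linked) {
         $out .= html::a(array(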
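Review bot: The callback introduced at new line 1067 depends on `global $EMAIL_ADDRESS_PATTERN`, which is only populated when func.inc is included from global scope; the accompanying test change has to copy the variable into `$GLOBALS` by hand after its require_once, which shows how fragile that dependency is. Defining the pattern as a constant at new line 24, `define('EMAIL_ADDRESS_PATTERN', '([a-z0-9][a-z0-9\-\.\+\_]*@[a-z0-9]([a-z0-9\-][.]?)*[a-z0-9]\\.[a-z]{2,5})');`, and reading the constant both here and at new line 1115 would remove the scope dependency entirely. On new line 1079 `$attrib['href']` is passed to preg_match without an isset guard, so an anchor that carries no href (a name-only `<a>`) now raises a notice where the replaced line cast to string first; `$href = isset($attrib['href']) ? (string)$attrib['href'] : '';` ahead of the if/else chain, used in both the link and mailto branches, keeps the old tolerance. The `$GLOBALS['rcmail_html_container_id']` hand-off at new lines 1037-1039 works for a single call but is not re-entrant and ties the callback to its caller's cleanup, so a static or class property would be the cleaner channel; that is a style point rather than a defect. rcmail_alter_html_link continues past the end of this hunk.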
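--- a/trunk/roundcubemail/tests/mailfunc.php
+++ b/trunk/roundcubemail/tests/mailfunc.php
@@ -20,4 +20,6 @@
     
     require_once 'steps/mail/func.inc';
+    
+    $GLOBALS['EMAIL_ADDRESS_PATTERN'] = $EMAIL_ADDRESS_PATTERN;
   }
 
@@ -44,5 +46,5 @@
     
     // render HTML in normal mode
-    $html = rcmail_print_body($part, array('safe' => false));
+    $html = rcmail_html4inline(rcmail_print_body($part, array('safe' => false)), 'foo');
 
     $this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image");
@@ -72,8 +74,11 @@
     $part = $this->get_html_part('src/htmlxss.txt');
     $washed = rcmail_print_body($part, array('safe' => true));
-  
+    
     $this->assertNoPattern('/src="skins/', $washed, "Remove local references");
-    $this->assertNoPattern('/\son[a-z]+/', $wahsed, "Remove on* attributes");
-    $this->assertNoPattern('/alert/', $wahsed, "Remove alerts");
+    $this->assertNoPattern('/\son[a-z]+/', $washed, "Remove on* attributes");
+    
+    $html = rcmail_html4inline($washed, 'foo');
+    $this->assertNoPattern('/onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"/', $html, "Clean mailto links");
+    $this->assertNoPattern('/alert/', $html, "Remove alerts");
   }
 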
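Review bot: The regex in the new assertion at line 81 leaves its parentheses unescaped, so `command(\'compose\',\'xss@somehost.net\',this)` is parsed as a capture group and the pattern can only match text that has no brackets at all; assertNoPattern therefore passes no matter what rcmail_html4inline emits, and the "Clean mailto links" check is vacuous. Build the pattern with preg_quote, `'/' . preg_quote('onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"', '/') . '/'`, so it matches the literal attribute. Once it can match, the intent deserves a second look: given the fixture added in this changeset, a shortened, escaped mailto onclick is the expected clean output, so a positive assertPattern for it alongside the `/alert/` assertNoPattern on $html at line 82 would express the check better than asserting the clean form is absent; this is inferred from the fixture, so confirm against the real output. The test method begins before this hunk.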
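--- a/trunk/roundcubemail/tests/src/htmlxss.txt
+++ b/trunk/roundcubemail/tests/src/htmlxss.txt
@@ -4,5 +4,5 @@
 <p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p>
 
-<p><a href="javascript:alert(document.cookie)">mail me!</a>
+<p><a href="mailto:xss@somehost.net') && alert(document.cookie) || ignore('">mail me!</a>
 <a href="http://roundcube.net" target="_self">roundcube.net</a>
 <a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a>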
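Review bot: The fixture change at line 6 replaces the `javascript:` href case instead of adding to it, so the XSS fixture no longer contains an anchor with a javascript: scheme and that path is no longer exercised by the accompanying test. Keeping the old line next to the new mailto line preserves that coverage at no cost, since the `/alert/` assertNoPattern in tests/mailfunc.php already covers both. This file is a fixture, so what is actually enforced is decided by the assertions in the test, not by the fixture content itself.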