Changeset ce5a649 in github


Ignore:
Timestamp:
Aug 4, 2013 6:41:30 AM (13 months ago)
Author:
Aleksander Machniak <alec@…>
Children:
17239fa5
Parents:
b825f86
Message:

Fix XSS vulnerability when saving HTML signatures (#1489251)

Files:
3 edited

Legend:

Unmodified
Added
Removed
  • CHANGELOG

    rb825f86 rce5a649  
    22=========================== 
    33 
     4- Fix XSS vulnerability when saving HTML signatures (#1489251) 
    45- Move identity selection based on non-standard headers into (new) identity_select plugin (#1488553) 
    56- Fix colorspace issue on image conversion using ImageMagick (#1489270) 
  • program/steps/settings/edit_identity.inc

    r48ef133 rce5a649  
    7878      'name' => rcube_label('signature'), 
    7979      'content' => array( 
    80         'signature'          => array('type' => 'textarea', 'size' => $t_cols, 'rows' => $t_rows, 
     80        'signature'      => array('type' => 'textarea', 'size' => $t_cols, 'rows' => $t_rows, 
    8181            'spellcheck' => true), 
    8282        'html_signature' => array('type' => 'checkbox', 'label' => rcube_label('htmlsignature'), 
     
    139139        $label = !empty($colprop['label']) ? $colprop['label'] : 
    140140            rcube_label(str_replace('-', '', $col)); 
     141 
    141142        $value = !empty($colprop['value']) ? $colprop['value'] : 
    142143            rcmail_get_edit_field($col, $IDENTITY_RECORD[$col], $colprop, $colprop['type']); 
  • program/steps/settings/save_identity.inc

    r876d31d rce5a649  
    7777} 
    7878 
     79// XSS protection in HTML signature (#1489251) 
     80if (!empty($save_data['signature']) && !empty($save_data['html_signature'])) { 
     81  $save_data['signature'] = rcmail_wash_html($save_data['signature']); 
     82 
     83  // clear POST data of signature, we want to use safe content 
     84  // when the form is displayed again 
     85  unset($_POST['_signature']); 
     86} 
     87 
    7988// update an existing contact 
    8089if ($_POST['_iid']) { 
     
    168177else 
    169178  rcmail_overwrite_action('identities'); 
     179 
     180 
     181/** 
     182 * Sanity checks/cleanups on HTML body of signature 
     183 */ 
     184function rcmail_wash_html($html) 
     185{ 
     186    // Add header with charset spec., washtml cannot work without that 
     187    $html = '<html><head>' 
     188        . '<meta http-equiv="Content-Type" content="text/html; charset='.RCMAIL_CHARSET.'" />' 
     189        . '</head><body>' . $html . '</body></html>'; 
     190 
     191    // clean HTML with washhtml by Frederic Motte 
     192    $wash_opts = array( 
     193        'show_washed' => false, 
     194        'allow_remote' => 1, 
     195        'charset' => RCMAIL_CHARSET, 
     196        'html_elements' => array('body', 'link'), 
     197        'html_attribs' => array('rel', 'type'), 
     198    ); 
     199 
     200    // initialize HTML washer 
     201    $washer = new rcube_washtml($wash_opts); 
     202 
     203    //$washer->add_callback('form', 'rcmail_washtml_callback'); 
     204    //$washer->add_callback('style', 'rcmail_washtml_callback'); 
     205 
     206    // Remove non-UTF8 characters (#1487813) 
     207    $html = rc_utf8_clean($html); 
     208 
     209    $html = $washer->wash($html); 
     210 
     211    // remove unwanted comments and tags (produced by washtml) 
     212    $html = preg_replace(array('/<!--[^>]+-->/', '/<\/?body>/'), '', $html); 
     213 
     214  return $html; 
     215} 
Note: See TracChangeset for help on using the changeset viewer.