Changeset ee883ad in github

Timestamp:

Dec 22, 2006 4:45:21 PM (6 years ago)

Author:

thomascube <thomas@…>

Branches:

master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8

Children:

822e276

Parents:

8af7757

Message:

Applied security patches by Kees Cook (Ubuntu) + little visual enhancements

Files:

• CHANGELOG (modified) (1 diff)
• program/blocked.gif (added)
• program/include/main.inc (modified) (1 diff)
• program/steps/addressbook/delete.inc (modified) (1 diff)
• program/steps/mail/func.inc (modified) (3 diffs)
• program/steps/mail/sendmail.inc (modified) (1 diff)
• program/steps/settings/delete_identity.inc (modified) (1 diff)
• skins/default/mail.css (modified) (1 diff)

CHANGELOG

@@ -1 +1 @@
 CHANGELOG RoundCube Webmail
 ---------------------------
+
+2006/12/22 (thomasb)
+----------
+- Applied security patch to validate the submitted host value (by Kees Cook)
+- Applied security patch to validate input values when deleting contacts (by Kees Cook)
+- Applied security patch that sanitizes emoticon paths when attaching them (by Kees Cook)
+- Applied a patch to more aggressively sanitize a HTML message
+- Visualize blocked images in HTML messages
+
 
 2006/12/20 (thomasb)

program/include/main.inc

@@ -450 +450 @@
   if (!$host)
     $host = $CONFIG['default_host'];
+
+  // Validate that selected host is in the list of configured hosts
+  if (is_array($CONFIG['default_host']))
+    {
+    $allowed = FALSE;
+    foreach ($CONFIG['default_host'] as $key => $host_allowed)
+      {
+      if (!is_numeric($key))
+        $host_allowed = $key;
+      if ($host == $host_allowed)
+        {
+        $allowed = TRUE;
+        break;
+        }
+      }
+    if (!$allowed)
+      return FALSE;
+    }
+  else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host'])
+    return FALSE;
 
   // parse $host URL

program/steps/addressbook/delete.inc

@@ -22 +22 @@
 $REMOTE_REQUEST = TRUE;
 
-if ($_GET['_cid'])
+if ($_GET['_cid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_cid']))
   {
   $DB->query("UPDATE ".get_table_name('contacts')."

program/steps/mail/func.inc

@@ -740 +740 @@
                                '/<script.+<\/script>/Umis');
 
-      $remote_replaces = array('<img \\1src=\\2./program/blank.gif\\4',
+      $remote_replaces = array('<img \\1src=\\2./program/blocked.gif\\4',
                                '',
                                '',
@@ -1211 +1211 @@
 
   // replace event handlers on any object
-  $body = preg_replace('/\s(on[a-z]+)=/im', ' __removed=', $body);  
+  $body = preg_replace('/\s(on[^=]+)=/im', ' __removed=', $body);  
+  $body = preg_replace('/\shref=["\']?(javascript:)/im', 'null:', $body);
 
   // resolve <base href>
@@ -1252 +1253 @@
     $attrib['onclick'] = sprintf("return %s.command('compose','%s',this)",
                                  $GLOBALS['JS_OBJECT_NAME'],
-                                 substr($attrib['href'], 7));
+                                 JQ(substr($attrib['href'], 7)));
   else if (!empty($attrib['href']) && $attrib['href']{0}!='#')
     $attrib['target'] = '_blank';

program/steps/mail/sendmail.inc

@@ -101 +101 @@
                          $pos + strlen($searchstr),
                          $pos2 - ($pos + strlen($searchstr)));
+    // sanitize image name so resulting attachment doesn't leave images dir
+    $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name);
 
     $body_post = substr($body, $pos2);

program/steps/settings/delete_identity.inc

@@ -22 +22 @@
 $REMOTE_REQUEST = $_GET['_remote'] ? TRUE : FALSE;
 
-if ($_GET['_iid'])
+if ($_GET['_iid'] && preg_match('/^[0-9]+(,[0-9]+)*$/',$_GET['_iid']))
   {
   $DB->query("UPDATE ".get_table_name('identities')."

skins/default/mail.css

@@ -153 +153 @@
 #messagepartframe
 {
+  position: absolute;
+  top: 0px;
+  left: 0px;
+  right: 0px;
+  bottom: 0px;
+  width: auto;
+  height: auto;
   border: 1px solid #999999;
-  background-color: #F9F9F9;  
+  background-color: #F9F9F9;
 }