+++ /dev/null
-Fix CVE-2009-0413 by handling carefully background attribute.
---- roundcubemail/CHANGELOG (revision 2242)
-+++ roundcubemail/CHANGELOG (revision 2245)
-@@ -1,4 +1,8 @@
- CHANGELOG RoundCube Webmail
- ---------------------------
-+
-+2009/01/20 (thomasb)
-+----------
-+- Fix XSS vulnerability through background attributes as reported by Julien Cayssol
-
- 2009/01/18 (alec)
---- roundcubemail/program/lib/washtml.php (revision 1811)
-+++ roundcubemail/program/lib/washtml.php (revision 2245)
-@@ -81,5 +81,5 @@
-
- /* Allowed HTML attributes */
-- static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir', 'background');
-+ static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir');
-
- /* State for linked objects in HTML */
-@@ -161,13 +161,13 @@
- $value = $node->getAttribute($key);
- if(isset($this->_html_attribs[$key]) ||
-- ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.*/i', $value)))
-+ ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.+/i', $value)))
- $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
- else if($key == 'style' && ($style = $this->wash_style($value)))
- $t .= ' style="' . $style . '"';
-- else if($key == 'src' && strtolower($node->tagName) == 'img') { //check tagName anyway
-+ else if($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
- if($src = $this->config['cid_map'][$value]) {
- $t .= ' ' . $key . '="' . htmlspecialchars($src, ENT_QUOTES) . '"';
- }
-- else if(preg_match('/^(http|https|ftp):.*/i', $value)) {
-+ else if(preg_match('/^(http|https|ftp):.+/i', $value)) {
- if($this->config['allow_remote'])
- $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
-@@ -175,5 +175,5 @@
- $this->extlinks = true;
- if ($this->config['blocked_src'])
-- $t .= ' src="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';
-+ $t .= ' ' . $key . '="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';
- }
- }
+++ roundcube-0.1~rc2/program/steps/mail/sendmail.inc 2007-11-26 11:44:04.000000000 +0100
@@ -123,7 +123,7 @@
- // sanitize image name so resulting attachment doesn't leave images dir
- $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name);
-- $img_file = INSTALL_PATH . '/' . $searchstr . $image_name;
-+ $img_file = '/usr/share/tinymce/www/plugins/emotions/img/' . $image_name;
+ // sanitize image name so resulting attachment doesn't leave images dir
+ $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i', '', $image_name);
+- $img_file = INSTALL_PATH . '/' . $searchstr . $image_name;
++ $img_file = '/usr/share/tinymce/www/plugins/emotions/img/' . $image_name;
- if (! in_array($image_name, $included_images))
- {
+ if (! in_array($image_name, $included_images)) {
+ // add the image to the MIME message