1 Fix CVE-2009-0413 by handling carefully background attribute.
2 --- roundcubemail/CHANGELOG (revision 2242)
3 +++ roundcubemail/CHANGELOG (revision 2245)
5 CHANGELOG RoundCube Webmail
6 ---------------------------
10 +- Fix XSS vulnerability through background attributes as reported by Julien Cayssol
13 --- roundcubemail/program/lib/washtml.php (revision 1811)
14 +++ roundcubemail/program/lib/washtml.php (revision 2245)
17 /* Allowed HTML attributes */
18 - static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir', 'background');
19 + static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', 'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', 'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', 'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', 'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', 'cellborder', 'size', 'lang', 'dir');
21 /* State for linked objects in HTML */
23 $value = $node->getAttribute($key);
24 if(isset($this->_html_attribs[$key]) ||
25 - ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.*/i', $value)))
26 + ($key == 'href' && preg_match('/^(http|https|ftp|mailto):.+/i', $value)))
27 $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
28 else if($key == 'style' && ($style = $this->wash_style($value)))
29 $t .= ' style="' . $style . '"';
30 - else if($key == 'src' && strtolower($node->tagName) == 'img') { //check tagName anyway
31 + else if($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
32 if($src = $this->config['cid_map'][$value]) {
33 $t .= ' ' . $key . '="' . htmlspecialchars($src, ENT_QUOTES) . '"';
35 - else if(preg_match('/^(http|https|ftp):.*/i', $value)) {
36 + else if(preg_match('/^(http|https|ftp):.+/i', $value)) {
37 if($this->config['allow_remote'])
38 $t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
40 $this->extlinks = true;
41 if ($this->config['blocked_src'])
42 - $t .= ' src="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';
43 + $t .= ' ' . $key . '="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"';