From: Vincent Bernat <bernat@debian.org>
Date: Sat, 13 Dec 2008 13:34:09 +0000 (+0000)
Subject: Fix a vulnerability in the use of preg_replace (Closes: #508628).
X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=3e422955ffdb58b07122ef99ecaf28633d8ed0c9;p=roundcube.git

Fix a vulnerability in the use of preg_replace (Closes: #508628).
---

diff --git a/debian/changelog b/debian/changelog
index a7afc15..43650f5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
-roundcube (0.2~alpha-3) UNRELEASED; urgency=low
+roundcube (0.2~alpha-3) experimental; urgency=high
 
   [ Vincent Bernat ]
+  * Fix a vulnerability in the use of preg_replace (Closes: #508628).
   * Adapt descriptions of roundcube-database packages to refer them as
     metapackages instead of virtual package (Closes: #495434).
   * Add robots.txt from upstream, even if in some configuration, it will
diff --git a/debian/patches/dont-use-preg-e-option.patch b/debian/patches/dont-use-preg-e-option.patch
new file mode 100644
index 0000000..1179a86
--- /dev/null
+++ b/debian/patches/dont-use-preg-e-option.patch
@@ -0,0 +1,121 @@
+--- roundcube-0.2~alpha/program/lib/html2text.php	2008-04-12 15:54:45.000000000 +0200
++++ roundcube-0.2~alpha/program/lib/html2text.php	2008-12-13 14:21:44.000000000 +0100
+@@ -99,6 +99,22 @@
+      */
+     var $width = 70;
+ 
++    /** 
++	 *  List of preg* regular expression patterns to search for 
++	 *  and replace using callback function. 
++	 * 
++	 *  @var array $callback_search 
++	 *  @access public 
++	 */ 
++     var $callback_search = array( 
++        '/<(h)[123456][^>]*>(.*?)<\/h[123456]>/i', // H1 - H3 
++        '/<(b)[^>]*>(.*?)<\/b>/i',                 // <b> 
++        '/<(strong)[^>]*>(.*?)<\/strong>/i',       // <strong> 
++        '/<(a) [^>]*href=("|\')([^"\']+)\2[^>]*>(.*?)<\/a>/i', 
++                                                   // <a href=""> 
++        '/<(th)[^>]*>(.*?)<\/th>/i',               // <th> and </th> 
++    ); 
++
+     /**
+      *  List of preg* regular expression patterns to search for,
+      *  used in conjunction with $replace.
+@@ -112,12 +128,8 @@
+         "/[\n\t]+/",                             // Newlines and tabs
+         '/<script[^>]*>.*?<\/script>/i',         // <script>s -- which strip_tags supposedly has problems with
+         //'/<!-- .* -->/',                         // Comments -- which strip_tags might have problem a with
+-        '/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // <a href="">
+-        '/<h[123][^>]*>(.+?)<\/h[123]>/ie',      // H1 - H3
+-        '/<h[456][^>]*>(.+?)<\/h[456]>/ie',      // H4 - H6
+         '/<p[^>]*>/i',                           // <P>
+         '/<br[^>]*>/i',                          // <br>
+-        '/<b[^>]*>(.+?)<\/b>/ie',                // <b>
+         '/<i[^>]*>(.+?)<\/i>/i',                 // <i>
+         '/(<ul[^>]*>|<\/ul>)/i',                 // <ul> and </ul>
+         '/(<ol[^>]*>|<\/ol>)/i',                 // <ol> and </ol>
+@@ -126,7 +138,6 @@
+         '/(<table[^>]*>|<\/table>)/i',           // <table> and </table>
+         '/(<tr[^>]*>|<\/tr>)/i',                 // <tr> and </tr>
+         '/<td[^>]*>(.+?)<\/td>/i',               // <td> and </td>
+-        '/<th[^>]*>(.+?)<\/th>/ie',              // <th> and </th>
+         '/&nbsp;/i',
+         '/&quot;/i',
+         '/&gt;/i',
+@@ -161,12 +172,8 @@
+         ' ',                                    // Newlines and tabs
+         '',                                     // <script>s -- which strip_tags supposedly has problems with
+         //'',                                  // Comments -- which strip_tags might have problem a with
+-        '$this->_build_link_list("\\2", "\\3")', // <a href="">
+-        "strtoupper(\"\n\n\\1\n\n\")",          // H1 - H3
+-        "ucwords(\"\n\n\\1\n\")",               // H4 - H6
+         "\n\n",                                 // <P>
+         "\n",                                   // <br>
+-        'strtoupper("\\1")',                    // <b>
+         '_\\1_',                                // <i>
+         "\n\n",                                 // <ul> and </ul>
+         "\n\n",                                 // <ol> and </ol>
+@@ -175,7 +182,6 @@
+         "\n\n",                                 // <table> and </table>
+         "\n",                                   // <tr> and </tr>
+         "\t\t\\1\n",                            // <td> and </td>
+-        "strtoupper(\"\t\t\\1\n\")",            // <th> and </th>
+         ' ',
+         '"',
+         '>',
+@@ -379,6 +385,7 @@
+ 
+         // Run our defined search-and-replace
+         $text = preg_replace($this->search, $this->replace, $text);
++        $text = preg_replace_callback($this->callback_search, array('html2text', '_preg_callback'), $text);
+ 
+         // Strip any other HTML tags
+         $text = strip_tags($text, $this->allowed_tags);
+@@ -446,6 +453,44 @@
+               
+       return $display . ' [' . ($index+1) . ']';
+       }
++
++    /**
++     *  Callback function for preg_replace_callback use.
++     *
++     *  @param  array PREG matches
++     *  @return string
++     *  @access private
++     */
++    function _preg_callback($matches)
++    {
++		switch($matches[1])
++		{
++	    case 'b':
++	    case 'strong':
++			return $this->_strtoupper($matches[2]);
++	    case 'hr':
++		return $this->_strtoupper("\t\t". $matches[2] ."\n");
++	    case 'h':
++			return $this->_strtoupper("\n\n". $matches[2] ."\n\n");
++	    case 'a':
++			return $this->_build_link_list($matches[3], $matches[4]);
++        }
++    }
++    
++    /**
++     *  Strtoupper multibyte wrapper function
++     *
++     *  @param  string
++     *  @return string
++     *  @access private
++     */
++    function _strtoupper($str)
++    {
++		if (function_exists('mb_strtoupper'))
++    	    return mb_strtoupper($str);
++    	else
++			return strtoupper($str);
++    }
+ }
+ 
+ ?>
+\ Pas de fin de ligne à la fin du fichier.
diff --git a/debian/patches/series b/debian/patches/series
index b2c9883..b68113a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ use_packaged_tinymce.patch
 use-db-backend.patch
 correct-magic-path.patch
 fix_login.patch
+dont-use-preg-e-option.patch