From dac6cae5b9bc55ae2faa3c31289525deb1b55378 Mon Sep 17 00:00:00 2001
From: Vincent Bernat
Date: Tue, 22 Jan 2008 21:05:38 +0000
Subject: [PATCH 1/1] More XSS fix

---
 debian/changelog | 3 +-
 debian/patches/xss-fix.patch | 61 +++++++++++++++++++++++++++++-------
 2 files changed, 52 insertions(+), 12 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 2c6ea7e..f596c08 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,8 @@ roundcube (0.1~rc2-6) unstable; urgency=high
 * Bug fix: "CVE-2007-6321: Cross-site scripting (XSS) vulnerability", thanks to Micah Anderson (Closes: #455840). The patch is from http://lists.roundcube.net/mail-archive/dev/2007-12/0000038.html and
- provided by Robin Elfrink.
+ provided by Robin Elfrink. It has been modified with some functions
+ stolen from Squirrelmail.
 * Finnish debconf template, thanks to Esko Arajärvi (Closes: #458244).

 -- Vincent Bernat Sat, 29 Dec 2007 21:55:17 +0100
diff --git a/debian/patches/xss-fix.patch b/debian/patches/xss-fix.patch
index 75693de..225283c 100644
--- a/debian/patches/xss-fix.patch
+++ b/debian/patches/xss-fix.patch
@@ -1,9 +1,48 @@
---- roundcube/program/steps/mail/func.inc (revision 943)
-+++ roundcube/program/steps/mail/func.inc (working copy)
-@@ -477,6 +477,85 @@
+--- roundcube/program/steps/mail/func.inc 2007-10-17 08:50:28.000000000 +0200
++++ roundcube/program/steps/mail/func.inc 2008-01-22 21:59:30.000000000 +0100
+@@ -481,6 +481,124 @@
+ return Q($out);
 }
-
++/* Stolen from Squirrelmail */
++function sq_deent(&$attvalue, $regex, $hex=false){
++ $ret_match = false;
++ preg_match_all($regex, $attvalue, $matches);
++ if (is_array($matches) && sizeof($matches[0]) > 0){
++ $repl = Array();
++ for ($i = 0; $i < sizeof($matches[0]); $i++){
++ $numval = $matches[1][$i];
++ if ($hex){
++ $numval = hexdec($numval);
++ }
++ $repl{$matches[0][$i]} = chr($numval);
++ }
++ $attvalue = strtr($attvalue, $repl);
++ return true;
++ } else {
++ return false;
++ }
++}
++
++/* Stolen verbatim from Squirrelmail */
++function sq_defang(&$attvalue){
++ /**
++ * Skip this if there aren't ampersands or backslashes.
++ */
++ if (strpos($attvalue, '&') === false
++ && strpos($attvalue, '\\') === false){
++ return;
++ }
++ $m = false;
++ do {
++ $m = false;
++ $m = $m || sq_deent($attvalue, '/\�*(\d+);*/s');
++ $m = $m || sq_deent($attvalue, '/\�*((\d|[a-f])+);*/si', true);
++ $m = $m || sq_deent($attvalue, '/\\\\(\d+)/s', true);
++ } while ($m == true);
++ $attvalue = stripslashes($attvalue);
++}
++
+function rcmail_html_filter($html)
+{
+ preg_match_all('/<\/?\w+((\s+\w+(\s*=\s*(?:".*?"|\'.*?\'|[^\'">\s]+))?)+\s*|\s*)\/?>/', $html, $tags);
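Review bot: sq_defang carries no comment describing what it guarantees, although the second hunk relies on its result both for the `expression`/`url` test and as the value written back into the tag; a header such as `/* Decodes numeric and hex character references and backslash escapes to single bytes (chr() reduces code points above 255 modulo 256) and strips remaining backslashes; the result is a lossy form intended for keyword matching. */` would make that contract explicit. In sq_deent, `$ret_match` is assigned and never read, `sizeof()`/`Array()` would read better as `count()`/`array()`, and `} while ($m == true);` is simply `} while ($m);`. The two "Stolen from Squirrelmail" comments should also record the SquirrelMail release and source file the functions were copied from, since the package's copyright bookkeeping depends on that provenance. Only the head of rcmail_html_filter is in this hunk; its body continues outside it.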
@@ -71,22 +110,22 @@
+ $newvalue = preg_replace('/(\/\*.*\*\/)/','$2',$value);
+ /* Translate dangerous characters */
+ $newvalue = str_replace($replace[0], $replace[1], $newvalue);
++ sq_defang($newvalue);
+ /* Rename dangerous CSS */
-+ $newvalue = preg_replace('/expression/i', 'expresion', $newvalue);
-+ $newvalue = preg_replace('/url/i', 'urrl', $newvalue);
-+ $newattrs = preg_replace('/'.preg_quote($value, '/').'$/', $newvalue, $tags[1][$nr]);
-+ $newtag = preg_replace('/'.preg_quote($tags[1][$nr], '/').'/', $newattrs, $tags[0][$nr]);
++ $newvalue = preg_replace('/expression/i', 'idiocy', $newvalue);
++ $newvalue = preg_replace('/url/i', 'idiocy', $newvalue);
++ $newattrs = preg_replace('/'.preg_quote($value, '/').'$/', $newvalue, $tags[1][$nr]);
++ $newtag = preg_replace('/'.preg_quote($tags[1][$nr], '/').'/', $newattrs, $tags[0][$nr]);
+ $html = preg_replace('/'.preg_quote($tags[0][$nr], '/').'/', $newtag, $html);
+ }
+
+ return $html;
+ }
+
-+
+
function rcmail_print_body($part, $safe=FALSE, $plain=FALSE)
{
- global $IMAP, $REMOTE_OBJECTS;
-@@ -528,7 +607,7 @@
+@@ -533,7 +651,7 @@
$body = preg_replace($remote_patterns, $remote_replaces, $body);
}
-- 
2.39.2
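Review bot: The value sq_defang rewrites is the one spliced back into the tag by the `$newattrs`, `$newtag` and `$html` lines, so the decoding is not confined to the keyword test: numeric, hex and backslash escapes become raw bytes, and where such a byte is a quote or angle bracket the emitted attribute no longer has the boundaries the tag regex originally matched. Run the checks on a defanged copy and write back the original `$value` when the copy is clean, or re-encode quotes and angle brackets in `$newvalue` before the substitution (how `$value` is extracted, and whether it carries its own quotes, is not visible here, so the exact call depends on that). Independently, `$newvalue`, `$newattrs` and `$newtag` are used as preg_replace replacement strings, where `$1`/`\1` sequences are read as backreferences; the last two substitutions are literal-for-literal and can be `$newtag = str_replace($tags[1][$nr], $newattrs, $tags[0][$nr]);` and `$html = str_replace($tags[0][$nr], $newtag, $html);`. The comment-stripping line at the top uses `'$2'` although the pattern has one group, and `.*` without `/s` stops at a newline, so a comment that spans lines is left untouched; `preg_replace('/\/\*.*?\*\//s', '', $value)` states the intent directly. rcmail_html_filter begins in the first hunk and its lines between the two hunks are not part of this diff.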