1 Fix CVE-2012-3508. Self XSS with signature.
3 https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
5 Index: roundcube/program/js/app.js.src
6 ===================================================================
7 --- roundcube.orig/program/js/app.js.src 2012-04-28 10:26:30.133307979 +0200
8 +++ roundcube/program/js/app.js.src 2012-08-26 14:19:04.611476200 +0200
10 input_message = $("[name='_message']"),
11 message = input_message.val(),
12 is_html = ($("input[name='_is_html']").val() == '1'),
13 - sig = this.env.identity,
14 - sig_separator = this.env.sig_above && (this.env.compose_mode == 'reply' || this.env.compose_mode == 'forward') ? '---' : '-- ';
15 + sig = this.env.identity;
17 // enable manual signature insert
18 if (this.env.signatures && this.env.signatures[id]) {
19 @@ -3197,25 +3196,18 @@
21 // remove the 'old' signature
22 if (show_sig && sig && this.env.signatures && this.env.signatures[sig]) {
24 - sig = this.env.signatures[sig].is_html ? this.env.signatures[sig].plain_text : this.env.signatures[sig].text;
25 + sig = this.env.signatures[sig].text;
26 sig = sig.replace(/\r\n/g, '\n');
28 - if (!sig.match(/^--[ -]\n/m))
29 - sig = sig_separator + '\n' + sig;
31 p = this.env.sig_above ? message.indexOf(sig) : message.lastIndexOf(sig);
33 message = message.substring(0, p) + message.substring(p+sig.length, message.length);
35 // add the new signature string
36 if (show_sig && this.env.signatures && this.env.signatures[id]) {
37 - sig = this.env.signatures[id]['is_html'] ? this.env.signatures[id]['plain_text'] : this.env.signatures[id]['text'];
38 + sig = this.env.signatures[id].text;
39 sig = sig.replace(/\r\n/g, '\n');
41 - if (!sig.match(/^--[ -]\n/m))
42 - sig = sig_separator + '\n' + sig;
44 if (this.env.sig_above) {
45 if (p >= 0) { // in place of removed signature
46 message = message.substring(0, p) + sig + message.substring(p, message.length);
47 @@ -3279,21 +3271,8 @@
51 - if (this.env.signatures[id]) {
52 - if (this.env.signatures[id].is_html) {
53 - sig = this.env.signatures[id].text;
54 - if (!this.env.signatures[id].plain_text.match(/^--[ -]\r?\n/m))
55 - sig = sig_separator + '<br />' + sig;
58 - sig = this.env.signatures[id].text;
59 - if (!sig.match(/^--[ -]\r?\n/m))
60 - sig = sig_separator + '\n' + sig;
61 - sig = '<pre>' + sig + '</pre>';
64 - sigElem.innerHTML = sig;
66 + if (this.env.signatures[id])
67 + sigElem.innerHTML = this.env.signatures[id].html;
70 this.env.identity = id;
71 Index: roundcube/program/steps/mail/compose.inc
72 ===================================================================
73 --- roundcube.orig/program/steps/mail/compose.inc 2012-02-04 09:18:15.186795165 +0100
74 +++ roundcube/program/steps/mail/compose.inc 2012-08-26 14:19:04.615476279 +0200
77 function rcmail_compose_header_from($attrib)
79 - global $MESSAGE, $OUTPUT;
80 + global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;
82 // pass the following attributes to the form class
83 $field_attrib = array('name' => '_from');
85 if (count($MESSAGE->identities))
87 $a_signatures = array();
88 + $separator = $RCMAIL->config->get('sig_above')
89 + && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';
91 $field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
92 $select_from = new html_select($field_attrib);
94 // add signature to array
95 if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
97 - $a_signatures[$identity_id]['text'] = $sql_arr['signature'];
98 - $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
99 - if ($a_signatures[$identity_id]['is_html'])
101 - $h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
102 - $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
103 + $text = $html = $sql_arr['signature'];
105 + if ($sql_arr['html_signature']) {
106 + $h2t = new html2text($sql_arr['signature'], false, false);
107 + $text = trim($h2t->get_text());
110 + $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
113 + if (!preg_match('/^--[ -]\r?\n/m', $text)) {
114 + $text = $separator . "\n" . $text;
115 + $html = $separator . "<br>" . $html;
118 + if (!$sql_arr['html_signature']) {
119 + $html = "<pre>" . $html . "</pre>";
122 + $a_signatures[$identity_id]['text'] = $text;
123 + $a_signatures[$identity_id]['html'] = $html;