More XSS fix

diff --git a/debian/changelog b/debian/changelog
index 2c6ea7e2b6f4778b7f1e579a5e451649e0adc6fa..f596c085b56d1c7361273c92b8f3e7bb74b911f1 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,7 +3,8 @@ roundcube (0.1~rc2-6) unstable; urgency=high
   * Bug fix: "CVE-2007-6321: Cross-site scripting (XSS) vulnerability",
     thanks to Micah Anderson (Closes: #455840). The patch is from
     http://lists.roundcube.net/mail-archive/dev/2007-12/0000038.html and
-    provided by Robin Elfrink.
+    provided by Robin Elfrink. It has been modified with some functions
+    stolen from Squirrelmail.
   * Finnish debconf template, thanks to Esko Arajärvi (Closes: #458244).
 
  -- Vincent Bernat <bernat@luffy.cx>  Sat, 29 Dec 2007 21:55:17 +0100

diff --git a/debian/patches/xss-fix.patch b/debian/patches/xss-fix.patch
index 75693de3a3d0471e96710c1620751bed32d5c786..225283c76f59ea70ec6a43ed7c666e76b2f5d645 100644 (file)
--- a/debian/patches/xss-fix.patch
+++ b/debian/patches/xss-fix.patch
@@ -1,9 +1,48 @@
---- roundcube/program/steps/mail/func.inc      (revision 943)
-+++ roundcube/program/steps/mail/func.inc      (working copy)
-@@ -477,6 +477,85 @@
+--- roundcube/program/steps/mail/func.inc      2007-10-17 08:50:28.000000000 +0200
++++ roundcube/program/steps/mail/func.inc      2008-01-22 21:59:30.000000000 +0100
+@@ -481,6 +481,124 @@
+   return Q($out);
    }
  
- 
++/* Stolen from Squirrelmail */
++function sq_deent(&$attvalue, $regex, $hex=false){
++    $ret_match = false;
++    preg_match_all($regex, $attvalue, $matches);
++    if (is_array($matches) && sizeof($matches[0]) > 0){
++        $repl = Array();
++        for ($i = 0; $i < sizeof($matches[0]); $i++){
++            $numval = $matches[1][$i];
++            if ($hex){
++                $numval = hexdec($numval);
++            }
++            $repl{$matches[0][$i]} = chr($numval);
++        }
++        $attvalue = strtr($attvalue, $repl);
++        return true;
++    } else {
++        return false;
++    }
++}
++
++/* Stolen verbatim from Squirrelmail */
++function sq_defang(&$attvalue){
++    /**
++     * Skip this if there aren't ampersands or backslashes.
++     */
++    if (strpos($attvalue, '&') === false
++        && strpos($attvalue, '\\') === false){
++        return;
++    }
++    $m = false;
++    do {
++        $m = false;
++        $m = $m || sq_deent($attvalue, '/\&#0*(\d+);*/s');
++        $m = $m || sq_deent($attvalue, '/\&#x0*((\d|[a-f])+);*/si', true);
++        $m = $m || sq_deent($attvalue, '/\\\\(\d+)/s', true);
++    } while ($m == true);
++    $attvalue = stripslashes($attvalue);
++}
++
 +function rcmail_html_filter($html)
 +  {
 +  preg_match_all('/<\/?\w+((\s+\w+(\s*=\s*(?:".*?"|\'.*?\'|[^\'">\s]+))?)+\s*|\s*)\/?>/', $html, $tags);
@@ -71,22 +110,22 @@
 +    $newvalue = preg_replace('/(\/\*.*\*\/)/','$2',$value);
 +    /* Translate dangerous characters */
 +    $newvalue = str_replace($replace[0], $replace[1], $newvalue);
++    sq_defang($newvalue);
 +    /* Rename dangerous CSS */
-+      $newvalue = preg_replace('/expression/i', 'expresion', $newvalue);
-+      $newvalue = preg_replace('/url/i', 'urrl', $newvalue);
-+      $newattrs = preg_replace('/'.preg_quote($value, '/').'$/', $newvalue, $tags[1][$nr]);
-+      $newtag = preg_replace('/'.preg_quote($tags[1][$nr], '/').'/', $newattrs, $tags[0][$nr]);
++    $newvalue = preg_replace('/expression/i', 'idiocy', $newvalue);
++    $newvalue = preg_replace('/url/i', 'idiocy', $newvalue);
++    $newattrs = preg_replace('/'.preg_quote($value, '/').'$/', $newvalue, $tags[1][$nr]);
++    $newtag = preg_replace('/'.preg_quote($tags[1][$nr], '/').'/', $newattrs, $tags[0][$nr]);
 +    $html = preg_replace('/'.preg_quote($tags[0][$nr], '/').'/', $newtag, $html);
 +    }
 +
 +  return $html;
 +  }
 +
-+
+ 
  function rcmail_print_body($part, $safe=FALSE, $plain=FALSE)
    {
-   global $IMAP, $REMOTE_OBJECTS;
-@@ -528,7 +607,7 @@
+@@ -533,7 +651,7 @@
        $body = preg_replace($remote_patterns, $remote_replaces, $body);
        }