Mirrors/roundcubemail
1
0
Fork 0
mirror of https://github.com/roundcube/roundcubemail.git synced 2025-12-27 23:45:58 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

Fix Information Disclosure vulnerability in the HTML style sanitizer
Some checks failed
tests / PHP ${{ matrix.php }}/Linux (5.5) (push) Has been cancelled
Details
tests / PHP ${{ matrix.php }}/Linux (5.6) (push) Has been cancelled
Details
tests / PHP ${{ matrix.php }}/Linux (7) (push) Has been cancelled
Details
tests / PHP ${{ matrix.php }}/Linux (7.1) (push) Has been cancelled
Details
tests / PHP ${{ matrix.php }}/Linux (7.2) (push) Has been cancelled
Details
tests / PHP ${{ matrix.php }}/Linux (7.3) (push) Has been cancelled
Details
tests / PHP ${{ matrix.php }}/Linux (7.4) (push) Has been cancelled
Details
tests / PHP ${{ matrix.php }}/Linux (8) (push) Has been cancelled
Details

Browse Source 
reported by somerandomdev
This commit is contained in:
Aleksander Machniak 2025-12-14 09:02:25 +01:00
parent f4856e3f91
commit 3cb52d6db1
4 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -3,6 +3,7 @@
## Unreleased
- Fix Cross-Site-Scripting vulnerability via SVG's animate tag
- Fix Information Disclosure vulnerability in the HTML style sanitizer
## Release 1.5.11

3
program/lib/Roundcube/rcube_utils.php
View File

@ -565,6 +565,9 @@ class rcube_utils
$value .= ' url(' . $url . ')';
}
}
} elseif (preg_match('/;.*/', $val)) {
// Invalid or evil content, ignore
continue;
} else {
// whitelist ?
$value .= ' ' . $val;

4
tests/Framework/Utils.php
View File

@ -291,9 +291,9 @@ class Framework_Utils extends PHPUnit\Framework\TestCase
$mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
$this->assertSame("#rcmbody { content: ''; color: red; }", $mod);
$style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\'hello\');\">'; color: red; }";
$style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\\'hello\\');\">'; color: red; }";
$mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
$this->assertSame("#rcmbody { content: '< page: ;/style>< page: ;img src onerror=\"alert('hello');\">'; color: red; }", $mod);
$this->assertSame("#rcmbody { color: red; }", $mod);
// Removing page: property
$style = "body { page: test; color: red }";

7
tests/Framework/Washtml.php
View File

@ -291,6 +291,13 @@ class Framework_Washtml extends PHPUnit\Framework\TestCase
$washed = $washer->wash($html);
$this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)");
$html = '<div style=\'content: "\0026quot;; background: url(//http.cat/418); content:""; width: 100%; height: 100%;\'>test</div>';
$washer = new \rcube_washtml();
$washed = $washer->wash($html);
$this->assertTrue(strpos($washed, '<div x-washed="style">test</div>') !== false);
}
/**