From 7340360e798ac984214932d5fcd464f26392fa03 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sat, 7 Jan 2017 09:59:42 +0100
Subject: [PATCH] Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)

---
 CHANGELOG | 2 ++
 program/lib/Roundcube/rcube_utils.php | 2 +-
 program/steps/mail/func.inc | 2 +-
 tests/Framework/Utils.php | 4 ++++
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index a679ee2170c..3c278211334 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
+
 RELEASE 1.3-beta
 ----------------
 - Nicely handle contact deletion on contact edit (#5522)
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index d52c62115d7..d7d7c963e45 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -391,7 +391,7 @@ public static function mod_css_styles($source, $container_id, $allow_remote = fa
 // ignore the whole block if evil styles are detected
 $source = self::xss_entity_decode($source);
 $stripped = preg_replace('/[^a-z\(:;]/i', '', $source);
- $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\(' : '');
+ $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\((?!data:image)' : '');
 
 if (preg_match("/$evilexpr/i", $stripped)) {
 return '/* evil! */';
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 2c6a8385497..4da5e5796b4 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
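Review bot: The `(?!data:image)` exemption added to `$evilexpr` is a prefix test on `$stripped`, from which everything except letters, `(`, `:` and `;` has already been removed, so it accepts any `url(` whose surviving characters begin with `data:image` rather than strictly a `data:` URI (every `image/*` subtype passes, and the separators a browser would use to parse the URL are invisible to the check). That is likely acceptable for inline images, but the assumption should be stated next to the pattern, e.g. `// data:image URIs are inline, not remote; matched on the stripped text, so only the scheme/type prefix is verified`. The same rule is duplicated in program/steps/mail/func.inc in this commit and the two copies should be kept in sync, ideally via one shared constant. mod_css_styles continues outside the hunk.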
@@ -1006,7 +1006,7 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)
 
 // now check for evil strings like expression, behavior or url()
 if (!preg_match('/expression|behavior|javascript:|import[^a]/i', $stripped)) {
- if (!$washtml->get_config('allow_remote') && stripos($stripped, 'url(')) {
+ if (!$washtml->get_config('allow_remote') && preg_match('/url\((?!data:image)/', $stripped)) {
 $washtml->extlinks = true;
 }
 else {
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 5f70544d467..ba04e15454d 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -214,6 +214,10 @@ function test_mod_css_styles_xss()
 
 $mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
 $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");
+
+ // allow data URIs with images (#5580)
+ $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
+ $this->assertEquals("#rcmbody { background-image: url(data:image/png;base64,123); }", $mod, "Data URIs in url() allowed");
 }
 
 /**
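Review bot: The added `preg_match('/url\((?!data:image)/', $stripped)` is case-sensitive, whereas the `stripos()` it replaces and the enclosing `preg_match(.../i)` on the line above are not; if `$stripped` is built as in rcube_utils (letters kept with their case, definition is above the hunk), a style containing `URL(` followed by a remote address no longer sets `$washtml->extlinks` and falls through to the `else` branch, so the allow_remote gate is skipped. CSS function names are case-insensitive, so the modifier is needed: `if (!$washtml->get_config('allow_remote') && preg_match('/url\((?!data:image)/i', $stripped)) {`. The copy of this pattern in rcube_utils.php is unaffected because it is embedded in a `/.../i` regex. rcmail_washtml_callback starts and ends outside the hunk.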
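Review bot: The new assertion in test_mod_css_styles_xss covers only the positive case; nothing here checks that the relaxed rule still rejects a remote `url()` or that upper-case `URL(DATA:IMAGE...)` is treated the same, so a regression in the lookahead would pass unnoticed unless such a case exists elsewhere in the test. Add e.g. `$mod = rcube_utils::mod_css_styles("body { background-image: url(http://example.com/x.png); }", 'rcmbody');` followed by `$this->assertEquals('/* evil! */', $mod, "Remote url() still rejected");`, which is what the rcube_utils.php hunk returns for a blocked block. The func.inc change in this commit has no test at all; a case exercising the extlinks path would be worth adding.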