From f90f22ffb87d296cc471c389283a7af6a87bee29 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Sat, 7 Jan 2017 09:59:42 +0100
Subject: [PATCH] Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_utils.php | 2 +-
 program/steps/mail/func.inc | 2 +-
 tests/Framework/Utils.php | 4 ++++
 4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index bf725919588..1abd7af611a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ CHANGELOG Roundcube Webmail
 - Fix rsync error handling in installto.sh script (#5562)
 - Fix some advanced search issues with multiple addressbooks (#5572)
 - Fix so group/addressbook selection is retained on page refresh
+- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
 
 RELEASE 1.2.3
 -------------
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index ba750b08034..c0d109acdab 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -396,7 +396,7 @@ public static function mod_css_styles($source, $container_id, $allow_remote = fa
 // ignore the whole block if evil styles are detected
 $source = self::xss_entity_decode($source);
 $stripped = preg_replace('/[^a-z\(:;]/i', '', $source);
- $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\(' : '');
+ $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\((?!data:image)' : '');
 
 if (preg_match("/$evilexpr/i", $stripped)) {
 return '/* evil! */';
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index d37825a8ab3..0e13c845382 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
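Review bot: The new negative lookahead `(?!data:image)` on the `$evilexpr` line tests only the `data:image` prefix, so every image subtype — `data:image/svg+xml` included — now passes the remote-content check when `$allow_remote` is false; because `$stripped` has everything except letters, `(`, `:` and `;` removed, quoting or whitespace around the URI cannot defeat the prefix test, but the subtype is not constrained either, and whether an SVG data URI in an image context matters here is for the maintainers to confirm. Nothing in the hunk records why the exemption exists, so the next reader cannot tell whether widening or narrowing it is safe. A comment above the line would fix that, e.g. `// url() is only 'evil' when it can fetch a remote resource; inline data:image URIs (any image subtype) are exempt`. The rest of mod_css_styles lies outside the hunk.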
@@ -969,7 +969,7 @@ function rcmail_washtml_callback($tagname, $attrib, $content, $washtml)
 
 // now check for evil strings like expression, behavior or url()
 if (!preg_match('/expression|behavior|javascript:|import[^a]/i', $stripped)) {
- if (!$washtml->get_config('allow_remote') && stripos($stripped, 'url(')) {
+ if (!$washtml->get_config('allow_remote') && preg_match('/url\((?!data:image)/', $stripped)) {
 $washtml->extlinks = true;
 }
 else {
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index 5f70544d467..ba04e15454d 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -214,6 +214,10 @@ function test_mod_css_styles_xss()
 
 $mod = rcube_utils::mod_css_styles(".test { position:/**/fixed; }", 'rcmbody');
 $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (2)");
+
+ // allow data URIs with images (#5580)
+ $mod = rcube_utils::mod_css_styles("body { background-image: url(data:image/png;base64,123); }", 'rcmbody');
+ $this->assertEquals("#rcmbody { background-image: url(data:image/png;base64,123); }", $mod, "Data URIs in url() allowed");
 }
 
 /**
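Review bot: The replacement `preg_match('/url\((?!data:image)/', $stripped)` in the inner `if` is case-sensitive, whereas the `stripos()` it replaces was not; CSS function names are case-insensitive and `$stripped` keeps letter case, so a stylesheet writing `URL(http://...)` no longer sets `$washtml->extlinks` and instead reaches the `else` branch the hunk cuts off. Adding the modifier restores the previous behaviour and matches the `/i` that rcube_utils::mod_css_styles applies to `$evilexpr`: `preg_match('/url\((?!data:image)/i', $stripped)`. Note that the regex also quietly fixes the old `stripos()` returning `0` (falsy) when `url(` sat at offset 0 of `$stripped`; a one-line comment such as `// remote url() loads are flagged as external links; inline data:image URIs are not remote` would make both the intent and the prefix-only nature of the exemption explicit. rcmail_washtml_callback begins and ends outside the hunk.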
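Review bot: The assertion added to test_mod_css_styles_xss only covers the positive case; unless an earlier assertion in the method already does so, nothing pins that the narrowed `url\(` exclusion still rejects a non-image data URI or a remote URL, so a later slip that loosens the lookahead would go unnoticed. A companion check keeps that boundary under test: `$mod = rcube_utils::mod_css_styles("body { background-image: url(data:text/html;base64,123); }", 'rcmbody');` followed by `$this->assertEquals("/* evil! */", $mod, "Non-image data URIs in url() still rejected");`, the expected string being the one the rcube_utils hunk returns. The test method starts before the hunk.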