Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)

Aleksander Machniak

2012-08-15 14c4677eede6263f26b8830917ec6e74409b80c4

 program/steps/mail/compose.inc

@@ -29,7 +29,6 @@
define('RCUBE_COMPOSE_EDIT', 0x0109);

$MESSAGE_FORM = null;
$MESSAGE      = null;
$COMPOSE_ID   = get_input_value('_id', RCUBE_INPUT_GET);
$COMPOSE      = null;

@@ -119,7 +118,11 @@
  }

  // redirect to a unique URL with all parameters stored in session
  $OUTPUT->redirect(array('_action' => 'compose', '_id' => $COMPOSE['id']));
  $OUTPUT->redirect(array(
    '_action' => 'compose',
    '_id'     => $COMPOSE['id'],
    '_search' => $_REQUEST['_search'],
  ));
}


@@ -181,7 +184,7 @@
  $MESSAGE = new rcube_message($msg_uid);

  // make sure message is marked as read
  if ($MESSAGE && $MESSAGE->headers && empty($MESSAGE->headers->flags['SEEN']))
  if ($MESSAGE->headers && empty($MESSAGE->headers->flags['SEEN']))
    $RCMAIL->storage->set_flag($msg_uid, 'SEEN');

  if (!empty($MESSAGE->headers->charset))
@@ -240,6 +243,9 @@
    if (!empty($COMPOSE['param']['attachment']))
      $MESSAGE->forward_attachment = true;
  }
}
else {
  $MESSAGE = new stdClass();
}

$MESSAGE->compose = array();
@@ -526,7 +532,7 @@

function rcmail_compose_header_from($attrib)
{
  global $MESSAGE, $OUTPUT;
  global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;

  // pass the following attributes to the form class
  $field_attrib = array('name' => '_from');
@@ -537,6 +543,8 @@
  if (count($MESSAGE->identities))
  {
    $a_signatures = array();
    $separator    = $RCMAIL->config->get('sig_above')
      && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';

    $field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
    $select_from = new html_select($field_attrib);
@@ -550,13 +558,27 @@
      // add signature to array
      if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
      {
        $a_signatures[$identity_id]['text'] = $sql_arr['signature'];
        $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
        if ($a_signatures[$identity_id]['is_html'])
        {
            $h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
            $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
        $text = $html = $sql_arr['signature'];

        if ($sql_arr['html_signature']) {
            $h2t  = new html2text($sql_arr['signature'], false, false);
            $text = trim($h2t->get_text());
        }
        else {
            $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
        }

        if (!preg_match('/^--[ -]\r?\n/m', $text)) {
            $text = $separator . "\n" . $text;
            $html = $separator . "<br>" . $html;
        }

        if (!$sql_arr['html_signature']) {
            $html = "<pre>" . $html . "</pre>";
        }

        $a_signatures[$identity_id]['text'] = $text;
        $a_signatures[$identity_id]['html'] = $html;
      }
    }

@@ -626,7 +648,8 @@

    if (!empty($MESSAGE->parts)) {
      foreach ($MESSAGE->parts as $part) {
        if ($part->type != 'content' || !$part->size) {
        // skip no-content and attachment parts (#1488557)
        if ($part->type != 'content' || !$part->size || $MESSAGE->is_attachment($part)) {
          continue;
        }

@@ -662,9 +685,9 @@
  if ($isHtml && preg_match('#<img src="\./program/blocked\.gif"#', $body)) {
    if ($attachment = rcmail_save_image('program/blocked.gif', 'image/gif')) {
      $COMPOSE['attachments'][$attachment['id']] = $attachment;
      $body = preg_replace('#\./program/blocked\.gif#',
        $RCMAIL->comm_path.'&_action=display-attachment&_file=rcmfile'.$attachment['id'].'&_id='.$COMPOSE['id'],
        $body);
      $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s',
        $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']);
      $body = preg_replace('#\./program/blocked\.gif#', $url, $body);
    }
  }

@@ -764,6 +787,7 @@

  // If desired, set this textarea to be editable by TinyMCE
  if ($isHtml) {
    $MESSAGE_BODY = htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET);
    $attrib['class'] = 'mce_editor';
    $textarea = new html_textarea($attrib);
    $out .= $textarea->show($MESSAGE_BODY);
@@ -813,6 +837,9 @@
    if (!$spellcheck_langs[$lang])
      $lang = 'en';

    $OUTPUT->set_env('spell_langs', $spellcheck_langs);
    $OUTPUT->set_env('spell_lang', $lang);

    $editor_lang_set = array();
    foreach ($spellcheck_langs as $key => $name) {
      $editor_lang_set[] = ($key == $lang ? '+' : '') . JQ($name).'='.JQ($key);
@@ -830,7 +857,7 @@
      "googie.lang_learn_word = \"%s\";\n".
      "googie.setLanguages(%s);\n".
      "googie.setCurrentLanguage('%s');\n".
      "googie.setSpellContainer('spellcheck-control');\n".
      "googie.setDecoration(false);\n".
      "googie.decorateTextarea('%s');\n".
      "%s.set_env('spellcheck', googie);",
      $RCMAIL->output->get_skin_path(),
@@ -950,18 +977,18 @@
        "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
      rcube_label('subject'), Q($MESSAGE->subject),
      rcube_label('date'), Q($date),
      rcube_label('from'), htmlspecialchars(Q($MESSAGE->get_header('from'), 'replace'), ENT_COMPAT, $charset),
      rcube_label('to'), htmlspecialchars(Q($MESSAGE->get_header('to'), 'replace'), ENT_COMPAT, $charset));
      rcube_label('from'), Q($MESSAGE->get_header('from'), 'replace'),
      rcube_label('to'), Q($MESSAGE->get_header('to'), 'replace'));

    if ($MESSAGE->headers->cc)
      $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
        rcube_label('cc'),
        htmlspecialchars(Q($MESSAGE->get_header('cc'), 'replace'), ENT_COMPAT, $charset));
        Q($MESSAGE->get_header('cc'), 'replace'));

    if ($MESSAGE->headers->replyto && $MESSAGE->headers->replyto != $MESSAGE->headers->from)
      $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
        rcube_label('replyto'),
        htmlspecialchars(Q($MESSAGE->get_header('replyto'), 'replace'), ENT_COMPAT, $charset));
        Q($MESSAGE->get_header('replyto'), 'replace'));

    $prefix .= "</tbody></table><br>";
  }
@@ -1041,7 +1068,8 @@
      if (!$skip && ($attachment = rcmail_save_attachment($message, $pid))) {
        $COMPOSE['attachments'][$attachment['id']] = $attachment;
        if ($bodyIsHtml && ($part->content_id || $part->content_location)) {
          $url = $RCMAIL->comm_path.'&_action=display-attachment&_file=rcmfile'.$attachment['id'].'&_id='.$COMPOSE['id'];
          $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s',
            $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']);
          if ($part->content_id)
            $cid_map['cid:'.$part->content_id] = $url;
          else
@@ -1066,7 +1094,8 @@
    if (($part->content_id || $part->content_location) && $part->filename) {
      if ($attachment = rcmail_save_attachment($message, $pid)) {
        $COMPOSE['attachments'][$attachment['id']] = $attachment;
        $url = $RCMAIL->comm_path.'&_action=display-attachment&_file=rcmfile'.$attachment['id'].'&_id='.$COMPOSE['id'];
          $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s',
            $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']);
        if ($part->content_id)
          $cid_map['cid:'.$part->content_id] = $url;
        else
@@ -1393,7 +1422,7 @@
  $attrib['value'] = '1';
  $checkbox = new html_checkbox($attrib);

  if ($MESSAGE && in_array($compose_mode, array(RCUBE_COMPOSE_DRAFT, RCUBE_COMPOSE_EDIT)))
  if (in_array($compose_mode, array(RCUBE_COMPOSE_DRAFT, RCUBE_COMPOSE_EDIT)))
    $mdn_default = (bool) $MESSAGE->headers->mdn_to;
  else
    $mdn_default = $RCMAIL->config->get('mdn_default');