From 14c4677eede6263f26b8830917ec6e74409b80c4 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 15 Aug 2012 05:21:49 -0400
Subject: [PATCH] Fix XSS issue where plain signatures wasn't secured in HTML mode (#1488613)
---
program/steps/mail/compose.inc | 202 ++++++++++++++++++++++++++++++++++----------------
1 files changed, 137 insertions(+), 65 deletions(-)
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 6b2fa7b..2994bf0 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -29,7 +29,6 @@
define('RCUBE_COMPOSE_EDIT', 0x0109);
$MESSAGE_FORM = null;
-$MESSAGE = null;
$COMPOSE_ID = get_input_value('_id', RCUBE_INPUT_GET);
$COMPOSE = null;
@@ -119,7 +118,11 @@
}
// redirect to a unique URL with all parameters stored in session
- $OUTPUT->redirect(array('_action' => 'compose', '_id' => $COMPOSE['id']));
+ $OUTPUT->redirect(array(
+ '_action' => 'compose',
+ '_id' => $COMPOSE['id'],
+ '_search' => $_REQUEST['_search'],
+ ));
}
@@ -181,7 +184,7 @@
$MESSAGE = new rcube_message($msg_uid);
// make sure message is marked as read
- if ($MESSAGE && $MESSAGE->headers && empty($MESSAGE->headers->flags['SEEN']))
+ if ($MESSAGE->headers && empty($MESSAGE->headers->flags['SEEN']))
$RCMAIL->storage->set_flag($msg_uid, 'SEEN');
if (!empty($MESSAGE->headers->charset))
@@ -240,6 +243,9 @@
if (!empty($COMPOSE['param']['attachment']))
$MESSAGE->forward_attachment = true;
}
+}
+else {
+ $MESSAGE = new stdClass();
}
$MESSAGE->compose = array();
@@ -526,7 +532,7 @@
function rcmail_compose_header_from($attrib)
{
- global $MESSAGE, $OUTPUT;
+ global $MESSAGE, $OUTPUT, $RCMAIL, $compose_mode;
// pass the following attributes to the form class
$field_attrib = array('name' => '_from');
@@ -537,6 +543,8 @@
if (count($MESSAGE->identities))
{
$a_signatures = array();
+ $separator = $RCMAIL->config->get('sig_above')
+ && ($compose_mode == RCUBE_COMPOSE_REPLY || $compose_mode == RCUBE_COMPOSE_FORWARD) ? '---' : '-- ';
$field_attrib['onchange'] = JS_OBJECT_NAME.".change_identity(this)";
$select_from = new html_select($field_attrib);
@@ -550,13 +558,27 @@
// add signature to array
if (!empty($sql_arr['signature']) && empty($COMPOSE['param']['nosig']))
{
- $a_signatures[$identity_id]['text'] = $sql_arr['signature'];
- $a_signatures[$identity_id]['is_html'] = ($sql_arr['html_signature'] == 1) ? true : false;
- if ($a_signatures[$identity_id]['is_html'])
- {
- $h2t = new html2text($a_signatures[$identity_id]['text'], false, false);
- $a_signatures[$identity_id]['plain_text'] = trim($h2t->get_text());
+ $text = $html = $sql_arr['signature'];
+
+ if ($sql_arr['html_signature']) {
+ $h2t = new html2text($sql_arr['signature'], false, false);
+ $text = trim($h2t->get_text());
}
+ else {
+ $html = htmlentities($html, ENT_NOQUOTES, RCMAIL_CHARSET);
+ }
+
+ if (!preg_match('/^--[ -]\r?\n/m', $text)) {
+ $text = $separator . "\n" . $text;
+ $html = $separator . "<br>" . $html;
+ }
+
+ if (!$sql_arr['html_signature']) {
+ $html = "<pre>" . $html . "</pre>";
+ }
+
+ $a_signatures[$identity_id]['text'] = $text;
+ $a_signatures[$identity_id]['html'] = $html;
}
}
@@ -587,10 +609,10 @@
$html_editor = intval($RCMAIL->config->get('htmleditor'));
if ($compose_mode == RCUBE_COMPOSE_DRAFT || $compose_mode == RCUBE_COMPOSE_EDIT) {
- $useHtml = $MESSAGE->has_html_part();
+ $useHtml = $MESSAGE->has_html_part(false);
}
else if ($compose_mode == RCUBE_COMPOSE_REPLY) {
- $useHtml = ($html_editor == 1 || ($html_editor == 2 && $MESSAGE->has_html_part()));
+ $useHtml = ($html_editor == 1 || ($html_editor == 2 && $MESSAGE->has_html_part(false)));
}
else { // RCUBE_COMPOSE_FORWARD or NEW
$useHtml = ($html_editor == 1);
@@ -622,40 +644,22 @@
}
// reply/edit/draft/forward
else if ($compose_mode) {
- $has_html_part = $MESSAGE->has_html_part();
$isHtml = rcmail_compose_editor_mode();
- if ($isHtml) {
- if ($has_html_part) {
- $body = $MESSAGE->first_html_part();
- }
- else {
- $body = $MESSAGE->first_text_part();
- // try to remove the signature
- if ($RCMAIL->config->get('strip_existing_sig', true))
- $body = rcmail_remove_signature($body);
- // add HTML formatting
- $body = rcmail_plain_body($body);
- if ($body)
- $body = '<pre>' . $body . '</pre>';
+ if (!empty($MESSAGE->parts)) {
+ foreach ($MESSAGE->parts as $part) {
+ // skip no-content and attachment parts (#1488557)
+ if ($part->type != 'content' || !$part->size || $MESSAGE->is_attachment($part)) {
+ continue;
+ }
+
+ if ($part_body = rcmail_compose_part_body($part, $isHtml)) {
+ $body .= ($body ? ($isHtml ? '<br/>' : "\n") : '') . $part_body;
+ }
}
}
else {
- if ($has_html_part) {
- // use html part if it has been used for message (pre)viewing
- // decrease line length for quoting
- $len = $compose_mode == RCUBE_COMPOSE_REPLY ? $LINE_LENGTH-2 : $LINE_LENGTH;
- $txt = new html2text($MESSAGE->first_html_part(), false, true, $len);
- $body = $txt->get_text();
- }
- else {
- $body = $MESSAGE->first_text_part($part);
- if ($body && $part && $part->ctype_secondary == 'plain'
- && $part->ctype_parameters['format'] == 'flowed'
- ) {
- $body = rcube_mime::unfold_flowed($body);
- }
- }
+ $body = rcmail_compose_part_body($MESSAGE, $isHtml);
}
// compose reply-body
@@ -681,15 +685,79 @@
if ($isHtml && preg_match('#<img src="\./program/blocked\.gif"#', $body)) {
if ($attachment = rcmail_save_image('program/blocked.gif', 'image/gif')) {
$COMPOSE['attachments'][$attachment['id']] = $attachment;
- $body = preg_replace('#\./program/blocked\.gif#',
- $RCMAIL->comm_path.'&_action=display-attachment&_file=rcmfile'.$attachment['id'].'&_id='.$COMPOSE['id'],
- $body);
+ $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s',
+ $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']);
+ $body = preg_replace('#\./program/blocked\.gif#', $url, $body);
}
}
$HTML_MODE = $isHtml;
return $body;
+}
+
+function rcmail_compose_part_body($part, $isHtml = false)
+{
+ global $RCMAIL, $MESSAGE, $compose_mode;
+
+ // Check if we have enough memory to handle the message in it
+ // #1487424: we need up to 10x more memory than the body
+ if (!rcmail_mem_check($part->size * 10)) {
+ return '';
+ }
+
+ if (empty($part->ctype_parameters) || empty($part->ctype_parameters['charset'])) {
+ $part->ctype_parameters['charset'] = $MESSAGE->headers->charset;
+ }
+
+ // fetch part if not available
+ if (!isset($part->body)) {
+ $part->body = $MESSAGE->get_part_content($part->mime_id);
+ }
+
+ // message is cached but not exists (#1485443), or other error
+ if ($part->body === false) {
+ return '';
+ }
+
+ $body = $part->body;
+
+ if ($isHtml) {
+ if ($part->ctype_secondary == 'html') {
+ }
+ else {
+ // try to remove the signature
+ if ($RCMAIL->config->get('strip_existing_sig', true)) {
+ $body = rcmail_remove_signature($body);
+ }
+ // add HTML formatting
+ $body = rcmail_plain_body($body);
+ if ($body) {
+ $body = '<pre>' . $body . '</pre>';
+ }
+ }
+ }
+ else {
+ if ($part->ctype_secondary == 'html') {
+ // use html part if it has been used for message (pre)viewing
+ // decrease line length for quoting
+ $len = $compose_mode == RCUBE_COMPOSE_REPLY ? $LINE_LENGTH-2 : $LINE_LENGTH;
+ $txt = new html2text($body, false, true, $len);
+ $body = $txt->get_text();
+ }
+ else {
+ if ($part->ctype_secondary == 'plain' && $part->ctype_parameters['format'] == 'flowed') {
+ $body = rcube_mime::unfold_flowed($body);
+ }
+
+ // try to remove the signature
+ if ($RCMAIL->config->get('strip_existing_sig', true)) {
+ $body = rcmail_remove_signature($body);
+ }
+ }
+ }
+
+ return $body;
}
function rcmail_compose_body($attrib)
@@ -719,6 +787,7 @@
// If desired, set this textarea to be editable by TinyMCE
if ($isHtml) {
+ $MESSAGE_BODY = htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET);
$attrib['class'] = 'mce_editor';
$textarea = new html_textarea($attrib);
$out .= $textarea->show($MESSAGE_BODY);
@@ -739,14 +808,14 @@
// include HTML editor
rcube_html_editor();
- // include GoogieSpell
+ // Set language list
if (!empty($CONFIG['enable_spellcheck'])) {
$engine = $RCMAIL->config->get('spellcheck_engine','googie');
$dictionary = (bool) $RCMAIL->config->get('spellcheck_dictionary');
$spellcheck_langs = (array) $RCMAIL->config->get('spellcheck_languages',
array('da'=>'Dansk', 'de'=>'Deutsch', 'en' => 'English', 'es'=>'Español',
'fr'=>'Français', 'it'=>'Italiano', 'nl'=>'Nederlands', 'pl'=>'Polski',
- 'pt'=>'Português', 'fi'=>'Suomi', 'sv'=>'Svenska'));
+ 'pt'=>'Português', 'ru'=>'Русский', 'fi'=>'Suomi', 'sv'=>'Svenska'));
// googie works only with two-letter codes
if ($engine == 'googie') {
@@ -768,14 +837,18 @@
if (!$spellcheck_langs[$lang])
$lang = 'en';
+ $OUTPUT->set_env('spell_langs', $spellcheck_langs);
+ $OUTPUT->set_env('spell_lang', $lang);
+
$editor_lang_set = array();
foreach ($spellcheck_langs as $key => $name) {
$editor_lang_set[] = ($key == $lang ? '+' : '') . JQ($name).'='.JQ($key);
}
+ // include GoogieSpell
$OUTPUT->include_script('googiespell.js');
$OUTPUT->add_script(sprintf(
- "var googie = new GoogieSpell('\$__skin_path/images/googiespell/','?_task=utils&_action=spell&lang=', %s);\n".
+ "var googie = new GoogieSpell('%s/images/googiespell/','%s&lang=', %s);\n".
"googie.lang_chck_spell = \"%s\";\n".
"googie.lang_rsm_edt = \"%s\";\n".
"googie.lang_close = \"%s\";\n".
@@ -784,9 +857,11 @@
"googie.lang_learn_word = \"%s\";\n".
"googie.setLanguages(%s);\n".
"googie.setCurrentLanguage('%s');\n".
- "googie.setSpellContainer('spellcheck-control');\n".
+ "googie.setDecoration(false);\n".
"googie.decorateTextarea('%s');\n".
"%s.set_env('spellcheck', googie);",
+ $RCMAIL->output->get_skin_path(),
+ $RCMAIL->url(array('_task' => 'utils', '_action' => 'spell')),
!empty($dictionary) ? 'true' : 'false',
JQ(Q(rcube_label('checkspelling'))),
JQ(Q(rcube_label('resumeediting'))),
@@ -825,10 +900,6 @@
if (!$bodyIsHtml) {
$body = preg_replace('/\r?\n/', "\n", $body);
-
- // try to remove the signature
- if ($RCMAIL->config->get('strip_existing_sig', true))
- $body = rcmail_remove_signature($body);
// soft-wrap and quote message text
$body = rcmail_wrap_and_quote(rtrim($body, "\n"), $LINE_LENGTH);
@@ -906,18 +977,18 @@
"<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
rcube_label('subject'), Q($MESSAGE->subject),
rcube_label('date'), Q($date),
- rcube_label('from'), htmlspecialchars(Q($MESSAGE->get_header('from'), 'replace'), ENT_COMPAT, $charset),
- rcube_label('to'), htmlspecialchars(Q($MESSAGE->get_header('to'), 'replace'), ENT_COMPAT, $charset));
+ rcube_label('from'), Q($MESSAGE->get_header('from'), 'replace'),
+ rcube_label('to'), Q($MESSAGE->get_header('to'), 'replace'));
if ($MESSAGE->headers->cc)
$prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
rcube_label('cc'),
- htmlspecialchars(Q($MESSAGE->get_header('cc'), 'replace'), ENT_COMPAT, $charset));
+ Q($MESSAGE->get_header('cc'), 'replace'));
if ($MESSAGE->headers->replyto && $MESSAGE->headers->replyto != $MESSAGE->headers->from)
$prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
rcube_label('replyto'),
- htmlspecialchars(Q($MESSAGE->get_header('replyto'), 'replace'), ENT_COMPAT, $charset));
+ Q($MESSAGE->get_header('replyto'), 'replace'));
$prefix .= "</tbody></table><br>";
}
@@ -953,7 +1024,8 @@
{
global $RCMAIL;
- $len = strlen($body);
+ $body = str_replace("\r\n", "\n", $body);
+ $len = strlen($body);
$sig_max_lines = $RCMAIL->config->get('sig_max_lines', 15);
while (($sp = strrpos($body, "-- \n", $sp ? -$len+$sp-1 : 0)) !== false) {
@@ -996,7 +1068,8 @@
if (!$skip && ($attachment = rcmail_save_attachment($message, $pid))) {
$COMPOSE['attachments'][$attachment['id']] = $attachment;
if ($bodyIsHtml && ($part->content_id || $part->content_location)) {
- $url = $RCMAIL->comm_path.'&_action=display-attachment&_file=rcmfile'.$attachment['id'].'&_id='.$COMPOSE['id'];
+ $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s',
+ $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']);
if ($part->content_id)
$cid_map['cid:'.$part->content_id] = $url;
else
@@ -1021,7 +1094,8 @@
if (($part->content_id || $part->content_location) && $part->filename) {
if ($attachment = rcmail_save_attachment($message, $pid)) {
$COMPOSE['attachments'][$attachment['id']] = $attachment;
- $url = $RCMAIL->comm_path.'&_action=display-attachment&_file=rcmfile'.$attachment['id'].'&_id='.$COMPOSE['id'];
+ $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s',
+ $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']);
if ($part->content_id)
$cid_map['cid:'.$part->content_id] = $url;
else
@@ -1348,7 +1422,7 @@
$attrib['value'] = '1';
$checkbox = new html_checkbox($attrib);
- if ($MESSAGE && in_array($compose_mode, array(RCUBE_COMPOSE_DRAFT, RCUBE_COMPOSE_EDIT)))
+ if (in_array($compose_mode, array(RCUBE_COMPOSE_DRAFT, RCUBE_COMPOSE_EDIT)))
$mdn_default = (bool) $MESSAGE->headers->mdn_to;
else
$mdn_default = $RCMAIL->config->get('mdn_default');
@@ -1474,7 +1548,7 @@
}
-function rcmail_adressbook_list($attrib = array())
+function rcmail_addressbook_list($attrib = array())
{
global $RCMAIL, $OUTPUT;
@@ -1503,7 +1577,7 @@
$js_id, (!empty($source['name']) ? Q($source['name']) : Q($id)));
}
- $OUTPUT->add_gui_object('adressbookslist', $attrib['id']);
+ $OUTPUT->add_gui_object('addressbookslist', $attrib['id']);
return html::tag('ul', $attrib, $out, html::$common_attrib);
}
@@ -1539,10 +1613,8 @@
'receiptcheckbox' => 'rcmail_receipt_checkbox',
'dsncheckbox' => 'rcmail_dsn_checkbox',
'storetarget' => 'rcmail_store_target_selection',
- 'adressbooks' => 'rcmail_adressbook_list',
+ 'addressbooks' => 'rcmail_addressbook_list',
'addresslist' => 'rcmail_contacts_list',
));
$OUTPUT->send('compose');
-
-
--
Gitblit v1.9.1