From 40d7342dd9c9bd2a1d613edc848ed95a4d71aa18 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 06 Jan 2016 08:10:05 -0500
Subject: [PATCH] Fix XSS issue in SVG images handling (#1490625)
---
program/steps/mail/get.inc | 188 +++++++++++++++++++++++++++++-----------------
1 files changed, 117 insertions(+), 71 deletions(-)
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 02d57c7..96cdd77 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -1,6 +1,6 @@
<?php
-/*
+/**
+-----------------------------------------------------------------------+
| program/steps/mail/get.inc |
| |
@@ -22,7 +22,9 @@
// show loading page
if (!empty($_GET['_preload'])) {
- $url = preg_replace('/([&?]+)_preload=/', '\\1_mimewarning=1&_embed=', $_SERVER['REQUEST_URI']);
+ $_get = $_GET + array('_mimewarning' => 1, '_embed' => 1);
+ unset($_get['_preload']);
+ $url = $RCMAIL->url($_get);
$message = $RCMAIL->gettext('loadingdata');
header('Content-Type: text/html; charset=' . RCUBE_CHARSET);
@@ -35,12 +37,11 @@
ob_end_clean();
-
// similar code as in program/steps/mail/show.inc
if (!empty($_GET['_uid'])) {
$uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GET);
$RCMAIL->config->set('prefer_html', true);
- $MESSAGE = new rcube_message($uid);
+ $MESSAGE = new rcube_message($uid, null, intval($_GET['_safe']));
}
// check connection status
@@ -76,21 +77,25 @@
if ($part = $MESSAGE->mime_parts[$pid]) {
$thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240);
$temp_dir = $RCMAIL->config->get('temp_dir');
- list(,$ext) = explode('/', $part->mimetype);
$mimetype = $part->mimetype;
$file_ident = $MESSAGE->headers->messageID . ':' . $part->mime_id . ':' . $part->size . ':' . $part->mimetype;
$cache_basename = $temp_dir . '/' . md5($file_ident . ':' . $RCMAIL->user->ID . ':' . $thumbnail_size);
- $cache_file = $cache_basename . '.' . $ext;
+ $cache_file = $cache_basename . '.thumb';
// render thumbnail image if not done yet
if (!is_file($cache_file)) {
- if ($fp = fopen(($orig_name = $cache_basename . '.orig.' . $ext), 'w')) {
- $MESSAGE->get_part_content($part->mime_id, $fp);
+ if ($fp = fopen(($orig_name = $cache_basename . '.tmp'), 'w')) {
+ $MESSAGE->get_part_body($part->mime_id, false, 0, $fp);
fclose($fp);
$image = new rcube_image($orig_name);
if ($imgtype = $image->resize($thumbnail_size, $cache_file, true)) {
$mimetype = 'image/' . $imgtype;
+ unlink($orig_name);
+ }
+ else if (stripos($mimetype, 'image/svg') === 0) {
+ $content = rcmail_svg_filter(file_get_contents($orig_name));
+ file_put_contents($cache_file, $content);
unlink($orig_name);
}
else {
@@ -107,7 +112,6 @@
exit;
}
-
else if (strlen($part_id)) {
if ($part = $MESSAGE->mime_parts[$part_id]) {
$mimetype = rcmail_fix_mimetype($part->mimetype);
@@ -130,7 +134,7 @@
$extensions = rcube_mime::get_mime_extensions($mimetype);
if ($plugin['body']) {
- $part->body = $plugin['body'];
+ $body = $plugin['body'];
}
// compare file mimetype with the stated content-type headers and file extension to avoid malicious operations
@@ -138,38 +142,33 @@
$file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION));
// 1. compare filename suffix with expected suffix derived from mimetype
- $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']);
+ $valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']);
// 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension
if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) {
- if ($part->body) // part body is already loaded
- $body = $part->body;
- else if ($part->size && $part->size < 1024*1024) // load the entire part if it's small enough
- $body = $part->body = $MESSAGE->get_part_content($part->mime_id);
- else // fetch the first 2K of the message part
- $body = $MESSAGE->get_part_content($part->mime_id, null, true, 2048);
+ $tmp_body = $body ?: $MESSAGE->get_part_body($part->mime_id, false, 2048);
// detect message part mimetype
- $real_mimetype = rcube_mime::file_content_type($body, $part->filename, $mimetype, true, true);
+ $real_mimetype = rcube_mime::file_content_type($tmp_body, $part->filename, $mimetype, true, true);
list($real_ctype_primary, $real_ctype_secondary) = explode('/', $real_mimetype);
// accept text/plain with any extension
if ($real_mimetype == 'text/plain' && $real_mimetype == $mimetype) {
- $file_extension = 'txt';
- }
-
- // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here
- if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) {
- $real_mimetype = $mimetype;
- }
-
- // get valid file extensions
- $extensions = rcube_mime::get_mime_extensions($real_mimetype);
- $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions));
-
- // ignore filename extension if mimeclass matches (#1489029)
- if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) {
$valid_extension = true;
+ }
+ // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here
+ else if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) {
+ $real_mimetype = $mimetype;
+ $valid_extension = true;
+ }
+ // ignore filename extension if mimeclass matches (#1489029)
+ else if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) {
+ $valid_extension = true;
+ }
+ else {
+ // get valid file extensions
+ $extensions = rcube_mime::get_mime_extensions($real_mimetype);
+ $valid_extension = !$file_extension || empty($extensions) || in_array($file_extension, (array)$extensions);
}
// fix mimetype for images wrongly declared as octet-stream
@@ -177,7 +176,10 @@
$mimetype = $real_mimetype;
}
- $valid = ($real_mimetype == $mimetype && $valid_extension);
+ // "fix" real mimetype the same way the original is before comparison
+ $real_mimetype = rcmail_fix_mimetype($real_mimetype);
+
+ $valid = $real_mimetype == $mimetype && $valid_extension;
}
else {
$real_mimetype = $mimetype;
@@ -188,10 +190,12 @@
// send blocked.gif for expected images
if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) {
// Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed.
+ $content = $RCMAIL->get_resource_content('blocked.gif');
$OUTPUT->nocacheing_headers();
header("Content-Type: image/gif");
header("Content-Transfer-Encoding: binary");
- readfile(INSTALL_PATH . 'program/resources/blocked.gif');
+ header("Content-Length: " . strlen($content));
+ echo $content;
}
else { // html warning with a button to load the file anyway
$OUTPUT = new rcmail_html_page();
@@ -233,7 +237,7 @@
list($ctype_primary, $ctype_secondary) = explode('/', $mimetype);
if (!$plugin['download'] && $ctype_primary == 'text') {
- header("Content-Type: text/$ctype_secondary; charset=" . ($part->charset ? $part->charset : RCUBE_CHARSET));
+ header("Content-Type: text/$ctype_secondary; charset=" . ($part->charset ?: RCUBE_CHARSET));
}
else {
header("Content-Type: $mimetype");
@@ -247,19 +251,19 @@
if (!rcube_utils::mem_check($part->size * 10)) {
$out = '<body>' . $RCMAIL->gettext('messagetoobig'). ' '
. html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part='.$part->mime_id
- .'&_mbox='. urlencode($RCMAIL->storage->get_folder()), $RCMAIL->gettext('download')) . '</body></html>';
+ .'&_mbox='. urlencode($MESSAGE->folder), $RCMAIL->gettext('download')) . '</body></html>';
}
else {
// get part body if not available
- if (!$part->body) {
- $part->body = $MESSAGE->get_part_content($part->mime_id);
+ if (!isset($body)) {
+ $body = $MESSAGE->get_part_body($part->mime_id, true);
}
// show images?
rcmail_check_safe($MESSAGE);
// render HTML body
- $out = rcmail_print_body($part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false));
+ $out = rcmail_print_body($body, $part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false));
// insert remote objects warning into HTML body
if ($REMOTE_OBJECTS) {
@@ -280,7 +284,7 @@
}
// check connection status
- if ($part->size && empty($part->body)) {
+ if ($part->size && empty($body)) {
check_storage_status();
}
@@ -320,17 +324,17 @@
$file_path = tempnam($temp_dir, 'rcmAttmnt');
// write content to temp file
- if ($part->body) {
- $saved = file_put_contents($file_path, $part->body);
+ if ($body) {
+ $saved = file_put_contents($file_path, $body);
}
else if ($part->size) {
$fd = fopen($file_path, 'w');
- $saved = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $fd);
+ $saved = $MESSAGE->get_part_body($part->mime_id, false, 0, $fd);
fclose($fd);
}
// convert image to jpeg and send it to the browser
- if ($saved) {
+ if ($sent = $saved) {
$image = new rcube_image($file_path);
if ($image->convert(rcube_image::TYPE_JPG, $file_path)) {
header("Content-Length: " . filesize($file_path));
@@ -339,34 +343,8 @@
unlink($file_path);
}
}
- // do content filtering to avoid XSS through fake images
- else if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
- if ($part->body) {
- echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body;
- $sent = true;
- }
- else if ($part->size) {
- $stdout = fopen('php://output', 'w');
- stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');
- stream_filter_append($stdout, 'rcube_content');
- $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);
- }
- }
- // send part as-it-is
else {
- if ($part->body) {
- header("Content-Length: " . strlen($part->body));
- echo $part->body;
- $sent = true;
- }
- else if ($part->size) {
- if ($size = (int)$part->d_parameters['size']) {
- header("Content-Length: $size");
- }
-
- // 8th argument disables re-formatting of text/* parts (#1489267)
- $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, true, null, false, 0, false);
- }
+ $sent = rcmail_message_part_output($body, $part, $mimetype, $plugin['download']);
}
// check connection status
@@ -478,3 +456,71 @@
return html::iframe($attrib);
}
+
+/**
+ * Output attachment body with content filtering
+ */
+function rcmail_message_part_output($body, $part, $mimetype, $download)
+{
+ global $MESSAGE, $RCMAIL;
+
+ if (!$part->size && !$body) {
+ return false;
+ }
+
+ $browser = $RCMAIL->output->browser;
+ $secure = stripos($mimetype, 'image/') === false || $download;
+
+ // Remove <script> in SVG images
+ if (!$secure && stripos($mimetype, 'image/svg') === 0) {
+ if (!$body) {
+ $body = $MESSAGE->get_part_body($part->mime_id, false);
+ if (empty($body)) {
+ return false;
+ }
+ }
+
+ echo rcmail_svg_filter($body);
+ return true;
+ }
+
+ // Remove dangerous content in images for older IE (to be removed)
+ if (!$secure && $browser->ie && $browser->ver <= 8) {
+ if ($body) {
+ echo preg_match('/<(script|iframe|object)/i', $body) ? '' : $body;
+ return true;
+ }
+ else {
+ $stdout = fopen('php://output', 'w');
+ stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');
+ stream_filter_append($stdout, 'rcube_content');
+ return $MESSAGE->get_part_body($part->mime_id, true, 0, $stdout);
+ }
+ }
+
+ if ($body && !$download) {
+ header("Content-Length: " . strlen($body));
+ echo $body;
+ return true;
+ }
+
+ // Don't be tempted to set Content-Length to $part->d_parameters['size'] (#1490482)
+ // RFC2183 says "The size parameter indicates an approximate size"
+
+ return $MESSAGE->get_part_body($part->mime_id, false, 0, -1);
+}
+
+/**
+ * Remove <script> in SVG images
+ */
+function rcmail_svg_filter($body)
+{
+ $dom = new DOMDocument;
+ $dom->loadXML($body);
+
+ foreach ($dom->getElementsByTagName('script') as $node) {
+ $node->parentNode->removeChild($node);
+ }
+
+ return $dom->saveXML() ?: '';
+}
--
Gitblit v1.9.1