From 89a5dcb946fb34d39617b52572d8e9fe90d10617 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Dec 2015 06:42:17 -0500
Subject: [PATCH] Fix path traversal vulnerability in setting a skin (#1490620)
---
program/include/rcmail_output_html.php | 248 ++++++++++++++++++++++++++++++++++++++++---------
1 files changed, 202 insertions(+), 46 deletions(-)
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 6594209..2374f87 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -45,6 +45,8 @@
protected $footer = '';
protected $body = '';
protected $base_path = '';
+ protected $assets_path;
+ protected $assets_dir = RCUBE_INSTALL_PATH;
protected $devel_mode = false;
// deprecated names of templates used before 0.5
@@ -79,6 +81,8 @@
$skin = $this->config->get('skin');
$this->set_skin($skin);
$this->set_env('skin', $skin);
+
+ $this->set_assets_path($this->config->get('assets_path'), $this->config->get('assets_dir'));
if (!empty($_REQUEST['_extwin']))
$this->set_env('extwin', 1);
@@ -145,6 +149,55 @@
}
/**
+ * Parse and set assets path
+ *
+ * @param string Assets path (relative or absolute URL)
+ */
+ public function set_assets_path($path, $fs_dir = null)
+ {
+ if (empty($path)) {
+ return;
+ }
+
+ $path = rtrim($path, '/') . '/';
+
+ // handle relative assets path
+ if (!preg_match('|^https?://|', $path) && $path[0] != '/') {
+ // save the path to search for asset files later
+ $this->assets_dir = $path;
+
+ $base = preg_replace('/[?#&].*$/', '', $_SERVER['REQUEST_URI']);
+ $base = rtrim($base, '/');
+
+ // remove url token if exists
+ if ($len = intval($this->config->get('use_secure_urls'))) {
+ $_base = explode('/', $base);
+ $last = count($_base) - 1;
+ $length = $len > 1 ? $len : 16; // as in rcube::get_secure_url_token()
+
+ // we can't use real token here because it
+ // does not exists in unauthenticated state,
+ // hope this will not produce false-positive matches
+ if ($last > -1 && preg_match('/^[a-f0-9]{' . $length . '}$/', $_base[$last])) {
+ $path = '../' . $path;
+ }
+ }
+ }
+
+ // set filesystem path for assets
+ if ($fs_dir) {
+ if ($fs_dir[0] != '/') {
+ $fs_dir = realpath(RCUBE_INSTALL_PATH . $fs_dir);
+ }
+ // ensure the path ends with a slash
+ $this->assets_dir = rtrim($fs_dir, '/') . '/';
+ }
+
+ $this->assets_path = $path;
+ $this->set_env('assets_path', $path);
+ }
+
+ /**
* Getter for the current page title
*
* @return string The page title
@@ -172,6 +225,17 @@
*/
public function set_skin($skin)
{
+ // Sanity check to prevent from path traversal vulnerability (#1490620)
+ if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+ rcube::raise_error(array(
+ 'file' => __FILE__,
+ 'line' => __LINE__,
+ 'message' => 'Invalid skin name'
+ ), true, false);
+
+ return false;
+ }
+
$valid = false;
$path = RCUBE_INSTALL_PATH . 'skins/';
@@ -186,6 +250,8 @@
}
$valid = !$skin;
}
+
+ $skin_path = rtrim($skin_path, '/');
$this->config->set('skin_path', $skin_path);
$this->base_path = $skin_path;
@@ -249,6 +315,7 @@
* @param string File name/path to resolve (starting with /)
* @param string Reference to the base path of the matching skin
* @param string Additional path to search in
+ *
* @return mixed Relative path to the requested file or False if not found
*/
public function get_skin_file($file, &$skin_path = null, $add_path = null)
@@ -259,9 +326,18 @@
}
foreach ($skin_paths as $skin_path) {
- $path = realpath($skin_path . $file);
- if (is_file($path)) {
+ $path = realpath(RCUBE_INSTALL_PATH . $skin_path . $file);
+
+ if ($path && is_file($path)) {
return $skin_path . $file;
+ }
+
+ if ($this->assets_dir != RCUBE_INSTALL_PATH) {
+ $path = realpath($this->assets_dir . $skin_path . $file);
+
+ if ($path && is_file($path)) {
+ return $skin_path . $file;
+ }
}
}
@@ -367,14 +443,15 @@
/**
* Redirect to a certain url
*
- * @param mixed $p Either a string with the action or url parameters as key-value pairs
- * @param int $delay Delay in seconds
+ * @param mixed $p Either a string with the action or url parameters as key-value pairs
+ * @param int $delay Delay in seconds
+ * @param bool $secure Redirect to secure location (see rcmail::url())
*/
- public function redirect($p = array(), $delay = 1)
+ public function redirect($p = array(), $delay = 1, $secure = false)
{
if ($this->env['extwin'])
$p['extwin'] = 1;
- $location = $this->app->url($p);
+ $location = $this->app->url($p, false, false, $secure);
header('Location: ' . $location);
exit;
}
@@ -419,15 +496,6 @@
*/
public function write($template = '')
{
- // unlock interface after iframe load
- $unlock = preg_replace('/[^a-z0-9]/i', '', $_REQUEST['_unlock']);
- if ($this->framed) {
- array_unshift($this->js_commands, array('iframe_loaded', $unlock));
- }
- else if ($unlock) {
- array_unshift($this->js_commands, array('hide_message', $unlock));
- }
-
if (!empty($this->script_files)) {
$this->set_env('request_token', $this->app->get_request_token());
}
@@ -439,6 +507,8 @@
if ($framed) {
$this->scripts = array();
$this->script_files = array();
+ $this->header = '';
+ $this->footer = '';
}
// write all javascript commands
@@ -467,6 +537,8 @@
{
$plugin = false;
$realname = $name;
+ $plugin_skin_paths = array();
+
$this->template_name = $realname;
$temp = explode('.', $name, 2);
@@ -476,7 +548,6 @@
$skin_dir = $plugin . '/skins/' . $this->config->get('skin');
// apply skin search escalation list to plugin directory
- $plugin_skin_paths = array();
foreach ($this->skin_paths as $skin_path) {
$plugin_skin_paths[] = $this->app->plugins->url . $plugin . '/' . $skin_path;
}
@@ -487,18 +558,18 @@
$plugin_skin_paths[] = $this->app->plugins->url . $skin_dir;
}
- // add plugin skin paths to search list
+ // prepend plugin skin paths to search list
$this->skin_paths = array_merge($plugin_skin_paths, $this->skin_paths);
}
// find skin template
$path = false;
foreach ($this->skin_paths as $skin_path) {
- $path = "$skin_path/templates/$name.html";
+ $path = RCUBE_INSTALL_PATH . "$skin_path/templates/$name.html";
// fallback to deprecated template names
if (!is_readable($path) && $this->deprecated_templates[$realname]) {
- $path = "$skin_path/templates/" . $this->deprecated_templates[$realname] . ".html";
+ $path = RCUBE_INSTALL_PATH . "$skin_path/templates/" . $this->deprecated_templates[$realname] . ".html";
if (is_readable($path)) {
rcube::raise_error(array(
@@ -524,12 +595,14 @@
// read template file
if (!$path || ($templ = @file_get_contents($path)) === false) {
rcube::raise_error(array(
- 'code' => 501,
+ 'code' => 404,
'type' => 'php',
'line' => __LINE__,
'file' => __FILE__,
'message' => 'Error loading template for '.$realname
), true, $write);
+
+ $this->skin_paths = array_slice($this->skin_paths, count($plugin_skin_paths));
return false;
}
@@ -554,6 +627,9 @@
$output = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $output);
$this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
+ // remove plugin skin paths from current context
+ $this->skin_paths = array_slice($this->skin_paths, count($plugin_skin_paths));
+
if (!$write) {
return $output;
}
@@ -572,18 +648,31 @@
*/
protected function get_js_commands(&$framed = null)
{
- if (!$this->framed && !empty($this->js_env)) {
- $this->command('set_env', $this->js_env);
- }
-
- if (!empty($this->js_labels)) {
- $this->command('add_label', $this->js_labels);
- }
-
- $out = '';
+ $out = '';
$parent_commands = 0;
+ $top_commands = array();
- foreach ($this->js_commands as $i => $args) {
+ // these should be always on top,
+ // e.g. hide_message() below depends on env.framed
+ if (!$this->framed && !empty($this->js_env)) {
+ $top_commands[] = array('set_env', $this->js_env);
+ }
+ if (!empty($this->js_labels)) {
+ $top_commands[] = array('add_label', $this->js_labels);
+ }
+
+ // unlock interface after iframe load
+ $unlock = preg_replace('/[^a-z0-9]/i', '', $_REQUEST['_unlock']);
+ if ($this->framed) {
+ $top_commands[] = array('iframe_loaded', $unlock);
+ }
+ else if ($unlock) {
+ $top_commands[] = array('hide_message', $unlock);
+ }
+
+ $commands = array_merge($top_commands, $this->js_commands);
+
+ foreach ($commands as $i => $args) {
$method = array_shift($args);
$parent = $this->framed || preg_match('/^parent\./', $method);
@@ -604,7 +693,7 @@
$out .= sprintf("%s(%s);\n", $method, implode(',', $args));
}
- $framed = $parent_prefix && $parent_commands == count($this->js_commands);
+ $framed = $parent_prefix && $parent_commands == count($commands);
// make the output more compact if all commands go to parent window
if ($framed) {
@@ -653,6 +742,21 @@
exit;
}
+ /**
+ * Modify path by adding URL prefix if configured
+ */
+ public function asset_url($path)
+ {
+ // iframe content can't be in a different domain
+ // @TODO: check if assests are on a different domain
+
+ if (!$this->assets_path || in_array($path[0], array('?', '/', '.')) || strpos($path, '://')) {
+ return $path;
+ }
+
+ return $this->assets_path . $path;
+ }
+
/***** Template parsing methods *****/
@@ -690,7 +794,7 @@
}
/**
- * Callback function for preg_replace_callback in write()
+ * Callback function for preg_replace_callback in fix_paths()
*
* @return string Parsed string
*/
@@ -713,6 +817,28 @@
}
/**
+ * Correct paths of asset files according to assets_path
+ */
+ protected function fix_assets_paths($output)
+ {
+ return preg_replace_callback(
+ '!(src|href|background)=(["\']?)([a-z0-9/_.?=-]+)(["\'\s>])!i',
+ array($this, 'assets_callback'), $output);
+ }
+
+ /**
+ * Callback function for preg_replace_callback in fix_assets_paths()
+ *
+ * @return string Parsed string
+ */
+ protected function assets_callback($matches)
+ {
+ $file = $this->asset_url($matches[3]);
+
+ return $matches[1] . '=' . $matches[2] . $file . $matches[4];
+ }
+
+ /**
* Modify file by adding mtime indicator
*/
protected function file_mod($file)
@@ -723,12 +849,12 @@
// use minified file if exists (not in development mode)
if (!$this->devel_mode && !preg_match('/\.min\.' . $ext . '$/', $file)) {
$minified_file = substr($file, 0, strlen($ext) * -1) . 'min.' . $ext;
- if ($fs = @filemtime($minified_file)) {
+ if ($fs = @filemtime($this->assets_dir . $minified_file)) {
return $minified_file . '?s=' . $fs;
}
}
- if ($fs = @filemtime($file)) {
+ if ($fs = @filemtime($this->assets_dir . $file)) {
$file .= '?s=' . $fs;
}
@@ -921,16 +1047,16 @@
$attrib['name'] = $this->eval_expression($attrib['expression']);
if ($attrib['name'] || $attrib['command']) {
- // @FIXME: 'noshow' is useless, remove?
- if ($attrib['noshow']) {
- return '';
- }
-
$vars = $attrib + array('product' => $this->config->get('product_name'));
unset($vars['name'], $vars['command']);
$label = $this->app->gettext($attrib + array('vars' => $vars));
$quoting = !empty($attrib['quoting']) ? strtolower($attrib['quoting']) : (rcube_utils::get_boolean((string)$attrib['html']) ? 'no' : '');
+
+ // 'noshow' can be used in skins to define new labels
+ if ($attrib['noshow']) {
+ return '';
+ }
switch ($quoting) {
case 'no':
@@ -955,7 +1081,7 @@
if (!empty($attrib['skin_path'])) $attrib['skinpath'] = $attrib['skin_path'];
if ($path = $this->get_skin_file($attrib['file'], $skin_path, $attrib['skinpath'])) {
$this->base_path = preg_replace('!plugins/\w+/!', '', $skin_path); // set base_path to core skin directory (not plugin's skin)
- $path = realpath($path);
+ $path = realpath(RCUBE_INSTALL_PATH . $path);
}
if (is_readable($path)) {
@@ -1133,7 +1259,8 @@
*/
public function button($attrib)
{
- static $s_button_count = 100;
+ static $s_button_count = 100;
+ static $disabled_actions = null;
// these commands can be called directly via url
$a_static_commands = array('compose', 'list', 'preferences', 'folders', 'identities');
@@ -1142,9 +1269,14 @@
return '';
}
+
// try to find out the button type
if ($attrib['type']) {
$attrib['type'] = strtolower($attrib['type']);
+ if ($pos = strpos($attrib['type'], '-menuitem')) {
+ $attrib['type'] = substr($attrib['type'], 0, -9);
+ $menuitem = true;
+ }
}
else {
$attrib['type'] = ($attrib['image'] || $attrib['imagepas'] || $attrib['imageact']) ? 'image' : 'link';
@@ -1152,8 +1284,21 @@
$command = $attrib['command'];
- if ($attrib['task'])
- $command = $attrib['task'] . '.' . $command;
+ if ($attrib['task']) {
+ $element = $command = $attrib['task'] . '.' . $command;
+ }
+ else {
+ $element = ($this->env['task'] ? $this->env['task'] . '.' : '') . $command;
+ }
+
+ if ($disabled_actions === null) {
+ $disabled_actions = (array) $this->config->get('disabled_actions');
+ }
+
+ // remove buttons for disabled actions
+ if (in_array($element, $disabled_actions)) {
+ return '';
+ }
if (!$attrib['image']) {
$attrib['image'] = $attrib['imagepas'] ? $attrib['imagepas'] : $attrib['imageact'];
@@ -1284,6 +1429,11 @@
if ($attrib['wrapper']) {
$out = html::tag($attrib['wrapper'], null, $out);
+ }
+
+ if ($menuitem) {
+ $class = $attrib['menuitem-class'] ? ' class="' . $attrib['menuitem-class'] . '"' : '';
+ $out = '<li role="menuitem"' . $class . '>' . $out . '</li>';
}
return $out;
@@ -1483,6 +1633,10 @@
$output = $this->parse_with_globals($this->fix_paths($output));
+ if ($this->assets_path) {
+ $output = $this->fix_assets_paths($output);
+ }
+
// trigger hook with final HTML content to be sent
$hook = $this->app->plugins->exec_hook("send_page", array('content' => $output));
if (!$hook['abort']) {
@@ -1511,12 +1665,12 @@
}
$attrib['name'] = $attrib['id'];
- $attrib['src'] = $attrib['src'] ? $this->abs_url($attrib['src'], true) : 'program/resources/blank.gif';
+ $attrib['src'] = $attrib['src'] ? $this->abs_url($attrib['src'], true) : 'program/resources/blank.gif';
// register as 'contentframe' object
if ($is_contentframe || $attrib['contentframe']) {
$this->set_env('contentframe', $attrib['contentframe'] ? $attrib['contentframe'] : $attrib['name']);
- $this->set_env('blankpage', $attrib['src']);
+ $this->set_env('blankpage', $this->asset_url($attrib['src']));
}
return html::iframe($attrib);
@@ -1728,9 +1882,11 @@
{
$images = preg_split('/[\s\t\n,]+/', $attrib['images'], -1, PREG_SPLIT_NO_EMPTY);
$images = array_map(array($this, 'abs_url'), $images);
+ $images = array_map(array($this, 'asset_url'), $images);
- if (empty($images) || $this->app->task == 'logout')
+ if (empty($images) || $_REQUEST['_task'] == 'logout') {
return;
+ }
$this->add_script('var images = ' . self::json_serialize($images) .';
for (var i=0; i<images.length; i++) {
--
Gitblit v1.9.1