From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/get.inc |   29 ++++++++++++++++++++---------
 1 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 4eccd28..06a718f 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -5,7 +5,7 @@
  | program/steps/mail/get.inc                                            |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2005-2009, The Roundcube Dev Team                       |
+ | Copyright (C) 2005-2011, The Roundcube Dev Team                       |
  | Licensed under the GNU GPL                                            |
  |                                                                       |
  | PURPOSE:                                                              |
@@ -22,7 +22,7 @@
 
 // show loading page
 if (!empty($_GET['_preload'])) {
-  $url = str_replace('&_preload=1', '', $_SERVER['REQUEST_URI']);
+  $url = preg_replace('/[&?]+_preload=1/', '', $_SERVER['REQUEST_URI']);
   $message = rcube_label('loadingdata');
 
   header('Content-Type: text/html; charset=' . RCMAIL_CHARSET);
@@ -63,8 +63,6 @@
   $RCMAIL->config->set('prefer_html', true);
   $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
 }
-
-send_nocacheing_headers();
 
 // show part page
 if (!empty($_GET['_frame'])) {
@@ -136,11 +134,24 @@
 
       header("Content-Disposition: $disposition; filename=\"$filename\"");
 
-      // turn off output buffering and print part content
-      if ($part->body)
-        echo $part->body;
-      else if ($part->size)
-        $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
+      // do content filtering to avoid XSS through fake images
+      if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
+        if ($part->body)
+          echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body;
+        else if ($part->size) {
+          $stdout = fopen('php://output', 'w');
+          stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');
+          stream_filter_append($stdout, 'rcube_content');
+          $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);
+        }
+      }
+      else {
+        // turn off output buffering and print part content
+        if ($part->body)
+          echo $part->body;
+        else if ($part->size)
+          $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
+      }
     }
 
     exit;

--
Gitblit v1.9.1