[jan] Fix XSS vulnerability in Open Document mime viewer (Reported by…

…: Simon Scannell, SonarSource <simon.scannell@sonarsource.com>).
horde · Mar 1, 2022 · 86f4f26 · 86f4f26
1 parent 3fcdd27
commit 86f4f26
Show file tree

Hide file tree

Showing 11 changed files with 99 additions and 76 deletions.
diff --git a/.gitignore b/.gitignore
@@ -12,6 +12,7 @@ nbproject/
 *.swp
 *.kdev4
 .kdev4/*
+.idea/
 
 # Ignore ALL config files
 conf.php

diff --git a/.horde.yml b/.horde.yml
@@ -7,6 +7,12 @@ list: dev
 type: library
 homepage: https://www.horde.org/libraries/Horde_Mime_Viewer
 authors:
+  -
+    name: Jan Schneider
+    user: yunosh
+    email: jan@horde.org
+    active: true
+    role: lead
   -
     name: Michael Slusarz
     user: slusarz
@@ -39,3 +45,7 @@ dependencies:
   optional:
     pear:
       pear.php.net/Net_DNS2: '*'
+    ext:
+      dom: '*'
+      libxml: '*'
+      xsl: '*'
diff --git a/composer.json b/composer.json
@@ -5,14 +5,19 @@
     "homepage": "https://www.horde.org/libraries/Horde_Mime_Viewer",
     "license": "LGPL-2.1",
     "authors": [
+        {
+            "name": "Jan Schneider",
+            "email": "jan@horde.org",
+            "role": "lead"
+        },
         {
             "name": "Michael Slusarz",
             "email": "slusarz@horde.org",
             "role": "lead"
         }
     ],
     "version": "2.2.3",
-    "time": "2017-11-14",
+    "time": "2022-03-01",
     "repositories": [
         {
             "type": "pear",
@@ -32,7 +37,10 @@
         "ext-xml": "*"
     },
     "suggest": {
-        "pear-pear.php.net/Net_DNS2": "*"
+        "pear-pear.php.net/Net_DNS2": "*",
+        "ext-dom": "*",
+        "ext-libxml": "*",
+        "ext-xsl": "*"
     },
     "replace": {
         "pear-pear.horde.org/Horde_Mime_Viewer": "2.*",
@@ -43,4 +51,4 @@
             "Horde_Mime_Viewer": "lib/"
         }
     }
-}
+}
diff --git a/doc/Horde/Mime/Viewer/changelog.yml b/doc/Horde/Mime/Viewer/changelog.yml
@@ -8,7 +8,8 @@
   license:
     identifier: LGPL-2.1
     uri: http://www.horde.org/licenses/lgpl21
-  notes:
+  notes: |
+    [jan] Fix XSS vulnerability in Open Document mime viewer (Reported by: Simon Scannell, SonarSource <simon.scannell@sonarsource.com>).
 2.2.2:
   api: 2.1.0
   state:

diff --git a/lib/Horde/Mime/Viewer/Ooo.php b/lib/Horde/Mime/Viewer/Ooo.php
@@ -123,7 +123,9 @@ protected function _render()
         $xml = new DOMDocument();
         $xml->load(realpath($tmpdir . 'content.xml'));
         $result = $xslt->transformToXml($xml);
-        if (!$result) {
+        if ($result) {
+            $result = Horde_Text_Filter::filter($result, 'xss');
+        } else {
             $result = libxml_get_last_error()->message;
         }
 

diff --git a/package.xml b/package.xml
@@ -3,14 +3,20 @@
  <name>Horde_Mime_Viewer</name>
  <channel>pear.horde.org</channel>
  <summary>MIME viewer library</summary>
- <description>Provides rendering drivers for MIME data.</description>
+ <description>A library that provides rendering drivers for MIME data.</description>
+ <lead>
+  <name>Jan Schneider</name>
+  <user>yunosh</user>
+  <email>jan@horde.org</email>
+  <active>yes</active>
+ </lead>
  <lead>
   <name>Michael Slusarz</name>
   <user>slusarz</user>
   <email>slusarz@horde.org</email>
   <active>no</active>
  </lead>
- <date>2017-11-14</date>
+ <date>2022-03-01</date>
  <version>
   <release>2.2.3</release>
   <api>2.1.0</api>
@@ -410,7 +416,10 @@
     <dir name="Horde">
      <dir name="Mime">
       <dir name="Viewer">
-       <file name="url.phpt" role="test" />
+       <file name="AllTests.php" role="test" />
+       <file name="bootstrap.php" role="test" />
+       <file name="OooTest.php" role="test" />
+       <file name="xss.odt" role="test" />
       </dir> <!-- /test/Horde/Mime/Viewer -->
      </dir> <!-- /test/Horde/Mime -->
     </dir> <!-- /test/Horde -->
@@ -492,6 +501,15 @@
     <name>Net_DNS2</name>
     <channel>pear.php.net</channel>
    </package>
+   <extension>
+    <name>dom</name>
+   </extension>
+   <extension>
+    <name>libxml</name>
+   </extension>
+   <extension>
+    <name>xsl</name>
+   </extension>
   </optional>
  </dependencies>
  <usesrole>
@@ -674,7 +692,10 @@
    <install as="locale/uk/LC_MESSAGES/Horde_Mime_Viewer.po" name="locale/uk/LC_MESSAGES/Horde_Mime_Viewer.po" />
    <install as="locale/zh_CN/LC_MESSAGES/Horde_Mime_Viewer.po" name="locale/zh_CN/LC_MESSAGES/Horde_Mime_Viewer.po" />
    <install as="locale/zh_TW/LC_MESSAGES/Horde_Mime_Viewer.po" name="locale/zh_TW/LC_MESSAGES/Horde_Mime_Viewer.po" />
-   <install as="Horde/Mime/Viewer/url.phpt" name="test/Horde/Mime/Viewer/url.phpt" />
+   <install as="Horde/Mime/Viewer/AllTests.php" name="test/Horde/Mime/Viewer/AllTests.php" />
+   <install as="Horde/Mime/Viewer/bootstrap.php" name="test/Horde/Mime/Viewer/bootstrap.php" />
+   <install as="Horde/Mime/Viewer/OooTest.php" name="test/Horde/Mime/Viewer/OooTest.php" />
+   <install as="Horde/Mime/Viewer/xss.odt" name="test/Horde/Mime/Viewer/xss.odt" />
   </filelist>
  </phprelease>
  <changelog>
@@ -1130,7 +1151,7 @@
    <stability>
     <release>stable</release>
     <api>stable</api></stability>
-   <date>2017-11-14</date>
+   <date>2022-03-01</date>
    <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
    <notes>
 * 

diff --git a/test/Horde/Mime/Viewer/AllTests.php b/test/Horde/Mime/Viewer/AllTests.php
@@ -0,0 +1,3 @@
+<?php
+require_once 'Horde/Test/AllTests.php';
+Horde_Test_AllTests::init(__FILE__)->run();
diff --git a/test/Horde/Mime/Viewer/OooTest.php b/test/Horde/Mime/Viewer/OooTest.php
@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright 2022 Horde LLC (http://www.horde.org/)
+ *
+ * @category   Horde
+ * @copyright  2022 Horde LLC
+ * @license    http://www.horde.org/licenses/lgpl21 LGPL 2.1
+ * @package    Mime
+ * @subpackage UnitTests
+ */
+
+/**
+ * Tests for the Horde_Mime_Viewer_Ooo class.
+ *
+ * @author     Jan Schneider <jan@horde.org>
+ * @category   Horde
+ * @copyright  2022 Horde LLC
+ * @internal
+ * @license    http://www.horde.org/licenses/lgpl21 LGPL 2.1
+ * @package    Mime
+ * @subpackage UnitTests
+ */
+class Horde_Mime_MimeTest extends \PHPUnit\Framework\TestCase
+{
+
+    public function testXssVulnerability()
+    {
+        $mimePart = new Horde_Mime_Part();
+        $mimePart->setContents(file_get_contents(__DIR__ . '/xss.odt'));
+        $viewer = new Horde_Mime_Viewer_Ooo(
+            $mimePart,
+            array('zip' => new Horde_Compress_Zip())
+        );
+        $html = current(@$viewer->render('full'));
+
+        $this->assertNotContains("<script>alert('xss demonstration');</script>", $html['data']);
+        $this->assertNotContains("javascript:alert('xss')", $html['data']);
+    }
+
+}
diff --git a/test/Horde/Mime/Viewer/bootstrap.php b/test/Horde/Mime/Viewer/bootstrap.php
@@ -0,0 +1,3 @@
+<?php
+require_once 'Horde/Test/Bootstrap.php';
+Horde_Test_Bootstrap::bootstrap(dirname(__FILE__));
diff --git a/test/Horde/Mime/Viewer/url.phpt b/test/Horde/Mime/Viewer/url.phpt
diff --git a/test/Horde/Mime/Viewer/xss.odt b/test/Horde/Mime/Viewer/xss.odt