[mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic …

…view from the browser's local filesystem that has a filename that contains HTML. This attack requires a filesystem that supports angled brackets in filenames (Windows does NOT; Linux does). Essentially, a user has to upload a malicious filename that they created on their own filesystem. Conflicts: imp/docs/CHANGES imp/js/compose-dimp.js imp/package.xml
horde · Oct 29, 2012 · 1550c6e · 1550c6e
1 parent 9037dfa
commit 1550c6e
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 4 deletions.
diff --git a/imp/docs/CHANGES b/imp/docs/CHANGES
@@ -207,8 +207,10 @@ v6.0.0alpha1
 v5.0.24-git
 -----------
 
-[mms] Catch failure to add attachments because PHP's maximum allowed POST size
-      was exceeded.
+[mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic view from
+      the browser's local filesystem that has a filename that contains HTML.
+[mms] Catch failure to add attachments in dynamic view because PHP's maximum
+      allowed POST size was exceeded.
 [jan] Fix search link from portal if using dynamic view (Bug #11314).
 [mms] Fix regression in using Virtual Trash (Bug #11478;
       tonyb@go-concepts.com).

diff --git a/imp/js/compose-dimp.js b/imp/js/compose-dimp.js
@@ -800,7 +800,7 @@ var DimpCompose = {
         var u = $('upload');
         this.uniqueSubmit('addAttachment');
         u.up().hide();
-        $('upload_wait').update(DimpCore.text.uploading + ' (' + $F(u) + ')').show();
+        $('upload_wait').update(DimpCore.text.uploading + ' (' + $F(u).escapeHTML() + ')').show();
     },
 
     toggleCC: function(type)

diff --git a/imp/package.xml b/imp/package.xml
@@ -2574,7 +2574,8 @@
    <date>2012-07-20</date>
    <license uri="http://www.horde.org/licenses/gpl">GPL-2.0</license>
    <notes>
-* [mms] Catch failure to add attachments because PHP&apos;s maximum allowed POST size was exceeded.
+* [mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic view from the browser&apos;s local filesystem that has a filename that contains HTML.
+* [mms] Catch failure to add attachments in dynamic view because PHP&apos;s maximum allowed POST size was exceeded.
 * [jan] Fix search link from portal if using dynamic view (Bug #11314).
 * [mms] Fix regression in using Virtual Trash (Bug #11478; tonyb@go-concepts.com).
 * [mms] Fix sending MDN notifications in traditional view (Bug #11311).