
Commit 6ee6e7a

Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
1 parent d08d167 commit 6ee6e7a


3 files changed

+25
-5
lines changed


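--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,7 @@
 - Fix PHP8 warnings (#9142, #9160)
 - Fix default 'mime.types' path on Windows (#9113)
 - Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139)
+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
 
 ## Release 1.6.3
 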
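--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -428,16 +428,17 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
 }
 }
 else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
+$type = preg_replace('/\s/', '', $matches[1]);
+
 // svg images can be insecure, we'll sanitize them
-if (stripos($matches[1], 'svg') !== false) {
+if (stripos($type, 'svg') !== false) {
 $svg = $matches[2];
 
-if (stripos($matches[1], ';base64') !== false) {
-$svg = base64_decode($svg);
-$type = $matches[1];
+if (stripos($type, ';base64') !== false) {
+$svg = base64_decode($svg);
 }
 else {
-$type = $matches[1] . ';base64';
+$type .= ';base64';
 }
 
 $washer = new self($this->config);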
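Review bot: The new `$type = preg_replace('/\s/', '', $matches[1]);` line carries no comment saying why whitespace is stripped, and that normalization is the entire fix; a later cleanup could fold the check back onto `$matches[1]` without anyone noticing the regression. I would put `// browsers tolerate whitespace inside the media type ("image/s vg+xml"), so normalize it before the svg check (#9168)` directly above it. Note that the normalized `$type`, not the original parameter string, is also what `;base64` is appended to, so the washed URI is emitted with the whitespace removed; that looks intentional but deserves a word in the same comment. `\s` without the `u` modifier matches ASCII whitespace only, which presumably mirrors what browsers strip, but it is worth confirming there is no other separator the browser ignores that this pattern keeps. wash_uri begins and ends outside this hunk.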
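--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -455,6 +455,24 @@ function data_wash_svg_tests()
 '<svg><script href="data:text/javascript,alert(1)" /><text x="20" y="20">XSS</text></svg>',
 '<svg><text x="20" y="20">XSS</text></svg>'
 ],
+[
+'<html><svg><use href="data:image/s vg+xml;base64,' // space
+. 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+. 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+'<svg><use x-washed="href"></use></svg>'
+],
+[
+'<html><svg><use href="data:image/s' . "\n" . 'vg+xml;base64,' // new-line
+. 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+. 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+'<svg><use x-washed="href"></use></svg>'
+],
+[
+'<html><svg><use href="data:image/s vg+xml;base64,' // tab
+. 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+. 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+'<svg><use x-washed="href"></use></svg>'
+],
 ];
 }
 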
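Review bot: The third data set is labelled `// tab`, but its whitespace in `data:image/s vg+xml` is embedded as a raw character in the string literal and is indistinguishable from the `// space` case on the page; an editor that expands tabs would silently turn it into a duplicate of the first case without any test failing. Spell it out the way the new-line case already does, `'<html><svg><use href="data:image/s' . "\t" . 'vg+xml;base64,' // tab`, so the intent survives reformatting. A fourth data set with whitespace in the parameter part, for example `image/svg+xml; base64`, would also cover the other place the normalized `$type` is consulted. data_wash_svg_tests starts outside this hunk.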