Fix XSS issue in handling attachment filename extension in mimetype m…

…ismatch warning (#8193)
roundcube · Oct 5, 2021 · 7d7b1df · 7d7b1df
1 parent 54bf3d0
commit 7d7b1df
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 11 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,8 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
+
 RELEASE 1.3.16
 --------------
 - Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]

diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
@@ -184,21 +184,26 @@ if (empty($_GET['_thumb']) && $attachment->is_valid()) {
             else {  // html warning with a button to load the file anyway
                 $OUTPUT = new rcmail_html_page();
                 $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed',
-                    html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'),
-                        $RCMAIL->gettext(array(
-                            'name' => 'attachmentvalidationerror',
-                            'vars' => array(
-                                'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''),
-                                'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''),
+                    html::div(
+                        array('class' => 'rcmail-inline-message rcmail-inline-warning'),
+                        $RCMAIL->gettext(
+                            array(
+                                'name' => 'attachmentvalidationerror',
+                                'vars' => array(
+                                    'expected' => $mimetype . (!empty($file_extension) ? rcube::Q(" (.{$file_extension})") : ''),
+                                    'detected' => $real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : ''),
+                                )
                             )
-                        ))
-                        . html::p(array('class' => 'rcmail-inline-buttons'),
-                            html::tag('button', array(
+                        )
+                    )
+                    . html::p(array('class' => 'rcmail-inline-buttons'),
+                        html::tag('button', array(
                                 'onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"
                             ),
-                            $RCMAIL->gettext('showanyway'))
+                            $RCMAIL->gettext('showanyway')
                         )
-                    ))));
+                    )
+                )));
             }
 
             exit;