
Commit 7d7b1df

committed
Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
1 parent 54bf3d0 commit 7d7b1df


2 files changed

+18
-11
lines changed


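--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
+
 RELEASE 1.3.16
 --------------
 - Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730]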

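--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -184,21 +184,26 @@ if (empty($_GET['_thumb']) && $attachment->is_valid()) {
 else { // html warning with a button to load the file anyway
 $OUTPUT = new rcmail_html_page();
 $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed',
-html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'),
-$RCMAIL->gettext(array(
-'name' => 'attachmentvalidationerror',
-'vars' => array(
-'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''),
-'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''),
+html::div(
+array('class' => 'rcmail-inline-message rcmail-inline-warning'),
+$RCMAIL->gettext(
+array(
+'name' => 'attachmentvalidationerror',
+'vars' => array(
+'expected' => $mimetype . (!empty($file_extension) ? rcube::Q(" (.{$file_extension})") : ''),
+'detected' => $real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : ''),
+)
 )
-))
-. html::p(array('class' => 'rcmail-inline-buttons'),
-html::tag('button', array(
+)
+)
+. html::p(array('class' => 'rcmail-inline-buttons'),
+html::tag('button', array(
 'onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"
 ),
-$RCMAIL->gettext('showanyway'))
+$RCMAIL->gettext('showanyway')
 )
-))));
+)
+)));
 }
 
 exit;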
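Review bot: Escaping in the new `'vars'` array is applied to only one of the four interpolated operands: `$file_extension` is wrapped in `rcube::Q()` on the `'expected'` line, while `$extensions[0]` on the `'detected'` line and the `$mimetype`/`$real_mimetype` prefixes on both lines are concatenated raw into the text that `gettext()` substitutes and `html::div()` then writes, with no escaping visible anywhere in the hunk. Unless those values are already constrained upstream (outside this hunk — `$mimetype` presumably originates from the message's declared Content-Type, which the sender controls, and `$extensions` is probably a lookup table result), the same class of injection the commit fixes remains reachable through them, so this should be confirmed against the code that sets them. Escaping the whole value is simpler and removes the inconsistency: `'expected' => rcube::Q($mimetype . (!empty($file_extension) ? " (.{$file_extension})" : '')),` and `'detected' => rcube::Q($real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : '')),`. A comment on the `'vars' => array(` line, `// substituted into HTML without further escaping; escape every operand here`, would keep a later edit from reintroducing the gap. The enclosing `if (empty($_GET['_thumb']) && $attachment->is_valid())` block begins before the hunk.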
