Fix local file inclusion (and code execution) via crafted 'plugins' option
alecpl committed Apr 26, 2020
1 parent fcfb099 commit 814eadb
Showing 2 changed files with 17 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
Expand Up @@ -27,6 +27,7 @@ CHANGELOG Roundcube Webmail
- Fix so Print button for PDF attachments works on Firefox >= 75 (#5125)
- Security: Fix XSS issue in handling of CDATA in HTML messages
- Security: Fix remote code execution via crafted 'im_convert_path' or 'im_identify_path' settings
- Security: Fix local file inclusion (and code execution) via crafted 'plugins' option

RELEASE 1.4.3
-------------
16 changes: 16 additions & 0 deletions program/lib/Roundcube/rcube_plugin_api.php
Expand Up @@ -164,6 +164,14 @@ public function load_plugin($plugin_name, $force = false, $require = true)
$plugins_dir = unslashify($dir->path);
}

// Validate the plugin name to prevent from path traversal
if (preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {
rcube::raise_error(array('code' => 520,
'file' => __FILE__, 'line' => __LINE__,
'message' => "Invalid plugin name: $plugin_name"), true, false);
return false;
}

// plugin already loaded?
if (!$this->plugins[$plugin_name]) {
$fn = "$plugins_dir/$plugin_name/$plugin_name.php";
Expand Down Expand Up @@ -283,6 +291,14 @@ public function get_info($plugin_name)
$fn = unslashify($dir->path) . "/$plugin_name/$plugin_name.php";
$info = false;

// Validate the plugin name to prevent from path traversal
if (preg_match('/[^a-zA-Z0-9_-]/', $plugin_name)) {
rcube::raise_error(array('code' => 520,
'file' => __FILE__, 'line' => __LINE__,
'message' => "Invalid plugin name: $plugin_name"), true, false);
return false;
}

if (!class_exists($plugin_name, false)) {
if (is_readable($fn)) {
include($fn);
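Review bot: The allowlist check added in both load_plugin() and get_info() fails open in two ways: an empty `$plugin_name` contains no disallowed character and so passes, and `preg_match()` returning `false` on a PCRE error also skips the early return. A positive pattern that requires at least one character and fails closed covers both: `if (!preg_match('/^[a-zA-Z0-9_-]+$/D', $plugin_name))` — the `D` modifier matters because without it `$` still matches before a trailing newline, so `"name\n"` would slip through. Since the same seven lines are now duplicated verbatim in the two methods, a small private helper such as `is_valid_plugin_name($name)` would keep the two copies from drifting, and in get_info() the check belongs above the `$fn = unslashify($dir->path) . "/$plugin_name/$plugin_name.php";` line that already embeds the unvalidated name. Both load_plugin() and get_info() begin and end outside these hunks.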
