
Commit 884eb61

committed
Security: Fix cross-site scripting (XSS) via malicious XML attachment
1 parent fc97dc2 commit 884eb61


5 files changed

+19
-7
lines changed


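--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,11 +1,13 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
+
 RELEASE 1.3.12
 --------------
-- Security: Better fix for CVE-2020-12641
-- Security: Fix XSS issue in template object 'username' (#7406)
-- Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Better fix for CVE-2020-12641
+- Security: Fix XSS issue in template object 'username' (#7406)
+- Security: Fix couple of XSS issues in Installer (#7406)
 
 RELEASE 1.3.11
 --------------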

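--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@@ -589,9 +589,12 @@
 $config['identity_image_size'] = 64;
 
 // Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null; # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+// text/plain,text/html,
+// image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+// application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
 
 // Path to a local mime magic database file for PHPs finfo extension.
 // Set to null if the default path should be used.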
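Review bot: The rewritten comment no longer says what `null` means for this option; the old trailing `# null == default` was dropped and the new text only lists the defaults. The list itself is a copy of the string built in the get() method in program/lib/Roundcube/rcube_config.php, so the two can drift the next time one of them changes. I would add one line before the assignment, `// Set to null to use the built-in default list (kept in rcube_config.php, get()).`, and consider trimming the enumerated types here to a pointer rather than a second copy.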

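--- a/program/lib/Roundcube/rcube_config.php
+++ b/program/lib/Roundcube/rcube_config.php
@@ -397,7 +397,7 @@ public function get($name, $def = null)
 }
 else if ($name == 'client_mimetypes') {
 if (!$result && !$def) {
-$result = 'text/plain,text/html,text/xml'
+$result = 'text/plain,text/html'
 . ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
 . ',application/x-javascript,application/pdf,application/x-shockwave-flash';
 }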
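Review bot: Dropping `text/xml` from this string only affects installations that rely on the built-in default, because the branch runs solely when `!$result && !$def`; a deployment whose `client_mimetypes` names `text/xml` explicitly still gets it from config, and the real enforcement in this commit is the unconditional filter added to rcmail_supported_mimetypes() in program/steps/mail/func.inc. Nothing here records that, so a future maintainer could add the type back to the default list without noticing the second site. I would put a short why-comment above the literal, `// text/xml intentionally omitted: XML preview is not safe, see rcmail_supported_mimetypes()`. The get() method begins before this hunk.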

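--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -2359,6 +2359,11 @@ function rcmail_supported_mimetypes()
 unset($mimetypes[$key]);
 }
 
+// We cannot securely preview XML files as we do not have a proper parser
+if (($key = array_search('text/xml', $mimetypes)) !== false) {
+unset($mimetypes[$key]);
+}
+
 foreach (array('tiff', 'webp') as $type) {
 if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
 // can we convert it to jpeg?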
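Review bot: The new filter removes only the exact string `'text/xml'`, while the comment above it gives a rationale ("we cannot securely preview XML files") that applies just as much to an `application/xml` entry, and to a differently-cased `text/xml` if an administrator spelled it that way in `client_mimetypes`; whether entries are lower-cased before this point is not visible in the hunk. Unless normalization happens upstream, the check should cover both spellings, which also reads more simply than the search-and-unset pair: `$mimetypes = array_diff($mimetypes, array('text/xml', 'application/xml'));` (array_diff keeps the remaining keys, as the unset does). If case-insensitive matching is wanted, compare against `strtolower($m)` inside an array_filter instead. rcmail_supported_mimetypes() starts before and ends after this hunk.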

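--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -72,6 +72,8 @@ if ($uid) {
 $OUTPUT->set_env('mailbox', $mbox_name);
 $OUTPUT->set_env('username', $RCMAIL->get_user_name());
 $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
+$OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
+$OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
 
 if ($MESSAGE->headers->get('list-post', false)) {
 $OUTPUT->set_env('list_post', true);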
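Review bot: The added `delimiter` env entry is not explained anywhere in the commit, whose title and changelog line only describe the XML attachment preview fix; exporting `mimetypes` is clearly the part that lets the client honour the filtered list, but the hierarchy delimiter looks unrelated. If the client-side preview code needs it for the same fix, a one-line comment above the two calls would save the next reader a search, e.g. `// client needs the filtered preview list (and delimiter) to decide what to open inline`; if it does not, it belongs in its own commit. The enclosing `if ($uid)` block starts before this hunk and continues after it.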
