Security: Fix cross-site scripting (XSS) via malicious XML attachment

roundcube · Jun 2, 2020 · 884eb61 · 884eb61
1 parent fc97dc2
commit 884eb61
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 7 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,11 +1,13 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
+
 RELEASE 1.3.12
 --------------
- - Security: Better fix for CVE-2020-12641
- - Security: Fix XSS issue in template object 'username' (#7406) 
- - Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Better fix for CVE-2020-12641
+- Security: Fix XSS issue in template object 'username' (#7406)
+- Security: Fix couple of XSS issues in Installer (#7406)
 
 RELEASE 1.3.11
 --------------

diff --git a/config/defaults.inc.php b/config/defaults.inc.php
@@ -589,9 +589,12 @@
 $config['identity_image_size'] = 64;
 
 // Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null;  # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+//     text/plain,text/html,
+//     image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+//     application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
 
 // Path to a local mime magic database file for PHPs finfo extension.
 // Set to null if the default path should be used.

diff --git a/program/lib/Roundcube/rcube_config.php b/program/lib/Roundcube/rcube_config.php
@@ -397,7 +397,7 @@ public function get($name, $def = null)
         }
         else if ($name == 'client_mimetypes') {
             if (!$result && !$def) {
-                $result = 'text/plain,text/html,text/xml'
+                $result = 'text/plain,text/html'
                     . ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
                     . ',application/x-javascript,application/pdf,application/x-shockwave-flash';
             }

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
@@ -2359,6 +2359,11 @@ function rcmail_supported_mimetypes()
         unset($mimetypes[$key]);
     }
 
+    // We cannot securely preview XML files as we do not have a proper parser
+    if (($key = array_search('text/xml', $mimetypes)) !== false) {
+        unset($mimetypes[$key]);
+    }
+
     foreach (array('tiff', 'webp') as $type) {
         if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
             // can we convert it to jpeg?

diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
@@ -72,6 +72,8 @@ if ($uid) {
     $OUTPUT->set_env('mailbox', $mbox_name);
     $OUTPUT->set_env('username', $RCMAIL->get_user_name());
     $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
+    $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
+    $OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());
 
     if ($MESSAGE->headers->get('list-post', false)) {
         $OUTPUT->set_env('list_post', true);