Fix bug in remote content blocking on HTML image and style tags (#6178)

roundcube · Feb 14, 2018 · 9d2b303 · 9d2b303
1 parent f211fcf
commit 9d2b303
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 3 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -73,6 +73,7 @@ CHANGELOG Roundcube Webmail
 - Fix duplicated labels in Test SMTP Config section (#6166)
 - Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
 - Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
+- Fix bug in remote content blocking on HTML image and style tags (#6178)
 
 RELEASE 1.3.4
 -------------

diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
@@ -514,11 +514,11 @@ public static function file2class($mimetype, $filename)
      */
     public static function xss_entity_decode($content)
     {
-        $callback = function($matches) { return chr(hexdec($matches[1])); };
+        $callback = function($matches) { return chr(hexdec(trim($matches[1]))); };
 
         $out = html_entity_decode(html_entity_decode($content));
         $out = trim(preg_replace('/(^<!--|-->$)/', '', trim($out)));
-        $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', $callback, $out);
+        $out = preg_replace_callback('/\\\([0-9a-f]{2,4})\s*/i', $callback, $out);
         $out = preg_replace('#/\*.*\*/#Ums', '', $out);
         $out = strip_tags($out);
 

diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
@@ -415,7 +415,7 @@ private function is_image_attribute($tag, $attr)
         return $attr == 'background'
             || $attr == 'color-profile' // SVG
             || ($attr == 'poster' && $tag == 'video')
-            || ($attr == 'src' && preg_match('/^(img|source|input|video|audio)$/i', $tag))
+            || ($attr == 'src' && preg_match('/^(img|image|source|input|video|audio)$/i', $tag))
             || ($tag == 'image' && $attr == 'href'); // SVG
     }
 

diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
@@ -206,6 +206,9 @@ function test_mod_css_styles_xss()
         $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
         $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
 
+        $mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
+        $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
+
         // position: fixed (#5264)
         $mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
         $this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");