Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

Thanks to Mateusz Szymaniec (CERT Polska) for reporting the issue.
alecpl committed Feb 8, 2021
1 parent 1657ff4 commit 9dc276d
Showing 3 changed files with 20 additions and 2 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG
Expand Up @@ -4,7 +4,8 @@ CHANGELOG Roundcube Webmail
- Display a nice error informing about no PHP8 support
- Elastic: Fix compatibility with Less v3 and v4 (#7813)
- Fix bug with managesieve_domains in Settings > Forwarding form (#7849)
- Fixed errors in MSSQL database update scripts (#7853)
- Fix errors in MSSQL database update scripts (#7853)
- Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

RELEASE 1.4.10
--------------
2 changes: 1 addition & 1 deletion program/lib/Roundcube/rcube_utils.php
Expand Up @@ -399,7 +399,7 @@ public static function mod_css_styles($source, $container_id, $allow_remote = fa
$styles = preg_replace('/position[^a-z]*:[\s\r\n]*fixed/i', 'position: absolute', $styles);

// Remove 'page' attributes (#7604)
$styles = preg_replace('/(^|[\n\s;])page:[^;]+;*/im', '', $styles);
$styles = preg_replace('/((^|[\n\s;])page:)[^;]+;*/im', '\\1 unset;', $styles);

// check every line of a style block...
if ($allow_remote) {
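Review bot: The comment on the line above the rewritten preg_replace still says the `page` property is removed, but the new replacement deliberately keeps `page:` and substitutes `unset;` for the value so that the stripped span can no longer be used to join text on either side into a new tag (the `< page: ;/style>` case the test exercises); that rationale is the security-relevant part and belongs in the comment, e.g. `// Neutralize 'page' properties (#7604). Replace the value rather than delete the declaration: deleting let the text on both sides of it be spliced into a tag.`. Note also that `[^;]+` still runs across `}` and newlines, so a `page` declaration without a trailing `;` swallows the rest of its rule and whatever follows up to the next `;`; `[^;}]+` would bound it, though that behaviour predates this commit. Any other preg_replace in mod_css_styles that deletes a span outright (empty replacement) has the same splicing property and is worth auditing with this pattern in mind; the rest of the function lies outside this hunk.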
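--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -237,6 +237,23 @@ function test_mod_css_styles_xss()
 // Allow strict url()
 $mod = rcube_utils::mod_css_styles("body { background-image: url(http://example.com); }", 'rcmbody', true);
 $this->assertContains("#rcmbody { background-image: url(http://example.com);", $mod, "Strict URIs in url() allowed with \$allow_remote=true");
+
+// XSS issue, HTML in 'content' property
+$style = "body { content: '</style><img src onerror=\"alert(\'hello\');\">'; color: red; }";
+$mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
+$this->assertSame("#rcmbody { content: '';\n color: red;\n }", $mod);
+
+$style = "body { content: '< page: ;/style>< page: ;img src onerror=\"alert(\'hello\');\">'; color: red; }";
+$mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
+$this->assertSame(
+"#rcmbody { content: '< page: unset;/style>< page: unset;img src onerror=\"alert('hello');\">'; color: red; }",
+str_replace("\n", '', $mod)
+);
+
+// Removing page: property
+$style = "body { page: test; color: red; }";
+$mod = rcube_utils::mod_css_styles($style, 'rcmbody', true);
+$this->assertSame("#rcmbody { page: unset;\n color: red;\n }", $mod);
 }
 
 /**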
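Review bot: The new cases pin the exact output for the `page:` splice and for a well-formed `page: test;` declaration, but none covers a `page` value that ends at the closing brace instead of at `;`, e.g. `body { page: test } p { color: red }`, where the pattern's `[^;]+` runs past `}`; a case there would record whatever the intended result is and catch a later regression. An assertion on the security property itself, independent of exact whitespace, would also make the regression test sturdier than the byte-exact comparison: `$this->assertNotContains('</style>', $mod);` after the splice case (this file already uses the pre-PHPUnit-9 string form of `assertContains`, so the negative form should be available). Minor style point: the splice case normalizes newlines with `str_replace` while the neighbouring assertions embed `\n` in the expected string; one convention would read more easily.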
