Fix XSS issue in handling attachment filename extension in mimetype m…

…ismatch warning (#8193)
roundcube · Aug 31, 2021 · bdb3165 · bdb3165
1 parent 16c2a76
commit bdb3165
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,7 @@
 - Fix a couple of PHP8 warnings (#8175, #8176)
 - Fix bug where "from my contacts" and "from trusted senders" values were mixed up (#8177)
 - Fix password/token length check on OAuth login (#8178)
+- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
 
 ## Release 1.5-rc
 

diff --git a/program/actions/mail/get.php b/program/actions/mail/get.php
@@ -204,8 +204,8 @@ public function run($args = [])
                             $rcmail->gettext([
                                     'name' => 'attachmentvalidationerror',
                                     'vars' => [
-                                        'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''),
-                                        'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''),
+                                        'expected' => $mimetype . (!empty($file_extension) ? rcube::Q(" (.{$file_extension})") : ''),
+                                        'detected' => $real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : ''),
                                     ]
                             ]),
                             $rcmail->gettext('showanyway'),