Commit faf99bf

Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
1 parent c59a5ca commit faf99bf

2 files changed

+3
-2
lines changed

Diff for: CHANGELOG

+1
@@ -11,6 +11,7 @@ CHANGELOG Roundcube Webmail
1111
- Fix handling of custom sender addresses with names (#8106)
1212
- Fix shift + drag'n'drop menu not working in Elastic skin with Chrome browser (#8107)
1313
- Fix Firefox infinate loading display on mail screen (#8128)
14+
- Fix XSS issue in handling attachment filename extension in mimetype mismatch warning (#8193)
1415

1516
RELEASE 1.4.11
1617
--------------
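
Review bot: The added CHANGELOG entry at new line 14 is worded like the ordinary bug fixes around it, so a reader scanning the list for security-relevant changes has only the word "XSS" to go on. Consider marking it explicitly as a security fix and stating that the affected input is the attachment filename extension shown in the mimetype mismatch warning, so administrators can judge upgrade urgency from the changelog alone.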

Diff for: program/steps/mail/get.inc

+2-2
@@ -187,8 +187,8 @@ if (empty($_GET['_thumb']) && $attachment->is_valid()) {
187187
$RCMAIL->gettext(array(
188188
'name' => 'attachmentvalidationerror',
189189
'vars' => array(
190-
'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''),
191-
'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''),
190+
'expected' => $mimetype . (!empty($file_extension) ? rcube::Q(" (.{$file_extension})") : ''),
191+
'detected' => $real_mimetype . (!empty($extensions[0]) ? " (.{$extensions[0]})" : ''),
192192
)
193193
)
194194
),
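
Review bot: Escaping is applied unevenly across the two changed lines: 'expected' now passes the extension through rcube::Q(), but 'detected' still interpolates `$extensions[0]` raw, and `$mimetype` and `$real_mimetype` are concatenated outside Q() on both lines. The hunk does not show where those three values come from; if any of them can be derived from message content they need the same treatment, and the simplest form is to wrap the whole concatenated string for each key in rcube::Q(). If they are guaranteed to come from a server-side source, a short comment above the 'vars' array saying so would keep the asymmetry from reading as an oversight. The move from a plain truthiness test to !empty() is a sound side change, since it also covers the case where `$extensions[0]` is not set.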
