Security: Fix cross-site scripting (XSS) via malicious XML attachment

5 years ago · 884eb61162
5 changed files with 19 additions and 7 deletions
--- a/8
+++ b/8
@ -1,11 +1,13 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Security: Fix cross-site scripting (XSS) via malicious XML attachment
+
 RELEASE 1.3.12
 --------------
- - Security: Better fix for CVE-2020-12641
- - Security: Fix XSS issue in template object 'username' (#7406) 
- - Security: Fix couple of XSS issues in Installer (#7406)
+- Security: Better fix for CVE-2020-12641
+- Security: Fix XSS issue in template object 'username' (#7406)
+- Security: Fix couple of XSS issues in Installer (#7406)

 RELEASE 1.3.11
 --------------
--- a/config/defaults.inc.php
+++ b/config/defaults.inc.php
@ -589,9 +589,12 @@ $config['identities_level'] = 0;
 $config['identity_image_size'] = 64;

 // Mimetypes supported by the browser.
-// attachments of these types will open in a preview window
-// either a comma-separated list or an array: 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/pdf'
-$config['client_mimetypes'] = null;  # null == default
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+//     text/plain,text/html,
+//     image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+//     application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;

 // Path to a local mime magic database file for PHPs finfo extension.
 // Set to null if the default path should be used.
--- a/program/lib/Roundcube/rcube_config.php
+++ b/program/lib/Roundcube/rcube_config.php
@ -397,7 +397,7 @@ class rcube_config
        }
        else if ($name == 'client_mimetypes') {
            if (!$result && !$def) {
-                $result = 'text/plain,text/html,text/xml'
+                $result = 'text/plain,text/html'
                    . ',image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp'
                    . ',application/x-javascript,application/pdf,application/x-shockwave-flash';
            }
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@ -2359,6 +2359,11 @@ function rcmail_supported_mimetypes()
        unset($mimetypes[$key]);
    }

+    // We cannot securely preview XML files as we do not have a proper parser
+    if (($key = array_search('text/xml', $mimetypes)) !== false) {
+        unset($mimetypes[$key]);
+    }
+
    foreach (array('tiff', 'webp') as $type) {
        if (empty($_SESSION['browser_caps'][$type]) && ($key = array_search('image/' . $type, $mimetypes)) !== false) {
            // can we convert it to jpeg?
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@ -72,6 +72,8 @@ if ($uid) {
    $OUTPUT->set_env('mailbox', $mbox_name);
    $OUTPUT->set_env('username', $RCMAIL->get_user_name());
    $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $msg_id, '_mbox' => $mbox_name)));
+    $OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
+    $OUTPUT->set_env('mimetypes', rcmail_supported_mimetypes());

    if ($MESSAGE->headers->get('list-post', false)) {
        $OUTPUT->set_env('list_post', true);