
Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
alecpl committed Oct 14, 2023
1 parent ca41c16 commit 41756cc
Showing 3 changed files with 25 additions and 5 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@
- Fix PHP8 warnings (#9142, #9160)
- Fix default 'mime.types' path on Windows (#9113)
- Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139)
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)

## Release 1.6.3

11 changes: 6 additions & 5 deletions program/lib/Roundcube/rcube_washtml.php
Expand Up @@ -428,16 +428,17 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
}
}
else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
$type = preg_replace('/\s/', '', $matches[1]);

// svg images can be insecure, we'll sanitize them
if (stripos($matches[1], 'svg') !== false) {
if (stripos($type, 'svg') !== false) {
$svg = $matches[2];

if (stripos($matches[1], ';base64') !== false) {
$svg = base64_decode($svg);
$type = $matches[1];
if (stripos($type, ';base64') !== false) {
$svg = base64_decode($svg);
}
else {
$type = $matches[1] . ';base64';
$type .= ';base64';
}

$washer = new self($this->config);
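Review bot: The added `$type = preg_replace('/\s/', '', $matches[1]);` has no comment explaining why whitespace is stripped, although that is the whole fix: the `stripos($type, 'svg')` check a few lines below previously ran on the raw media type, so a type written as `image/s vg+xml` (the new cases in tests/Framework/Washtml.php) was not recognised as SVG and skipped the sanitising step. I would put `// strip whitespace so a type like "image/s vg+xml" is still recognised as SVG below` above that line. Note also that `preg_replace()` returns null on a PCRE error, and that null would reach `stripos()` unchecked, so a null result should be handled explicitly; and since `\s` without the `u` modifier only covers ASCII whitespace, the comment should state that this is the intended scope. The enclosing `else if` branch and `wash_uri()` continue outside the hunk.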
18 changes: 18 additions & 0 deletions tests/Framework/Washtml.php
Expand Up @@ -455,6 +455,24 @@ function data_wash_svg_tests()
'<svg><script href="data:text/javascript,alert(1)" /><text x="20" y="20">XSS</text></svg>',
'<svg><text x="20" y="20">XSS</text></svg>'
],
[
'<html><svg><use href="data:image/s vg+xml;base64,' // space
. 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
. 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
'<svg><use x-washed="href"></use></svg>'
],
[
'<html><svg><use href="data:image/s' . "\n" . 'vg+xml;base64,' // new-line
. 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
. 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
'<svg><use x-washed="href"></use></svg>'
],
[
'<html><svg><use href="data:image/s vg+xml;base64,' // tab
. 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
. 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
'<svg><use x-washed="href"></use></svg>'
],
];
}

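Review bot: The third new case is commented `// tab`, but on this page its href reads exactly like the `// space` case, `data:image/s vg+xml;base64,`, so the tab is presumably a literal tab character that the rendering collapsed. Writing it the way the newline case is written, `'<html><svg><use href="data:image/s' . "\t" . 'vg+xml;base64,' // tab`, keeps the intent visible and protects the fixture from editors that normalise whitespace. The three cases also repeat the same base64 payload verbatim; a local variable for it would make the one-character variation between cases stand out. The data provider `data_wash_svg_tests()` starts outside the hunk.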

