| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2008-12-24 14:19:27 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2008-12-24 14:19:27 +0000 |
| commit | 3e3fafb16ed867f82123931de222286bd34a05c3 (patch) | |
| tree | 70bcd0c2623c2f05e86312b1366390434795b3cc /roundcubemail/program/include | |
| parent | ed39505e00f9db64f1f029f07a320bd2cd142ccd (diff) | |
Secure bin scripts by requiring a valid session and replace preg_replace(/../e) with preg_replace_callback
git-svn-id: https://svn.roundcube.net/trunk@2187 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/program/include')
| -rw-r--r-- | roundcubemail/program/include/main.inc | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/roundcubemail/program/include/main.inc b/roundcubemail/program/include/main.inc
index 7cf739282..114e48819 100644
--- a/roundcubemail/program/include/main.inc
+++ b/roundcubemail/program/include/main.inc
@@ -612,18 +612,26 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '')
 array(
 '/(^\s*<!--)|(-->\s*$)/',
 '/(^\s*|,\s*|\}\s*)([a-z0-9\._#][a-z0-9\.\-_]*)/im',
- '/@import\s+(url\()?[\'"]?([^\)\'"]+)[\'"]?(\))?/ime',
- '/<<str_replacement\[([0-9]+)\]>>/e',
- "/$container_id\s+body/i"
+ "/$container_id\s+body/i",
 ),
 array(
 '',
 "\\1#$container_id \\2",
- "sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url('\\2','$base_url')), urlencode($container_id))",
- "\$a_css_values[\\1]",
- "$container_id div.rcmBody"
+ "$container_id div.rcmBody",
 ),
 $source);
+
+ // replace all @import statements to modify the imported CSS sources too
+ $styles = preg_replace_callback(
+ '/@import\s+(url\()?[\'"]?([^\)\'"]+)[\'"]?(\))?/im',
+ create_function('$matches', "return sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url(\$matches[2],'$base_url')), urlencode('$container_id'));"),
+ $styles);
+
+ // put block contents back in
+ $styles = preg_replace_callback(
+ '/<<str_replacement\[([0-9]+)\]>>/',
+ create_function('$matches', "\$values = ".var_export($a_css_values, true)."; return \$values[\$matches[1]];"),
+ $styles);
 
 return $styles;
 }
@@ -639,7 +647,7 @@ function rcmail_mod_css_styles($source, $container_id, $base_url = '')
 function rcmail_xss_entitiy_decode($content)
 {
 $out = html_entity_decode(html_entity_decode($content));
- $out = preg_replace('/\\\([0-9a-f]{4})/ie', "chr(hexdec('\\1'))", $out);
+ $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', create_function('$matches', 'return chr(hexdec($matches[1]));'), $out);
 $out = preg_replace('#/\*.*\*/#Um', '', $out);
 return $out;
 }
|
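Review bot: The first create_function body in the new @import replacement still splices `$base_url` and `$container_id` into PHP source as bare single-quoted literals, so a quote or backslash in either value ends the literal and the remainder is compiled as code — the move from `/e` to a callback stops the matched CSS text from being evaluated, but not this interpolation. The hunk already uses var_export for $a_css_values, and the same quoting closes the gap here: `urlencode(make_absolute_url(\$matches[2],".var_export($base_url, true).")), urlencode(".var_export($container_id, true).")`. Whether either argument can actually carry such characters depends on the callers, which are not in this hunk, and the start of rcmail_mod_css_styles is outside the hunk as well.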
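Review bot: In rcmail_xss_entitiy_decode the create_function callback has a constant body, so every call recompiles the same source at runtime; a named helper does the same work without that and reads more plainly, e.g. `function rcmail_css_hex_escape_to_chr($m) { return chr(hexdec($m[1])); }` passed as `'rcmail_css_hex_escape_to_chr'`. The two callbacks in the first hunk have the same cost, though they need the closed-over $base_url, $container_id and $a_css_values. Separately, chr() keeps only the low byte of the four-hex-digit value, so escapes above \00ff decode to an unrelated byte; if that is acceptable for this decoder's purpose, a one-line comment on the replacement saying so would help the next reader.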
