From d4830b8c1c46167f9aa0ee154585e01adab11528 Mon Sep 17 00:00:00 2001 From: thomasb Date: Thu, 3 Feb 2011 21:12:35 +0000 Subject: Prevent from relaying arbitrary requests through modcss.inc (security issue) git-svn-id: https://svn.roundcube.net/trunk@4488 208e9e7b-5314-0410-a742-e7e81cd9613c --- roundcubemail/program/steps/mail/func.inc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'roundcubemail/program/steps/mail') diff --git a/roundcubemail/program/steps/mail/func.inc b/roundcubemail/program/steps/mail/func.inc index b1b5d916a..fd00142d1 100644 --- a/roundcubemail/program/steps/mail/func.inc +++ b/roundcubemail/program/steps/mail/func.inc @@ -1194,15 +1194,16 @@ function rcmail_html4inline($body, $container_id, $body_id='', &$attributes=null */ function rcmail_alter_html_link($matches) { - global $EMAIL_ADDRESS_PATTERN; + global $RCMAIL, $EMAIL_ADDRESS_PATTERN; $tag = $matches[1]; $attrib = parse_attrib_string($matches[2]); $end = '>'; if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) { - $attrib['href'] = "?_task=utils&_action=modcss&u=" . urlencode($attrib['href']) - . "&c=" . urlencode($GLOBALS['rcmail_html_container_id']); + $tempurl = 'tmp-' . md5($attrib['href']) . '.css'; + $_SESSION['modcssurls'][$tempurl] = $attrib['href']; + $attrib['href'] = $RCMAIL->url(array('task' => 'utils', 'action' => 'modcss', 'u' => $tempurl, 'c' => $GLOBALS['rcmail_html_container_id'])); $end = ' />'; } else if (preg_match('/^mailto:'.$EMAIL_ADDRESS_PATTERN.'(\?[^"\'>]+)?/i', $attrib['href'], $mailto)) { -- cgit v1.2.3