[Svn] r2187 - in trunk/roundcubemail: bin program/include

trac at roundcube.net trac at roundcube.net
Wed Dec 24 15:19:27 CET 2008


Author: thomasb
Date: 2008-12-24 08:19:27 -0600 (Wed, 24 Dec 2008)
New Revision: 2187

Modified:
   trunk/roundcubemail/bin/html2text.php
   trunk/roundcubemail/bin/modcss.php
   trunk/roundcubemail/bin/quotaimg.php
   trunk/roundcubemail/program/include/main.inc
Log:
Secure bin scripts by requiring a valid session and replace preg_replace(/../e) with preg_replace_callback

Modified: trunk/roundcubemail/bin/html2text.php
===================================================================
--- trunk/roundcubemail/bin/html2text.php	2008-12-22 18:27:25 UTC (rev 2186)
+++ trunk/roundcubemail/bin/html2text.php	2008-12-24 14:19:27 UTC (rev 2187)
@@ -20,11 +20,19 @@
 */
 
 define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
 
-$converter = new html2text($HTTP_RAW_POST_DATA);
+$RCMAIL = rcmail::get_instance();
 
-header('Content-Type: text/plain; charset=UTF-8');
-print trim($converter->get_text());
+if (!empty($RCMAIL->user->ID)) {
+  $converter = new html2text($HTTP_RAW_POST_DATA);
 
+  header('Content-Type: text/plain; charset=UTF-8');
+  print trim($converter->get_text());
+}
+else {
+  header("HTTP/1.0 403 Forbidden");
+  echo "Requires a valid user session";
+}
+
 ?>
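Review bot: The new `else` branch sends a plain-text body without a Content-Type header, while the success branch explicitly sets `text/plain; charset=UTF-8`; add `header('Content-Type: text/plain; charset=UTF-8');` before the `echo` so the error body is not left to browser content sniffing. The same omission appears in the new error bodies of modcss.php and quotaimg.php in this commit. The session test `!empty($RCMAIL->user->ID)` is now duplicated verbatim across three bin scripts; a small helper in the shared include (or a one-line comment naming it as the session gate) would keep the three checks from drifting apart.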

Modified: trunk/roundcubemail/bin/modcss.php
===================================================================
--- trunk/roundcubemail/bin/modcss.php	2008-12-22 18:27:25 UTC (rev 2186)
+++ trunk/roundcubemail/bin/modcss.php	2008-12-24 14:19:27 UTC (rev 2187)
@@ -20,10 +20,12 @@
 */
 
 define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
 
+$RCMAIL = rcmail::get_instance();
+
 $source = "";
-if ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u']))
+if (!empty($RCMAIL->user->ID) && ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u'])))
 {
 	$a_uri = parse_url($url);
 	$port = $a_uri['port'] ? $a_uri['port'] : 80;
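Review bot: The session gate added to the `if` line limits who can reach this script, but the fetch target in `$url` still comes straight from `$_GET['u']`, and the character class `[^a-z0-9.-_\?\$&=%]` is looser than it reads because `.-_` inside a class is a range (0x2E–0x5F) that also admits `/`, `:`, `;`, `<`, `>`, `@` and uppercase letters. Spelling the allowed set out explicitly, e.g. `'/[^a-z0-9.\-_\/:?$&=%]/i'`, would document which characters are intended. Since the script presumably opens a connection to the parsed host on `$port` (the body continues past the hunk), checking the scheme and rejecting loopback or private-range hosts would keep an authenticated user from turning the webmail host into a proxy to internal services. The `if` block opened here is closed outside the hunk.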
@@ -59,7 +61,9 @@
 	header("Content-Type: text/css");
 	echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']), $url);
 }
-else
+else {
 	header("HTTP/1.0 404 Not Found");
+	echo "Requires a valid user session and source url";
+}
 
 ?>
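Review bot: An unauthenticated request is answered here with `404 Not Found`, while html2text.php and quotaimg.php answer the same condition with `403 Forbidden` in this commit; the two cases folded into this `else` are also different errors. A separate early check, `if (empty($RCMAIL->user->ID)) { header("HTTP/1.0 403 Forbidden"); exit; }`, placed before the URL test would keep 404 for the missing-url case and make the three scripts consistent. The `if`/`else` this branch belongs to starts outside the hunk.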

Modified: trunk/roundcubemail/bin/quotaimg.php
===================================================================
--- trunk/roundcubemail/bin/quotaimg.php	2008-12-22 18:27:25 UTC (rev 2186)
+++ trunk/roundcubemail/bin/quotaimg.php	2008-12-24 14:19:27 UTC (rev 2187)
@@ -18,6 +18,11 @@
 
 */
 
+define('INSTALL_PATH', realpath(dirname(__FILE__).'/..') . '/');
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
+
 $used   = isset($_GET['u']) ? intval($_GET['u']) : '??';
 $quota  = isset($_GET['q']) ? intval($_GET['q']) : '??';
 $width  = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
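Review bot: The new `define('INSTALL_PATH', realpath(dirname(__FILE__).'/..') . '/');` spaces the concatenation differently from the identical line this commit writes in html2text.php and modcss.php (`dirname(__FILE__) . '/..'`); using the same form here keeps the three bootstrap lines greppable as one. The session check for this script is applied only in the later hunk, after the `$_GET` parsing below; that is harmless since the values go through `intval`, but a one-line comment above `$RCMAIL = rcmail::get_instance();` noting that the gate is at the bottom would save a reader from looking for it here.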
@@ -186,11 +191,12 @@
 	imagedestroy($im);
 }
 
-if ($width > 1 && $height > 1) {
-	genQuota($used, $quota, $width, $height);  
+if (!empty($RCMAIL->user->ID) && $width > 1 && $height > 1) {
+	genQuota($used, $quota, $width, $height);
 }
 else {
-	header("HTTP/1.0 404 Not Found");
+	header("HTTP/1.0 403 Forbidden");
+	echo "Requires a valid user session and positive values";
 }
 
 exit;

Modified: trunk/roundcubemail/program/include/main.inc
===================================================================
--- trunk/roundcubemail/program/include/main.inc	2008-12-22 18:27:25 UTC (rev 2186)
+++ trunk/roundcubemail/program/include/main.inc	2008-12-24 14:19:27 UTC (rev 2187)
@@ -612,18 +612,26 @@
     array(
       '/(^\s*<!--)|(-->\s*$)/',
       '/(^\s*|,\s*|\}\s*)([a-z0-9\._#][a-z0-9\.\-_]*)/im',
-      '/@import\s+(url\()?[\'"]?([^\)\'"]+)[\'"]?(\))?/ime',
-      '/<<str_replacement\[([0-9]+)\]>>/e',
-      "/$container_id\s+body/i"
+      "/$container_id\s+body/i",
     ),
     array(
       '',
       "\\1#$container_id \\2",
-      "sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url('\\2','$base_url')), urlencode($container_id))",
-      "\$a_css_values[\\1]",
-      "$container_id div.rcmBody"
+      "$container_id div.rcmBody",
     ),
     $source);
+  
+  // replace all @import statements to modify the imported CSS sources too
+  $styles = preg_replace_callback(
+    '/@import\s+(url\()?[\'"]?([^\)\'"]+)[\'"]?(\))?/im',
+    create_function('$matches', "return sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url(\$matches[2],'$base_url')), urlencode('$container_id'));"),
+    $styles);
+  
+  // put block contents back in
+  $styles = preg_replace_callback(
+    '/<<str_replacement\[([0-9]+)\]>>/',
+    create_function('$matches', "\$values = ".var_export($a_css_values, true)."; return \$values[\$matches[1]];"),
+    $styles);
 
   return $styles;
   }
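Review bot: The first `create_function` body interpolates `$base_url` and `$container_id` directly into PHP source that is compiled by eval, so a single quote or backslash in either value still yields code execution, which is the same class of problem the removed `/e` modifier had; the second callback already avoids this by embedding `$a_css_values` through `var_export`. Do the same for both values: `create_function('$matches', "return sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url(\$matches[2], " . var_export($base_url, true) . ")), urlencode(" . var_export($container_id, true) . "));"),`. Whether every caller already guarantees quote-free values cannot be seen from here, since `rcmail_mod_css_styles` starts outside the hunk and its other call sites are not in this diff, so the defensive form is the safer one. A comment on the `@import` block saying that the callback is built from request-derived strings and must only receive `var_export`ed literals would keep the next edit from reintroducing the interpolation.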
@@ -639,7 +647,7 @@
 function rcmail_xss_entitiy_decode($content)
 {
   $out = html_entity_decode(html_entity_decode($content));
-  $out = preg_replace('/\\\([0-9a-f]{4})/ie', "chr(hexdec('\\1'))", $out);
+  $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', create_function('$matches', 'return chr(hexdec($matches[1]));'), $out);
   $out = preg_replace('#/\*.*\*/#Um', '', $out);
   return $out;
 }
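Review bot: The callback passed to `preg_replace_callback` on the new line is a constant string, so `create_function` only costs an eval at runtime and an uncollectable function per call; a named function, e.g. `function rcmail_xss_decode_char($matches) { return chr(hexdec($matches[1])); }` referenced as `'rcmail_xss_decode_char'`, is easier to read and static-analyse and matches how the rest of main.inc defines helpers. The carried-over `chr(hexdec(...))` on a four-hex-digit escape wraps values above 255 modulo 256, so escapes outside Latin-1 decode to unrelated bytes; that is pre-existing behaviour, but a short comment stating that only the low byte is kept would make the limitation explicit.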
