[Svn] r2853 - trunk/roundcubemail/bin

trac at roundcube.net trac at roundcube.net
Wed Aug 12 12:44:46 CEST 2009


Author: thomasb
Date: 2009-08-12 05:44:46 -0500 (Wed, 12 Aug 2009)
New Revision: 2853

Modified:
   trunk/roundcubemail/bin/modcss.php
Log:
Improve security of modcss.php by setting socket timeouts and adding more sanity checks

Modified: trunk/roundcubemail/bin/modcss.php
===================================================================
--- trunk/roundcubemail/bin/modcss.php	2009-08-10 21:32:44 UTC (rev 2852)
+++ trunk/roundcubemail/bin/modcss.php	2009-08-12 10:44:46 UTC (rev 2853)
@@ -33,7 +33,7 @@
     exit;
 }
 
-$url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u']);
+$url = preg_replace('![^a-z0-9:./\-_?$&=%]!i', '', $_GET['u']);
 if ($url === null) {
     header('HTTP/1.1 403 Forbidden');
     echo $error;
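Review bot: The new character class on the `+` line still sanitises by deletion rather than rejection: any character outside the allowed set is silently dropped and the altered URL is then parsed and fetched, so the `$url === null` branch below only fires on a PCRE error, never on hostile or malformed input. A URL that needed stripping is never the one the caller meant, so reject it instead of rewriting it: `if (!isset($_GET['u']) || preg_match('![^a-z0-9:./\-_?$&=%]!i', $_GET['u'])) { header('HTTP/1.1 403 Forbidden'); echo $error; exit; }` and then use `$_GET['u']` as-is. Note the remaining check also does nothing for an empty `u` parameter, since `preg_replace` returns `''` rather than `null` for it; the `isset`/`preg_match` form above covers that case too. The block that sets `$error` and the surrounding function, if any, start before this hunk.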
@@ -45,42 +45,63 @@
 $host  = $a_uri['host'];
 $path  = $a_uri['path'] . ($a_uri['query'] ? '?'.$a_uri['query'] : '');
 
-if (!($fp = fsockopen($host, $port, $errno, $errstr, 30))) {
+// don't allow any other connections than http(s)
+if (strtolower(substr($a_uri['scheme'], 0, 4)) != 'http') {
+    header('HTTP/1.1 403 Forbidden');
+    echo "Invalid URL";
+    exit;
+}
+
+// try to open socket connection
+if (!($fp = fsockopen($host, $port, $errno, $error, 15))) {
     header('HTTP/1.1 500 Internal Server Error');
     echo $error;
     exit;
 }
 
+// set timeout for socket
+stream_set_timeout($fp, 30);
+
+// send request
 $out  = "GET $path HTTP/1.0\r\n";
 $out .= "Host: $host\r\n";
 $out .= "Connection: Close\r\n\r\n";
 fwrite($fp, $out);
 
+// read response
 $header = true;
+$headers = array();
 while (!feof($fp)) {
     $line = trim(fgets($fp, 4048));
 
-    if ($header
-        && preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs)
-        && intval($regs[1]) != 200) {
-        break;
-    } else if (empty($line) && $header) {
-        $header = false;
-    } else if (!$header) {
+    if ($header) {
+        if (preg_match('/^HTTP\/1\..\s+(\d+)/', $line, $regs)
+            && intval($regs[1]) != 200) {
+            break;
+        }
+        else if (empty($line)) {
+            $header = false;
+        }
+        else {
+            list($key, $value) = explode(': ', $line);
+            $headers[strtolower($key)] = $value;
+        }
+    }
+    else {
         $source .= "$line\n";
     }
 }
 fclose($fp);
 
-if (!empty($source)) {
+// check content-type header and mod styles
+$mimetype = strtolower($headers['content-type']);
+if (!empty($source) && in_array($mimetype, array('text/css','text/plain'))) {
     header('Content-Type: text/css');
-    echo rcmail_mod_css_styles(
-        $source,
-        preg_replace('/[^a-z0-9]/i', '', $_GET['c']),
-        $url
-    );
+    echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']));
     exit;
 }
+else
+    $error = "Invalid response returned by server";
 
 header('HTTP/1.0 404 Not Found');
 echo $error;
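Review bot: The 30-second `stream_set_timeout($fp, 30)` does not end the read loop: when a read times out `fgets` returns `false` but `feof($fp)` stays `false`, so `while (!feof($fp))` keeps spinning and appends `"\n"` to `$source` on every pass until PHP's execution limit kills the request, which defeats the timeout the commit message promises. Check the stream state inside the loop and bail out, e.g. `$meta = stream_get_meta_data($fp);` / `if ($line === false || $meta['timed_out']) break;`, and cap the total number of bytes appended to `$source` (e.g. `if (strlen($source) > 1048576) break;`), since `fgets($fp, 4048)` only bounds a single line and a remote server can otherwise stream an unbounded body into memory. The `in_array($mimetype, array('text/css','text/plain'))` test will also reject the very common `text/css; charset=utf-8`, because the parameter is never stripped, and `$headers['content-type']` raises a notice when the header is absent; compare only the media type, e.g. `$ctype = isset($headers['content-type']) ? $headers['content-type'] : '';` / `$mimetype = strtolower(trim(strtok($ctype, ';')));`, and give `explode(': ', $line)` a limit of 2 so a header value containing `': '` is not truncated. Finally, the scheme check only restricts the protocol prefix (`substr(..., 0, 4) != 'http'` also admits e.g. `httpx://`), while `$host` is taken verbatim from the user-supplied URL on the context line above, so the script still opens a connection to any address the mail server can reach, including loopback and internal hosts; comparing the scheme against an explicit `array('http', 'https')` and refusing private/loopback hosts would close that down.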
