Hello folks
Today we introduced a new validation mechanism for message attachments which are supposed to be displayed inside the browser. Mainly inspired by a recently reported XSS vulnerability [1], the mime-types and filename extensions stated in the message part headers are now checked against the real mime-type of the actual part bodies. This also requires the filename extension (e.g. ".png") to match the real mime-type of the corresponding attachment.
In order to reliably detect mime-types and the matching filename extensions, Roundcube and PHP need to be configured properly:
On PHP >= 5.3, we recommend setting
$rcmail_config['mime_magic'] = null;
which lets the fileinfo module of PHP use its default location for the magic numbers mapping file.
The other config option which is important for these new checks is
$rcmail_config['mime_types'] = '<path-to-apache-config>/mime.types';
This value should refer to the mime.types file used by the Apache web server to send the right mime-types for static files. If left empty, Roundcube will search for it in some default locations such as /etc/httpd/mime.types, but for performance reasons it's better to set this option right away. In case you can't find such a file on your server, especially when not running Apache, you can download it from [2].
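To illustrate the check described above (declared Content-Type and filename extension both compared against the sniffed type of the part body), here is an added example in Python; it is not Roundcube's code. It assumes a hand-written magic-number table as a stand-in for PHP's fileinfo module, and a constructed excerpt in the Apache mime.types format (type, then extensions) in place of the real file.

```python
# Constructed excerpt in Apache mime.types format: first field is the type, the rest are extensions.
MIME_TYPES_TEXT = """
# comment lines and blank lines are ignored
image/png          png
image/jpeg         jpeg jpg jpe
image/gif          gif
text/html          html htm
application/pdf    pdf
"""

# Stand-in for fileinfo's magic-number detection (only a few signatures, for the demo).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

def parse_mime_types(text):
    """Map each extension to its mime-type, the way the mime.types file is consumed."""
    ext_map = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for ext in fields[1:]:
            ext_map[ext.lower()] = fields[0].lower()
    return ext_map

def sniff_mime_type(body):
    """Detect the real mime-type from the body: magic numbers first, then a crude HTML check."""
    for sig, mtype in MAGIC:
        if body.startswith(sig):
            return mtype
    head = body[:512].lower()
    if b"<html" in head or b"<!doctype html" in head or b"<script" in head:
        return "text/html"
    return "application/octet-stream"

def validate_part(declared_type, filename, body, ext_map):
    """Return (ok, reason). ok is False when the header type or the filename extension
    disagrees with what the body really is; that is the case the yellow warning covers."""
    real = sniff_mime_type(body)
    if declared_type.lower() != real:
        return False, f"header says {declared_type}, body is {real}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext_map.get(ext) != real:
        return False, f"extension .{ext} does not map to {real}"
    return True, "ok"
```

A part whose body is HTML but whose headers claim image/png fails on the first check, and a real GIF named ".png" fails on the second.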
Now, with the new attachment validation in place, your users might see some yellow warnings (see attached image), because sometimes email messages are simply formatted incorrectly even though all the contents are safe. Clicking the button will let the user see the attachment anyway, but since this is all new, we're seriously interested in your feedback and in common problems resulting from this new check. I hope we can then fine-tune it a bit and catch some common and harmless cases.
Cheers, Thomas
[1] http://trac.roundcube.net/ticket/1488828
[2] http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types