From: <pdo...@us...> - 2008-09-11 01:32:21
Revision: 13276 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13276&view=rev Author: pdontthink Date: 2008-09-11 01:32:19 +0000 (Thu, 11 Sep 2008) Log Message: ----------- Relax restriction on image tag src URIs. Others PLEASE TEST (HTML mails with unsafe images). Per the developers mailing list, no one could show that there was any exploit here. Some code has been inserted here but commented out in case there is in fact some exploit - the code will filter image URI file extensions as before but for URIs that fail that test, SM will check the actual served content for legitimate image files (so dynamically generated images from .asp, .php, and other systems can be correctly displayed). Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/functions/mime.php
Modified: branches/SM-1_4-STABLE/squirrelmail/functions/mime.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/functions/mime.php 2008-09-11 00:49:51 UTC (rev 13275)
+++ branches/SM-1_4-STABLE/squirrelmail/functions/mime.php 2008-09-11 01:32:19 UTC (rev 13276)
@@ -1742,11 +1742,66 @@
$attvalue = $sQuote . $secremoveimg . $sQuote;
} else {
if (isset($aUrl['path'])) {
+
+ // No one has been able to show that image URIs
+ // can be exploited, so for now, no restrictions
+ // are made at all. If this proves to be a problem,
+ // the commented-out code below can be of help.
+ // (One consideration is that I see nothing in this
+ // function that specifically says that we will
+ // only ever arrive here when inspecting an image
+ // tag, although that does seem to be the end
+ // result - e.g., <script src="..."> where malicious
+ // image URIs are in fact a problem are already
+ // filtered out elsewhere.
+ /* ---------------------------------
// validate image extension.
$ext = strtolower(substr($aUrl['path'],strrpos($aUrl['path'],'.')));
if (!in_array($ext,array('.jpeg','.jpg','xjpeg','.gif','.bmp','.jpe','.png','.xbm'))) {
- $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ // If URI is to something other than
+ // a regular image file, get the contents
+ // and try to see if it is an image.
+ // Don't use Fileinfo (finfo_file()) because
+ // we'd need to make the admin configure the
+ // location of the magic.mime file (FIXME: add finfo_file() support later?)
+ //
+ $mime_type = '';
+ if (function_exists('mime_content_type')
+ && ($FILE = @fopen($attvalue, 'rb', FALSE))) {
+
+ // fetch file
+ //
+ $file_contents = '';
+ while (!feof($FILE)) {
+ $file_contents .= fread($FILE, 8192);
+ }
+ fclose($FILE);
+
+ // store file locally
+ //
+ global $attachment_dir, $username;
+ $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
+ $localfilename = GenerateRandomString(32, '', 7);
+ $full_localfilename = "$hashed_attachment_dir/$localfilename";
+ while (file_exists($full_localfilename)) {
+ $localfilename = GenerateRandomString(32, '', 7);
+ $full_localfilename = "$hashed_attachment_dir/$localfilename";
+ }
+ $FILE = fopen("$hashed_attachment_dir/$localfilename", 'wb');
+ fwrite($FILE, $file_contents);
+ fclose($FILE);
+
+ // get mime type and remove file
+ //
+ $mime_type = mime_content_type("$hashed_attachment_dir/$localfilename");
+ unlink("$hashed_attachment_dir/$localfilename");
+ }
+ // debug: echo "$attvalue FILE TYPE IS $mime_type<HR>";
+ if (substr(strtolower($mime_type), 0, 5) != 'image') {
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ }
}
+ --------------------------------- */
} else {
$attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
}
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
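Review bot: The disabled fallback that starts at `if (function_exists('mime_content_type') && ($FILE = @fopen($attvalue, 'rb', FALSE)))` would make the server fetch whatever URL the message author put in the `src` attribute and read the whole response into `$file_contents` with no size cap, so if that block is ever uncommented it is a server-side request forgery and memory-exhaustion vector as written — a sender could aim the webmail host at internal addresses or at an arbitrarily large response. Before it is revived it needs a scheme allow-list (http and https only), a byte limit on the `fread` loop and a stream timeout, and the `while (file_exists(...))` probe followed by `fopen(..., 'wb')` is a check-then-create race that `tempnam($hashed_attachment_dir, 'img')` would replace. Separately, the kept extension list has `'xjpeg'` without its leading dot, so a `.xjpeg` path can never match if the check is restored. I would record the hazard next to the code rather than only in the log message, e.g. above the `/* ---` line: `// WARNING: the disabled code below fetches arbitrary remote URLs server-side (SSRF) with no size limit or timeout; do not re-enable without fixing that.` The enclosing function begins and ends outside this hunk, so whether `$attvalue` still carries quotes or has already been scheme-checked when it reaches `fopen` cannot be confirmed from here.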