Fix cross-site scripting (XSS) vulnerability in handling of linkrefs …

…in plain text messages Thanks to Niraj Shivtarkar for the report.
roundcube · Sep 14, 2023 · c998034 · c998034
1 parent 10f4be7
commit c998034
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 9 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,6 @@
-CHANGELOG Roundcube Webmail
-===========================
+# Changelog Roundcube Webmail
 
+- Fix cross-site scripting (XSS) vulnerability in handling of linkrefs in plain text messages
 - Enigma: Fix initial synchronization of private keys
 
 RELEASE 1.4.13

diff --git a/program/lib/Roundcube/rcube_string_replacer.php b/program/lib/Roundcube/rcube_string_replacer.php
@@ -59,8 +59,8 @@ function __construct($options = array())
         $link_prefix = "([\w]+:\/\/|{$this->noword}[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)";
 
         $this->options         = $options;
-        $this->linkref_index   = '/\[([^\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/';
-        $this->linkref_pattern = '/\[([^\]#]+)\]/';
+        $this->linkref_index   = '/\[([^<>\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/';
+        $this->linkref_pattern = '/\[([^<>\]#]+)\]/';
         $this->link_pattern    = "/$link_prefix($utf_domain([$url1]*[$url2]+)*)/";
         $this->mailto_pattern  = "/("
             . "[-\w!\#\$%&*+~\/^`|{}=]+(?:\.[-\w!\#\$%&*+~\/^`|{}=]+)*"  // local-part

diff --git a/tests/Framework/StringReplacer.php b/tests/Framework/StringReplacer.php
@@ -64,19 +64,21 @@ function test_replace($input, $output)
         $this->assertEquals($output, $result);
     }
 
+    /**
+     * Test link references
+     */
     function test_linkrefs()
     {
-        $input = "This is a sample message [1] to test the new linkref [ref0] replacement feature of [Roundcube].\n";
-        $input.= "\n";
-        $input.= "[1] http://en.wikipedia.org/wiki/Email\n";
-        $input.= "[ref0] www.link-ref.com\n";
+        $input = "This is a sample message [1] to test the linkref [ref0] replacement feature of [Roundcube].[ref<0]\n"
+            . "[1] http://en.wikipedia.org/wiki/Email\n"
+            . "[ref0] www.link-ref.com\n";
 
         $replacer = new rcube_string_replacer;
         $result = $replacer->replace($input);
         $result = $replacer->resolve($result);
 
         $this->assertContains('[<a href="http://en.wikipedia.org/wiki/Email">1</a>] to', $result, "Numeric linkref replacements");
         $this->assertContains('[<a href="http://www.link-ref.com">ref0</a>] repl', $result, "Alphanum linkref replacements");
-        $this->assertContains('of [Roundcube].', $result, "Don't touch strings wihtout an index entry");
+        $this->assertContains('of [Roundcube].[ref<0]', $result, "Don't touch strings wihtout an index entry");
     }
 }
diff --git a/tests/Framework/Text2Html.php b/tests/Framework/Text2Html.php
@@ -137,4 +137,21 @@ function test_text2html_xss()
 
         $this->assertEquals($expected, $html);
     }
+
+    /**
+     * Test XSS issue
+     */
+    function test_text2html_xss2()
+    {
+        $input = "\n[<script>evil</script>] https://google.com\n";
+        $t2h = new rcube_text2html($input);
+
+        $html = $t2h->get_html();
+
+        $expected = "<div class=\"pre\"><br>\n[&lt;script&gt;evil&lt;/script&gt;] "
+            . "<a rel=\"noreferrer\" target=\"_blank\" href=\"https://google.com\">https://google.com</a><br>\n"
+            . "</div>";
+
+        $this->assertEquals($expected, $html);
+    }
 }