Fix cross-site scripting (XSS) vulnerability in handling of SVG in HT…

…ML messages (#9168)
roundcube · Oct 14, 2023 · 41756cc · 41756cc
1 parent ca41c16
commit 41756cc
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Fix PHP8 warnings (#9142, #9160)
 - Fix default 'mime.types' path on Windows (#9113)
 - Managesieve: Fix javascript error when relational or spamtest extension is not enabled (#9139)
+- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML messages (#9168)
 
 ## Release 1.6.3
 

diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
@@ -428,16 +428,17 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
             }
         }
         else if ($is_image && preg_match('/^data:image\/([^,]+),(.+)$/is', $uri, $matches)) { // RFC2397
+            $type = preg_replace('/\s/', '', $matches[1]);
+
             // svg images can be insecure, we'll sanitize them
-            if (stripos($matches[1], 'svg') !== false) {
+            if (stripos($type, 'svg') !== false) {
                 $svg = $matches[2];
 
-                if (stripos($matches[1], ';base64') !== false) {
-                    $svg  = base64_decode($svg);
-                    $type = $matches[1];
+                if (stripos($type, ';base64') !== false) {
+                    $svg = base64_decode($svg);
                 }
                 else {
-                    $type = $matches[1] . ';base64';
+                    $type .= ';base64';
                 }
 
                 $washer = new self($this->config);

diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
@@ -455,6 +455,24 @@ function data_wash_svg_tests()
                 '<svg><script href="data:text/javascript,alert(1)" /><text x="20" y="20">XSS</text></svg>',
                 '<svg><text x="20" y="20">XSS</text></svg>'
             ],
+            [
+                '<html><svg><use href="data:image/s vg+xml;base64,' // space
+                    . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+                    . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+                '<svg><use x-washed="href"></use></svg>'
+            ],
+            [
+                '<html><svg><use href="data:image/s' . "\n" . 'vg+xml;base64,' // new-line
+                    . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+                    . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+                '<svg><use x-washed="href"></use></svg>'
+            ],
+            [
+                '<html><svg><use href="data:image/s	vg+xml;base64,' // tab
+                    . 'PHN2ZyBpZD0ieCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4gPGltYWdlIGhy'
+                    . 'ZWY9IngiIG9uZXJyb3I9ImFsZXJ0KCcxJykiLz48L3N2Zz4=#x"></svg></html>',
+                '<svg><use x-washed="href"></use></svg>'
+            ],
         ];
     }