Index: functions/mime.php =================================================================== RCS file: /cvsroot/squirrelmail/squirrelmail/functions/mime.php,v retrieving revision 1.265.2.70 diff -u -F^f -r1.265.2.70 mime.php --- functions/mime.php 2 Dec 2006 15:10:13 -0000 1.265.2.70 +++ functions/mime.php 3 Dec 2006 20:48:23 -0000 @@ -1027,6 +1027,75 @@ function sq_unspace(&$attvalue){ } /** + * Translate all dangerous Unicode or Shift_JIS characters which are acepted by + * IE as regular characters. + * + * @param attvalue The attribute value before dangerous characters are translated. + * @return attvalue Nothing, modifies a reference value. + * @author Marc Groot Koerkamp. + */ +function sq_fixIE_idiocy(&$attvalue) { + // remove NUL + $attvalue = str_replace("\0", "", $attvalue); + // remove comments + $attvalue = preg_replace("/(\/\*.*?\*\/)/","",$attvalue); + + // IE has the evil habit of excepting every possible value for the attribute expression + // The table below contain characters which are valid in IE if they are used in the "expression" + // attribute value. + $aDangerousCharsReplacementTable = array( + array('ʟ', 'ʟ' ,/* L UNICODE IPA Extension */ + 'ʀ', 'ʀ' ,/* R UNICODE IPA Extension */ + 'ɴ', 'ɴ' ,/* N UNICODE IPA Extension */ + 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */ + 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */ + 'X', 'X',/* Unicode FULLWIDTH LATIN CAPITAL LETTER X */ + 'x', 'x',/* Unicode FULLWIDTH LATIN SMALL LETTER X */ + 'P', 'P',/* Unicode FULLWIDTH LATIN CAPITAL LETTER P */ + 'p', 'p',/* Unicode FULLWIDTH LATIN SMALL LETTER P */ + 'R', 'R',/* Unicode FULLWIDTH LATIN CAPITAL LETTER R */ + 'r', 'r',/* Unicode FULLWIDTH LATIN SMALL LETTER R */ + 'S', 'S',/* Unicode FULLWIDTH LATIN CAPITAL LETTER S */ + 's', 's',/* Unicode FULLWIDTH LATIN SMALL LETTER S */ + 'I', 'I',/* Unicode FULLWIDTH LATIN CAPITAL LETTER I */ + 'i', 'i',/* Unicode FULLWIDTH LATIN SMALL LETTER I */ + 'O', 'O',/* Unicode FULLWIDTH LATIN CAPITAL LETTER O */ + 'o', 'o',/* Unicode FULLWIDTH LATIN SMALL LETTER O */ + 'N', 'N',/* Unicode FULLWIDTH LATIN CAPITAL LETTER N */ + 'n', 'n',/* Unicode FULLWIDTH LATIN SMALL LETTER N */ + 'L', 'L',/* Unicode FULLWIDTH LATIN CAPITAL LETTER L */ + 'l', 'l',/* Unicode FULLWIDTH LATIN SMALL LETTER L */ + 'U', 'U',/* Unicode FULLWIDTH LATIN CAPITAL LETTER U */ + 'u', 'u',/* Unicode FULLWIDTH LATIN SMALL LETTER U */ + 'ⁿ', 'ⁿ' ,/* Unicode SUPERSCRIPT LATIN SMALL LETTER N */ + '艤', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ // in unicode this is some chinese char range + '芅', /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */ + '艷', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */ + '芘', /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */ + '良', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */ + '芐', /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */ + '艱', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */ + '芒', /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */ + '色', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */ + '芓', /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */ + '艨', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */ + '芉', /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */ + '艮', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */ + '芏', /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */ + '艭', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */ + '芎'), /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */ + array('l', 'l', 'r','r','n','n', + 'E','E','e','e','X','X','x','x','P','P','p','p','S','S','s','s','I','I', + 'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n', + 'E','e','X','x','P','p','S','s','I','i','O','o','N','n')); + $attvalue = str_replace($aDangerousCharsReplacementTable[0],$aDangerousCharsReplacementTable[1],$attvalue); + + // Escapes are usefull for special characters like "{}[]()'&. In other cases they are + // used for XSS + $attvalue = preg_replace("/(\\\\)([a-zA-Z]{1})/",'$2',$attvalue); +} + +/** * This function returns the final tag out of the tag name, an array * of attributes, and the type of the tag. This function is called by * sq_sanitize internally. @@ -1492,10 +1561,23 @@ function sq_fixatts($tagname, } } } + + /** + * Workaround for IE quirks + */ + sq_fixIE_idiocy($attvalue); + /** * Remove any backslashes, entities, and extraneous whitespace. */ + $oldattvalue = $attvalue; sq_defang($attvalue); + if ($attname == 'style' && $attvalue !== $oldattvalue) { + // entities are used in the attribute value. In 99% of the cases it's there as XSS + // i.e.
+ $attvalue = "idiocy"; + $attary{$attname} = $attvalue; + } sq_unspace($attvalue); /** @@ -1616,6 +1698,9 @@ function sq_fixstyle($body, $pos, $messa // possible comment if (isset($body{$i+2}) && substr($body,$i,3) == '!--') { $i = strpos($body,'-->',$i+3); + if ($i === false) { // no end comment + $i = strlen($body); + } $sToken = ''; } } else { @@ -1643,12 +1728,18 @@ function sq_fixstyle($body, $pos, $messa */ $content = preg_replace("|body(\s*\{.*?\})|si", ".bodyclass\\1", $content); $secremoveimg = '../images/' . _("sec_remove_eng.png"); + + // IE Sucks hard. We have a special function for it. + sq_fixIE_idiocy($content); + + // remove @import line + $content = preg_replace("/^\s*(@import.*)$/mi","\n\n",$content); + /** * Fix url('blah') declarations. */ - // remove NUL - $content = str_replace("\0", "", $content); // translate ur\l and variations into url (IE parses that) + // TODO check if the sq_fixIE_idiocy function already handles this. $content = preg_replace("/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",'url', $content); // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop. while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { @@ -1707,11 +1798,13 @@ function sq_fixstyle($body, $pos, $messa * in IE. */ $match = Array('/\/\*.*\*\//', - '/expression/i', - '/behaviou*r/i', - '/binding/i', - '/include-source/i'); - $replace = Array('', 'idiocy', 'idiocy', 'idiocy', 'idiocy'); + '/expression/i', + '/behaviou*r/i', + '/binding/i', + '/include-source/i', + '/javascript/i', + '/script/i'); + $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy'); $contentNew = preg_replace($match, $replace, $contentTemp); if ($contentNew !== $contentTemp) { // insecure css declarations are used. From now on we don't care