WebSVN – Moodle – Diff – /admin/tool/messageinbound/roundcube/rcube_utils.php

+     *
      * @return string Modified CSS source
      */
     public static function mod_css_styles($source, $container_id, $allow_remote = false, $prefix = '')
+    {
-        $last_pos     = 0;
-        $replacements = new rcube_string_replacer;
-        // ignore the whole block if evil styles are detected
         $source   = self::xss_entity_decode($source);
-        $stripped = preg_replace('/[^a-z\(:;]/i', '', $source);
-        $evilexpr = 'expression|behavior|javascript:|import[^a]' . (!$allow_remote ? '|url\((?!data:image)' : '');
+        // No @import allowed
+        // TODO: We should just remove it, not invalidate the whole content
-        if (preg_match("/$evilexpr/i", $stripped)) {
+        if (stripos($source, '@import') !== false) {
             return '/* evil! */';
+        }
+        // Incomplete style expression
+        if (strpos($source, '{') === false) {
+            return '/* invalid! */';
+        }
-        }
+        // To prevent from a double-escaping tricks we consider a script with
+        // any escape sequences (after de-escaping them above) an evil script.
+        // This probably catches many valid scripts, but we\'re on the safe side.
+        if (preg_match('/\\\[0-9a-fA-F]{2}/', $source)) {
             return '/* evil! */';
         $strict_url_regexp = '!url\s*\(\s*["\']?(https?:)//[a-z0-9/._+-]+["\']?\s*\)!Uims';
+        // remove html comments
+        $source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source);
+        $url_callback = static function ($url) use ($allow_remote) {
+            if (strpos($url, 'data:image') === 0) {
+                return $url;
+            }
+            if ($allow_remote && preg_match('|^https?://[a-z0-9/._+-]+$|i', $url)) {
+                return $url;
+            }
+        };
-        // remove html comments
+        $last_pos = 0;
-        $source = preg_replace('/(^\s*<\!--)|(-->\s*$)/m', '', $source);
+        $replacements = new rcube_string_replacer();
         // cut out all contents between { and }
         while (($pos = strpos($source, '{', $last_pos)) && ($pos2 = strpos($source, '}', $pos))) {
             $nested = strpos($source, '{', $pos+1);
             if ($nested && $nested < $pos2) { // when dealing with nested blocks (e.g. @media), take the inner one
-                $pos = $nested;
-            }
-            $length = $pos2 - $pos - 1;
-            $styles = substr($source, $pos+1, $length);
+                $pos = $nested;
-            $output = '';
-            // check every css rule in the style block...
-            foreach (self::parse_css_block($styles) as $rule) {
-                // Remove 'page' attributes (#7604)
-                if ($rule[0] == 'page') {
-                    continue;
-                }
-                // Convert position:fixed to position:absolute (#5264)
-                if ($rule[0] == 'position' && strcasecmp($rule[1], 'fixed') === 0) {
-                    $rule[1] = 'absolute';
-                }
-                else if ($allow_remote) {
-                    $stripped = preg_replace('/[^a-z\(:;]/i', '', $rule[1]);
-                    // allow data:image and strict url() values only
-                    if (
-                        stripos($stripped, 'url(') !== false
-                        && stripos($stripped, 'url(data:image') === false
-                        && !preg_match($strict_url_regexp, $rule[1])
-                    ) {
-                        $rule[1] = '/* evil! */';
-                    }
-                }
+            }
             $length = $pos2 - $pos - 1;
-                $output .= sprintf(" %s: %s;", $rule[0] , $rule[1]);
+            $styles = substr($source, $pos+1, $length);
             $styles = self::sanitize_css_block($styles, $url_callback);
         return $source;
+    }
+    /**
+     * Parse and sanitize single CSS block
+     *
+     * @param string    $styles       CSS styles block
+     * @param ?callable $url_callback URL validator callback
+     *
+     * @return string
+     */
+    public static function sanitize_css_block($styles, $url_callback = null)
+    {
+        $output = [];
+        // check every css rule in the style block...
+        foreach (self::parse_css_block($styles) as $rule) {
+            $property = $rule[0];
+            $value = $rule[1];
+            if ($property == 'page') {
+                // Remove 'page' attributes (#7604)
+                continue;
+            } elseif ($property == 'position' && strcasecmp($value, 'fixed') === 0) {
+                // Convert position:fixed to position:absolute (#5264)
+                $value = 'absolute';
+            } elseif (preg_match('/expression|image-set/i', $value)) {
+                continue;
+            } else {
+                $value = '';
+                foreach (self::explode_css_property_block($rule[1]) as $val) {
+                    if ($url_callback && preg_match('/^url\s*\(/i', $val)) {
+                        if (preg_match('/^url\s*\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $val, $match)) {
+                            if ($url = $url_callback($match[1])) {
+                                $value .= ' url(' . $url . ')';
+                            }
+                        }
+                    } else {
+                        // whitelist ?
+                        $value .= ' ' . $val;
+                        // #1488535: Fix size units, so width:800 would be changed to width:800px
+                        if ($val
+                            && preg_match('/^(left|right|top|bottom|width|height)/i', $property)
+                            && preg_match('/^[0-9]+$/', $val)
+                        ) {
+                            $value .= 'px';
+                        }
+                    }
+                }
+            }
+            if (strlen($value)) {
+                $output[] = $property . ': ' . trim($value);
+            }
+        }
+        return count($output) > 0 ? implode('; ', $output) . ';' : '';
+    }
     /**
      * Explode css style. Property names will be lower-cased and trimmed.
      * Values will be trimmed. Invalid entries will be skipped.
+     *
         return $result;
+    }
+    /**
+     * Explode css style value
+     *
+     * @param string $style CSS style
+     *
+     * @return array List of CSS values
+     */
+    public static function explode_css_property_block($style)
+    {
+        $style = preg_replace('/\s+/', ' ', $style);
+        $result = [];
+        $strlen = strlen($style);
+        $q = false;
+        // explode value
+        for ($p = $i = 0; $i < $strlen; $i++) {
+            if (($style[$i] == '"' || $style[$i] == "'") && ($i == 0 || $style[$i - 1] != '\\')) {
+                if ($q == $style[$i]) {
+                    $q = false;
+                } elseif (!$q) {
+                    $q = $style[$i];
+                }
+            }
+            if (!$q && $style[$i] == ' ' && ($i == 0 || !preg_match('/[,\(]/', $style[$i - 1]))) {
+                $result[] = substr($style, $p, $i - $p);
+                $p = $i + 1;
+            }
+        }
+        $result[] = (string) substr($style, $p);
+        return $result;
+    }
     /**
      * Generate CSS classes from mimetype and filename extension
+     *
      * @param string $mimetype Mimetype

Proyectos de Subversion Moodle

(root)/admin/tool/messageinbound/roundcube/rcube_utils.php – Rev 1 → 1441