Fix cross-site scripting (XSS) vulnerability in handling list columns…

… from user preferences Reported by Huy Nguyễn Phạm Nhật.
roundcube · May 19, 2024 · cde4522 · cde4522
1 parent 5ea9f37
commit cde4522
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Fix PHP8 warnings (#9363, #9365, #9429)
 - Fix missing field labels in CSV import, for some locales (#9393)
 - Fix command injection via crafted im_convert_path/im_identify_path on Windows
+- Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences
 
 ## Release 1.6.6
 

diff --git a/program/actions/mail/index.php b/program/actions/mail/index.php
@@ -652,6 +652,11 @@ public static function message_list_head($attrib, $a_show_cols)
         }
 
         foreach ($a_show_cols as $col) {
+            // sanity check
+            if (!preg_match('/^[a-zA-Z_-]+$/', $col)) {
+                continue;
+            }
+
             $label    = '';
             $sortable = false;
             $rel_col  = $col == 'date' && $sort_col == 'arrival' ? 'arrival' : $col;

diff --git a/program/actions/mail/list.php b/program/actions/mail/list.php
@@ -31,10 +31,12 @@ public function run($args = [])
         $rcmail        = rcmail::get_instance();
         $save_arr      = [];
         $dont_override = (array) $rcmail->config->get('dont_override');
-        $cols          = null;
 
-        // is there a sort type for this request?
         $sort = rcube_utils::get_input_string('_sort', rcube_utils::INPUT_GET);
+        $cols = rcube_utils::get_input_string('_cols', rcube_utils::INPUT_GET);
+        $layout = rcube_utils::get_input_string('_layout', rcube_utils::INPUT_GET);
+
+        // is there a sort type for this request?
         if ($sort && preg_match('/^[a-zA-Z_-]+$/', $sort)) {
             // yes, so set the sort vars
             list($sort_col, $sort_order) = explode('_', $sort);
@@ -49,15 +51,15 @@ public function run($args = [])
         }
 
         // is there a set of columns for this request?
-        if ($cols = rcube_utils::get_input_string('_cols', rcube_utils::INPUT_GET)) {
+        if ($cols && preg_match('/^[a-zA-Z_,-]+$/', $cols)) {
             $_SESSION['list_attrib']['columns'] = explode(',', $cols);
             if (!in_array('list_cols', $dont_override)) {
                 $save_arr['list_cols'] = explode(',', $cols);
             }
         }
 
         // register layout change
-        if ($layout = rcube_utils::get_input_string('_layout', rcube_utils::INPUT_GET)) {
+        if ($layout && preg_match('/^[a-zA-Z_-]+$/', $layout)) {
             $rcmail->output->set_env('layout', $layout);
             $save_arr['layout'] = $layout;
             // force header replace on layout change