mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-08 22:18:28 +03:00
Additional securty fixes
This commit is contained in:
parent
f2918491d6
commit
007a03b8d4
5 changed files with 35 additions and 20 deletions
|
|
@ -865,24 +865,23 @@ class HtmlUtils
|
|||
$oElement->setAttribute('tabindex', '-1');
|
||||
}
|
||||
|
||||
foreach (array(
|
||||
'id', 'class',
|
||||
'contenteditable', 'designmode', 'formaction',
|
||||
'data-bind', 'data-reactid', 'xmlns', 'srcset',
|
||||
'data-x-skip-style'
|
||||
) as $sAttr)
|
||||
if ($oElement->hasAttributes() && isset($oElement->attributes) && $oElement->attributes)
|
||||
{
|
||||
@$oElement->removeAttribute($sAttr);
|
||||
}
|
||||
|
||||
foreach (array(
|
||||
'load', 'blur', 'error', 'focus', 'formchange', 'change',
|
||||
'click', 'dblclick', 'keydown', 'keypress', 'keyup',
|
||||
'mousedown', 'mouseenter', 'mouseleave', 'mousemove', 'mouseout', 'mouseover', 'mouseup',
|
||||
'move', 'resize', 'resizeend', 'resizestart', 'scroll', 'select', 'submit', 'upload'
|
||||
) as $sAttr)
|
||||
{
|
||||
@$oElement->removeAttribute('on'.$sAttr);
|
||||
foreach ($oElement->attributes as $oAttr)
|
||||
{
|
||||
if ($oAttr && !empty($oAttr->nodeName))
|
||||
{
|
||||
$sAttrName = \trim(\strtolower($oAttr->nodeName));
|
||||
if ('on' === \substr($sAttrName, 0, 2) || in_array($sAttrName, array(
|
||||
'id', 'class', 'contenteditable', 'designmode', 'formaction',
|
||||
'data-bind', 'data-reactid', 'xmlns', 'srcset', 'data-x-skip-style',
|
||||
'fscommand', 'seeksegmenttime'
|
||||
)))
|
||||
{
|
||||
@$oElement->removeAttribute($oAttr->nodeName);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($oElement->hasAttribute('href'))
|
||||
|
|
|
|||
|
|
@ -9182,7 +9182,8 @@ class Actions
|
|||
*/
|
||||
private function mainDefaultResponse($sActionName, $mResult = false, $aAdditionalParams = array())
|
||||
{
|
||||
$sActionName = 'Do' === substr($sActionName, 0, 2) ? substr($sActionName, 2) : $sActionName;
|
||||
$sActionName = 'Do' === \substr($sActionName, 0, 2) ? \substr($sActionName, 2) : $sActionName;
|
||||
$sActionName = \preg_replace('/[^a-zA-Z0-9_]+/', '', $sActionName);
|
||||
|
||||
$aResult = array(
|
||||
'Action' => $sActionName,
|
||||
|
|
|
|||
|
|
@ -112,6 +112,10 @@ class Api
|
|||
$sSslCapath = \RainLoop\Api::Config()->Get('ssl', 'capath', '');
|
||||
|
||||
\RainLoop\Utils::$CookieDefaultPath = \RainLoop\Api::Config()->Get('labs', 'cookie_default_path', '');
|
||||
if (\RainLoop\Api::Config()->Get('labs', 'cookie_default_secure', false))
|
||||
{
|
||||
\RainLoop\Utils::$CookieDefaultSecure = true;
|
||||
}
|
||||
|
||||
if (!empty($sSslCafile) || !empty($sSslCapath))
|
||||
{
|
||||
|
|
|
|||
|
|
@ -355,6 +355,7 @@ Enables caching in the system'),
|
|||
'use_local_proxy_for_external_images' => array(false),
|
||||
'detect_image_exif_orientation' => array(true),
|
||||
'cookie_default_path' => array(''),
|
||||
'cookie_default_secure' => array(false),
|
||||
'startup_url' => array(''),
|
||||
'emogrifier' => array(true),
|
||||
'dev_email' => array(''),
|
||||
|
|
|
|||
|
|
@ -9,6 +9,11 @@ class Utils
|
|||
*/
|
||||
static $CookieDefaultPath = '';
|
||||
|
||||
/**
|
||||
* @var bool|null
|
||||
*/
|
||||
static $CookieDefaultSecure = null;
|
||||
|
||||
static $Cookies = null;
|
||||
|
||||
static $RSA = null;
|
||||
|
|
@ -530,7 +535,7 @@ class Utils
|
|||
return isset(\RainLoop\Utils::$Cookies[$sName]) ? \RainLoop\Utils::$Cookies[$sName] : $mDefault;
|
||||
}
|
||||
|
||||
public static function SetCookie($sName, $sValue = '', $iExpire = 0, $sPath = null, $sDomain = null, $sSecure = null, $bHttpOnly = true)
|
||||
public static function SetCookie($sName, $sValue = '', $iExpire = 0, $sPath = null, $sDomain = null, $bSecure = null, $bHttpOnly = true)
|
||||
{
|
||||
if (null === \RainLoop\Utils::$Cookies)
|
||||
{
|
||||
|
|
@ -543,8 +548,13 @@ class Utils
|
|||
$sPath = $sPath && 0 < \strlen($sPath) ? $sPath : null;
|
||||
}
|
||||
|
||||
if (null === $bSecure)
|
||||
{
|
||||
$bSecure = \RainLoop\Utils::$CookieDefaultSecure;
|
||||
}
|
||||
|
||||
\RainLoop\Utils::$Cookies[$sName] = $sValue;
|
||||
@\setcookie($sName, $sValue, $iExpire, $sPath, $sDomain, $sSecure, $bHttpOnly);
|
||||
@\setcookie($sName, $sValue, $iExpire, $sPath, $sDomain, $bSecure, $bHttpOnly);
|
||||
}
|
||||
|
||||
public static function ClearCookie($sName)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue