mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-13 03:27:39 +03:00
Additional securty fixes
This commit is contained in:
parent
f2918491d6
commit
007a03b8d4
5 changed files with 35 additions and 20 deletions
|
|
@ -865,24 +865,23 @@ class HtmlUtils
|
||||||
$oElement->setAttribute('tabindex', '-1');
|
$oElement->setAttribute('tabindex', '-1');
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach (array(
|
if ($oElement->hasAttributes() && isset($oElement->attributes) && $oElement->attributes)
|
||||||
'id', 'class',
|
|
||||||
'contenteditable', 'designmode', 'formaction',
|
|
||||||
'data-bind', 'data-reactid', 'xmlns', 'srcset',
|
|
||||||
'data-x-skip-style'
|
|
||||||
) as $sAttr)
|
|
||||||
{
|
{
|
||||||
@$oElement->removeAttribute($sAttr);
|
foreach ($oElement->attributes as $oAttr)
|
||||||
|
{
|
||||||
|
if ($oAttr && !empty($oAttr->nodeName))
|
||||||
|
{
|
||||||
|
$sAttrName = \trim(\strtolower($oAttr->nodeName));
|
||||||
|
if ('on' === \substr($sAttrName, 0, 2) || in_array($sAttrName, array(
|
||||||
|
'id', 'class', 'contenteditable', 'designmode', 'formaction',
|
||||||
|
'data-bind', 'data-reactid', 'xmlns', 'srcset', 'data-x-skip-style',
|
||||||
|
'fscommand', 'seeksegmenttime'
|
||||||
|
)))
|
||||||
|
{
|
||||||
|
@$oElement->removeAttribute($oAttr->nodeName);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach (array(
|
|
||||||
'load', 'blur', 'error', 'focus', 'formchange', 'change',
|
|
||||||
'click', 'dblclick', 'keydown', 'keypress', 'keyup',
|
|
||||||
'mousedown', 'mouseenter', 'mouseleave', 'mousemove', 'mouseout', 'mouseover', 'mouseup',
|
|
||||||
'move', 'resize', 'resizeend', 'resizestart', 'scroll', 'select', 'submit', 'upload'
|
|
||||||
) as $sAttr)
|
|
||||||
{
|
|
||||||
@$oElement->removeAttribute('on'.$sAttr);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($oElement->hasAttribute('href'))
|
if ($oElement->hasAttribute('href'))
|
||||||
|
|
|
||||||
|
|
@ -9182,7 +9182,8 @@ class Actions
|
||||||
*/
|
*/
|
||||||
private function mainDefaultResponse($sActionName, $mResult = false, $aAdditionalParams = array())
|
private function mainDefaultResponse($sActionName, $mResult = false, $aAdditionalParams = array())
|
||||||
{
|
{
|
||||||
$sActionName = 'Do' === substr($sActionName, 0, 2) ? substr($sActionName, 2) : $sActionName;
|
$sActionName = 'Do' === \substr($sActionName, 0, 2) ? \substr($sActionName, 2) : $sActionName;
|
||||||
|
$sActionName = \preg_replace('/[^a-zA-Z0-9_]+/', '', $sActionName);
|
||||||
|
|
||||||
$aResult = array(
|
$aResult = array(
|
||||||
'Action' => $sActionName,
|
'Action' => $sActionName,
|
||||||
|
|
|
||||||
|
|
@ -112,6 +112,10 @@ class Api
|
||||||
$sSslCapath = \RainLoop\Api::Config()->Get('ssl', 'capath', '');
|
$sSslCapath = \RainLoop\Api::Config()->Get('ssl', 'capath', '');
|
||||||
|
|
||||||
\RainLoop\Utils::$CookieDefaultPath = \RainLoop\Api::Config()->Get('labs', 'cookie_default_path', '');
|
\RainLoop\Utils::$CookieDefaultPath = \RainLoop\Api::Config()->Get('labs', 'cookie_default_path', '');
|
||||||
|
if (\RainLoop\Api::Config()->Get('labs', 'cookie_default_secure', false))
|
||||||
|
{
|
||||||
|
\RainLoop\Utils::$CookieDefaultSecure = true;
|
||||||
|
}
|
||||||
|
|
||||||
if (!empty($sSslCafile) || !empty($sSslCapath))
|
if (!empty($sSslCafile) || !empty($sSslCapath))
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -355,6 +355,7 @@ Enables caching in the system'),
|
||||||
'use_local_proxy_for_external_images' => array(false),
|
'use_local_proxy_for_external_images' => array(false),
|
||||||
'detect_image_exif_orientation' => array(true),
|
'detect_image_exif_orientation' => array(true),
|
||||||
'cookie_default_path' => array(''),
|
'cookie_default_path' => array(''),
|
||||||
|
'cookie_default_secure' => array(false),
|
||||||
'startup_url' => array(''),
|
'startup_url' => array(''),
|
||||||
'emogrifier' => array(true),
|
'emogrifier' => array(true),
|
||||||
'dev_email' => array(''),
|
'dev_email' => array(''),
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,11 @@ class Utils
|
||||||
*/
|
*/
|
||||||
static $CookieDefaultPath = '';
|
static $CookieDefaultPath = '';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var bool|null
|
||||||
|
*/
|
||||||
|
static $CookieDefaultSecure = null;
|
||||||
|
|
||||||
static $Cookies = null;
|
static $Cookies = null;
|
||||||
|
|
||||||
static $RSA = null;
|
static $RSA = null;
|
||||||
|
|
@ -530,7 +535,7 @@ class Utils
|
||||||
return isset(\RainLoop\Utils::$Cookies[$sName]) ? \RainLoop\Utils::$Cookies[$sName] : $mDefault;
|
return isset(\RainLoop\Utils::$Cookies[$sName]) ? \RainLoop\Utils::$Cookies[$sName] : $mDefault;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function SetCookie($sName, $sValue = '', $iExpire = 0, $sPath = null, $sDomain = null, $sSecure = null, $bHttpOnly = true)
|
public static function SetCookie($sName, $sValue = '', $iExpire = 0, $sPath = null, $sDomain = null, $bSecure = null, $bHttpOnly = true)
|
||||||
{
|
{
|
||||||
if (null === \RainLoop\Utils::$Cookies)
|
if (null === \RainLoop\Utils::$Cookies)
|
||||||
{
|
{
|
||||||
|
|
@ -543,8 +548,13 @@ class Utils
|
||||||
$sPath = $sPath && 0 < \strlen($sPath) ? $sPath : null;
|
$sPath = $sPath && 0 < \strlen($sPath) ? $sPath : null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (null === $bSecure)
|
||||||
|
{
|
||||||
|
$bSecure = \RainLoop\Utils::$CookieDefaultSecure;
|
||||||
|
}
|
||||||
|
|
||||||
\RainLoop\Utils::$Cookies[$sName] = $sValue;
|
\RainLoop\Utils::$Cookies[$sName] = $sValue;
|
||||||
@\setcookie($sName, $sValue, $iExpire, $sPath, $sDomain, $sSecure, $bHttpOnly);
|
@\setcookie($sName, $sValue, $iExpire, $sPath, $sDomain, $bSecure, $bHttpOnly);
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function ClearCookie($sName)
|
public static function ClearCookie($sName)
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue