Open paulmedynski opened 5 days ago
@paulmedynski Thank you for your report! Version 1.6.5 is almost one year old; could you please check whether this behaviour still occurs in the latest version, 1.6.9?
Or provide a sample message so we can easily try to reproduce.
roundcube 1.6.5 is the latest available via default Debian 12 repos:
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
roundcube/stable,stable-security,now 1.6.5+dfsg-1+deb12u4 all [installed]
skinnable AJAX based webmail solution for IMAP servers - metapackage
Here's a sample email that displays fine in Thunderbird and in previous roundcube versions:
Thank you for noting that you're using the Debian package. Those are patched heavily, so the version number isn't really relevant.
Could you post the URL of the bug report in the Debian tracker? (Or open one, if you haven't yet.)
The Debian Changelog suggests that they picked the security fixes introduced in 89c8fe9ae, in which this line possibly introduced a bug:
if (preg_match('~(javascript|jscript|ecmascript|xml|html|text/)~i', $ctype)) {
@alecpl Shouldn't the ending slash be put after the closing bracket? Currently this evaluates to true also for image/svg+xml – which leads to files with that content-type being delivered as text/plain, which would explain the reported behaviour.
Debian's patch is here: https://sources.debian.org/patches/roundcube/1.6.5%2Bdfsg-1%2Bdeb12u4/CVE-2024-42008.patch/, and contains the line unchanged. via
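The pattern quoted in the comment above, run against a handful of content types next to the variant the comment asks about (slash moved outside the group). This is an added example, not part of the thread or of Roundcube's code; the helper name `matched_token` and the sample content types are constructed for illustration.

```php
<?php
// Added illustration, not Roundcube code. PATTERN_QUOTED is copied from the
// thread; PATTERN_VARIANT is the form the comment asks about, with the slash
// moved outside the group. The content types below are constructed samples.
const PATTERN_QUOTED  = '~(javascript|jscript|ecmascript|xml|html|text/)~i';
const PATTERN_VARIANT = '~(javascript|jscript|ecmascript|xml|html|text)/~i';

/**
 * Return the part of $ctype that makes the pattern match, or null when the
 * pattern does not match at all. (Hypothetical helper for this example.)
 */
function matched_token(string $pattern, string $ctype): ?string
{
    return preg_match($pattern, $ctype, $m) === 1 ? $m[0] : null;
}

$samples = [
    'image/svg+xml',          // the type from the report
    'image/png',
    'text/html',
    'text/plain',
    'application/javascript',
    'application/xhtml+xml',
    'application/xml',
];

// One row per content type: which substring (if any) triggers each pattern.
printf("%-24s %-12s %-12s\n", 'content-type', 'quoted', 'variant');
foreach ($samples as $ctype) {
    printf(
        "%-24s %-12s %-12s\n",
        $ctype,
        matched_token(PATTERN_QUOTED, $ctype) ?? '-',
        matched_token(PATTERN_VARIANT, $ctype) ?? '-'
    );
}
```

The pattern is unanchored, so the `xml` alternative matches anywhere in the string, including the `+xml` suffix of `image/svg+xml`. With the slash outside the group, a type matches only when one of the listed words is immediately followed by `/`, so `application/javascript` and `application/xml` stop matching as well.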
Thanks for looking into this! Does your analysis above indicate that there is a bug in upstream roundcube that Debian included in their security patches? Or has Debian introduced the bug into their patches? Something else? I'm not sure what action I should take here. I will open a Debian bug if they introduced the issue, but if the issue comes from roundcube proper, then I think this issue suffices. Thoughts?
Prerequisites
Describe the issue
The fetch of an embedded SVG image within an email message results in the data being returned with content-type text/plain. For example, this URL:
GET /webmail/?_task=mail&_action=get&_mbox=Foo&_uid=618&_token=<redacted>&_part=1.2&_embed=1&_mimeclass=image
Results in a response with these headers:
As a result, the embedded images are not displayed.
What browser(s) are you seeing the problem on?
Chrome, Firefox
What version of PHP are you using?
8.3.11
What version of Roundcube are you using?
1.6.5
JavaScript errors
GET https:///webmail/?_task=mail&_action=get&_mbox=Foo&_uid=618&_token=&_part=1.9&_embed=1&_mimeclass=image 404 (Not Found)
PHP errors
Error log is empty.