roundcube / roundcubemail

The Roundcube Webmail suite
https://roundcube.net
GNU General Public License v3.0

Embedded SVG content type is text/plain #9644

Open paulmedynski opened 5 days ago

paulmedynski commented 5 days ago

Describe the issue

The fetch of an embedded SVG image within an email message results in the data being returned with content-type text/plain. For example, this URL:

GET /webmail/?_task=mail&_action=get&_mbox=Foo&_uid=618&_token=<redacted>&_part=1.2&_embed=1&_mimeclass=image

Results in a response with these headers:

HTTP/1.1 200 OK
Date: Sun, 22 Sep 2024 16:37:15 GMT
Server: Apache/2.4.62 (Debian)
Expires: Sun, 22 Sep 2024 16:37:15 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Sun, 22 Sep 2024 16:37:15 GMT
X-DNS-Prefetch-Control: off
Referrer-Policy: same-origin
X-Frame-Options: sameorigin
Content-Disposition: inline; filename="Part 1.2.svg"
Content-Security-Policy: default-src 'none'; img-src 'self'
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/plain; charset=UTF-8

As a result, the embedded images are not displayed.

What browser(s) are you seeing the problem on?

Chrome, Firefox

What version of PHP are you using?

8.3.11

What version of Roundcube are you using?

1.6.5

JavaScript errors

GET https:///webmail/?_task=mail&_action=get&_mbox=Foo&_uid=618&_token=&_part=1.9&_embed=1&_mimeclass=image 404 (Not Found)

PHP errors

Error log is empty.

pabzm commented 5 days ago

@paulmedynski Thank you for your report! Version 1.6.5 is almost one year old. Could you please check whether this behaviour still occurs in the latest version, 1.6.9?

alecpl commented 5 days ago

Or provide a sample message so we can easily try to reproduce.

paulmedynski commented 4 days ago

roundcube 1.6.5 is the latest available via default Debian 12 repos:

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
roundcube/stable,stable-security,now 1.6.5+dfsg-1+deb12u4 all [installed]
  skinnable AJAX based webmail solution for IMAP servers - metapackage

Here's a sample email that displays fine in Thunderbird and in previous roundcube versions:

svg_sample.zip

pabzm commented 1 day ago

Thank you for noting that you're using the Debian package. Those are patched heavily, so the version number isn't really relevant.

Could you post the URL of the bug report in the Debian tracker? (Or open one, if you didn't yet.)

The Debian Changelog suggests that they picked the security fixes introduced in 89c8fe9ae, in which this line possibly introduced a bug:

            if (preg_match('~(javascript|jscript|ecmascript|xml|html|text/)~i', $ctype)) {

@alecpl Shouldn't the ending slash be put after the closing bracket? Currently this evaluates to true also for image/svg+xml – which leads to files with that content-type being delivered as text/plain, which would explain the reported behaviour.
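
The match discussed in the comment above, as an added example that is not part of the thread or of Roundcube's code. It runs the quoted pattern and, as an assumption about what the question means, the same pattern with the slash moved after the closing bracket, over constructed Content-Type values, and prints which token each pattern matched.

```php
<?php
// Added example, not Roundcube code.
// $quoted is copied from the line quoted in the comment above.
// $moved is a literal reading of the question in that comment (slash moved
// after the closing bracket); it is an assumption, not a confirmed fix.
$quoted = '~(javascript|jscript|ecmascript|xml|html|text/)~i';
$moved  = '~(javascript|jscript|ecmascript|xml|html|text)/~i';

// Constructed sample Content-Type values.
$ctypes = [
    'image/svg+xml',
    'image/png',
    'text/html',
    'text/plain',
    'application/javascript',
    'application/xhtml+xml',
    'application/pdf',
];

// Return the substring the pattern matched, or '-' when it did not match.
// The pattern is unanchored, so a token anywhere in the value counts.
function matched_token(string $pattern, string $ctype): string
{
    return preg_match($pattern, $ctype, $m) === 1 ? $m[0] : '-';
}

printf("%-26s %-14s %s\n", 'content-type', 'quoted', 'slash moved');
foreach ($ctypes as $ctype) {
    printf(
        "%-26s %-14s %s\n",
        $ctype,
        matched_token($quoted, $ctype),
        matched_token($moved, $ctype)
    );
}
```

The quoted pattern matches image/svg+xml through its `xml` alternative, because the pattern is unanchored. With the slash moved, only values containing one of the tokens directly followed by `/` match, so application/javascript no longer does.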

pabzm commented 1 day ago

Debian's patch is here: https://sources.debian.org/patches/roundcube/1.6.5%2Bdfsg-1%2Bdeb12u4/CVE-2024-42008.patch/, and contains the line unchanged.

paulmedynski commented 12 hours ago

Thanks for looking into this! Does your analysis above indicate that there is a bug in upstream roundcube that Debian included in their security patches? Or has Debian introduced the bug into their patches? Something else? I'm not sure what action I should take here. I will open a Debian bug if they introduced the issue, but if the issue comes from roundcube proper, then I think this issue suffices. Thoughts?