File roundcubemail-1.0.9-004-1e275ac-boo_1001856.patch of Package roundcubemail.openSUSE_13.1_Update
From 1e275ac13ac6222efd9dbc80118642bd2a6fe3dd Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <machniak@kolabsys.com>
Date: Sun, 29 May 2016 17:09:41 +0200
Subject: [PATCH] Wash position:fixed style in HTML mail for better security
(#5264)
---
program/lib/Roundcube/rcube_utils.php | 6 +++++-
program/lib/Roundcube/rcube_washtml.php | 9 +++++++--
tests/Framework/Utils.php | 10 ++++++++++
tests/Framework/Washtml.php | 14 ++++++++++++++
4 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 28b16ff..adda416 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -430,10 +430,11 @@ public static function html_identifier($str, $encode=false)
/**
* Replace all css definitions with #container [def]
- * and remove css-inlined scripting
+ * and remove css-inlined scripting, make position style safe
*
* @param string CSS source code
* @param string Container ID to use as prefix
+ * @param bool Allow remote content
*
* @return string Modified CSS source
*/
@@ -461,6 +462,9 @@ public static function mod_css_styles($source, $container_id, $allow_remote=fals
$length = $pos2 - $pos - 1;
$styles = substr($source, $pos+1, $length);
+ // Convert position:fixed to position:absolute (#5264)
+ $styles = preg_replace('/position:[\s\r\n]*fixed/i', 'position: absolute', $styles);
+
// check every line of a style block...
if ($allow_remote) {
$a_styles = preg_split('/;[\r\n]*/', $styles, -1, PREG_SPLIT_NO_EMPTY);
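Review bot: The pattern added in `mod_css_styles()`, `/position:[\s\r\n]*fixed/i`, tolerates whitespace only after the colon, so a declaration written with whitespace before the colon is left unchanged and `fixed` stays in the washed CSS. Accepting optional whitespace on both sides closes that gap: `$styles = preg_replace('/position\s*:\s*fixed/i', 'position: absolute', $styles);` (`\s` already covers `\r` and `\n`). The function body starts and ends outside this hunk, so it is not visible whether CSS comments and escapes are normalised before this line; if they are not, this textual match should run only after that normalisation. `preg_replace()` returns null on a PCRE error, which would silently empty `$styles`; that is fail-closed, but a short comment saying so would help.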
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index f5a48e8..ee992da 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -231,6 +231,11 @@ private function wash_style($style)
}
}
else if (!preg_match('/^(behavior|expression)/i', $val)) {
+ // Set position:fixed to position:absolute for security (#5264)
+ if (!strcasecmp($cssid, 'position') && !strcasecmp($val, 'fixed')) {
+ $val = 'absolute';
+ }
+
// whitelist ?
$value .= ' ' . $val;
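Review bot: The new check in `wash_style()` tests `$val` for exact case-insensitive equality with `fixed`, so it only fires when `$val` reaches this branch as a bare token with no surrounding whitespace or attached modifier. How `$val` is split happens outside the hunk, so that assumption should be confirmed; a cheap hardening is `if (!strcasecmp($cssid, 'position') && !strcasecmp(trim($val), 'fixed')) {`. The comment could also give the reason instead of only "for security", e.g. `// position:fixed is placed relative to the viewport, so mail content could presumably cover the application UI; force absolute (#5264)`. The enclosing function starts and ends outside the hunk.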
@@ -716,10 +721,9 @@ public static function fix_broken_lists(&$html)
*/
protected function explode_style($style)
{
- $style = trim($style);
+ $pos = 0;
// first remove comments
- $pos = 0;
while (($pos = strpos($style, '/*', $pos)) !== false) {
$end = strpos($style, '*/', $pos+2);
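Review bot: The reason for moving `trim($style)` from before the comment-stripping loop to after it (this hunk and the following one at `-731,6 +735,7`) is not recorded in the code and is easy to undo by accident. Presumably the point is that whitespace left behind when a leading or trailing comment is removed would otherwise stay in `$style` and reach the declaration parsing. A one-line comment above the relocated call would capture it, e.g. `// trim only after comments are removed, so whitespace left around a stripped comment is dropped too`. The body of `explode_style()` continues outside both hunks.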
@@ -731,6 +735,7 @@ protected function explode_style($style)
}
}
+ $style = trim($style);
$strlen = strlen($style);
$result = array();