Hi,
We fixed our bullseye installations with the attached patch for
roundcube 1.4.15+dfsg.1-1+deb11u4, based on
https://github.com/roundcube/roundcubemail/pull/9865/files (but skipping
the tests).
Maybe this is helpful to someone.
Marco
--- usr/share/roundcube/program/steps/settings/upload.inc.orig 2023-10-14 18:34:32.000000000 +0200
+++ usr/share/roundcube/program/steps/settings/upload.inc 2025-06-03 13:37:00.257331562 +0200
@@ -20,6 +20,13 @@
$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_GET);
$type = preg_replace('/(add|edit)-/', '', $from);
+// Validate URL input.
+if (!rcube_utils::is_simple_string($type)) {
+ $RCMAIL->write_log('errors', 'The URL parameter "_from" contains disallowed characters and the request is thus rejected.');
+ $OUTPUT->command('display_message', 'Invalid input', 'error');
+ $OUTPUT->send('iframe');
+}
+
// Plugins in Settings may use this file for some uploads (#5694)
// Make sure it does not contain a dot, which is a special character
// when using rcube_session::append() below
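Review bot: The rejection branch added at the top of the hunk has no terminating statement of its own, so whether the invalid `$type` reaches the upload handling below depends on `$OUTPUT->send('iframe')` never returning. Roundcube's HTML output `send()` does exit by default as far as I know, but a validation guard should not rely on that implicitly; appending `exit;` after the `send()` call makes the rejection self-contained and survives a future change to `send()`'s behaviour. The check is correctly applied to `$type` (the value actually used as the session key below) rather than `$from`, and `is_simple_string()` rejects the `null` that `preg_replace()` returns on a PCRE error, so no extra null handling is needed here. The rest of the upload handling continues outside the hunk.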
--- usr/share/roundcube/program/lib/Roundcube/rcube_utils.php.orig 2024-08-08 23:48:56.000000000 +0200
+++ usr/share/roundcube/program/lib/Roundcube/rcube_utils.php 2025-06-03 13:23:51.328614618 +0200
@@ -243,6 +243,22 @@
}
/**
+ * Check if input value is a "simple" string.
+ * "Simple" is defined as a non-empty string containing only
+ * - "word" characters (alphanumeric plus underscore),
+ * - dots,
+ * - dashes.
+ *
+ * @param mixed $input The value to test
+ *
+ * @return bool
+ */
+ public static function is_simple_string($input)
+ {
+ return is_string($input) && (bool) preg_match('/^[\w.-]+$/i', $input);
+ }
+
+ /**
* Read input value and convert it for internal use
* Performs stripslashes() and charset conversion if necessary
*
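Review bot: The pattern `'/^[\w.-]+$/i'` in `is_simple_string()` accepts a value with a single trailing newline, because an unanchored `$` in PCRE matches before a final `"\n"` — `"contact\n"` passes the check even though the docblock promises only word characters, dots and dashes. Use `\z` (or the `D` modifier) so the end anchor is absolute: `return is_string($input) && (bool) preg_match('/^[\w.-]+\z/', $input);`. The `i` modifier is redundant, since `\w` already matches both cases. Note also that without the `u` modifier `\w` is byte-based (ASCII, possibly locale-dependent on some builds), which is the intended strictness for a session-key validator but is worth stating in the docblock, e.g. `* Matching is byte-based (no "u" modifier); non-ASCII letters are rejected.`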