
Merge branch 'trunk'

Andy 6 rokov pred
rodič
commit
83c2451b9c
3 zmenil súbory, kde vykonal 102 pridanie a 2 odobranie
  1. 97 0
      config/conf.pl
  2. 3 0
      doc/ChangeLog
  3. 2 2
      functions/mime.php

+ 97 - 0
config/conf.pl

@@ -515,6 +515,9 @@ $check_referrer = ''                   if ( !$check_referrer );
 $ask_user_info = 'true'                if ( !$ask_user_info );
 $use_transparent_security_image = 'true' if ( !$use_transparent_security_image );
 $display_imap_login_error = 'false'    if ( !$display_imap_login_error );
+$allow_svg_display = 'false'           if ( !$allow_svg_display );
+$block_svg_download = 'false'          if ( !$block_svg_download );
+$fix_broken_base64_encoded_messages = 'false' if ( !$fix_broken_base64_encoded_messages );
 
 if ( $ARGV[0] eq '--install-plugin' ) {
     print "Activating plugin " . $ARGV[1] . "\n";
@@ -749,6 +752,9 @@ while ( ( $command ne "q" ) && ( $command ne "Q" ) && ( $command ne ":q" ) ) {
         print "19. Page referal requirement     : $WHT$check_referrer$NRM\n";
         print "20. Security image               : $WHT" . (lc($use_transparent_security_image) eq 'true' ? 'Transparent' : 'Textual') . "$NRM\n";
         print "21. Display login error from IMAP: $WHT$display_imap_login_error$NRM\n";
+        print "22. Show inline SVG objects      : $WHT$allow_svg_display$NRM\n";
+        print "23. Block downloading SVG objects: $WHT$block_svg_download$NRM\n";
+        print "24. Fix broken base64 messages   : $WHT$fix_broken_base64_encoded_messages$NRM\n";
         print "\n";
         print "R   Return to Main Menu\n";
     } elsif ( $menu == 5 ) {
@@ -1027,6 +1033,9 @@ while ( ( $command ne "q" ) && ( $command ne "Q" ) && ( $command ne ":q" ) ) {
             elsif ( $command == 19 ) { $check_referrer           = command321(); }
             elsif ( $command == 20 ) { $use_transparent_security_image = command322(); }
             elsif ( $command == 21 ) { $display_imap_login_error = command323(); }
+            elsif ( $command == 22 ) { $allow_svg_display        = command324(); }
+            elsif ( $command == 23 ) { $block_svg_download       = command325(); }
+            elsif ( $command == 24 ) { $fix_broken_base64_encoded_messages = command326(); }
         } elsif ( $menu == 5 ) {
             if ( $command == 1 )     { $use_icons      = commandB3(); }
 #            elsif ( $command == 3 )  { $icon_theme_def = command53(); }
@@ -2954,7 +2963,91 @@ sub command323 {
 }
 
 
+# allow_svg_display (since 1.5.2)
+sub command324 {
+    print "Some email messages might contain SVG images or animations, however\n";
+    print "the power and dynamic nature of SVG objects may represent security or\n";
+    print "privacy vulnerabilities.\n";
+    print "\n";
+    print "Enabling this option will cause SquirrelMail to display any SVG objects\n";
+    print "included inline in email messages when they are viewed in HTML format.\n";
+    print "\n";
+
+    if ( lc($allow_svg_display) eq 'true' ) {
+        $default_value = "y";
+    } else {
+        $default_value = "n";
+    }
+    print "Show inline SVG objects? (y/n) [$WHT$default_value$NRM]: $WHT";
+    $allow_svg_display = <STDIN>;
+    if ( ( $allow_svg_display =~ /^y\n/i ) || ( ( $allow_svg_display =~ /^\n/ ) && ( $default_value eq "y" ) ) ) {
+        $allow_svg_display = 'true';
+    } else {
+        $allow_svg_display = 'false';
+    }
+    return $allow_svg_display;
+}
+
+
+
+# block_svg_download (since 1.5.2)
+sub command325 {
+    print "Some email messages might contain SVG image or animation attachments,\n";
+    print "however even when downloaded, the power and dynamic nature of SVG\n";
+    print "objects may represent security or privacy vulnerabilities.\n";
+    print "\n";
+    print "Enabling this option will cause SquirrelMail to hide download links\n";
+    print "for any SVG objects attached to email messages, whereas disabling it\n";
+    print "will allow users to download such attachments as they see fit.\n";
+    print "\n";
+
+    if ( lc($block_svg_download) eq 'true' ) {
+        $default_value = "y";
+    } else {
+        $default_value = "n";
+    }
+    print "Hide download links for SVG objects? (y/n) [$WHT$default_value$NRM]: $WHT";
+    $block_svg_download = <STDIN>;
++    if ( ( $block_svg_download =~ /^y\n/i ) || ( ( $block_svg_download =~ /^\n/ ) && ( $default_value eq "y" ) ) ) {
+        $block_svg_download = 'true';
+    } else {
+        $block_svg_download = 'false';
+    }
+    return $block_svg_download;
+}
+
+
+
+# fix_broken_base64_encoded_messages (since 1.5.2)
+sub command326 {
+    print "Some email messages might contain base64-encoded parts, and a very\n";
+    print "small number of unknown servers have been seen sending such\n";
+    print "messages in a malformed but recoverable manner.\n";
+    print "\n";
+    print "Enabling this option will cause SquirrelMail to detect and correct\n";
+    print "such messages at a slight cost in processing power.  Chances are\n";
+    print "somewhat low that your users would ever receive such messages.\n";
+    print "\n";
+
+    if ( lc($fix_broken_base64_encoded_messages) eq 'true' ) {
+        $default_value = "y";
+    } else {
+        $default_value = "n";
+    }
+    print "Fix broken base64-encoded messages? (y/n) [$WHT$default_value$NRM]: $WHT";
+    $fix_broken_base64_encoded_messages = <STDIN>;
+    if ( ( $fix_broken_base64_encoded_messages =~ /^y\n/i ) || ( ( $fix_broken_base64_encoded_messages =~ /^\n/ ) && ( $default_value eq "y" ) ) ) {
+        $fix_broken_base64_encoded_messages = 'true';
+    } else {
+        $fix_broken_base64_encoded_messages = 'false';
+    }
+    return $fix_broken_base64_encoded_messages;
+}
+
+
 
+####################################################################################
+#### THEMES ####
 sub command_userThemes {
     print "\nDefine the user themes that you wish to use.  If you have added\n";
     print "a theme of your own, just follow the instructions (?) about\n";
@@ -5286,6 +5379,10 @@ sub save_data {
         # boolean
         print CF "\$use_transparent_security_image = $use_transparent_security_image;\n";
 
+        print CF "\$allow_svg_display = $allow_svg_display;\n";
+        print CF "\$block_svg_download = $block_svg_download;\n";
+        print CF "\$fix_broken_base64_encoded_messages = $fix_broken_base64_encoded_messages;\n";
+
         print CF "\n";
 
         # boolean
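Review bot: In command324 the line `$allow_svg_display = <STDIN>;` leaves the variable undef on EOF, so the match on the next line warns under `use warnings` and the option silently becomes 'false' instead of keeping the default shown in the prompt; command325 and command326 have the same shape, and for block_svg_download that means a protective setting can be switched off by a stray Ctrl-D rather than preserved. Treating EOF like an empty answer keeps the displayed default: `my $answer = <STDIN>;` followed by `$answer = "\n" unless defined $answer;` and then matching on `$answer` instead of the option variable. Assigning `$default_value` without `my` presumably follows the existing commandNNN subs in this file; if they read stdin the same way, the same EOF behaviour likely applies to them too, but their bodies are outside this hunk.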

+ 3 - 0
doc/ChangeLog

@@ -423,6 +423,9 @@ Version 1.5.2 - SVN
   - Added favicon and ability for admins to use their own by setting
     $head_tag_extra in config_local.php (see documentation in
     config/config_local.php)
+  - Updated SVG handling, closing several related vulnerabilities
+    (#2831) [CVE-2018-14950] [CVE-2018-14951] [CVE-2018-14952]
+    [CVE-2018-14953] [CVE-2018-14954] [CVE-2018-14955]
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------

+ 2 - 2
functions/mime.php

@@ -2520,7 +2520,7 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
     // require_once(SM_PATH . 'functions/url_parser.php');  // for $MailTo_PReg_Match
 
     global $attachment_common_show_images, $view_unsafe_images,
-           $has_unsafe_images, $block_svg_display;
+           $has_unsafe_images, $allow_svg_display;
     /**
      * Don't display attached images in HTML mode.
      *
@@ -2550,7 +2550,7 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
             "xmp",
             "xml",
             );
-    if ($block_svg_display)
+    if (!$allow_svg_display)
         $rm_tags_with_content[] = 'svg';
 
     $self_closing_tags =  Array(
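Review bot: The inverted test `if (!$allow_svg_display)` now strips `<svg>` whenever the variable is false or unset, which is the safe direction for a config.php that predates this option, but nothing in the hunk says that is deliberate. A comment above the check such as `// Strip <svg> unless explicitly allowed; unset (older config.php) falls to the safe side.` would keep a later maintainer from "fixing" it into a positive check. An unset global would presumably still raise a PHP notice under strict error reporting, so the config loader is expected to supply a default — confirm. magicHTML's body continues outside the hunk.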