fix(security): prevent path traversal in HTML compose img src handler [CVE-2026-58451] #85

Merged: ralflang merged 1 commit into FRAMEWORK_6_0 from fix/compose-img-src-path-traversal on Jul 1, 2026

Conversation

ralflang (Member) commented Jul 1, 2026

The smiley resolver in IMP_Compose::_convertToRelated() prefix-checked
img src URLs with stripos() and rebuilt the filesystem path with
str_replace(), leaving any ../ sequences intact. A crafted <img src>
in a composed message could read arbitrary web-server-readable files
and exfiltrate them in the outgoing MIME body.

Tighten the prefix to /ckeditor/, reject dot segments, NUL bytes,
and non-allowlisted characters in the URL tail, and require
realpath() containment under the resolved ckeditor directory before
file_get_contents().

Reported by evan. Coordinated by VulnCheck.
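The hardened resolution described above, written out as an added PHP example; this is not IMP's own code, and the function name, the ckeditor directory layout and the sample URLs are assumptions.

```php
<?php
// Added example (not the IMP code base): resolve an img src only when it
// points beneath the ckeditor web directory. resolveCkeditorImage() and
// the directory layout are assumptions made for this illustration.
function resolveCkeditorImage(string $src, string $ckeditorDir): ?string
{
    $prefix = '/ckeditor/';
    // Exact, case-sensitive prefix check (the vulnerable code used stripos()).
    if (strncmp($src, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $tail = substr($src, strlen($prefix));

    // Allowlist the URL tail: letters, digits, '_', '.', '/', '-'.
    // A NUL byte or any other character fails the match.
    if ($tail === '' || !preg_match('#\A[A-Za-z0-9_./-]+\z#', $tail)) {
        return null;
    }
    // Reject empty segments and the dot segments "." and "..".
    foreach (explode('/', $tail) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }

    // Canonicalise both sides (resolving symlinks) and require containment
    // before touching the file; the trailing separator stops "ckeditor2"
    // from matching "ckeditor".
    $base = realpath($ckeditorDir);
    $path = realpath($ckeditorDir . '/' . $tail);
    if ($base === false || $path === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $base, strlen($base)) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Constructed sample inputs; the ckeditor directory is assumed to exist.
$dir = __DIR__ . '/ckeditor';
var_dump(resolveCkeditorImage('/ckeditor/skins/smiley/smile.gif', $dir) !== null);
var_dump(resolveCkeditorImage('/ckeditor/../config/conf.php', $dir));  // NULL
var_dump(resolveCkeditorImage("/ckeditor/smile.gif\0.txt", $dir));     // NULL
```

The segment check and the realpath() containment overlap on purpose: the first rejects traversal syntactically, the second catches anything that survives, such as a symlink under the ckeditor directory pointing elsewhere.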

@ralflang ralflang merged commit fba972f into FRAMEWORK_6_0 Jul 1, 2026
1 check failed
cheese1 (Contributor) commented Jul 2, 2026

Hello @ralflang,
is this patch valid for v6.2.27, too?
At least it applies correctly and I don't get errors while composing "normal" mails.

Thanks

ralflang (Member, Author) commented Jul 2, 2026

Hi @cheese1, I haven't validated it - I don't have any H5 / IMP 6 instances anymore. If you would care to test, I would backport it, but I am not sure I can still create a proper pear tgz.
