[dev] Recent Bugfix in Mime_Viewer: Follow-up needed?

Mahdi Pasche pasche at b1-systems.de
Wed Mar 2 11:03:14 UTC 2022


Hello,

there was a recent XSS vulnerability fix for the Mime_Viewer lib [1].
It seems like the same issue exists in the code path that is executed
when the xsl extension is not installed [2]. My question is whether this
path is ever used in deployments or if the existence of the xsl
extension is always assumed / enforced.
If not, is there anything speaking against using the same filter there
[2] for the $content variable as well?

[1]
https://github.com/horde/Mime_Viewer/commit/820aeddfe9ea1203a3c18d1e98e56ae3167cf8ef#diff-918c21401143f590536e0f042103090ef13f9f7d24188b5420327147525dd00eR126

[2]
https://github.com/horde/Mime_Viewer/blob/master/lib/Horde/Mime/Viewer/Ooo.php#L101
-- 
Mahdi Pasche
Linux Consultant
Tel.: +49 175 1959373
E-Mail: pasche at b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / https://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt, HRB 3537


