[dev] Recent Bugfix in Mime_Viewer: Follow-up needed?

Jan Schneider jan at horde.org
Wed Mar 2 20:39:32 UTC 2022


Quoting Mahdi Pasche <pasche at b1-systems.de>:

> Hello,
>
> there was a recent XSS vulnerability fix for the Mime_Viewer lib [1].
> It seems like the same issue exists in the code path that is executed
> when the xsl extension is not installed [2]. My question is whether this
> path is ever used in deployments or if the existence of the xsl
> extension is always assumed / enforced.
> If not, is there anything speaking against using the same filter there
> [2] for the $content variable as well?
>
> [1]
> https://github.com/horde/Mime_Viewer/commit/820aeddfe9ea1203a3c18d1e98e56ae3167cf8ef#diff-918c21401143f590536e0f042103090ef13f9f7d24188b5420327147525dd00eR126
>
> [2]
> https://github.com/horde/Mime_Viewer/blob/master/lib/Horde/Mime/Viewer/Ooo.php#L101

Good catch! I'm gonna release a follow-up fix for this code path.

-- 
Jan Schneider
The Horde Project
https://www.horde.org/


