Fixing what I broke.

[squirrelmail.git] / functions / mime.php

diff --git a/functions/mime.php b/functions/mime.php
index c631666db712880e51f72ba3694c0e4e9331ef5d..9ed7c844db023cecc17c48440e87edea6499ba95 100644 (file)
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -1340,9 +1340,9 @@ function sq_fixstyle($message, $id, $content){
      * Fix stupid css declarations which lead to vulnerabilities
      * in IE.
      */
-    $match   = Array('/expression/si',
-                     '/behaviou*r/si',
-                     '/binding/si');
+    $match   = Array('/expression/i',
+                     '/behaviou*r/i',
+                     '/binding/i');
     $replace = Array('idiocy', 'idiocy', 'idiocy');
     $content = preg_replace($match, $replace, $content);
     return $content;
@@ -1644,10 +1644,10 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
                 "/^src|background/i" =>
                     Array(
                           Array(
-                                "|^([\'\"])\s*\.\./.*([\'\"])|i",
-                                "/^([\'\"])\s*\S+script\s*:.*([\'\"])/i",
-                                "/^([\'\"])\s*mocha\s*:*.*([\'\"])/i",
-                                "/^([\'\"])\s*about\s*:.*([\'\"])/i"
+                                "|^([\'\"])\s*\.\./.*([\'\"])|si",
+                                "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si",
+                                "/^([\'\"])\s*mocha\s*:*.*([\'\"])/si",
+                                "/^([\'\"])\s*about\s*:.*([\'\"])/si"
                                 ),
                           Array(
                                 "\\1$secremoveimg\\2",
@@ -1659,10 +1659,10 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
                 "/^href|action/i" =>
                     Array(
                           Array(
-                                "|^([\'\"])\s*\.\./.*([\'\"])|i",
-                                "/^([\'\"])\s*\S+script\s*:.*([\'\"])/i",
-                                "/^([\'\"])\s*mocha\s*:*.*([\'\"])/i",
-                                "/^([\'\"])\s*about\s*:.*([\'\"])/i"
+                                "|^([\'\"])\s*\.\./.*([\'\"])|si",
+                                "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si",
+                                "/^([\'\"])\s*mocha\s*:*.*([\'\"])/si",
+                                "/^([\'\"])\s*about\s*:.*([\'\"])/si"
                                 ),
                           Array(
                                 "\\1#\\2",
@@ -1671,16 +1671,16 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
                                 "\\1#\\2"
                                 )
                         ),
-                "/^style/si" =>
+                "/^style/i" =>
                     Array(
                           Array(
-                                "/expression/si",
-                                "/binding/si",
-                                "/behaviou*r/si",
-                                "|url\(([\'\"])\s*\.\./.*([\'\"])\)|i",
-                                "/url\(([\'\"])\s*\S+script\s*:.*([\'\"])\)/i",
-                                "/url\(([\'\"])\s*mocha\s*:.*([\'\"])\)/i",
-                                "/url\(([\'\"])\s*about\s*:.*([\'\"])\)/i"
+                                "/expression/i",
+                                "/binding/i",
+                                "/behaviou*r/i",
+                                "|url\(([\'\"])\s*\.\./.*([\'\"])\)|si",
+                                "/url\(([\'\"])\s*\S+script\s*:.*([\'\"])\)/si",
+                                "/url\(([\'\"])\s*mocha\s*:.*([\'\"])\)/si",
+                                "/url\(([\'\"])\s*about\s*:.*([\'\"])\)/si"
                                ),
                           Array(
                                 "idiocy",
@@ -1703,7 +1703,7 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
          * to false.
          */
          array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[0],
-                    '/^([\'\"])\s*https*:.*([\'\"])/i');
+                    '/^([\'\"])\s*https*:.*([\'\"])/si');
          array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[1],
                     "\\1$secremoveimg\\2");
          array_push($bad_attvals{'/.*/'}{'/^style/i'}[0],
@@ -1713,7 +1713,7 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
     }
 
     $add_attr_to_tag = Array(
-                             "/^a$/si" => Array('target'=>'"_new"')
+                             "/^a$/i" => Array('target'=>'"_new"')
                              );
     $trusted = sq_sanitize($body, 
                            $tag_list, 
@@ -1727,7 +1727,7 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX') {
                            $id,
                            $mailbox
                            );
-    if (preg_match("|$secremoveimg|si", $trusted)){
+    if (preg_match("|$secremoveimg|i", $trusted)){
         $has_unsafe_images = true;
     } 
     return $trusted;