Fix SSRF + Information Disclosure via stylesheet links to a local network hosts

Reported by Georgios Tsimpidas (aka Frey), Security Researcher at https://i0.rs/
Aleksander Machniak
2026-03-18 10:35:16 +01:00
parent 10a6d1fa8a
commit 27ec6cc9cb
7 changed files with 85 additions and 5 deletions


@@ -47,7 +47,7 @@ class rcmail_action_utils_modcss extends rcmail_action
$ctype = null;
try {
$client = rcube::get_instance()->get_http_client();
$client = rcube::get_instance()->get_http_client(['allow_redirects' => false]);
$response = $client->get($realurl);
if (!empty($response)) {
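Review bot: With `allow_redirects` set to false, a 3xx reply is now handed back as `$response` and still satisfies `!empty($response)`, so unless the lines below the hunk check the status, a redirect's headers and body would be processed as stylesheet content. Tightening the guard to `if (!empty($response) && $response->getStatusCode() === 200) {` would keep only real fetches, assuming the client returns a PSR-7 response as Guzzle does. The option also deserves a one-line comment such as `// do not follow redirects: the target could be a local-network host`, because nothing on the line says why it is there. The `try` and `if` blocks continue past the end of the hunk, and any validation of the host in `$realurl` is not visible in these lines.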