Roundcube 1.6.14 — Embedded images in HTML signatures are stripped on save (base64 validation regex bug)
Product: cPanel & WHM
Component: cpanel-roundcubemail (1.6.14.0-1.cp132)
Severity: Bug — Feature broken for all users
OS: CloudLinux 8.10 (also affects any OS with this package version)
Summary
Images inserted into HTML signatures in Roundcube webmail are silently stripped when saving. The image appears in the editor during upload, but after clicking Save the <img> tag loses its src attribute, resulting in a blank/broken signature. This affects all image formats (JPG, PNG, etc.) and all users on the server.
Steps to Reproduce
- Log into Roundcube webmail (via cPanel)
- Go to Settings → Identities → Edit an identity
- Enable HTML signature
- Insert an image into the signature (via the TinyMCE image upload dialog)
- The image displays correctly in the editor
- Click Save
- Re-open the identity — the image is gone
Root Cause
File: program/lib/Roundcube/rcube_washtml.php, line ~433
When saving a signature, Roundcube first converts uploaded images to data:image/...;base64,... URIs (in attach_images()), then sanitizes the HTML (in wash_html() via rcube_washtml).
The base64 validation regex in rcube_washtml::wash_uri() is:
if (stripos($type, 'base64') === false || preg_match('|[^0-9a-z\s/+]|i', $matches[2])) {
    return '';
}
The character class [^0-9a-z\s/+] does not include =, which is a valid and required base64 padding character (RFC 4648 §3.2). Since PHP's base64_encode() produces = padding for any input whose length is not a multiple of 3, virtually all encoded images are rejected as "invalid" and the src attribute is stripped.
Proof
$img = file_get_contents('/path/to/uploaded_signature_image.png');
$b64 = base64_encode($img);
// Current regex — REJECTS valid base64 (returns 1)
var_dump(preg_match('|[^0-9a-z\s/+]|i', $b64)); // int(1)
// Fixed regex — ACCEPTS valid base64 (returns 0)
var_dump(preg_match('|[^0-9a-z\s/+=]|i', $b64)); // int(0)
Database evidence — the saved signatures contain <img> tags with no src:
<p><img width="550" height="176" /></p>
Fix
Add = to the allowed base64 character set:
- if (stripos($type, 'base64') === false || preg_match('|[^0-9a-z\s/+]|i', $matches[2])) {
+ if (stripos($type, 'base64') === false || preg_match('|[^0-9a-z\s/+=]|i', $matches[2])) {
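Review bot: The widened class `[^0-9a-z\s/+=]` on the `+` line accepts `=` at any position in `$matches[2]`, not only as trailing padding, so a value such as `ab=cd` now passes this check. Consider leaving the body class as it was and matching padding separately at the end of the value, for example with an anchored pattern like `^[0-9a-z\s/+]*={0,2}\s*$` under the `i` flag. A regression test with a one-byte and a two-byte payload would keep both padded forms covered.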
Impact
All cPanel servers running cpanel-roundcubemail-1.6.14.0 — no user can embed images in HTML signatures.
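The check from the report, run across payload lengths so that each padding case appears, as an added example (not part of the original post and not Roundcube's code). The function names, the sample bytes and the stricter `accepts_strict()` variant are assumptions made for illustration.

```php
<?php
// Added illustration; not Roundcube code. All function names are hypothetical.

// Character check as quoted in the report for 1.6.14: '=' is not allowed.
function accepts_old(string $b64): bool {
    return !preg_match('|[^0-9a-z\s/+]|i', $b64);
}

// Character check with the one-character change proposed in the report.
function accepts_fixed(string $b64): bool {
    return !preg_match('|[^0-9a-z\s/+=]|i', $b64);
}

// Stricter variant (an assumption, not the project's fix): '=' is allowed
// only as trailing padding, and the value must pass a strict decode.
function accepts_strict(string $b64): bool {
    $compact = preg_replace('/\s+/', '', $b64);
    if (!preg_match('|^[0-9a-z/+]*={0,2}$|i', $compact)) {
        return false;
    }
    return strlen($compact) % 4 === 0
        && base64_decode($compact, true) !== false;
}

// Constructed sample input: the first 6, 7 and 8 bytes of the PNG signature.
// Length mod 3 = 0 gives no padding, 1 gives '==', 2 gives '='.
$png = "\x89PNG\r\n\x1a\n";
$cases = [];
foreach ([6, 7, 8] as $n) {
    $cases["$n bytes"] = base64_encode(substr($png, 0, $n));
}
// Constructed malformed value with '=' in the middle of the data.
$cases['misplaced ='] = 'iVBO=Rw0';

$verdict = fn(bool $ok): string => $ok ? 'pass' : 'reject';
foreach ($cases as $label => $b64) {
    printf(
        "%-12s %-14s old=%-7s fixed=%-7s strict=%s\n",
        $label,
        $b64,
        $verdict(accepts_old($b64)),
        $verdict(accepts_fixed($b64)),
        $verdict(accepts_strict($b64))
    );
}
```

Run it with the PHP CLI; the three columns show how each check treats unpadded, padded and malformed values.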
-
Hey there! We actually just updated Roundcube to 1.6.15 last night:
https://docs.cpanel.net/changelogs/134-change-log/
Are you still seeing this issue there?
0 -
Hi @cPRex,
Thank you for the swift response and for the quick turnaround on this fix — that's much appreciated!
I can confirm that after the update to Roundcube 1.6.15, the issue is fully resolved. Embedded images in HTML signatures are now saved and displayed correctly, with no stripping occurring. Everything is working as expected.
Great work to the team for addressing this so promptly. Please feel free to close this report.
Best regards
0 -
Glad to hear it!!