oss-sec mailing list archives

CVE-2010-0463 incomplete horde fixes


From: Nico Golde <oss-security+ml () ngolde de>
Date: Sat, 3 Apr 2010 15:55:22 +0200

Hi,
from the CVE id description:
| Horde IMP 4.3.6 and earlier does not request that the web browser
| avoid DNS prefetching of domain names contained in e-mail messages,
| which makes it easier for remote attackers to determine the network
| location of the webmail user by logging DNS requests.
Additionally: https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail

In order to fix this, Horde upstream added:
// Build filter stack. Starts with HTML markup and tab expansion.
$filters = array(
    'text2html' => array(
        'charset' => Horde_Nls::getCharset(),
        // See Ticket #8836
        'noprefetch' => ($GLOBALS['browser']->isBrowser('mozilla') && !$GLOBALS['browser']->usingSSLConnection()),
        'parselevel' => Horde_Text_Filter_Text2html::MICRO
    ),
    'tabs2spaces' => array(),
);

If the noprefetch option is set, IMP will add <meta http-equiv="x-dns-prefetch-control" value="off" />
to the page.
The problem with the above fix is that it is only triggered if the browser is Mozilla and the
connection is not using SSL. I think this comes from a misunderstanding of the above
blog post, which states "Using HTTPS rather than HTTP disables DNS prefetching."

From my understanding this fix is incomplete because other browsers (e.g. Chrome) do
DNS prefetching as well, and the assumption that this is disabled using HTTPS is, even
for Mozilla, only true in the default configuration.

JFYI...

Cheers
Nico
P.S. CC'ed upstream
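
Added example (not code from the Horde project or from the message above): the decision in the quoted fix modelled as a function, beside an unconditional form that covers every browser and both transports, plus the two ways of emitting the opt-out (meta element and response header). All function names, the client matrix and the sample message body are constructed for this illustration; only the 'noprefetch' option, the Mozilla/non-SSL condition and the x-dns-prefetch-control mechanism come from the message.

```php
<?php
// Added example, not Horde/IMP code. Function names are hypothetical.

/**
 * The decision as it stands in the quoted IMP fix: opt out of prefetching
 * only for Mozilla-family browsers on a plain-HTTP connection.
 */
function shouldDisableDnsPrefetchIncomplete(string $browserFamily, bool $usingSsl): bool
{
    return $browserFamily === 'mozilla' && !$usingSsl;
}

/**
 * Hardened decision. Any browser that renders an untrusted mail body may
 * resolve the hostnames it contains, and HTTPS does not reliably suppress
 * that, so the opt-out is unconditional. In the quoted filter stack this
 * corresponds to writing 'noprefetch' => true.
 */
function shouldDisableDnsPrefetchHardened(string $browserFamily, bool $usingSsl): bool
{
    return true;
}

/** Meta-element form of the opt-out; the HTML attribute is "content". */
function dnsPrefetchOptOutMeta(): string
{
    return '<meta http-equiv="x-dns-prefetch-control" content="off">';
}

/** Response-header form of the same policy, honoured by Firefox and Chromium. */
function dnsPrefetchOptOutHeader(): string
{
    return 'X-DNS-Prefetch-Control: off';
}

/**
 * Wraps an already-filtered (HTML-escaped) message body. The meta element
 * is placed in <head> so that it precedes every link in the body.
 */
function renderMessagePage(string $filteredBody, bool $disablePrefetch): string
{
    $head = $disablePrefetch ? dnsPrefetchOptOutMeta() : '';
    return "<html><head>{$head}</head><body>{$filteredBody}</body></html>";
}

// Constructed sample: a body that already passed the text2html filter and
// contains a hostname chosen by the sender (placeholder domain).
$body = 'See <a href="http://sender-controlled.example/">this</a>';

// Constructed client matrix: browser families a Horde_Browser-style detector
// might report, with both transport states. Only the first row is covered
// by the original condition.
$clients = [
    ['mozilla', false],
    ['mozilla', true],
    ['webkit',  false],
    ['webkit',  true],
];

foreach ($clients as [$family, $ssl]) {
    $incomplete = shouldDisableDnsPrefetchIncomplete($family, $ssl);
    $hardened   = shouldDisableDnsPrefetchHardened($family, $ssl);
    printf("%-8s ssl=%-5s original-fix=%-5s hardened=%s\n",
        $family, var_export($ssl, true),
        var_export($incomplete, true), var_export($hardened, true));
}

// In a real response the header has to be sent before any output:
//   header(dnsPrefetchOptOutHeader());
// and the document that follows carries the meta element as well.
echo renderMessagePage($body, shouldDisableDnsPrefetchHardened('webkit', true)), "\n";
```

Running the script lists the four client/transport combinations and shows that the original condition protects only Mozilla over plain HTTP, while the hardened form emits the opt-out for all of them; sending the policy both as a header and as a meta element means it survives even if one of the two is dropped by an intermediate filter or proxy.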
