| | |
|---|
| | | +-----------------------------------------------------------------------+ |
|---|
| | | */ |
|---|
| | | |
|---|
| | | $name = get_input_value('_name', RCUBE_INPUT_POST); |
|---|
| | | $value = get_input_value('_value', RCUBE_INPUT_POST); |
|---|
| | | $name = get_input_value('_name', RCUBE_INPUT_POST); |
|---|
| | | $value = get_input_value('_value', RCUBE_INPUT_POST); |
|---|
| | | $sessname = get_input_value('_session', RCUBE_INPUT_POST); |
|---|
| | | |
|---|
| | | // Whitelisted preferences and session variables, others |
|---|
| | | // can be added by plugins |
|---|
| | | $whitelist = array( |
|---|
| | | 'preview_pane', |
|---|
| | | 'list_cols', |
|---|
| | | 'collapsed_folders', |
|---|
| | | 'collapsed_abooks', |
|---|
| | | ); |
|---|
| | | $whitelist_sess = array( |
|---|
| | | 'list_attrib/columns', |
|---|
| | | ); |
|---|
| | | |
|---|
| | | if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) { |
|---|
| | | $whitelist = array_merge($whitelist, $RCMAIL->plugins->allowed_prefs); |
|---|
| | | $whitelist_sess = array_merge($whitelist_sess, $RCMAIL->plugins->allowed_session_prefs); |
|---|
| | | |
|---|
| | | if (!in_array($name, $whitelist) || ($sessname && !in_array($sessname, $whitelist_sess))) { |
|---|
| | | raise_error(array('code' => 500, 'type' => 'php', |
|---|
| | | 'file' => __FILE__, 'line' => __LINE__, |
|---|
| | | 'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])), |
|---|
| | |
|---|
| | | $RCMAIL->user->save_prefs(array($name => $value)); |
|---|
| | | |
|---|
| | | // update also session if requested |
|---|
| | | if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) { |
|---|
| | | if ($sessname) { |
|---|
| | | // Support multidimensional arrays... |
|---|
| | | $vars = explode('/', $sessname); |
|---|
| | | |
|---|
| | |
|---|
| | | |
|---|
| | | $OUTPUT->reset(); |
|---|
| | | $OUTPUT->send(); |
|---|
| | | |
|---|
