Fix bugs where CSRF attacks were still possible on some requests
| | |
| | | - Fix possible issues in skin/skin_path config handling (#1490125) |
| | | - Fix lack of delimiter for recipient addresses in smtp_log (#1490150) |
| | | - Fix generation of Blowfish-based password hashes (#1490184) |
| | | - Fix bugs where CSRF attacks were still possible on some requests |
| | | |
| | | RELEASE 1.0.3 |
| | | ------------- |
| | |
| | | |
| | | // end session (after optional referer check) |
| | | else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) |
| | | && $RCMAIL->check_request(rcube_utils::INPUT_GET) |
| | | && (!$RCMAIL->config->get('referer_check') || rcube_utils::check_referer()) |
| | | ) { |
| | | $userdata = array( |
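Review bot: The new `$RCMAIL->check_request(rcube_utils::INPUT_GET)` condition makes any logout link that lacks a valid `_token` fall through silently to whatever follows this `else if` (outside the hunk), with no feedback to the user. The companion client change in app.js (`switch_task`, L141–L144) appends `_token` only when `!this.env.server_error`, so a logout attempted after a server error will no longer satisfy this branch; if that is intended, a comment such as `// logout without a valid request token is ignored (token is added by switch_task in app.js)` would make the coupling explicit. The referer check stays optional via `referer_check`, so the token is now the only mandatory protection on this GET request.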
| | |
| | | var users = this.acl_get_usernames(); |
| | | |
| | | if (users && users.length && confirm(this.get_label('acl.deleteconfirm'))) { |
| | | this.http_request('settings/plugin.acl', '_act=delete&_user='+urlencode(users.join(',')) |
| | | + '&_mbox='+urlencode(this.env.mailbox), |
| | | this.http_post('settings/plugin.acl', { |
| | | _act: 'delete', |
| | | _user: users.join(','), |
| | | _mbox: this.env.mailbox |
| | | }, |
| | | this.set_busy(true, 'acl.deleting')); |
| | | } |
| | | } |
| | |
| | | // Save ACL data |
| | | rcube_webmail.prototype.acl_save = function() |
| | | { |
| | | var user = $('#acluser', this.acl_form).val(), rights = '', type; |
| | | var data, type, rights = '', user = $('#acluser', this.acl_form).val(); |
| | | |
| | | $((this.env.acl_advanced ? '#advancedrights :checkbox' : '#simplerights :checkbox'), this.acl_form).map(function() { |
| | | if (this.checked) |
| | |
| | | return; |
| | | } |
| | | |
| | | this.http_request('settings/plugin.acl', '_act=save' |
| | | + '&_user='+urlencode(user) |
| | | + '&_acl=' +rights |
| | | + '&_mbox='+urlencode(this.env.mailbox) |
| | | + (this.acl_id ? '&_old='+this.acl_id : ''), |
| | | this.set_busy(true, 'acl.saving')); |
| | | data = { |
| | | _act: 'save', |
| | | _user: user, |
| | | _acl: rights, |
| | | _mbox: this.env.mailbox |
| | | } |
| | | |
| | | if (this.acl_id) { |
| | | data._old = this.acl_id; |
| | | } |
| | | |
| | | this.http_post('settings/plugin.acl', data, this.set_busy(true, 'acl.saving')); |
| | | } |
| | | |
| | | // Cancel/Hide form |
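Review bot: The `data = { ... }` object literal on L51–L56 is not terminated with a semicolon and relies on automatic semicolon insertion, while the rest of this function terminates statements explicitly; close it with `};` on L56. The conditional `_old` assignment on L58–L60 is fine as written, but the literal could also carry a short comment, e.g. `// _old carries the previous identifier when editing an existing entry`, since the meaning of `acl_id` is not obvious from this function alone. acl_save's body is split across L33–L40 and L42–L63 on this page.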
| | |
| | | */ |
| | | private function action_save() |
| | | { |
| | | $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); // UTF7-IMAP |
| | | $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC)); |
| | | $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_GPC)); |
| | | $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_GPC)); |
| | | $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); // UTF7-IMAP |
| | | $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)); |
| | | $acl = trim(rcube_utils::get_input_value('_acl', rcube_utils::INPUT_POST)); |
| | | $oldid = trim(rcube_utils::get_input_value('_old', rcube_utils::INPUT_POST)); |
| | | |
| | | $acl = array_intersect(str_split($acl), $this->rights_supported()); |
| | | $users = $oldid ? array($user) : explode(',', $user); |
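Review bot: Reading `_mbox`, `_user`, `_acl` and `_old` with `INPUT_POST` only narrows the input channel; a forged cross-site POST is still possible unless the request token is verified before `action_save()` runs, and that verification is not part of this hunk. It presumably happens centrally for POST/ajax requests in the front controller, which is worth stating here so the dependency is not lost, e.g. `// POST-only: relies on the request-token check performed before plugin actions are dispatched`. The same applies to `action_delete()` (L87–L88) and to the managesieve `_set`, `_rid` and `_aid` reads (L97, L106, L115, L124, L132). The method body continues past L80.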
| | |
| | | */ |
| | | private function action_delete() |
| | | { |
| | | $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC, true)); //UTF7-IMAP |
| | | $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_GPC)); |
| | | $mbox = trim(rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST, true)); //UTF7-IMAP |
| | | $user = trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)); |
| | | |
| | | $user = explode(',', $user); |
| | | |
| | |
| | | } |
| | | } |
| | | else if ($action == 'setact' && !$error) { |
| | | $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true); |
| | | $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_POST, true); |
| | | $result = $this->activate_script($script_name); |
| | | $kep14 = $this->rc->config->get('managesieve_kolab_master'); |
| | | |
| | |
| | | } |
| | | } |
| | | else if ($action == 'deact' && !$error) { |
| | | $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true); |
| | | $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_POST, true); |
| | | $result = $this->deactivate_script($script_name); |
| | | |
| | | if ($result === true) { |
| | |
| | | } |
| | | } |
| | | else if ($action == 'setdel' && !$error) { |
| | | $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true); |
| | | $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_POST, true); |
| | | $result = $this->remove_script($script_name); |
| | | |
| | | if ($result === true) { |
| | |
| | | $this->rc->output->command('managesieve_updatelist', 'list', array('list' => $result)); |
| | | } |
| | | else if ($action == 'ruleadd') { |
| | | $rid = rcube_utils::get_input_value('_rid', rcube_utils::INPUT_GPC); |
| | | $rid = rcube_utils::get_input_value('_rid', rcube_utils::INPUT_POST); |
| | | $id = $this->genid(); |
| | | $content = $this->rule_div($fid, $id, false); |
| | | |
| | | $this->rc->output->command('managesieve_rulefill', $content, $id, $rid); |
| | | } |
| | | else if ($action == 'actionadd') { |
| | | $aid = rcube_utils::get_input_value('_aid', rcube_utils::INPUT_GPC); |
| | | $aid = rcube_utils::get_input_value('_aid', rcube_utils::INPUT_POST); |
| | | $id = $this->genid(); |
| | | $content = $this->action_div($fid, $id, false); |
| | | |
| | |
| | | var url = this.get_task_url(task); |
| | | if (task == 'mail') |
| | | url += '&_mbox=INBOX'; |
| | | else if (task == 'logout' && !this.env.server_error) |
| | | else if (task == 'logout' && !this.env.server_error) { |
| | | url += '&_token=' + this.env.request_token; |
| | | this.clear_compose_data(); |
| | | } |
| | | |
| | | this.redirect(url); |
| | | }; |
| | |
| | | if (!url) |
| | | url = this.env.comm_path; |
| | | |
| | | return url.replace(/_task=[a-z0-9_-]+/i, '_task='+task); |
| | | if (url.match(/[?&]_task=[a-zA-Z0-9_-]+/)) |
| | | return url.replace(/_task=[a-zA-Z0-9_-]+/, '_task=' + task); |
| | | else |
| | | return url.replace(/\?.*$/, '') + '?_task=' + task; |
| | | }; |
| | | |
| | | this.reload = function(delay) |
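Review bot: The `else` on L155 follows a `return` and is redundant; the function can end with `return url.replace(/\?.*$/, '') + '?_task=' + task;` directly. That fallback also discards every other query parameter of `url`, which differs from the previous behaviour of leaving `url` untouched when `_task` was absent — presumably intended for a task switch, but a comment such as `// no _task in the URL: restart from a clean query string` would record the choice. The function begins before L149.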
| | |
| | | */ |
| | | |
| | | // process ajax requests only |
| | | if (!$OUTPUT->ajax_call) |
| | | if (!$OUTPUT->ajax_call) { |
| | | return; |
| | | } |
| | | |
| | | $cids = rcmail_get_cids(); |
| | | $cids = rcmail_get_cids(null, rcube_utils::INPUT_POST); |
| | | $delcnt = 0; |
| | | |
| | | // remove previous deletes |
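Review bot: Passing `rcube_utils::INPUT_POST` to `rcmail_get_cids()` moves only `_cid` to the POST body; in the helper further down this page `_source` is still read with `rcube_utils::INPUT_GPC` (L187), so the contact source for a delete can still be supplied via the query string. If the intent is that delete parameters come exclusively from POST, the helper should honour `$request_type` for `_source` too: `$source = (string) rcube_utils::get_input_value('_source', $request_type);`. The code in this file continues past L173.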
| | |
| | | * |
| | | * @return array List of contact IDs per-source |
| | | */ |
| | | function rcmail_get_cids($filter = null) |
| | | function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC) |
| | | { |
| | | // contact ID (or comma-separated list of IDs) is provided in two |
| | | // forms. If _source is an empty string then the ID is a string |
| | | // containing contact ID and source name in form: <ID>-<SOURCE> |
| | | |
| | | $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC); |
| | | $cid = rcube_utils::get_input_value('_cid', $request_type); |
| | | $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); |
| | | |
| | | if (is_array($cid)) { |