Roundcubemail devel
parent: 268a28ef | patch | commit | ignore whitespace
Aleksander Machniak
2013-03-27 395b74051ce974ced8a5abe378f66e9bcf0c8e34 
Whitelist configuration options (user preferences) that can be changed using save-pref command

Conflicts:

	program/lib/Roundcube/rcube_plugin.php
	program/lib/Roundcube/rcube_plugin_api.php

Conflicts:

	CHANGELOG
	program/steps/utils/save_pref.inc
4 files modified
35 ■■■■ changed files
CHANGELOG 1 ●●●● patch | view | raw | blame | history
program/include/rcube_plugin.php 8 ●●●●● patch | view | raw | blame | history
program/include/rcube_plugin_api.php 4 ●●●● patch | view | raw | blame | history
program/steps/utils/save_pref.inc 22 ●●●● patch | view | raw | blame | history 
 CHANGELOG


@@ -1,6 +1,7 @@


CHANGELOG Roundcube Webmail


===========================




- Fix security issue in save-pref command


- Fix XSS vulnerability in handling of text/enriched messages (#1488806)


- Fix compatybility with MDB2 2.5.0b4 (#1488779)


- Fix lower-casing email address on replies (#1488598)




 program/include/rcube_plugin.php


@@ -61,6 +61,14 @@


   */


  public $noframe = false;




  /**


   * A list of config option names that can be modified


   * by the user via user interface (with save-pref command)


   *


   * @var array


   */


  public $allowed_prefs;




  protected $home;


  protected $urlbase;


  private $mytask;




 program/include/rcube_plugin_api.php


@@ -32,6 +32,7 @@


  public $url = 'plugins/';


  public $output;


  public $config;


  public $allowed_prefs = array();


  


  public $handlers = array();


  private $plugins = array();


@@ -182,6 +183,9 @@


            $plugin->init();


            $this->plugins[$plugin_name] = $plugin;


          }


          if (!empty($plugin->allowed_prefs)) {


            $this->allowed_prefs = array_merge($this->allowed_prefs, $plugin->allowed_prefs);


          }


          return true;


        }


      }




 program/steps/utils/save_pref.inc


@@ -5,7 +5,7 @@


 | program/steps/utils/save_pref.inc                                     |


 |                                                                       |


 | This file is part of the Roundcube Webmail client                     |


 | Copyright (C) 2005-2010, The Roundcube Dev Team                       |


 | Copyright (C) 2005-2013, The Roundcube Dev Team                       |


 | Licensed under the GNU GPL                                            |


 |                                                                       |


 | PURPOSE:                                                              |


@@ -14,13 +14,26 @@


 +-----------------------------------------------------------------------+


 | Author: Aleksander Machniak <alec@alec.pl>                            |


 +-----------------------------------------------------------------------+




 $Id$




*/




$name = get_input_value('_name', RCUBE_INPUT_POST);


$value = get_input_value('_value', RCUBE_INPUT_POST);


$whitelist = array(


    'preview_pane',


    'list_cols',


    'collapsed_folders',


    'collapsed_abooks',


);




if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) {


    raise_error(array('code' => 500, 'type' => 'php',


        'file' => __FILE__, 'line' => __LINE__,


        'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])),


        true, false);




    $OUTPUT->reset();


    $OUTPUT->send();


}




// save preference value


$RCMAIL->user->save_prefs(array($name => $value));


@@ -41,5 +54,4 @@




$OUTPUT->reset();


$OUTPUT->send();