Whitelist configuration options (user preferences) that can be changed using save-pref command
Conflicts:
program/lib/Roundcube/rcube_plugin.php
program/lib/Roundcube/rcube_plugin_api.php
Conflicts:
CHANGELOG
program/steps/utils/save_pref.inc
| | |
| | | CHANGELOG Roundcube Webmail |
| | | =========================== |
| | | |
| | | - Fix security issue in save-pref command |
| | | - Fix XSS vulnerability in handling of text/enriched messages (#1488806) |
| | | - Fix compatybility with MDB2 2.5.0b4 (#1488779) |
| | | - Fix lower-casing email address on replies (#1488598) |
| | |
| | | */ |
| | | public $noframe = false; |
| | | |
| | | /** |
| | | * A list of config option names that can be modified |
| | | * by the user via user interface (with save-pref command) |
| | | * |
| | | * @var array |
| | | */ |
| | | public $allowed_prefs; |
| | | |
| | | protected $home; |
| | | protected $urlbase; |
| | | private $mytask; |
| | |
| | | public $url = 'plugins/'; |
| | | public $output; |
| | | public $config; |
| | | public $allowed_prefs = array(); |
| | | |
| | | public $handlers = array(); |
| | | private $plugins = array(); |
| | |
| | | $plugin->init(); |
| | | $this->plugins[$plugin_name] = $plugin; |
| | | } |
| | | if (!empty($plugin->allowed_prefs)) { |
| | | $this->allowed_prefs = array_merge($this->allowed_prefs, $plugin->allowed_prefs); |
| | | } |
| | | return true; |
| | | } |
| | | } |
| | |
| | | | program/steps/utils/save_pref.inc | |
| | | | | |
| | | | This file is part of the Roundcube Webmail client | |
| | | | Copyright (C) 2005-2010, The Roundcube Dev Team | |
| | | | Copyright (C) 2005-2013, The Roundcube Dev Team | |
| | | | Licensed under the GNU GPL | |
| | | | | |
| | | | PURPOSE: | |
| | |
| | | +-----------------------------------------------------------------------+ |
| | | | Author: Aleksander Machniak <alec@alec.pl> | |
| | | +-----------------------------------------------------------------------+ |
| | | |
| | | $Id$ |
| | | |
| | | */ |
| | | |
| | | $name = get_input_value('_name', RCUBE_INPUT_POST); |
| | | $value = get_input_value('_value', RCUBE_INPUT_POST); |
| | | $whitelist = array( |
| | | 'preview_pane', |
| | | 'list_cols', |
| | | 'collapsed_folders', |
| | | 'collapsed_abooks', |
| | | ); |
| | | |
| | | if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) { |
| | | raise_error(array('code' => 500, 'type' => 'php', |
| | | 'file' => __FILE__, 'line' => __LINE__, |
| | | 'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])), |
| | | true, false); |
| | | |
| | | $OUTPUT->reset(); |
| | | $OUTPUT->send(); |
| | | } |
| | | |
| | | // save preference value |
| | | $RCMAIL->user->save_prefs(array($name => $value)); |
| | |
| | | |
| | | $OUTPUT->reset(); |
| | | $OUTPUT->send(); |
| | | |
| | | |