Fixed some potential security risks + updatedd changelog
| | |
| | | CHANGELOG RoundCube Webmail |
| | | --------------------------- |
| | | |
| | | 2007/11/25 (thomasb) |
| | | ---------- |
| | | - Applied UID fetch patch by Glen Ogilvie |
| | | - Applied patch for correct Postgres instructions from ticket #1484674 |
| | | - Fix overriding of session vars when register_globals is on (#1484670) |
| | | - Fix wrong Postgres setup instructions in INSTALL (#1484674) |
| | | - Fix bug with case-sensitive folder names (#1484245) |
| | | - Don't create default folders by default |
| | | - Added Georgian localization by Zaza Zviadadze |
| | | - Updated Russian localization |
| | | - Fixed some potential security risks (audited by Andris) |
| | | |
| | | |
| | | 2007/11/20 (tomekp) |
| | | ---------- |
| | | - add Korean (kr) localization |
| | |
| | | |
| | | // use value from post |
| | | if (!empty($_POST[$fname])) |
| | | $value = $_POST[$fname]; |
| | | $value = get_input_value($fname, RCUBE_INPUT_POST); |
| | | |
| | | $out = $input->show($value); |
| | | |
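Review bot: The `!empty($_POST[$fname])` test on the line before the new `get_input_value` call treats a submitted value of `'0'` as absent, so a field legitimately set to 0 silently keeps the previous `$value`; `isset($_POST[$fname]) && $_POST[$fname] !== ''` is the check that matches the intent. The sanitized value is then handed to `$input->show($value)`, so what ends up on the page still depends on that method escaping attribute values. The enclosing function starts and ends outside this hunk.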
| | |
| | | } |
| | | } |
| | | |
| | | $fields['host'] = isset($select_host) ? $select_host->show($_POST['_host']) : null; |
| | | $fields['host'] = isset($select_host) ? $select_host->show(get_input_value('_host', RCUBE_INPUT_POST)) : null; |
| | | } |
| | | else if (!strlen($CONFIG['default_host'])) |
| | | { |
| | | $input_host = new textfield(array('name' => '_host', 'id' => 'rcmloginhost', 'size' => 30)); |
| | | $fields['host'] = $input_host->show($_POST['_host']); |
| | | $fields['host'] = $input_host->show(get_input_value('_host', RCUBE_INPUT_POST)); |
| | | } |
| | | |
| | | $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form'; |
| | |
| | | if ((strpos($key,'on')===0 && $value=='')) |
| | | continue; |
| | | |
| | | // encode textarea content |
| | | if ($key=='value') |
| | | $value = Q($value, 'strict', FALSE); |
| | | |
| | | // attributes with no value |
| | | if (in_array($key, array('checked', 'multiple', 'disabled', 'selected', 'nowrap'))) |
| | | { |
| | |
| | | } |
| | | // don't convert size of value attribute |
| | | else if ($key=='value') |
| | | $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $value); |
| | | $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), Q($value, 'strict', false)); |
| | | |
| | | // regular tag attributes |
| | | else |
| | | $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case($value, 'value')); |
| | | $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case(Q($value), 'value')); |
| | | } |
| | | |
| | | return sizeof($attrib_arr) ? ' '.implode(' ', $attrib_arr) : ''; |
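Review bot: In the regular-attribute branch at the end of the hunk, `Q($value)` runs before `_conv_case(..., 'value')`, so if that helper changes the case of the string it also rewrites the entity names Q() produced (e.g. `&quot;`); escaping should be the last step, `$attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), Q($this->_conv_case($value, 'value')));`. The `value` branch just above uses `'strict'` mode with double-encoding off while this branch uses Q()'s default mode; a one-line comment saying why the two differ (the `false` deliberately leaves already-encoded entities untouched, since the value may have been encoded earlier in this function) would help the next reader. The `on*` check at the top only skips empty event-handler attributes, which is fine only as long as `$attrib` comes from templates rather than request data.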
| | |
| | | |
| | | // set list properties and session vars |
| | | if (!empty($_GET['_page'])) |
| | | { |
| | | $CONTACTS->set_page(intval($_GET['_page'])); |
| | | $_SESSION['page'] = $_GET['_page']; |
| | | } |
| | | $CONTACTS->set_page(($_SESSION['page'] = intval($_GET['_page']))); |
| | | else |
| | | $CONTACTS->set_page(isset($_SESSION['page']) ?$_SESSION['page'] : 1); |
| | | |
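Review bot: The new one-liner stores `intval($_GET['_page'])` in the session and hands it to `set_page()` without a lower bound, so a request whose `_page` is negative or non-numeric (which `intval` turns into 0) now passes a non-positive page number through, whereas the `else` branch only ever falls back to 1; `$CONTACTS->set_page(($_SESSION['page'] = max(1, intval($_GET['_page']))));` keeps the two paths consistent. The same applies to the `_page` line in the mail hunk further down, `$IMAP->set_page(($_SESSION['page'] = intval($_GET['_page'])));`. Whether `set_page()` clamps internally is not visible here.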
| | |
| | | |
| | | // set imap properties and session vars |
| | | if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC)) |
| | | { |
| | | $IMAP->set_mailbox($mbox); |
| | | $_SESSION['mbox'] = $mbox; |
| | | } |
| | | $IMAP->set_mailbox(($_SESSION['mbox'] = $mbox)); |
| | | |
| | | if (!empty($_GET['_page'])) |
| | | { |
| | | $IMAP->set_page((int)$_GET['_page']); |
| | | $_SESSION['page'] = (int)$_GET['_page']; |
| | | } |
| | | $IMAP->set_page(($_SESSION['page'] = intval($_GET['_page']))); |
| | | |
| | | // set mailbox to INBOX if not set |
| | | if (empty($_SESSION['mbox'])) |
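Review bot: `$mbox` comes from `get_input_value('_mbox', RCUBE_INPUT_GPC)`, i.e. GET, POST or cookie, and the new line writes it straight into `$_SESSION['mbox']` and passes it to `set_mailbox()`; nothing in the hunk checks it against the known folder list or otherwise constrains the name, so that has to happen inside the IMAP layer. A short comment on this line stating where the mailbox name is validated and quoted before it reaches an IMAP command (or a check here against the folder list) would make the contract explicit. The `if (empty($_SESSION['mbox']))` statement at the end of the hunk continues outside it.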
| | |
| | | if (!$attrib['id']) |
| | | $attrib['id'] = 'rcmailMsgBody'; |
| | | |
| | | $safe_mode = (bool)$_GET['_safe']; |
| | | $safe_mode = intval($_GET['_safe']); |
| | | $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id')); |
| | | $out = '<div '. $attrib_str . ">\n"; |
| | | |
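Review bot: Replacing `(bool)$_GET['_safe']` with `intval($_GET['_safe'])` narrows what enables safe mode: before, any non-empty string other than `'0'` switched it on, now only a value with a leading non-zero digit does, so a client that sent something like `_safe=true` would silently get the unsafe rendering. If the intent is "any value means safe", `$safe_mode = !empty($_GET['_safe']);` is the stricter-typed equivalent; otherwise the client side should be checked to confirm it only ever sends `1`. The same substitution appears in the `'safe' => intval($_GET['_safe'])` arguments to `rcmail_parse_message`, in the `rcmail_print_body` call and in the `set_env('safemode', ...)` line in the hunks below. `$_GET['_safe']` is also still read without `isset`, so requests that omit it keep raising an undefined-index notice.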
| | |
| | | { |
| | | global $CONFIG, $IMAP, $MESSAGE; |
| | | |
| | | if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$_GET['_part']]) |
| | | $part = get_input_value('_part', RCUBE_INPUT_GPC); |
| | | if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$part]) |
| | | return ''; |
| | | |
| | | $part = &$MESSAGE['parts'][$_GET['_part']]; |
| | | $part = &$MESSAGE['parts'][$part]; |
| | | |
| | | $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'cellspacing', 'cellpadding', 'border', 'summary')); |
| | | $out = '<table '. $attrib_str . ">\n"; |
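Review bot: The guard still tests the raw `$_GET['_part']` while the array lookup in the same condition and the reference two lines later use the sanitized `$part`, so the two can disagree whenever `get_input_value()` transforms or drops the value; testing the sanitized value directly keeps them in step, `if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !$_GET['_uid'] || !$part || empty($MESSAGE['parts'][$part])) return '';`. Reusing `$part` first as the part id and then, on the `&$MESSAGE['parts'][$part]` line, as the part object reads confusingly; a separate `$part_id` would help. The function's signature and the rest of its body are outside this hunk.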
| | |
| | | { |
| | | global $MESSAGE; |
| | | |
| | | $part = $MESSAGE['parts'][$_GET['_part']]; |
| | | $part = $MESSAGE['parts'][get_input_value('_part', RCUBE_INPUT_GPC)]; |
| | | $ctype_primary = strtolower($part->ctype_primary); |
| | | |
| | | $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING'])); |
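Review bot: The new lookup `$MESSAGE['parts'][get_input_value('_part', RCUBE_INPUT_GPC)]` has no existence check, so a `_part` that matches no parsed part leaves `$part` null, the next line dereferences `->ctype_primary` on it, and the frame `src` is still emitted; the body-rendering function earlier on this page returns `''` in that case and this one should do the same, `$part_id = get_input_value('_part', RCUBE_INPUT_GPC); if (empty($MESSAGE['parts'][$part_id])) return '';` before `$part = $MESSAGE['parts'][$part_id];`. The function starts before the hunk and continues after it.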
| | |
| | | // we have to analyze the whole structure again to find inline objects |
| | | list($new_parts, $new_attachments) = |
| | | rcmail_parse_message($MESSAGE['structure'], |
| | | array('safe' => (bool)$_GET['_safe'], |
| | | array('safe' => intval($_GET['_safe']), |
| | | 'prefer_html' => TRUE, |
| | | 'get_url' => $GET_URL.'&_part=%s')); |
| | | |
| | |
| | | $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part); |
| | | |
| | | $OUTPUT = new rcube_html_page(); |
| | | $OUTPUT->write(rcmail_print_body($part, (bool)$_GET['_safe'])); |
| | | $OUTPUT->write(rcmail_print_body($part, intval($_GET['_safe']))); |
| | | } |
| | | else |
| | | { |
| | |
| | | |
| | | $cont = ''; |
| | | list($MESSAGE['parts']) = rcmail_parse_message($MESSAGE['structure'], |
| | | array('safe' => (bool)$_GET['_safe'], |
| | | array('safe' => intval($_GET['_safe']), |
| | | 'get_url' => $GET_URL.'&_part=%s')); |
| | | |
| | | $cont = "<html>\n<head><title></title>\n</head>\n<body>"; |
| | |
| | | |
| | | if (!empty($_POST['_priority'])) |
| | | { |
| | | $priority = (int)$_POST['_priority']; |
| | | $priority = intval($_POST['_priority']); |
| | | $a_priorities = array(1=>'highest', 2=>'high', 4=>'low', 5=>'lowest'); |
| | | if ($str_priority = $a_priorities[$priority]) |
| | | $headers['X-Priority'] = sprintf("%d (%s)", $priority, ucfirst($str_priority)); |
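Review bot: `$a_priorities[$priority]` on the `if` line is indexed with whatever integer the client sent, and the map has no entry for 3 or for out-of-range values, so those requests raise an undefined-index notice before the truthiness test runs; `if (isset($a_priorities[$priority]))` with `$a_priorities[$priority]` used in the sprintf avoids that. The header itself is built by `sprintf("%d (%s)", ...)` from the validated map, so nothing client-controlled reaches it unformatted.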
| | |
| | | if ($MESSAGE['structure'] = $IMAP->get_structure($MESSAGE['UID'])) |
| | | list($MESSAGE['parts'], $MESSAGE['attachments']) = rcmail_parse_message( |
| | | $MESSAGE['structure'], |
| | | array('safe' => (bool)$_GET['_safe'], |
| | | array('safe' => intval($_GET['_safe']), |
| | | 'prefer_html' => $CONFIG['prefer_html'], |
| | | 'get_url' => $GET_URL.'&_part=%s') |
| | | ); |
| | |
| | | |
| | | // give message uid to the client |
| | | $OUTPUT->set_env('uid', $MESSAGE['UID']); |
| | | $OUTPUT->set_env('safemode', (bool)$_GET['_safe']); |
| | | $OUTPUT->set_env('safemode', intval($_GET['_safe'])); |
| | | |
| | | $next = $prev = -1; |
| | | // get previous, first, next and last message UID |