Whitelist configuration options (user preferences) that can be changed using save-pref command
Conflicts:
program/lib/Roundcube/rcube_plugin.php
program/lib/Roundcube/rcube_plugin_api.php
| | |
|---|
| | | CHANGELOG Roundcube Webmail |
|---|
| | | =========================== |
|---|
| | | |
|---|
| | | - Fix security issue in save-pref command |
|---|
| | | |
|---|
| | | RELEASE 0.8.5 |
|---|
| | | ------------- |
|---|
| | | - Fix #countcontrols issue in IE<=8 when text is very long (#1488890) |
|---|
| | | - Fix unwanted horizontal scrollbar in message preview header (#1488866) |
|---|
| | | - Add workaround for IE<=8 bug where Content-Disposition:inline was ignored (#1488844) |
|---|
| | |
|---|
| | | */ |
|---|
| | | public $noframe = false; |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * A list of config option names that can be modified |
|---|
| | | * by the user via user interface (with save-pref command) |
|---|
| | | * |
|---|
| | | * @var array |
|---|
| | | */ |
|---|
| | | public $allowed_prefs; |
|---|
| | | |
|---|
| | | protected $home; |
|---|
| | | protected $urlbase; |
|---|
| | | private $mytask; |
|---|
| | |
|---|
| | | public $url = 'plugins/'; |
|---|
| | | public $output; |
|---|
| | | public $config; |
|---|
| | | public $allowed_prefs = array(); |
|---|
| | | |
|---|
| | | public $handlers = array(); |
|---|
| | | private $plugins = array(); |
|---|
| | |
|---|
| | | $plugin->init(); |
|---|
| | | $this->plugins[$plugin_name] = $plugin; |
|---|
| | | } |
|---|
| | | if (!empty($plugin->allowed_prefs)) { |
|---|
| | | $this->allowed_prefs = array_merge($this->allowed_prefs, $plugin->allowed_prefs); |
|---|
| | | } |
|---|
| | | return true; |
|---|
| | | } |
|---|
| | | } |
|---|
| | |
|---|
| | | | program/steps/utils/save_pref.inc | |
|---|
| | | | | |
|---|
| | | | This file is part of the Roundcube Webmail client | |
|---|
| | | | Copyright (C) 2005-2010, The Roundcube Dev Team | |
|---|
| | | | Copyright (C) 2005-2013, The Roundcube Dev Team | |
|---|
| | | | | |
|---|
| | | | Licensed under the GNU General Public License version 3 or | |
|---|
| | | | any later version with exceptions for skins & plugins. | |
|---|
| | |
|---|
| | | +-----------------------------------------------------------------------+ |
|---|
| | | | Author: Aleksander Machniak <alec@alec.pl> | |
|---|
| | | +-----------------------------------------------------------------------+ |
|---|
| | | |
|---|
| | | $Id$ |
|---|
| | | |
|---|
| | | */ |
|---|
| | | |
|---|
| | | $name = get_input_value('_name', RCUBE_INPUT_POST); |
|---|
| | | $value = get_input_value('_value', RCUBE_INPUT_POST); |
|---|
| | | $whitelist = array( |
|---|
| | | 'preview_pane', |
|---|
| | | 'list_cols', |
|---|
| | | 'collapsed_folders', |
|---|
| | | 'collapsed_abooks', |
|---|
| | | ); |
|---|
| | | |
|---|
| | | if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) { |
|---|
| | | raise_error(array('code' => 500, 'type' => 'php', |
|---|
| | | 'file' => __FILE__, 'line' => __LINE__, |
|---|
| | | 'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])), |
|---|
| | | true, false); |
|---|
| | | |
|---|
| | | $OUTPUT->reset(); |
|---|
| | | $OUTPUT->send(); |
|---|
| | | } |
|---|
| | | |
|---|
| | | // save preference value |
|---|
| | | $RCMAIL->user->save_prefs(array($name => $value)); |
|---|
| | |
|---|
| | | |
|---|
| | | $OUTPUT->reset(); |
|---|
| | | $OUTPUT->send(); |
|---|
| | | |
|---|
| | | |
|---|
