From 95d28926865d8a0d6fd009ebd73c0fc78c19d183 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Thu, 04 Oct 2012 10:59:37 -0400
Subject: [PATCH] Fix HTTP User-Agent XSS vulnerability (#1488737)

---
 program/include/clisetup.php |   69 +++++++++++++++++++---------------
 1 files changed, 38 insertions(+), 31 deletions(-)

diff --git a/program/include/clisetup.php b/program/include/clisetup.php
index fbea980..a9af90a 100644
--- a/program/include/clisetup.php
+++ b/program/include/clisetup.php
@@ -5,8 +5,11 @@
  | program/include/clisetup.php                                          |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2010, Roundcube Dev, - Switzerland                      |
- | Licensed under the GNU GPL                                            |
+ | Copyright (C) 2010-2012, The Roundcube Dev Team                       |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
  |                                                                       |
  | PURPOSE:                                                              |
  |   Setup the command line environment and provide some utitlity        |
@@ -14,48 +17,52 @@
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
-
- $Id$
-
 */
 
 if (php_sapi_name() != 'cli') {
   die('Not on the "shell" (php-cli).');
 }
 
-require_once 'iniset.php';
+require_once INSTALL_PATH . 'program/include/iniset.php';
 
+// Unset max. execution time limit, set to 120 seconds in iniset.php
+@set_time_limit(0);
 
 /**
  * Parse commandline arguments into a hash array
  */
-function get_opt($aliases=array())
+function get_opt($aliases = array())
 {
-	$args = array();
-	for ($i=1; $i<count($_SERVER['argv']); $i++)
-	{
-		$arg = $_SERVER['argv'][$i];
-		if (substr($arg, 0, 2) == '--')
-		{
-			$sp = strpos($arg, '=');
-			$key = substr($arg, 2, $sp - 2);
-			$value = substr($arg, $sp+1);
-		}
-		else if ($arg{0} == '-')
-		{
-			$key = substr($arg, 1);
-			$value = $_SERVER['argv'][++$i];
-		}
-		else
-			continue;
+    $args = array();
 
-		$args[$key] = preg_replace(array('/^["\']/', '/["\']$/'), '', $value);
-		
-		if ($alias = $aliases[$key])
-			$args[$alias] = $args[$key];
-	}
+    for ($i=1; $i < count($_SERVER['argv']); $i++) {
+        $arg   = $_SERVER['argv'][$i];
+        $value = true;
+        $key   = null;
 
-	return $args;
+        if ($arg[0] == '-') {
+            $key = preg_replace('/^-+/', '', $arg);
+            $sp  = strpos($arg, '=');
+            if ($sp > 0) {
+                $key   = substr($key, 0, $sp - 2);
+                $value = substr($arg, $sp+1);
+            }
+            else if (strlen($_SERVER['argv'][$i+1]) && $_SERVER['argv'][$i+1][0] != '-') {
+                $value = $_SERVER['argv'][++$i];
+            }
+
+            $args[$key] = is_string($value) ? preg_replace(array('/^["\']/', '/["\']$/'), '', $value) : $value;
+        }
+        else {
+            $args[] = $arg;
+        }
+
+        if ($alias = $aliases[$key]) {
+            $args[$alias] = $args[$key];
+        }
+    }
+
+    return $args;
 }
 
 
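Review bot: In the rewritten `get_opt()`, the `=` offset is taken from `$arg` but applied to `$key` after every leading dash has been stripped, so `substr($key, 0, $sp - 2)` is only correct for the two-dash form; a single-dash `-k=v` yields an empty key and the value ends up stored under `''`. Computing the split on the stripped string removes the dash-count assumption: `$sp = strpos($key, '=');` and, inside the `if ($sp > 0)` branch, `$value = substr($key, $sp + 1); $key = substr($key, 0, $sp);`. Separately, the alias lookup `$aliases[$key]` also runs for positional arguments where `$key` is still null, and `$_SERVER['argv'][$i+1]` is read without a bounds check on the last argument; both only raise notices, but an `isset()` guard would make the intent explicit. None of the lines in this patch touch User-Agent handling or output escaping, so the XSS fix named in the subject cannot be confirmed from what is shown here.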
@@ -87,4 +94,4 @@
   }
 }
 
-?>
\ No newline at end of file
+?>

--
Gitblit v1.9.1