From 95d28926865d8a0d6fd009ebd73c0fc78c19d183 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Thu, 04 Oct 2012 10:59:37 -0400
Subject: [PATCH] Fix HTTP User-Agent XSS vulnerability (#1488737)
---
program/include/rcube_contacts.php | 98 ++++++++++++++++++++++++++----------------------
1 files changed, 53 insertions(+), 45 deletions(-)
diff --git a/program/include/rcube_contacts.php b/program/include/rcube_contacts.php
index ab3b181..534a65c 100644
--- a/program/include/rcube_contacts.php
+++ b/program/include/rcube_contacts.php
@@ -5,8 +5,11 @@
| program/include/rcube_contacts.php |
| |
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2006-2011, The Roundcube Dev Team |
- | Licensed under the GNU GPL |
+ | Copyright (C) 2006-2012, The Roundcube Dev Team |
+ | |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
| |
| PURPOSE: |
| Interface to the local address book database |
@@ -14,9 +17,6 @@
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
+-----------------------------------------------------------------------+
-
- $Id$
-
*/
@@ -31,11 +31,12 @@
protected $db_name = 'contacts';
protected $db_groups = 'contactgroups';
protected $db_groupmembers = 'contactgroupmembers';
+ protected $vcard_fieldmap = array();
/**
* Store database connection.
*
- * @var rcube_mdb2
+ * @var rcube_db
*/
private $db = null;
private $user_id = 0;
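Review bot: The new `$vcard_fieldmap` property on line 38 carries no docblock, while the neighbouring `$db` property in the same hunk gets its `@var` updated; since the property is passed as the fourth constructor argument to `rcube_vcard` further down in this patch, a one-line `/** @var array Field name mapping handed to rcube_vcard */` would make the contract visible at the declaration. Separately, the patch subject names a User-Agent XSS fix, but none of the hunks in this file touch User-Agent or output handling; if this is a backport, confirm the security-relevant change lives elsewhere in the series rather than in this file.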
@@ -149,7 +150,7 @@
$sql_filter = $search ? " AND " . $this->db->ilike('name', '%'.$search.'%') : '';
$sql_result = $this->db->query(
- "SELECT * FROM ".get_table_name($this->db_groups).
+ "SELECT * FROM ".$this->db->table_name($this->db_groups).
" WHERE del<>1".
" AND user_id=?".
$sql_filter.
@@ -174,7 +175,7 @@
function get_group($group_id)
{
$sql_result = $this->db->query(
- "SELECT * FROM ".get_table_name($this->db_groups).
+ "SELECT * FROM ".$this->db->table_name($this->db_groups).
" WHERE del<>1".
" AND contactgroup_id=?".
" AND user_id=?",
@@ -210,17 +211,28 @@
$length = $subset != 0 ? abs($subset) : $this->page_size;
if ($this->group_id)
- $join = " LEFT JOIN ".get_table_name($this->db_groupmembers)." AS m".
+ $join = " LEFT JOIN ".$this->db->table_name($this->db_groupmembers)." AS m".
" ON (m.contact_id = c.".$this->primary_key.")";
+ $order_col = (in_array($this->sort_col, $this->table_cols) ? $this->sort_col : 'name');
+ $order_cols = array('c.'.$order_col);
+ if ($order_col == 'firstname')
+ $order_cols[] = 'c.surname';
+ else if ($order_col == 'surname')
+ $order_cols[] = 'c.firstname';
+ if ($order_col != 'name')
+ $order_cols[] = 'c.name';
+ $order_cols[] = 'c.email';
+
$sql_result = $this->db->limitquery(
- "SELECT * FROM ".get_table_name($this->db_name)." AS c" .
+ "SELECT * FROM ".$this->db->table_name($this->db_name)." AS c" .
$join .
" WHERE c.del<>1" .
" AND c.user_id=?" .
($this->group_id ? " AND m.contactgroup_id=?" : "").
($this->filter ? " AND (".$this->filter.")" : "") .
- " ORDER BY ". $this->db->concat('c.name', 'c.email'),
+ " ORDER BY ". $this->db->concat($order_cols) .
+ " " . $this->sort_order,
$start_row,
$length,
$this->user_id,
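Review bot: `$this->sort_order` is concatenated raw into the ORDER BY clause on line 90, whereas the column on line 70 is explicitly whitelisted against `$this->table_cols`; the direction should be constrained the same way, e.g. `$sort_order = strcasecmp($this->sort_order, 'DESC') == 0 ? 'DESC' : 'ASC';` and then `" " . $sort_order` in the query. Where `sort_order` is assigned is outside this hunk, so whether it can carry a request-supplied value cannot be confirmed here, but a fixed ASC/DESC choice costs nothing and removes the question. The `in_array()` on line 70 would also be safer with its third argument `true` so a loose comparison cannot match an unintended column. The enclosing function begins before this hunk.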
@@ -237,13 +249,6 @@
else {
$sql_arr['email'] = explode(self::SEPARATOR, $sql_arr['email']);
$sql_arr['email'] = array_map('trim', $sql_arr['email']);
- }
-
- // make sure we have a name to display
- if (empty($sql_arr['name'])) {
- if (empty($sql_arr['email']))
- $sql_arr['email'] = $this->get_col_values('email', $sql_arr, true);
- $sql_arr['name'] = $sql_arr['email'][0];
}
$this->result->add($sql_arr);
@@ -305,7 +310,7 @@
// fulltext search in all fields
else if ($col == '*') {
$words = array();
- foreach (explode($WS, self::normalize_string($value)) as $word) {
+ foreach (explode($WS, rcube_utils::normalize_string($value)) as $word) {
switch ($mode) {
case 1: // strict
$words[] = '(' . $this->db->ilike('words', $word . '%')
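Review bot: Line 112 keeps the `explode($WS, rcube_utils::normalize_string($value))` form, while the parallel loop in the next hunk (line 121) switches to `rcube_utils::normalize_string($val, true)` and iterates the result directly; the two fulltext branches now tokenize through different code paths. If the second argument returns the tokens as an array, as line 121's `foreach` relies on, line 112 should read `foreach (rcube_utils::normalize_string($value, true) as $word) {` so both branches split on the same separator rules. The enclosing search function starts outside this hunk.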
@@ -344,7 +349,7 @@
// vCard field
else {
if (in_array($col, $this->fulltext_cols)) {
- foreach (explode(" ", self::normalize_string($val)) as $word) {
+ foreach (rcube_utils::normalize_string($val, true) as $word) {
switch ($mode) {
case 1: // strict
$words[] = '(' . $this->db->ilike('words', $word . $WS . '%')
@@ -480,13 +485,13 @@
private function _count()
{
if ($this->group_id)
- $join = " LEFT JOIN ".get_table_name($this->db_groupmembers)." AS m".
+ $join = " LEFT JOIN ".$this->db->table_name($this->db_groupmembers)." AS m".
" ON (m.contact_id=c.".$this->primary_key.")";
// count contacts for this user
$sql_result = $this->db->query(
"SELECT COUNT(c.contact_id) AS rows".
- " FROM ".get_table_name($this->db_name)." AS c".
+ " FROM ".$this->db->table_name($this->db_name)." AS c".
$join.
" WHERE c.del<>1".
" AND c.user_id=?".
@@ -528,7 +533,7 @@
return $assoc ? $first : $this->result;
$this->db->query(
- "SELECT * FROM ".get_table_name($this->db_name).
+ "SELECT * FROM ".$this->db->table_name($this->db_name).
" WHERE contact_id=?".
" AND user_id=?".
" AND del<>1",
@@ -560,8 +565,8 @@
return $results;
$sql_result = $this->db->query(
- "SELECT cgm.contactgroup_id, cg.name FROM " . get_table_name($this->db_groupmembers) . " AS cgm" .
- " LEFT JOIN " . get_table_name($this->db_groups) . " AS cg ON (cgm.contactgroup_id = cg.contactgroup_id AND cg.del<>1)" .
+ "SELECT cgm.contactgroup_id, cg.name FROM " . $this->db->table_name($this->db_groupmembers) . " AS cgm" .
+ " LEFT JOIN " . $this->db->table_name($this->db_groups) . " AS cg ON (cgm.contactgroup_id = cg.contactgroup_id AND cg.del<>1)" .
" WHERE cgm.contact_id=?",
$id
);
@@ -630,7 +635,7 @@
if (!$existing->count && !empty($a_insert_cols)) {
$this->db->query(
- "INSERT INTO ".get_table_name($this->db_name).
+ "INSERT INTO ".$this->db->table_name($this->db_name).
" (user_id, changed, del, ".join(', ', $a_insert_cols).")".
" VALUES (".intval($this->user_id).", ".$this->db->now().", 0, ".join(', ', $a_insert_values).")"
);
@@ -668,7 +673,7 @@
if (!empty($write_sql)) {
$this->db->query(
- "UPDATE ".get_table_name($this->db_name).
+ "UPDATE ".$this->db->table_name($this->db_name).
" SET changed=".$this->db->now().", ".join(', ', $write_sql).
" WHERE contact_id=?".
" AND user_id=?".
@@ -692,7 +697,7 @@
if ($sql_arr['vcard']) {
unset($sql_arr['email']);
- $vcard = new rcube_vcard($sql_arr['vcard']);
+ $vcard = new rcube_vcard($sql_arr['vcard'], RCMAIL_CHARSET, false, $this->vcard_fieldmap);
$record += $vcard->get_assoc() + $sql_arr;
}
else {
@@ -711,7 +716,7 @@
$words = '';
// copy values into vcard object
- $vcard = new rcube_vcard($record['vcard'] ? $record['vcard'] : $save_data['vcard']);
+ $vcard = new rcube_vcard($record['vcard'] ? $record['vcard'] : $save_data['vcard'], RCMAIL_CHARSET, false, $this->vcard_fieldmap);
$vcard->reset();
foreach ($save_data as $key => $values) {
list($field, $section) = explode(':', $key);
@@ -720,9 +725,9 @@
if (isset($value))
$vcard->set($field, $value, $section);
if ($fulltext && is_array($value))
- $words .= ' ' . self::normalize_string(join(" ", $value));
+ $words .= ' ' . rcube_utils::normalize_string(join(" ", $value));
else if ($fulltext && strlen($value) >= 3)
- $words .= ' ' . self::normalize_string($value);
+ $words .= ' ' . rcube_utils::normalize_string($value);
}
}
$out['vcard'] = $vcard->export(false);
@@ -764,7 +769,7 @@
// flag record as deleted (always)
$this->db->query(
- "UPDATE ".get_table_name($this->db_name).
+ "UPDATE ".$this->db->table_name($this->db_name).
" SET del=1, changed=".$this->db->now().
" WHERE user_id=?".
" AND contact_id IN ($ids)",
@@ -791,7 +796,7 @@
// clear deleted flag
$this->db->query(
- "UPDATE ".get_table_name($this->db_name).
+ "UPDATE ".$this->db->table_name($this->db_name).
" SET del=0, changed=".$this->db->now().
" WHERE user_id=?".
" AND contact_id IN ($ids)",
@@ -811,7 +816,7 @@
{
$this->cache = null;
- $this->db->query("UPDATE ".get_table_name($this->db_name).
+ $this->db->query("UPDATE ".$this->db->table_name($this->db_name).
" SET del=1, changed=".$this->db->now().
" WHERE user_id = ?", $this->user_id);
@@ -833,7 +838,7 @@
$name = $this->unique_groupname($name);
$this->db->query(
- "INSERT INTO ".get_table_name($this->db_groups).
+ "INSERT INTO ".$this->db->table_name($this->db_groups).
" (user_id, changed, name)".
" VALUES (".intval($this->user_id).", ".$this->db->now().", ".$this->db->quote($name).")"
);
@@ -855,7 +860,7 @@
{
// flag group record as deleted
$sql_result = $this->db->query(
- "UPDATE ".get_table_name($this->db_groups).
+ "UPDATE ".$this->db->table_name($this->db_groups).
" SET del=1, changed=".$this->db->now().
" WHERE contactgroup_id=?".
" AND user_id=?",
@@ -875,13 +880,13 @@
* @param string New name to set for this group
* @return boolean New name on success, false if no data was changed
*/
- function rename_group($gid, $newname)
+ function rename_group($gid, $newname, &$new_gid)
{
// make sure we have a unique name
$name = $this->unique_groupname($newname);
$sql_result = $this->db->query(
- "UPDATE ".get_table_name($this->db_groups).
+ "UPDATE ".$this->db->table_name($this->db_groups).
" SET name=?, changed=".$this->db->now().
" WHERE contactgroup_id=?".
" AND user_id=?",
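Review bot: The signature on line 247 gains a by-reference parameter `&$new_gid`, but the docblock directly above it (lines 243-244) is not updated and the visible part of the body never assigns it, so callers cannot tell from the documentation what they receive. Add a `@param` entry, hedged until the assignment is confirmed, such as `* @param mixed &$new_gid Receives the group identifier after renaming — TODO confirm semantics`. The existing `@return boolean New name on success` is also self-contradictory (a boolean cannot be a name) and is worth correcting while the docblock is touched. The function body continues beyond this hunk.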
@@ -909,7 +914,7 @@
// get existing assignments ...
$sql_result = $this->db->query(
- "SELECT contact_id FROM ".get_table_name($this->db_groupmembers).
+ "SELECT contact_id FROM ".$this->db->table_name($this->db_groupmembers).
" WHERE contactgroup_id=?".
" AND contact_id IN (".$this->db->array2list($ids, 'integer').")",
$group_id
@@ -922,14 +927,16 @@
foreach ($ids as $contact_id) {
$this->db->query(
- "INSERT INTO ".get_table_name($this->db_groupmembers).
+ "INSERT INTO ".$this->db->table_name($this->db_groupmembers).
" (contactgroup_id, contact_id, created)".
" VALUES (?, ?, ".$this->db->now().")",
$group_id,
$contact_id
);
- if (!$this->db->db_error)
+ if ($error = $this->db->is_error())
+ $this->set_error(self::ERROR_SAVING, $error);
+ else
$added++;
}
@@ -952,7 +959,7 @@
$ids = $this->db->array2list($ids, 'integer');
$sql_result = $this->db->query(
- "DELETE FROM ".get_table_name($this->db_groupmembers).
+ "DELETE FROM ".$this->db->table_name($this->db_groupmembers).
" WHERE contactgroup_id=?".
" AND contact_id IN ($ids)",
$group_id
@@ -975,7 +982,7 @@
do {
$sql_result = $this->db->query(
- "SELECT 1 FROM ".get_table_name($this->db_groups).
+ "SELECT 1 FROM ".$this->db->table_name($this->db_groups).
" WHERE del<>1".
" AND user_id=?".
" AND name=?",
@@ -983,9 +990,10 @@
$checkname);
// append number to make name unique
- if ($hit = $this->db->num_rows($sql_result))
+ if ($hit = $this->db->fetch_array($sql_result)) {
$checkname = $name . ' ' . $num++;
- } while ($hit > 0);
+ }
+ } while ($hit);
return $checkname;
}
--
Gitblit v1.9.1