From aa055c931a68547763f7bb89425a08e8ceecb749 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Thu, 22 Jan 2009 09:47:23 -0500
Subject: [PATCH] Get rid of vulnerable preg_replace eval and create_function (#1485686) + correctly handle base and link tags in html messages

---
 program/include/rcube_user.php |   18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/program/include/rcube_user.php b/program/include/rcube_user.php
index 0f0301c..b8833b3 100644
--- a/program/include/rcube_user.php
+++ b/program/include/rcube_user.php
@@ -5,7 +5,7 @@
  | program/include/rcube_user.inc                                        |
  |                                                                       |
  | This file is part of the RoundCube Webmail client                     |
- | Copyright (C) 2005-2008, RoundCube Dev. - Switzerland                 |
+ | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                 |
  | Licensed under the GNU GPL                                            |
  |                                                                       |
  | PURPOSE:                                                              |
@@ -78,7 +78,8 @@
    */
   function get_prefs()
   {
-    $prefs = array('language' => $this->language);
+    if (!empty($this->language))
+      $prefs = array('language' => $this->language);
     
     if ($this->ID && $this->data['preferences'])
       $prefs += (array)unserialize($this->data['preferences']);
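Review bot: With the new guard on `$this->language`, `$prefs` is never initialised when the language is empty, so the `$prefs += (array)unserialize(...)` on the last hunk line operates on an undefined variable (null + array is a fatal "unsupported operand types" on this PHP line, not just a notice), and the `return $prefs` that presumably follows outside the hunk would be reached with nothing assigned when there are no stored preferences either. Initialise the array before the condition: `$prefs = array();` followed by `if (!empty($this->language)) $prefs['language'] = $this->language;`. get_prefs continues past the end of the hunk, so this assumes nothing further down initialises it.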
@@ -156,7 +157,7 @@
        WHERE  del<>1
        AND    user_id=?
        $sql_add
-       ORDER BY ".$this->db->quoteIdentifier('standard')." DESC, name ASC",
+       ORDER BY ".$this->db->quoteIdentifier('standard')." DESC, name ASC, identity_id ASC",
       $this->ID);
     
     return $sql_result;
@@ -372,19 +373,22 @@
       $user_name = $user != $user_email ? $user : '';
 
       // try to resolve the e-mail address from the virtuser table
-      if ($virtuser_query = $rcmail->config->get('virtuser_query') &&
-          ($sql_result = $dbh->query(preg_replace('/%u/', $dbh->escapeSimple($user), $virtuser_query))) &&
-          ($dbh->num_rows() > 0))
+      if (($virtuser_query = $rcmail->config->get('virtuser_query'))
+    	&& ($sql_result = $dbh->query(preg_replace('/%u/', $dbh->escapeSimple($user), $virtuser_query)))
+	&& ($dbh->num_rows() > 0))
       {
+        $standard = 1;
         while ($sql_arr = $dbh->fetch_array($sql_result))
         {
           $dbh->query(
             "INSERT INTO ".get_table_name('identities')."
               (user_id, del, standard, name, email)
-             VALUES (?, 0, 1, ?, ?)",
+             VALUES (?, 0, ?, ?, ?)",
             $user_id,
+	    $standard,
             strip_newlines($user_name),
             preg_replace('/^@/', $user . '@', $sql_arr[0]));
+	  $standard = 0;
         }
       }
       else
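Review bot: The precedence fix on the rewritten condition is correct, but the query on the second new line still builds SQL with `preg_replace('/%u/', $dbh->escapeSimple($user), $virtuser_query)`, and preg_replace interprets its replacement argument: a `\\` sequence produced by escapeSimple collapses to a single `\` and `$` sequences are treated as references, so the escaped value is not inserted byte-for-byte and the escaping can be undone for names containing backslashes, leaving the configured virtuser query open to injection. A plain substitution keeps the escaped bytes intact: `&& ($sql_result = $dbh->query(str_replace('%u', $dbh->escapeSimple($user), $virtuser_query)))`; a bound parameter would be better still if the config convention allowed an unquoted placeholder. Separately, the new lines mix tabs with the file's two-space indentation (the two `&&` lines, `$standard,` and `$standard = 0;`), which is worth normalising. The enclosing function starts and ends outside the hunk.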

--
Gitblit v1.9.1