From c5799618997716288169b6fbcd1251f76788cd49 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Sun, 25 Nov 2007 12:34:19 -0500
Subject: [PATCH] Fixed some potential security risks + updatedd changelog

---
 CHANGELOG                           |   13 ++++++
 program/include/rcmail_template.inc |    4 +-
 program/include/main.inc            |    2 
 program/steps/addressbook/func.inc  |    5 --
 program/steps/mail/func.inc         |   19 +++------
 program/steps/mail/show.inc         |    4 +-
 program/include/rcube_html.inc      |    8 +---
 program/steps/mail/get.inc          |    6 +-
 program/steps/mail/sendmail.inc     |    2 
 9 files changed, 32 insertions(+), 31 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 33a7a11..f646061 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,19 @@
 CHANGELOG RoundCube Webmail
 ---------------------------
 
+2007/11/25 (thomasb)
+----------
+- Applied UID fetch patch by Glen Ogilvie
+- Applied patch for correct Postgres instructions from ticket #1484674
+- Fix overriding of session vars when register_globals is on (#1484670)
+- Fix wrong Postgres setup instructions in INSTALL (#1484674)
+- Fix bug with case-sensitive folder names (#1484245)
+- Don't create default folders by default
+- Added Georgian localization by Zaza Zviadadze
+- Updated Russian localization
+- Fixed some potential security risks (audited by Andris)
+
+
 2007/11/20 (tomekp)
 ----------
 - add Korean (kr) localization
diff --git a/program/include/main.inc b/program/include/main.inc
index 49dd2aa..f0c6030 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -1432,7 +1432,7 @@
 
   // use value from post
   if (!empty($_POST[$fname]))
-    $value = $_POST[$fname];
+    $value = get_input_value($fname, RCUBE_INPUT_POST);
 
   $out = $input->show($value);
          
diff --git a/program/include/rcmail_template.inc b/program/include/rcmail_template.inc
index 15752f8..558bd4b 100644
--- a/program/include/rcmail_template.inc
+++ b/program/include/rcmail_template.inc
@@ -831,12 +831,12 @@
         }
     }
       
-    $fields['host'] = isset($select_host) ? $select_host->show($_POST['_host']) : null;
+    $fields['host'] = isset($select_host) ? $select_host->show(get_input_value('_host', RCUBE_INPUT_POST)) : null;
     }
   else if (!strlen($CONFIG['default_host']))
     {
     $input_host = new textfield(array('name' => '_host', 'id' => 'rcmloginhost', 'size' => 30));
-    $fields['host'] = $input_host->show($_POST['_host']);
+    $fields['host'] = $input_host->show(get_input_value('_host', RCUBE_INPUT_POST));
     }
 
   $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
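Review bot: The posted `_host` read through `get_input_value()` on both changed lines is echoed straight back into the login form, and what makes that safe inside an attribute is the escaping this same commit adds to rcube_html's attribute builder, not the input helper, whose filtering (presumably tag stripping; its body is not on this page) is a different contract. A comment at the first changed line, `// filtered on input; escaped again by rcube_html when the field is rendered`, would record that the two layers are intentional rather than redundant. The same dependency holds for the `$_POST[$fname]` replacement in the main.inc hunk above, where `!empty($_POST[$fname])` still tests the raw superglobal while the assigned value comes from the helper; reading the helper's result once and testing that result would keep guard and value consistent. The enclosing functions start outside both hunks.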
diff --git a/program/include/rcube_html.inc b/program/include/rcube_html.inc
index a31594a..18983a1 100644
--- a/program/include/rcube_html.inc
+++ b/program/include/rcube_html.inc
@@ -292,10 +292,6 @@
       if ((strpos($key,'on')===0 && $value==''))
         continue;
 
-      // encode textarea content
-      if ($key=='value')
-        $value = Q($value, 'strict', FALSE);
-
       // attributes with no value
       if (in_array($key, array('checked', 'multiple', 'disabled', 'selected', 'nowrap')))
       {
@@ -304,11 +300,11 @@
       }
       // don't convert size of value attribute
       else if ($key=='value')
-        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $value);
+        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), Q($value, 'strict', false));
         
       // regular tag attributes
       else
-        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case($value, 'value'));
+        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case(Q($value), 'value'));
     }
 
     return sizeof($attrib_arr) ? ' '.implode(' ', $attrib_arr) : '';
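Review bot: On the last changed line the escaping runs before the case conversion, `$this->_conv_case(Q($value), 'value')`, so whatever `_conv_case` does to the value text is also done to the entities Q() just emitted; if it can upper-case, `&quot;` becomes `&QUOT;`, which older HTML parsers render literally. Escaping last, `Q($this->_conv_case($value, 'value'))`, keeps the entities intact whatever the case setting is (this only matters if `_conv_case` rewrites the value text, which is not visible in this hunk). The `value` path uses `Q($value, 'strict', false)` while the general path uses `Q($value)` with its defaults; if the third argument controls newline-to-markup conversion, a value containing a line break would get markup inserted inside an attribute on the general path, so passing the same `'strict', false` there would be consistent. Non-empty `on*` attributes are still emitted, and HTML-escaping does not neutralise script inside an event-handler attribute, so a comment at the `strpos($key,'on')` check noting that those values must stay template-controlled would make the remaining trust boundary explicit.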
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 574ef87..b916ad7 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -32,10 +32,7 @@
 
 // set list properties and session vars
 if (!empty($_GET['_page']))
-  {
-  $CONTACTS->set_page(intval($_GET['_page']));
-  $_SESSION['page'] = $_GET['_page'];
-  }
+  $CONTACTS->set_page(($_SESSION['page'] = intval($_GET['_page'])));
 else
   $CONTACTS->set_page(isset($_SESSION['page']) ?$_SESSION['page'] : 1);
 
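Review bot: `intval($_GET['_page'])` yields 0 for a non-numeric value that still passes `!empty()` (e.g. `_page=abc`), and that 0 is now stored in the session and handed to `set_page()` with no lower bound; unless `set_page()` clamps internally (not visible here), a floor such as `$CONTACTS->set_page(($_SESSION['page'] = max(1, intval($_GET['_page']))));` would match the `: 1` default of the else branch. The else branch still passes `$_SESSION['page']` through uncast, so a session written before this change can still carry the raw string the old code stored; `$CONTACTS->set_page(isset($_SESSION['page']) ? intval($_SESSION['page']) : 1);` closes that gap for live sessions. The same pattern is introduced in the `_page` hunk of program/steps/mail/func.inc.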
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index c072c91..95deaa4 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -30,16 +30,10 @@
 
 // set imap properties and session vars
 if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC))
-  {
-  $IMAP->set_mailbox($mbox);
-  $_SESSION['mbox'] = $mbox;
-  }
+  $IMAP->set_mailbox(($_SESSION['mbox'] = $mbox));
 
 if (!empty($_GET['_page']))
-  {
-  $IMAP->set_page((int)$_GET['_page']);
-  $_SESSION['page'] = (int)$_GET['_page'];
-  }
+  $IMAP->set_page(($_SESSION['page'] = intval($_GET['_page'])));
 
 // set mailbox to INBOX if not set
 if (empty($_SESSION['mbox']))
@@ -862,7 +856,7 @@
   if (!$attrib['id'])
     $attrib['id'] = 'rcmailMsgBody';
 
-  $safe_mode = (bool)$_GET['_safe'];
+  $safe_mode = intval($_GET['_safe']);
   $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
   $out = '<div '. $attrib_str . ">\n";
   
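Review bot: Replacing `(bool)$_GET['_safe']` with `intval($_GET['_safe'])` changes both the type and, for non-numeric input, the meaning of the flag: `_safe=yes` was true and is now 0, while `_safe=2` is now the integer 2 instead of true. `$safe_mode` is presumably consumed as a flag further down (the function body continues outside the hunk), so `$safe_mode = (bool)intval($_GET['_safe']);` keeps the numeric-only acceptance this commit wants while preserving the bool type callers saw before. The same replacement appears three times in program/steps/mail/get.inc and twice in program/steps/mail/show.inc; in the latter, `$OUTPUT->set_env('safemode', ...)` now ships an integer rather than a boolean to the client, which is worth a comment or the same bool cast so the JS side's expectation is stated rather than implied.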
@@ -1197,10 +1191,11 @@
   {
   global $CONFIG, $IMAP, $MESSAGE;
   
-  if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$_GET['_part']])
+  $part = get_input_value('_part', RCUBE_INPUT_GPC);
+  if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$part])
     return '';
     
-  $part = &$MESSAGE['parts'][$_GET['_part']];
+  $part = &$MESSAGE['parts'][$part];
   
   $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'cellspacing', 'cellpadding', 'border', 'summary'));
   $out = '<table '. $attrib_str . ">\n";
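Review bot: The guard on the new `if` still tests the raw `$_GET['_part']` while the array lookup in the same condition and the reference two lines later use `$part` from `get_input_value('_part', RCUBE_INPUT_GPC)`, which may come from POST or a cookie as well as GET, so the guard does not necessarily check the key that is actually used; `!$MESSAGE['parts'][$part]` also raises an undefined-index notice for an unknown id. Testing the variable the lookup uses, `if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !$_GET['_uid'] || !$part || empty($MESSAGE['parts'][$part]))`, covers both. Reusing `$part` first as the id string and then as the reference `$part = &$MESSAGE['parts'][$part]` reads confusingly even though PHP evaluates the index before rebinding; a separate `$part_id` would be clearer. The `$MESSAGE['parts'][get_input_value('_part', RCUBE_INPUT_GPC)]` line in the next hunk has the same GET/GPC split and no existence check at all before `$part->ctype_primary` is dereferenced. Both enclosing functions start outside their hunks.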
@@ -1230,7 +1225,7 @@
   {
   global $MESSAGE;
   
-  $part = $MESSAGE['parts'][$_GET['_part']];
+  $part = $MESSAGE['parts'][get_input_value('_part', RCUBE_INPUT_GPC)];
   $ctype_primary = strtolower($part->ctype_primary);
 
   $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']));
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index c9e40ac..dad49d3 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -88,7 +88,7 @@
       // we have to analyze the whole structure again to find inline objects
       list($new_parts, $new_attachments) =
         rcmail_parse_message($MESSAGE['structure'],
-                             array('safe' => (bool)$_GET['_safe'],
+                             array('safe' => intval($_GET['_safe']),
                                    'prefer_html' => TRUE,
                                    'get_url' => $GET_URL.'&_part=%s'));
 
@@ -102,7 +102,7 @@
         $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part);
 
       $OUTPUT = new rcube_html_page();
-      $OUTPUT->write(rcmail_print_body($part, (bool)$_GET['_safe']));
+      $OUTPUT->write(rcmail_print_body($part, intval($_GET['_safe'])));
       }
     else
       {
@@ -130,7 +130,7 @@
 
   $cont = ''; 
   list($MESSAGE['parts']) = rcmail_parse_message($MESSAGE['structure'],
-                                                 array('safe' => (bool)$_GET['_safe'],
+                                                 array('safe' => intval($_GET['_safe']),
                                                  'get_url' => $GET_URL.'&_part=%s'));
 
   $cont = "<html>\n<head><title></title>\n</head>\n<body>";
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index f1fd090..d118af5 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -199,7 +199,7 @@
 
 if (!empty($_POST['_priority']))
   {
-  $priority = (int)$_POST['_priority'];
+  $priority = intval($_POST['_priority']);
   $a_priorities = array(1=>'highest', 2=>'high', 4=>'low', 5=>'lowest');
   if ($str_priority = $a_priorities[$priority])
     $headers['X-Priority'] = sprintf("%d (%s)", $priority, ucfirst($str_priority));
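Review bot: `$a_priorities[$priority]` on the line after the new cast is read without an existence check, so any value outside the four keys (3, or 0 from a non-numeric `_priority`) raises an undefined-index notice before the truthiness test; `(int)` and `intval()` are behaviourally identical here, so the hunk does not change that. Guarding the lookup, `if (isset($a_priorities[$priority]))` followed by `$str_priority = $a_priorities[$priority];` inside the branch, keeps the header logic and removes the notice.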
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index e25da03..4dcdec3 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -57,7 +57,7 @@
   if ($MESSAGE['structure'] = $IMAP->get_structure($MESSAGE['UID']))
     list($MESSAGE['parts'], $MESSAGE['attachments']) = rcmail_parse_message(
       $MESSAGE['structure'],
-      array('safe' => (bool)$_GET['_safe'],
+      array('safe' => intval($_GET['_safe']),
             'prefer_html' => $CONFIG['prefer_html'],
             'get_url' => $GET_URL.'&_part=%s')
       );
@@ -71,7 +71,7 @@
 
   // give message uid to the client
   $OUTPUT->set_env('uid', $MESSAGE['UID']);
-  $OUTPUT->set_env('safemode', (bool)$_GET['_safe']);
+  $OUTPUT->set_env('safemode', intval($_GET['_safe']));
 
   $next = $prev = -1;
   // get previous, first, next and last message UID

--
Gitblit v1.9.1