From d3b98eb4dcb2b7eb867ae21108e64d0b2769e920 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 21 Jan 2016 10:28:29 -0500
Subject: [PATCH] Fix (again) security issue in DBMail driver of password plugin [CVE-2015-2181] (#1490643)
---
plugins/database_attachments/database_attachments.php | 25 ++++++++++++++++++-------
1 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/plugins/database_attachments/database_attachments.php b/plugins/database_attachments/database_attachments.php
index f908074..31747b3 100644
--- a/plugins/database_attachments/database_attachments.php
+++ b/plugins/database_attachments/database_attachments.php
@@ -13,14 +13,16 @@
* @author Aleksander Machniak <alec@alec.pl>
* @version @package_version@
*/
-require_once('plugins/filesystem_attachments/filesystem_attachments.php');
+
+require_once INSTALL_PATH . 'plugins/filesystem_attachments/filesystem_attachments.php';
+
class database_attachments extends filesystem_attachments
{
// Cache object
protected $cache;
// A prefix for the cache key used in the session and in the key field of the cache table
- protected $prefix = "db_attach";
+ const PREFIX = "ATTACH";
/**
* Save a newly uploaded attachment
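Review bot: Replacing the `$prefix` property with `const PREFIX = "ATTACH"` changes the stored cache-key prefix from `db_attach`, so entries written by the previous version are no longer addressable after upgrade and stay in the cache table until their TTL expires; the hunk does not say whether that is intended. A short comment on the constant would record it, e.g. `// Cache key prefix (changed from 'db_attach'; pre-upgrade entries are not reused and expire by TTL)`. Any code outside this file that still reads `$this->prefix` would now hit an undefined property, which is worth checking.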
@@ -41,9 +43,9 @@
$status = $cache->write($key, $data);
if ($status) {
- $args['id'] = $key;
+ $args['id'] = $key;
$args['status'] = true;
- unset($args['path']);
+ $args['path'] = null;
}
return $args;
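Review bot: Switching from `unset($args['path'])` to `$args['path'] = null` keeps the key present with a null value, which behaves the same for `isset()` but differently for `array_key_exists()` or callers iterating over the keys; if that is the reason for the change, it is not visible here. A one-line comment would make the intent explicit, e.g. `// keep the key with an explicit null so callers see there is no filesystem path`. The enclosing upload method starts and ends outside this hunk.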
@@ -124,8 +126,10 @@
*/
function cleanup($args)
{
- $cache = $this->get_cache();
- $cache->remove($args['group'], true);
+ // check if cache object exist, it may be empty on session_destroy (#1489726)
+ if ($cache = $this->get_cache()) {
+ $cache->remove($args['group'], true);
+ }
}
/**
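Review bot: `$args['group']` is read without checking it is set; if the hook fires without a group, the call becomes `$cache->remove(null, true)`, and with the prefix-mode flag it is not clear from this hunk what an empty key matches, so the guard should also cover the group: `if (!empty($args['group']) && ($cache = $this->get_cache())) {`. The assignment inside the condition reads like a comparison at a glance, so a `// assignment intended` comment or a separate line would help. The added comment also has a typo: `exist` → `exists`.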
@@ -149,9 +153,16 @@
$ttl = 12 * 60 * 60; // default: 12 hours
$ttl = $rcmail->config->get('database_attachments_cache_ttl', $ttl);
$type = $rcmail->config->get('database_attachments_cache', 'db');
+ $prefix = self::PREFIX;
+
+ // Add session identifier to the prefix to prevent from removing attachments
+ // in other sessions of the same user (#1490542)
+ if ($id = session_id()) {
+ $prefix .= $id;
+ }
// Init SQL cache (disable cache data serialization)
- $this->cache = $rcmail->get_cache($this->prefix, 'db', $ttl, false);
+ $this->cache = $rcmail->get_cache($prefix, $type, $ttl, false);
}
return $this->cache;
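Review bot: Appending `session_id()` to the prefix scopes cleanup to the current session, but since `$this->cache` is memoised with the prefix computed once, entries written under an earlier session id (for example before the id is regenerated at login) are unreachable under the new id and remain until the TTL expires; whether that is acceptable is not stated. Suggest extending the comment: `// NOTE: entries written under a previous session id are not found after regeneration and expire by TTL`. When no session is active `session_id()` returns an empty string, so the code silently falls back to the bare, session-independent prefix; a comment noting that fallback would help readers assessing isolation. get_cache's body begins and ends outside this hunk.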
--
Gitblit v1.9.1