From 46f7b7096450939fe03c95aa81ce06ae4bfca89d Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 28 Mar 2016 06:51:43 -0400
Subject: [PATCH] Enable reply/reply-all/forward buttons also in preview frame of message/rfc822

---
 program/include/rcmail_output_html.php |   33 ++++++++++++++++++++++-----------
 1 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 365c403..8dda8c3 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/include/rcmail_output_html.php                                |
  |                                                                       |
@@ -18,7 +18,6 @@
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
 */
-
 
 /**
  * Class to create HTML page output using a skin template
@@ -225,6 +224,17 @@
      */
     public function set_skin($skin)
     {
+        // Sanity check to prevent from path traversal vulnerability (#1490620)
+        if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {
+            rcube::raise_error(array(
+                    'file'    => __FILE__,
+                    'line'    => __LINE__,
+                    'message' => 'Invalid skin name'
+                ), true, false);
+
+            return false;
+        }
+
         $valid = false;
         $path  = RCUBE_INSTALL_PATH . 'skins/';
 
@@ -263,11 +273,14 @@
         $meta = @file_get_contents(RCUBE_INSTALL_PATH . $skin_path . '/meta.json');
         $meta = @json_decode($meta, true);
 
-        $meta['path'] = $skin_path;
-        $skin_id = end(explode('/', $skin_path));
+        $meta['path']  = $skin_path;
+        $path_elements = explode('/', $skin_path);
+        $skin_id       = end($path_elements);
+
         if (!$meta['name']) {
             $meta['name'] = $skin_id;
         }
+
         $this->skins[$skin_id] = $meta;
 
         if ($meta['extends']) {
@@ -389,7 +402,7 @@
         if ($override || !$this->message) {
             if ($this->app->text_exists($message)) {
                 if (!empty($vars))
-                    $vars = array_map('Q', $vars);
+                    $vars = array_map(array('rcube','Q'), $vars);
                 $msgtext = $this->app->gettext(array('name' => $message, 'vars' => $vars));
             }
             else
@@ -503,10 +516,10 @@
         // write all javascript commands
         $this->add_script($commands, 'head_top');
 
-        // send clickjacking protection headers
+        // allow (legal) iframe content to be loaded
         $iframe = $this->framed || $this->env['framed'];
-        if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) {
-            header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
+        if (!headers_sent() && $iframe && $this->app->config->get('x_frame_options', 'sameorigin') === 'deny') {
+            header('X-Frame-Options: sameorigin', true);
         }
 
         // call super method
@@ -957,7 +970,7 @@
                 "rcube_utils::get_input_value('\\1', rcube_utils::INPUT_GPC)",
                 "\$_COOKIE['\\1']",
                 "\$browser->{'\\1'}",
-                $this->template_name,
+                "'" . $this->template_name . "'",
             ),
             $expression
         );
@@ -1257,7 +1270,6 @@
         if (!($attrib['command'] || $attrib['name'] || $attrib['href'])) {
             return '';
         }
-
 
         // try to find out the button type
         if ($attrib['type']) {
@@ -2035,5 +2047,4 @@
 
         return $content;
     }
-
 }

--
Gitblit v1.9.1