From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
installer/rcube_install.php | 16 +++++++++++-----
1 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/installer/rcube_install.php b/installer/rcube_install.php
index 2e12987..bbb519d 100644
--- a/installer/rcube_install.php
+++ b/installer/rcube_install.php
@@ -217,10 +217,12 @@
// save change
$this->config[$prop] = $value;
+ $dump = self::_dump_var($value, $prop);
+
// replace the matching line in config file
$out = preg_replace(
- '/(\$rcmail_config\[\''.preg_quote($prop).'\'\])\s+=\s+(.+);/Uie',
- "'\\1 = ' . rcube_install::_dump_var(\$value, \$prop) . ';'",
+ '/(\$rcmail_config\[\''.preg_quote($prop).'\'\])\s+=\s+(.+);/Ui',
+ "\\1 = $dump;",
$out);
}
@@ -455,7 +457,8 @@
'0.6-beta', '0.6',
'0.7-beta', '0.7', '0.7.1', '0.7.2', '0.7.3', '0.7.4',
'0.8-beta', '0.8-rc', '0.8.0', '0.8.1', '0.8.2', '0.8.3', '0.8.4', '0.8.5', '0.8.6',
- '0.9-beta', '0.9-rc', '0.9-rc2', '0.9.0',
+ '0.9-beta', '0.9-rc', '0.9-rc2',
+ // Note: Do not add newer versions here
));
return $select;
}
@@ -494,10 +497,13 @@
* @param string Test name
* @param string Error message
* @param string URL for details
+ * @param bool Do not count this failure
*/
- function fail($name, $message = '', $url = '')
+ function fail($name, $message = '', $url = '', $optional=false)
{
- $this->failures++;
+ if (!$optional) {
+ $this->failures++;
+ }
echo Q($name) . ': <span class="fail">NOT OK</span>';
$this->_showhint($message, $url);
--
Gitblit v1.9.1