From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/acl/acl.php |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/plugins/acl/acl.php b/plugins/acl/acl.php
index ab7c8ce..466185d 100644
--- a/plugins/acl/acl.php
+++ b/plugins/acl/acl.php
@@ -233,7 +233,8 @@
 
         // Advanced rights
         $attrib['id'] = 'advancedrights';
-        foreach ($supported as $idx => $val) {
+        foreach ($supported as $key => $val) {
+            $id = "acl$val";
             $ul .= html::tag('li', null,
                 $input->show('', array(
                     'name' => "acl[$val]", 'value' => $val, 'id' => $id))
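Review bot: The loop key `$key` introduced on the new foreach line is not referenced anywhere in the visible part of the body, so the rename from `$idx` still leaves an unused variable; if the remainder of the loop (which continues past the hunk) does not use it either, `foreach ($supported as $val) {` is the cleaner form. The added `$id = "acl$val";` supplies the id that the checkbox on the following lines previously took from an undefined or stale `$id`; a short comment such as `// per-right element id, shared by the input and its label` would make that intent visible, though the label itself is not in view. `$val` appears to come from the server-side list of supported rights rather than from request input, so interpolating it into the id attribute looks safe, but that and the attribute escaping done by `html::tag`/`$input->show` cannot be confirmed from this hunk.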
@@ -432,8 +433,9 @@
         $acl   = trim(get_input_value('_acl', RCUBE_INPUT_GPC));
         $oldid = trim(get_input_value('_old', RCUBE_INPUT_GPC));
 
-        $acl   = array_intersect(str_split($acl), $this->rights_supported());
-        $users = $oldid ? array($user) : explode(',', $user);
+        $acl    = array_intersect(str_split($acl), $this->rights_supported());
+        $users  = $oldid ? array($user) : explode(',', $user);
+        $result = 0;
 
         foreach ($users as $user) {
             $user = trim($user);
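Review bot: The new `$result = 0;` initialiser carries no explanation of what is accumulated into it, and the code that updates it lies beyond the end of the hunk; a one-line comment on that declaration stating what `$result` counts or collects would let a reader understand the loop without scrolling. The foreach also reuses `$user` as both the raw `_user` request value and the loop variable, so `$oldid ? array($user) : explode(',', $user)` and `foreach ($users as $user)` refer to different things under one name; this is a readability point rather than a defect. Note that `explode(',', $user)` on an empty string yields a single empty-string element, so the loop body (not visible here) needs to skip an empty trimmed `$user` rather than pass it on. Separately, the patch subject refers to the `_session` argument of utils/save-prefs while the diffstat shows only plugins/acl/acl.php, so the subject may describe a different change than the one in this hunk.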

--
Gitblit v1.9.1