From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
plugins/acl/acl.php | 30 +++++++++++++++++++++++++++---
1 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/plugins/acl/acl.php b/plugins/acl/acl.php
index e69fa6a..466185d 100644
--- a/plugins/acl/acl.php
+++ b/plugins/acl/acl.php
@@ -233,7 +233,8 @@
// Advanced rights
$attrib['id'] = 'advancedrights';
- foreach ($supported as $idx => $val) {
+ foreach ($supported as $key => $val) {
+ $id = "acl$val";
$ul .= html::tag('li', null,
$input->show('', array(
'name' => "acl[$val]", 'value' => $val, 'id' => $id))
@@ -432,8 +433,9 @@
$acl = trim(get_input_value('_acl', RCUBE_INPUT_GPC));
$oldid = trim(get_input_value('_old', RCUBE_INPUT_GPC));
- $acl = array_intersect(str_split($acl), $this->rights_supported());
- $users = $oldid ? array($user) : explode(',', $user);
+ $acl = array_intersect(str_split($acl), $this->rights_supported());
+ $users = $oldid ? array($user) : explode(',', $user);
+ $result = 0;
foreach ($users as $user) {
$user = trim($user);
@@ -451,6 +453,9 @@
if (!$acl || !$user || !strlen($mbox)) {
continue;
}
+
+ $user = $this->mod_login($user);
+ $username = $this->mod_login($username);
if ($user != $_SESSION['username'] && $username != $_SESSION['username']) {
if ($this->rc->storage->set_acl($mbox, $user, $acl)) {
@@ -703,4 +708,23 @@
return $this->ldap->ready;
}
+
+ /**
+ * Modify user login according to 'login_lc' setting
+ */
+ protected function mod_login($user)
+ {
+ $login_lc = $this->rc->config->get('login_lc');
+
+ if ($login_lc === true || $login_lc == 2) {
+ $user = mb_strtolower($user);
+ }
+ // lowercase domain name
+ else if ($login_lc && strpos($user, '@')) {
+ list($local, $domain) = explode('@', $user);
+ $user = $local . '@' . mb_strtolower($domain);
+ }
+
+ return $user;
+ }
}
--
Gitblit v1.9.1