From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/acl/acl.php |   32 ++++++++++++++++++++++++++++----
 1 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/plugins/acl/acl.php b/plugins/acl/acl.php
index 1952dad..466185d 100644
--- a/plugins/acl/acl.php
+++ b/plugins/acl/acl.php
@@ -233,7 +233,8 @@
 
         // Advanced rights
         $attrib['id'] = 'advancedrights';
-        foreach ($supported as $idx => $val) {
+        foreach ($supported as $key => $val) {
+            $id = "acl$val";
             $ul .= html::tag('li', null,
                 $input->show('', array(
                     'name' => "acl[$val]", 'value' => $val, 'id' => $id))
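Review bot: The loop key renamed to `$key` on the new `foreach` line is not referenced by any visible line of the body; if the remainder of the loop (which continues outside the hunk) does not use it either, `foreach ($supported as $val) {` is the cleaner form. The new `$id = "acl$val";` line does give the previously unassigned `$id` a value before it is passed as the element id, which reads as the intended fix. The enclosing method starts and ends outside the hunk.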
@@ -432,8 +433,9 @@
         $acl   = trim(get_input_value('_acl', RCUBE_INPUT_GPC));
         $oldid = trim(get_input_value('_old', RCUBE_INPUT_GPC));
 
-        $acl   = array_intersect(str_split($acl), $this->rights_supported());
-        $users = $oldid ? array($user) : explode(',', $user);
+        $acl    = array_intersect(str_split($acl), $this->rights_supported());
+        $users  = $oldid ? array($user) : explode(',', $user);
+        $result = 0;
 
         foreach ($users as $user) {
             $user = trim($user);
@@ -441,7 +443,7 @@
             if (!empty($this->specials) && in_array($user, $this->specials)) {
                 $username = $this->gettext($user);
             }
-            else {
+            else if (!empty($user)) {
                 if (!strpos($user, '@') && ($realm = $this->get_realm())) {
                     $user .= '@' . rcube_idn_to_ascii(preg_replace('/^@/', '', $realm));
                 }
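Review bot: The new `else if (!empty($user))` also treats the literal login `'0'` as absent, because `empty('0')` is true in PHP; if the intent is only to skip blank entries produced by the `explode(',', …)` split, `else if ($user !== '')` is the precise test (the later `!$user` guard in the same loop has the same quirk). The pre-existing `!strpos($user, '@')` on the following line is also true when '@' sits at offset 0, so a login beginning with '@' gets the realm appended; `strpos($user, '@') === false` avoids that. The enclosing foreach body starts and ends outside the hunk.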
@@ -451,6 +453,9 @@
             if (!$acl || !$user || !strlen($mbox)) {
                 continue;
             }
+
+            $user     = $this->mod_login($user);
+            $username = $this->mod_login($username);
 
             if ($user != $_SESSION['username'] && $username != $_SESSION['username']) {
                 if ($this->rc->storage->set_acl($mbox, $user, $acl)) {
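Review bot: The self-check `$user != $_SESSION['username'] && $username != $_SESSION['username']` compares the newly normalised values with loose `!=`; `!==` avoids numeric-string coercion (e.g. `'1e3' == '1000'` is true) and is the safer form for an identity comparison that gates ACL changes. The check only prevents self-modification if `$_SESSION['username']` was stored after the same `login_lc` normalisation that `mod_login()` applies; that happens elsewhere and is not visible here, so it is worth confirming. `$username` is assigned only in the two branches of the preceding if/else-if (partly outside the hunk) — the `!$user` guard above makes the unassigned case unreachable, but a `$username = null;` at the top of the loop body would make that explicit. The loop body starts and ends outside the hunk.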
@@ -703,4 +708,23 @@
 
         return $this->ldap->ready;
     }
+
+    /**
+     * Modify user login according to 'login_lc' setting
+     */
+    protected function mod_login($user)
+    {
+        $login_lc = $this->rc->config->get('login_lc');
+
+        if ($login_lc === true || $login_lc == 2) {
+            $user = mb_strtolower($user);
+        }
+        // lowercase domain name
+        else if ($login_lc && strpos($user, '@')) {
+            list($local, $domain) = explode('@', $user);
+            $user = $local . '@' . mb_strtolower($domain);
+        }
+
+        return $user;
+    }
 }
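Review bot: `list($local, $domain) = explode('@', $user);` silently truncates a login containing more than one '@' to its first two parts, so `mod_login()` can return a different identity than it was given; `list($local, $domain) = explode('@', $user, 2);` keeps the remainder intact. The guard `strpos($user, '@')` is falsy when the '@' is at offset 0, so a login starting with '@' skips domain lowercasing while the full-lowercase branch handles it; `strpos($user, '@') !== false` makes the two branches consistent. `$login_lc == 2` is a loose comparison; `$login_lc === 2` (or an explicit `(int)` cast first, depending on what the config option can hold) is stricter. The docblock could also state that the return value is compared against `$_SESSION['username']` by the caller, so this method must apply exactly the normalisation used at login.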

--
Gitblit v1.9.1