From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/archive/archive.php |   70 +++++++++++++++-------------------
 1 files changed, 31 insertions(+), 39 deletions(-)

diff --git a/plugins/archive/archive.php b/plugins/archive/archive.php
index 7750160..0a298cb 100644
--- a/plugins/archive/archive.php
+++ b/plugins/archive/archive.php
@@ -6,7 +6,8 @@
  * Plugin that adds a new button to the mailbox toolbar
  * to move messages to a (user selectable) archive folder.
  *
- * @version 1.4
+ * @version @package_version@
+ * @license GNU GPLv3+
  * @author Andre Rodier, Thomas Bruederli
  */
 class archive extends rcube_plugin
@@ -15,24 +16,27 @@
 
   function init()
   {
-    $this->register_action('plugin.archive', array($this, 'request_action'));
+    $rcmail = rcmail::get_instance();
 
     // There is no "Archived flags"
     // $GLOBALS['IMAP_FLAGS']['ARCHIVED'] = 'Archive';
-    
-    $rcmail = rcmail::get_instance();
     if ($rcmail->task == 'mail' && ($rcmail->action == '' || $rcmail->action == 'show')
-      && ($archive_folder = $rcmail->config->get('archive_mbox'))) {
-
-      $skin_path = 'skins/'.$rcmail->output->config['skin'];
+        && ($archive_folder = $rcmail->config->get('archive_mbox'))) {
+      $skin_path = $this->local_skin_path();
+      if (is_file($this->home . "/$skin_path/archive.css"))
+        $this->include_stylesheet("$skin_path/archive.css");
 
       $this->include_script('archive.js');
       $this->add_texts('localization', true);
       $this->add_button(
         array(
+            'type' => 'link',
+            'label' => 'buttontext',
             'command' => 'plugin.archive',
-            'imagepas' => $skin_path.'/archive_pas.png',
-            'imageact' => $skin_path.'/archive_act.png',
+            'class' => 'button buttonPas archive disabled',
+            'classact' => 'button archive',
+            'width' => 32,
+            'height' => 32,
             'title' => 'buttontitle',
             'domain' => $this->ID,
         ),
@@ -43,19 +47,18 @@
 
       // set env variable for client
       $rcmail->output->set_env('archive_folder', $archive_folder);
-      $rcmail->output->set_env('archive_folder_icon', $this->url($skin_path.'/foldericon.png'));
 
       // add archive folder to the list of default mailboxes
-      if (($default_folders = $rcmail->config->get('default_imap_folders')) && !in_array($archive_folder, $default_folders)) {
+      if (($default_folders = $rcmail->config->get('default_folders')) && !in_array($archive_folder, $default_folders)) {
         $default_folders[] = $archive_folder;
-        $rcmail->config->set('default_imap_folders', $default_folders);
+        $rcmail->config->set('default_folders', $default_folders);
       }  
     }
     else if ($rcmail->task == 'settings') {
       $dont_override = $rcmail->config->get('dont_override', array());
       if (!in_array('archive_mbox', $dont_override)) {
-        $this->add_hook('user_preferences', array($this, 'prefs_table'));
-        $this->add_hook('save_preferences', array($this, 'save_prefs'));
+        $this->add_hook('preferences_list', array($this, 'prefs_table'));
+        $this->add_hook('preferences_save', array($this, 'save_prefs'));
       }
     }
   }
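Review bot: The membership test `!in_array($archive_folder, $default_folders)` on the renamed `default_folders` option is a loose comparison, so numeric-looking folder names (`"1"` vs `"01"`) compare equal and the archive folder can be wrongly treated as already present. Use the strict form: `!in_array($archive_folder, $default_folders, true)`. The enclosing `init()` begins in the previous hunk.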
@@ -64,9 +67,10 @@
   {
     $rcmail = rcmail::get_instance();
     $archive_folder = $rcmail->config->get('archive_mbox');
+    $localize_name = $rcmail->config->get('archive_localize_name', true);
 
     // set localized name for the configured archive folder
-    if ($archive_folder) {
+    if ($archive_folder && $localize_name) {
       if (isset($p['list'][$archive_folder]))
         $p['list'][$archive_folder]['name'] = $this->gettext('archivefolder');
       else // search in subfolders
@@ -81,41 +85,29 @@
     foreach ($list as $idx => $item) {
       if ($item['id'] == $folder) {
         $list[$idx]['name'] = $new_name;
-	return true;
+        return true;
       } else if (!empty($item['folders']))
         if ($this->_mod_folder_name($list[$idx]['folders'], $folder, $new_name))
-	  return true;
+        return true;
     }
     return false;
   }
 
-  function request_action()
-  {
-    $this->add_texts('localization');
-    
-    $uids = get_input_value('_uid', RCUBE_INPUT_POST);
-    $mbox = get_input_value('_mbox', RCUBE_INPUT_POST);
-    
-    $rcmail = rcmail::get_instance();
-    
-    // There is no "Archive flags", but I left this line in case it may be useful
-    // $rcmail->imap->set_flag($uids, 'ARCHIVE');
-    
-    if (($archive_mbox = $rcmail->config->get('archive_mbox')) && $mbox != $archive_mbox) {
-      $rcmail->output->command('move_messages', $archive_mbox);
-      $rcmail->output->command('display_message', $this->gettext('archived'), 'confirmation');
-    }
-    
-    $rcmail->output->send();
-  }
-
   function prefs_table($args)
   {
+    global $CURR_SECTION;
+
     if ($args['section'] == 'folders') {
       $this->add_texts('localization');
-      
+
       $rcmail = rcmail::get_instance();
-      $select = rcmail_mailbox_select(array('noselection' => '---', 'realnames' => true, 'maxlength' => 30));
+
+      // load folders list when needed
+      if ($CURR_SECTION)
+        $select = rcmail_mailbox_select(array('noselection' => '---', 'realnames' => true,
+          'maxlength' => 30, 'exceptions' => array('INBOX'), 'folder_filter' => 'mail', 'folder_rights' => 'w'));
+      else
+        $select = new html_select();
 
       $args['blocks']['main']['options']['archive_mbox'] = array(
           'title' => $this->gettext('archivefolder'),

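Review bot: The folder picker for `archive_mbox` is now limited to writable mail folders other than INBOX (`'exceptions' => array('INBOX')`, `'folder_rights' => 'w'`), but that filter only shapes the form; the `preferences_save` handler `save_prefs` is outside this hunk, and unless it re-checks the posted value a crafted request can still store INBOX or a folder the user cannot write to as the archive target. The save path should reject any submitted folder that is not in the same filtered list before writing the preference. The `global $CURR_SECTION` branch also deserves a why-comment, since it is the only thing deciding between a populated select and an empty `html_select()`; something like `// $CURR_SECTION is presumably set only when a section body is rendered; the section index needs no folder list (confirm against settings code)`. `prefs_table()` continues past the end of the hunk.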