From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 plugins/archive/archive.php | 97 ++++++++++++++++++++++++++++--------------------
 1 files changed, 56 insertions(+), 41 deletions(-)
diff --git a/plugins/archive/archive.php b/plugins/archive/archive.php
index 2bd1adc..0a298cb 100644
--- a/plugins/archive/archive.php
+++ b/plugins/archive/archive.php
@@ -6,7 +6,8 @@
 * Plugin that adds a new button to the mailbox toolbar
 * to move messages to a (user selectable) archive folder.
 *
- * @version 1.4
+ * @version @package_version@
+ * @license GNU GPLv3+
 * @author Andre Rodier, Thomas Bruederli
 */
 class archive extends rcube_plugin
@@ -15,20 +16,27 @@
 function init()
 {
- $this->register_action('plugin.archive', array($this, 'request_action'));
-
- # There is no "Archived flags"
- # $GLOBALS['IMAP_FLAGS']['ARCHIVED'] = 'Archive';
-
 $rcmail = rcmail::get_instance();
- if ($rcmail->task == 'mail' && ($rcmail->action == '' || $rcmail->action == 'show') && ($archive_folder = $rcmail->config->get('archive_mbox'))) {
+
+ // There is no "Archived flags"
+ // $GLOBALS['IMAP_FLAGS']['ARCHIVED'] = 'Archive';
+ if ($rcmail->task == 'mail' && ($rcmail->action == '' || $rcmail->action == 'show')
+ && ($archive_folder = $rcmail->config->get('archive_mbox'))) {
+ $skin_path = $this->local_skin_path();
+ if (is_file($this->home . "/$skin_path/archive.css"))
+ $this->include_stylesheet("$skin_path/archive.css");
+
 $this->include_script('archive.js');
 $this->add_texts('localization', true);
 $this->add_button(
 array(
+ 'type' => 'link',
+ 'label' => 'buttontext',
 'command' => 'plugin.archive',
- 'imagepas' => 'archive_pas.png',
- 'imageact' => 'archive_act.png',
+ 'class' => 'button buttonPas archive disabled',
+ 'classact' => 'button archive',
+ 'width' => 32,
+ 'height' => 32,
 'title' => 'buttontitle',
 'domain' => $this->ID,
 ),
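Review bot: Dropping `$this->register_action('plugin.archive', …)` while `add_button` still binds `'command' => 'plugin.archive'` leaves the button without a server-side handler, so it now depends entirely on `archive.js` (included a few lines below) registering that command on the client; that file is not part of this diff, so confirm it also keeps the guard the removed handler had against moving messages when the current mailbox already is the archive folder (`$mbox != $archive_mbox`, deleted later in this patch). The stylesheet probe `if (is_file($this->home . "/$skin_path/archive.css"))` silently skips skins without a stylesheet; a comment such as `// per-skin stylesheet is optional` would make that intentional rather than accidental, and braces around the one-statement body would match the multi-line `if` just above it. init() closes outside this hunk.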
@@ -40,18 +48,17 @@
 // set env variable for client
 $rcmail->output->set_env('archive_folder', $archive_folder);
- // add archive folder to the list of defailt mailboxes
- if (($default_folders = $rcmail->config->get('default_imap_folders')) && !in_array($archive_folder, $default_folders)) {
+ // add archive folder to the list of default mailboxes
+ if (($default_folders = $rcmail->config->get('default_folders')) && !in_array($archive_folder, $default_folders)) {
 $default_folders[] = $archive_folder;
- $rcmail->config->set('default_imap_folders', $default_folders);
- }
-
+ $rcmail->config->set('default_folders', $default_folders);
+ }
 }
 else if ($rcmail->task == 'settings') {
 $dont_override = $rcmail->config->get('dont_override', array());
 if (!in_array('archive_mbox', $dont_override)) {
- $this->add_hook('user_preferences', array($this, 'prefs_table'));
- $this->add_hook('save_preferences', array($this, 'save_prefs'));
+ $this->add_hook('preferences_list', array($this, 'prefs_table'));
+ $this->add_hook('preferences_save', array($this, 'save_prefs'));
 }
 }
 }
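Review bot: Both `in_array` calls in this hunk are loose comparisons: `!in_array($archive_folder, $default_folders)` decides whether the user-configured archive folder is appended to `default_folders`, and PHP's `==` on strings compares numeric-looking names numerically (`'10'` equals `'1e1'`), so a folder can be wrongly treated as already present. Pass the strict flag on both: `!in_array($archive_folder, $default_folders, true)` and `!in_array('archive_mbox', $dont_override, true)`. The `dont_override` test is what keeps the `preferences_save` hook from being registered when an admin has locked `archive_mbox`; that is worth stating on the line, e.g. `// skip both prefs hooks when the admin locked archive_mbox via dont_override`. init() starts outside this hunk.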
@@ -60,41 +67,47 @@
 {
 $rcmail = rcmail::get_instance();
 $archive_folder = $rcmail->config->get('archive_mbox');
-
- // set localized name for the configured arcive folder
- if ($archive_folder && $p['list'][$archive_folder])
- $p['list'][$archive_folder]['name'] = $this->gettext('archivefolder');
-
+ $localize_name = $rcmail->config->get('archive_localize_name', true);
+
+ // set localized name for the configured archive folder
+ if ($archive_folder && $localize_name) {
+ if (isset($p['list'][$archive_folder]))
+ $p['list'][$archive_folder]['name'] = $this->gettext('archivefolder');
+ else // search in subfolders
+ $this->_mod_folder_name($p['list'], $archive_folder, $this->gettext('archivefolder'));
+ }
+
 return $p;
 }
- function request_action()
+ function _mod_folder_name(&$list, $folder, $new_name)
 {
- $this->add_texts('localization');
-
- $uids = get_input_value('_uid', RCUBE_INPUT_POST);
- $mbox = get_input_value('_mbox', RCUBE_INPUT_POST);
-
- $rcmail = rcmail::get_instance();
-
- # There is no "Archive flags", but I left this line in case it may be useful
- # $rcmail->imap->set_flag($uids, 'ARCHIVE');
-
- if (($archive_mbox = $rcmail->config->get('archive_mbox')) && $mbox != $archive_mbox) {
- $rcmail->output->command('move_messages', $archive_mbox);
- $rcmail->output->command('display_message', $this->gettext('archived'), 'confirmation');
+ foreach ($list as $idx => $item) {
+ if ($item['id'] == $folder) {
+ $list[$idx]['name'] = $new_name;
+ return true;
+ } else if (!empty($item['folders']))
+ if ($this->_mod_folder_name($list[$idx]['folders'], $folder, $new_name))
+ return true;
 }
-
- $rcmail->output->send();
+ return false;
 }
 function prefs_table($args)
 {
+ global $CURR_SECTION;
+
 if ($args['section'] == 'folders') {
 $this->add_texts('localization');
-
+
 $rcmail = rcmail::get_instance();
- $select = rcmail_mailbox_select(array('noselection' => '---', 'realnames' => true, 'maxlength' => 30));
+
+ // load folders list when needed
+ if ($CURR_SECTION)
+
$select = rcmail_mailbox_select(array('noselection' => '---', 'realnames' => true,
+ 'maxlength' => 30, 'exceptions' => array('INBOX'), 'folder_filter' => 'mail', 'folder_rights' => 'w'));
+ else
+ $select = new html_select();
 $args['blocks']['main']['options']['archive_mbox'] = array(
 'title' => $this->gettext('archivefolder'),
@@ -107,8 +120,10 @@
 function save_prefs($args)
 {
- $args['prefs']['archive_mbox'] = get_input_value('_archive_mbox', RCUBE_INPUT_POST);
- return $args;
+ if ($args['section'] == 'folders') {
+ $args['prefs']['archive_mbox'] = get_input_value('_archive_mbox', RCUBE_INPUT_POST);
+ return $args;
+ }
 }
 }
-- Gitblit v1.9.1
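Review bot: The new `_mod_folder_name` matches folder ids with a loose comparison, `if ($item['id'] == $folder)`, which in PHP compares numeric-looking strings as numbers, so folders named `10` and `1e1` would be treated as the same id; both sides are strings here, so use `if ($item['id'] === $folder) {`. The recursive branch is a brace-less `else if` wrapping a brace-less `if`, which is a dangling-else hazard; collapse it to one guarded statement, `} else if (!empty($item['folders']) && $this->_mod_folder_name($list[$idx]['folders'], $folder, $new_name)) { return true; }`. `prefs_table` now reads `global $CURR_SECTION` to decide whether the folder list is built at all; a note such as `// $CURR_SECTION is presumably set by the settings controller when this section renders - confirm` would record a dependency that is otherwise invisible in this file. The helper carries no visibility keyword and a leading underscore; `private function _mod_folder_name` would match its intent. prefs_table's body continues past the end of this hunk.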
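Review bot: `save_prefs` stores `get_input_value('_archive_mbox', RCUBE_INPUT_POST)` as-is, so the limits the folder select gets earlier in this patch (`'exceptions' => array('INBOX')`, `'folder_filter' => 'mail'`, `'folder_rights' => 'w'`) exist only in the browser; a hand-crafted POST can still set `archive_mbox` to INBOX, to a folder that does not exist or to one the user cannot write to. Validate the submitted name on the server against the same folder list the select is built from and reject INBOX before assigning `$args['prefs']['archive_mbox']`. The `return $args;` now sits inside the `if`, so for every other settings section the hook callback returns null and relies on the hook dispatcher tolerating a non-array return; move the return after the `if` so `$args` is always handed back. The subject line refers to the `_session` argument of `utils/save-prefs`, but the diffstat lists only `plugins/archive/archive.php` and nothing in this patch touches `_session`; either the description should explain how this archive-plugin change relates to #1489382, or the patch content should be checked against the intended commit.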