From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/autologon/autologon.php |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/plugins/autologon/autologon.php b/plugins/autologon/autologon.php
index c40f2d4..63ffb94 100644
--- a/plugins/autologon/autologon.php
+++ b/plugins/autologon/autologon.php
@@ -3,9 +3,13 @@
 /**
  * Sample plugin to try out some hooks.
  * This performs an automatic login if accessed from localhost
+ *
+ * @license GNU GPLv3+
+ * @author Thomas Bruederli
  */
 class autologon extends rcube_plugin
 {
+  public $task = 'login';
 
   function init()
   {
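Review bot: The new `public $task = 'login';` property has no comment, yet it appears to be what replaces the `$args['task'] == 'mail'` test removed in the next hunk. A reader of the class alone cannot tell that the plugin is now meant to load only for the login task. I would put `// limit this plugin to the login task; the hook below no longer checks the task itself` above the property. The body of `init()` continues outside the hunk.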
@@ -18,7 +22,7 @@
     $rcmail = rcmail::get_instance();
 
     // change action to login
-    if ($args['task'] == 'mail' && empty($args['action']) && empty($_SESSION['user_id']) && !empty($_GET['_autologin']) && $this->is_localhost())
+    if (empty($_SESSION['user_id']) && !empty($_GET['_autologin']) && $this->is_localhost())
       $args['action'] = 'login';
 
     return $args;
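Review bot: With the task and action tests removed, the rewritten condition leaves `$this->is_localhost()` as the only thing between a `_autologin` GET parameter and a login action. That helper is not visible in this hunk. If it compares the remote address, a reverse proxy running on the same host would make every client look local, so the assumption should be stated next to the check, for example `// assumes the web server is reached directly; behind a local proxy all clients appear as localhost`. The `if` would also read more safely with braces around `$args['action'] = 'login';`. The enclosing function starts outside the hunk.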
@@ -30,6 +34,8 @@
       $args['user'] = 'me';
       $args['pass'] = '******';
       $args['host'] = 'localhost';
+      $args['cookiecheck'] = false;
+      $args['valid'] = true;
     }
   
     return $args;
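Review bot: The added `$args['cookiecheck'] = false;` and `$args['valid'] = true;` have no comment explaining why it is acceptable to skip these checks here. As far as I know, in Roundcube's authenticate hook these turn off the test-cookie check and mark the request as having passed validation. The guarding `if` sits outside the hunk, so the condition that justifies the bypass cannot be confirmed from here. I would add something like `// autologin sends no login form, so there is no request token or test cookie; is_localhost() is the only gate` above the two lines. The hard-coded `user`/`pass` context lines are tolerable only because the docblock marks this as a sample plugin.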

--
Gitblit v1.9.1