From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/vcard_attachments/vcard_attachments.php |   46 ++++++++++++++++++++++++++++++++++++++--------
 1 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/plugins/vcard_attachments/vcard_attachments.php b/plugins/vcard_attachments/vcard_attachments.php
index c9f843f..e7f7d5f 100644
--- a/plugins/vcard_attachments/vcard_attachments.php
+++ b/plugins/vcard_attachments/vcard_attachments.php
@@ -69,19 +69,24 @@
             $vcards = rcube_vcard::import($this->message->get_part_content($part, null, true));
 
             // successfully parsed vcards?
-            if (empty($vcards))
+            if (empty($vcards)) {
                 continue;
+            }
 
             // remove part's body
-            if (in_array($part, $this->vcard_bodies))
+            if (in_array($part, $this->vcard_bodies)) {
                 $p['content'] = '';
+            }
 
             foreach ($vcards as $idx => $vcard) {
-                $display = $vcard->displayname;
-                if ($vcard->email[0])
-                    $display .= ' <'.$vcard->email[0].'>';
+                // skip invalid vCards
+                if (empty($vcard->email) || empty($vcard->email[0])) {
+                    continue;
+                }
 
-                // add box below messsage body
+                $display = $vcard->displayname . ' <'.$vcard->email[0].'>';
+
+                // add box below message body
                 $p['content'] .= html::p(array('class' => 'vcardattachment'),
                     html::a(array(
                         'href' => "#",
@@ -108,7 +113,7 @@
      */
     function save_vcard()
     {
-	    $this->add_texts('localization', true);
+        $this->add_texts('localization', true);
 
         $uid = get_input_value('_uid', RCUBE_INPUT_POST);
         $mbox = get_input_value('_mbox', RCUBE_INPUT_POST);
@@ -128,7 +133,7 @@
         if ($part && ($vcards = rcube_vcard::import($part))
             && ($vcard = $vcards[$index]) && $vcard->displayname && $vcard->email
         ) {
-            $CONTACTS = $rcmail->get_address_book(null, true);
+            $CONTACTS = $this->get_address_book();
             $email    = $vcard->email[0];
             $contact  = $vcard->get_assoc();
             $valid    = true;
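Review bot: `$CONTACTS = $this->get_address_book()` is assigned without checking that an addressbook was actually obtained; the helper added in the last hunk falls back on `reset($rcmail->get_address_sources(true))`, which yields `false` when no writable source exists, so `$CONTACTS` can be a non-object at this point. Guard it before the contact is inserted, presumably by marking the request invalid: `if (!is_object($CONTACTS)) { $valid = false; }`. The lines that use `$CONTACTS` lie past the end of this hunk, so the exact placement cannot be confirmed from here.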
@@ -195,4 +200,29 @@
             )
         );
     }
+
+    /**
+     * Getter for default (writable) addressbook
+     */
+    private function get_address_book()
+    {
+        if ($this->abook) {
+            return $this->abook;
+        }
+
+        $rcmail = rcmail::get_instance();
+        $abook  = $rcmail->config->get('default_addressbook');
+
+        // Get configured addressbook
+        $CONTACTS = $rcmail->get_address_book($abook, true);
+
+        // Get first writeable addressbook if the configured doesn't exist
+        // This can happen when user deleted the addressbook (e.g. Kolab folder)
+        if ($abook === null || $abook === '' || !is_object($CONTACTS)) {
+            $source   = reset($rcmail->get_address_sources(true));
+            $CONTACTS = $rcmail->get_address_book($source['id'], true);
+        }
+
+        return $this->abook = $CONTACTS;
+    }
 }
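Review bot: `reset($rcmail->get_address_sources(true))` passes a function result by reference, which PHP reports as "Only variables should be passed by reference", and when the list is empty `$source` is `false`, so `$source['id']` is `null` and the second `get_address_book()` call receives no source id. Assign first and check: `$sources = $rcmail->get_address_sources(true);` / `$source = reset($sources);` / `$CONTACTS = $source ? $rcmail->get_address_book($source['id'], true) : null;`. Unless `$abook` is declared elsewhere in the class (not visible here), `$this->abook` is a dynamic property — add `private $abook;` next to the other properties. The docblock should also state that the method may return something other than an addressbook object when no writable source is configured, since `save_vcard()` in the `@@ -128,7 +133,7 @@` hunk relies on the result.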

--
Gitblit v1.9.1