From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/vcard_attachments/vcardattach.js |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/plugins/vcard_attachments/vcardattach.js b/plugins/vcard_attachments/vcardattach.js
new file mode 100644
index 0000000..29bc1a6
--- /dev/null
+++ b/plugins/vcard_attachments/vcardattach.js
@@ -0,0 +1,23 @@
+/*
+ * vcard_attachments plugin script
+ * @version @package_version@
+ */
+function plugin_vcard_save_contact(mime_id)
+{
+  var lock = rcmail.set_busy(true, 'loading');
+  rcmail.http_post('plugin.savevcard', { _uid: rcmail.env.uid, _mbox: rcmail.env.mailbox, _part: mime_id }, lock);
+
+  return false;
+}
+
+function plugin_vcard_insertrow(data)
+{
+  var ctype = data.row.ctype;
+  if (ctype == 'text/vcard' || ctype == 'text/x-vcard' || ctype == 'text/directory') {
+    $('#rcmrow'+data.uid+' > td.attachment').html('<img src="'+rcmail.env.vcard_icon+'" alt="" />');
+  }
+}
+
+if (window.rcmail && rcmail.gui_objects.messagelist) {
+  rcmail.addEventListener('insertrow', function(data, evt) { plugin_vcard_insertrow(data); });
+}

--
Gitblit v1.9.1