From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/vcard_attachments/vcardattach.js |   21 +++++++++++++++++----
 1 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/plugins/vcard_attachments/vcardattach.js b/plugins/vcard_attachments/vcardattach.js
index e03e508..29bc1a6 100644
--- a/plugins/vcard_attachments/vcardattach.js
+++ b/plugins/vcard_attachments/vcardattach.js
@@ -1,10 +1,23 @@
-
+/*
+ * vcard_attachments plugin script
+ * @version @package_version@
+ */
 function plugin_vcard_save_contact(mime_id)
 {
-  rcmail.set_busy(true, 'loading');
-  rcmail.http_post('plugin.savevcard', '_uid='+rcmail.env.uid+'&_mbox='+urlencode(rcmail.env.mailbox)+'&_part='+urlencode(mime_id), true);
-  
+  var lock = rcmail.set_busy(true, 'loading');
+  rcmail.http_post('plugin.savevcard', { _uid: rcmail.env.uid, _mbox: rcmail.env.mailbox, _part: mime_id }, lock);
+
   return false;
 }
 
+function plugin_vcard_insertrow(data)
+{
+  var ctype = data.row.ctype;
+  if (ctype == 'text/vcard' || ctype == 'text/x-vcard' || ctype == 'text/directory') {
+    $('#rcmrow'+data.uid+' > td.attachment').html('<img src="'+rcmail.env.vcard_icon+'" alt="" />');
+  }
+}
 
+if (window.rcmail && rcmail.gui_objects.messagelist) {
+  rcmail.addEventListener('insertrow', function(data, evt) { plugin_vcard_insertrow(data); });
+}
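Review bot: In `plugin_vcard_insertrow` the icon markup is built by string concatenation, so `rcmail.env.vcard_icon` is placed into the `src` attribute unescaped and `data.uid` is placed into the selector unescaped. Both values presumably come from the server as a skin path and a message UID, but nothing in this hunk enforces that, and a quote or markup character in either one would change the resulting HTML or the selector match. Setting the attribute through the DOM API removes that dependency for the icon: `$('#rcmrow'+data.uid+' > td.attachment').empty().append($('<img>').attr({src: rcmail.env.vcard_icon, alt: ''}));`. A short comment above the function stating where `data.row.ctype` and `data.uid` originate would also help, since the same function compares `ctype` with loose `==` where `===` would do.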

--
Gitblit v1.9.1