From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/include/rcmail.php | 97 ++++++++++++++++++++++++++++++++++--------------
 1 files changed, 68 insertions(+), 29 deletions(-)
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 3a8c62c..01f7d1c 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -56,8 +56,6 @@
 private $action_map = array();
- const JS_OBJECT_NAME = 'rcmail';
-
 const ERROR_STORAGE = -2;
 const ERROR_INVALID_REQUEST = 1;
 const ERROR_INVALID_HOST = 2;
@@ -100,7 +98,10 @@
 // reset some session parameters when changing task
 if ($this->task != 'utils') {
- if ($this->session && $_SESSION['task'] != $this->task)
+ // we reset list page when switching to another task
+ // but only to the main task interface - empty action (#1489076)
+ // this will prevent from unintentional page reset on cross-task requests
+ if ($this->session && $_SESSION['task'] != $this->task && empty($this->action))
 $this->session->remove('page');
 // set current task to session
 $_SESSION['task'] = $this->task;
@@ -227,6 +228,11 @@
 }
 if (!$contacts) {
+ // there's no default, just return
+ if ($default) {
+ return null;
+ }
+
 self::raise_error(array(
 'code' => 700, 'type' => 'php',
 'file' => __FILE__, 'line' => __LINE__,
@@ -247,6 +253,23 @@
 }
 return $contacts;
+ }
+
+
+ /**
+ * Return identifier of the address book object
+ *
+ * @param rcube_addressbook Addressbook source object
+ *
+ * @return string Source identifier
+ */
+ public function get_address_book_id($object)
+ {
+ foreach ($this->address_books as $index => $book) {
+ if ($book === $object) {
+ return $index;
+ }
+ }
 }
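Review bot: The new `if ($default) { return null; }` in the `@@ -227` hunk makes the enclosing method return null whenever the default address book was requested but no source was found, and the method's docblock and signature sit outside the hunk, so its advertised return type should gain the nullable case, e.g. `@return object|null Address book object, or null when the default book was requested but none is configured`. The comment `// there's no default, just return` reads as if nothing happens; `// the default address book was requested but does not exist, let the caller decide` says what the null means. Callers that previously relied on raise_error() being hit here now need a null check, which is worth a sentence in the commit description too.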
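Review bot: `get_address_book_id()` in the `@@ -247` hunk falls off the end of the foreach when no entry of `$this->address_books` is identical to `$object`, so it implicitly yields null while the docblock promises `@return string Source identifier`; add an explicit `return null;` after the loop and change the tag to `@return string|null Source identifier, null if the object is not a registered address book`. The index is whatever key `$this->address_books` is built with, which is not visible here, so `string` is an assumption to confirm. Since `===` means only the registered instance matches (not an equal-looking object), a one-line comment `// identity comparison: only the instance registered in address_books matches` would prevent readers from expecting an id-based lookup.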
@@ -289,7 +312,7 @@
 $list[$id] = array(
 'id' => $id,
 'name' => html::quote($prop['name']),
- 'groups' => is_array($prop['groups']),
+ 'groups' => !empty($prop['groups']) || !empty($prop['group_filters']),
 'readonly' => !$prop['writable'],
 'hidden' => $prop['hidden'],
 'autocomplete' => in_array($id, $autocomplete)
@@ -321,17 +344,17 @@
 /**
 * Init output object for GUI and add common scripts.
- * This will instantiate a rcube_output_html object and set
+ * This will instantiate a rcmail_output_html object and set
 * environment vars according to the current session and configuration
 *
 * @param boolean True if this request is loaded in a (i)frame
- * @return rcube_output_html Reference to HTML output object
+ * @return rcube_output Reference to HTML output object
 */
 public function load_gui($framed = false)
 {
 // init output page
- if (!($this->output instanceof rcube_output_html))
- $this->output = new rcube_output_html($this->task, $framed);
+ if (!($this->output instanceof rcmail_output_html))
+ $this->output = new rcmail_output_html($this->task, $framed);
 // set refresh interval
 $this->output->set_env('refresh_interval', $this->config->get('refresh_interval', 0));
@@ -357,12 +380,12 @@
 /**
 * Create an output object for JSON responses
 *
- * @return rcube_output_json Reference to JSON output object
+ * @return rcube_output Reference to JSON output object
 */
 public function json_init()
 {
- if (!($this->output instanceof rcube_output_json))
- $this->output = new rcube_output_json($this->task);
+ if (!($this->output instanceof rcmail_output_json))
+ $this->output = new rcmail_output_json($this->task);
 return $this->output;
 }
@@ -936,15 +959,30 @@
 * @param object $message Reference to Mail_MIME object
 * @param string $from Sender address string
 * @param array $mailto Array of recipient address strings
- * @param array $smtp_error SMTP error array (reference)
+ * @param array $error SMTP error array (reference)
 * @param string $body_file Location of file with saved message body (reference),
 * used when delay_file_io is enabled
- * @param array $smtp_opts SMTP options (e.g. DSN request)
+ * @param array $options SMTP options (e.g. DSN request)
 *
 * @return boolean Send status.
 */
- public function deliver_message(&$message, $from, $mailto, &$smtp_error, &$body_file = null, $smtp_opts = null)
+ public function deliver_message(&$message, $from, $mailto, &$error, &$body_file = null, $options = null)
 {
+ $plugin = $this->plugins->exec_hook('message_before_send', array(
+ 'message' => $message,
+ 'from' => $from,
+ 'mailto' => $mailto,
+ 'options' => $options,
+ ));
+
+ if ($plugin['abort']) {
+ return isset($plugin['result']) ? $plugin['result'] : false;
+ }
+
+ $from = $plugin['from'];
+ $mailto = $plugin['mailto'];
+ $options = $plugin['options'];
+ $message = $plugin['message'];
 $headers = $message->headers();
 // send thru SMTP server using custom SMTP library
@@ -987,15 +1025,15 @@
 $this->smtp_init(true);
 }
- $sent = $this->smtp->send_mail($from, $a_recipients, $smtp_headers, $msg_body, $smtp_opts);
- $smtp_response = $this->smtp->get_response();
- $smtp_error = $this->smtp->get_error();
+ $sent = $this->smtp->send_mail($from, $a_recipients, $smtp_headers, $msg_body, $options);
+ $response = $this->smtp->get_response();
+ $error = $this->smtp->get_error();
 // log error
 if (!$sent) {
 self::raise_error(array('code' => 800, 'type' => 'smtp', 'line' => __LINE__, 'file' => __FILE__,
- 'message' => "SMTP error: ".join("\n", $smtp_response)), TRUE, FALSE);
+ 'message' => "SMTP error: ".join("\n", $response)), TRUE, FALSE);
 }
 }
 // send mail using PHP's mail() function
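Review bot: When the `message_before_send` hook aborts, the new early return in `deliver_message()` hands back `$plugin['result']` or false but leaves the by-reference `$error` parameter untouched, so a caller that reports `$error` after a false result has nothing (or a stale value) to show for a plugin-initiated abort; either populate `$error` from the hook data before returning or state in the docblock that `$error` is only set for SMTP failures. The docblock above the signature also says nothing about the hook; a line such as `Plugins may alter from/mailto/options/message or abort delivery via the message_before_send hook` would tell callers that the `$message` they passed by reference can be replaced. `$plugin['abort']` is read without `isset()`, which only holds if `exec_hook()` always seeds that key — worth confirming. The method body continues well past the hunk.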
@@ -1037,7 +1075,7 @@
 $subject = str_replace("\r\n", $delim, $subject);
 }
- if (ini_get('safe_mode'))
+ if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
 $sent = mail($to, $subject, $msg_body, $header_str);
 else
 $sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
@@ -1063,7 +1101,7 @@
 $this->user->get_username(),
 $_SERVER['REMOTE_ADDR'],
 $mailto,
- !empty($smtp_response) ? join('; ', $smtp_response) : ''));
+ !empty($response) ? join('; ', $response) : ''));
 }
 }
@@ -1397,6 +1435,7 @@
 $js_mailboxlist = array();
 $out = html::tag('ul', $attrib, $rcmail->render_folder_tree_html($a_mailboxes, $mbox_name, $js_mailboxlist, $attrib), html::$common_attrib);
+ $rcmail->output->include_script('treelist.js');
 $rcmail->output->add_gui_object('mailboxlist', $attrib['id']);
 $rcmail->output->set_env('mailboxes', $js_mailboxlist);
 $rcmail->output->set_env('unreadwrap', $attrib['unreadwrap']);
@@ -1566,7 +1605,7 @@
 $html_name = $this->Q($foldername) . ($unread ? html::span('unreadcount', sprintf($attrib['unreadwrap'], $unread)) : '');
 $link_attrib = $folder['virtual'] ? array() : array(
 'href' => $this->url(array('_mbox' => $folder['id'])),
- 'onclick' => sprintf("return %s.command('list','%s',this)", rcmail::JS_OBJECT_NAME, $js_name),
+ 'onclick' => sprintf("return %s.command('list','%s',this)", rcmail_output::JS_OBJECT_NAME, $js_name),
 'rel' => $folder['id'],
 'title' => $title,
 );
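Review bot: The rewritten `'onclick'` line in the `@@ -1566` hunk interpolates `$js_name` into a JavaScript string literal inside an HTML attribute, and where `$js_name` is derived from the folder name lies outside the hunk, so confirm it is JavaScript-string-escaped before this point; the attribute quoting presumably done by `html::a()` covers the HTML layer only, not the embedded JS string. If it is already escaped, a comment above the array, `// $js_name must be JS-escaped; html::a() only quotes the attribute`, would make the two escaping layers explicit for the next edit. The enclosing method starts before and ends after this hunk.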
@@ -1575,14 +1614,13 @@
 'id' => "rcmli".$folder_id,
 'class' => join(' ', $classes),
 'noclose' => true),
- html::a($link_attrib, $html_name) .
- (!empty($folder['folders']) ? html::div(array(
- 'class' => ($is_collapsed ? 'collapsed' : 'expanded'),
- 'style' => "position:absolute",
- 'onclick' => sprintf("%s.command('collapse-folder', '%s')", rcmail::JS_OBJECT_NAME, $js_name)
- ), ' ') : ''));
+ html::a($link_attrib, $html_name));
- $jslist[$folder_id] = array(
+ if (!empty($folder['folders'])) {
+ $out .= html::div('treetoggle ' . ($is_collapsed ? 'collapsed' : 'expanded'), ' ');
+ }
+
+ $jslist[$folder['id']] = array(
 'id' => $folder['id'],
 'name' => $foldername,
 'virtual' => $folder['virtual']
@@ -1917,7 +1955,8 @@
 public function upload_init()
 {
 // Enable upload progress bar
- if (($seconds = $this->config->get('upload_progress')) && ini_get('apc.rfc1867')) {
+ $rfc1867 = filter_var(ini_get('apc.rfc1867'), FILTER_VALIDATE_BOOLEAN);
+ if ($rfc1867 && ($seconds = $this->config->get('upload_progress'))) {
 if ($field_name = ini_get('apc.rfc1867_name')) {
 $this->output->set_env('upload_progress_name', $field_name);
 $this->output->set_env('upload_progress_time', (int) $seconds);
--
Gitblit v1.9.1
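Review bot: The `$jslist` key changes from `$folder_id` to `$folder['id']` while the `<li>` id a few lines above still uses `"rcmli".$folder_id`, so the element id and the `mailboxes` env key no longer necessarily agree; how `$folder_id` is derived from `$folder['id']` is outside the hunk, so confirm that the JavaScript consumer of `mailboxes` (and the new treelist.js) looks folders up by the raw id rather than by the element id suffix. A short comment on the new line, `// keyed by raw folder id; the <li> id carries the encoded form`, would record the intent. The enclosing method starts and ends outside the hunk.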