From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/lib/Roundcube/rcube.php | 121 +++++++++++++++++++++++++++++++++++-----
1 files changed, 106 insertions(+), 15 deletions(-)
diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
index 0eed6cf..d5f1d59 100644
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -2,8 +2,6 @@
/*
+-----------------------------------------------------------------------+
- | program/include/rcube.php |
- | |
| This file is part of the Roundcube Webmail client |
| Copyright (C) 2008-2012, The Roundcube Dev Team |
| Copyright (C) 2011-2012, Kolab Systems AG |
@@ -36,7 +34,7 @@
/**
* Singleton instace of rcube
*
- * @var rcmail
+ * @var rcube
*/
static protected $instance;
@@ -379,7 +377,7 @@
{
$storage = $this->get_storage();
- $storage->set_charset($this->config->get('default_charset', RCMAIL_CHARSET));
+ $storage->set_charset($this->config->get('default_charset', RCUBE_CHARSET));
if ($default_folders = $this->config->get('default_folders')) {
$storage->set_default_folders($default_folders);
@@ -407,6 +405,7 @@
$sess_domain = $this->config->get('session_domain');
$sess_path = $this->config->get('session_path');
$lifetime = $this->config->get('session_lifetime', 0) * 60;
+ $is_secure = $this->config->get('use_https') || rcube_utils::https_check();
// set session domain
if ($sess_domain) {
@@ -421,7 +420,7 @@
ini_set('session.gc_maxlifetime', $lifetime * 2);
}
- ini_set('session.cookie_secure', rcube_utils::https_check());
+ ini_set('session.cookie_secure', $is_secure);
ini_set('session.name', $sess_name ? $sess_name : 'roundcube_sessid');
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
@@ -436,6 +435,10 @@
$this->session->set_secret($this->config->get('des_key') . dirname($_SERVER['SCRIPT_NAME']));
$this->session->set_ip_check($this->config->get('ip_check'));
+
+ if ($this->config->get('session_auth_name')) {
+ $this->session->set_cookiename($this->config->get('session_auth_name'));
+ }
// start PHP session (if not in CLI mode)
if ($_SERVER['REMOTE_ADDR']) {
@@ -894,6 +897,30 @@
/**
+ * Quote a given string.
+ * Shortcut function for rcube_utils::rep_specialchars_output()
+ *
+ * @return string HTML-quoted string
+ */
+ public static function Q($str, $mode = 'strict', $newlines = true)
+ {
+ return rcube_utils::rep_specialchars_output($str, 'html', $mode, $newlines);
+ }
+
+
+ /**
+ * Quote a given string for javascript output.
+ * Shortcut function for rcube_utils::rep_specialchars_output()
+ *
+ * @return string JS-quoted string
+ */
+ public static function JQ($str)
+ {
+ return rcube_utils::rep_specialchars_output($str, 'js');
+ }
+
+
+ /**
* Construct shell command, execute it and return output as string.
* Keywords {keyword} are replaced with arguments
*
@@ -1051,14 +1078,20 @@
{
// handle PHP exceptions
if (is_object($arg) && is_a($arg, 'Exception')) {
- $err = array(
+ $arg = array(
'type' => 'php',
'code' => $arg->getCode(),
'line' => $arg->getLine(),
'file' => $arg->getFile(),
'message' => $arg->getMessage(),
);
- $arg = $err;
+ }
+ else if (is_string($arg)) {
+ $arg = array('message' => $arg, 'type' => 'php');
+ }
+
+ if (empty($arg['code'])) {
+ $arg['code'] = 500;
}
// installer
@@ -1068,14 +1101,24 @@
return;
}
- if (($log || $terminate) && $arg['type'] && $arg['message']) {
+ $cli = php_sapi_name() == 'cli';
+
+ if (($log || $terminate) && !$cli && $arg['type'] && $arg['message']) {
$arg['fatal'] = $terminate;
self::log_bug($arg);
}
- // display error page and terminate script
- if ($terminate && is_object(self::$instance->output)) {
- self::$instance->output->raise_error($arg['code'], $arg['message']);
+ // terminate script
+ if ($terminate) {
+ // display error page
+ if (is_object(self::$instance->output)) {
+ self::$instance->output->raise_error($arg['code'], $arg['message']);
+ }
+ else if ($cli) {
+ fwrite(STDERR, 'ERROR: ' . $arg['message']);
+ }
+
+ exit(1);
}
}
@@ -1114,7 +1157,7 @@
if (!self::write_log('errors', $log_entry)) {
// send error to PHPs error handler if write_log didn't succeed
- trigger_error($arg_arr['message']);
+ trigger_error($arg_arr['message'], E_USER_WARNING);
}
}
@@ -1203,16 +1246,64 @@
if (is_object($this->user)) {
return $this->user->get_username();
}
-
- return null;
+ else if (isset($_SESSION['username'])) {
+ return $_SESSION['username'];
+ }
}
+
+
+ /**
+ * Getter for logged user email (derived from user name not identity).
+ *
+ * @return string User email address
+ */
+ public function get_user_email()
+ {
+ if (is_object($this->user)) {
+ return $this->user->get_username('mail');
+ }
+ }
+
+
+ /**
+ * Getter for logged user password.
+ *
+ * @return string User password
+ */
+ public function get_user_password()
+ {
+ if ($this->password) {
+ return $this->password;
+ }
+ else if ($_SESSION['password']) {
+ return $this->decrypt($_SESSION['password']);
+ }
+ }
+
+
+ /**
+ * Getter for logged user language code.
+ *
+ * @return string User language code
+ */
+ public function get_user_language()
+ {
+ if (is_object($this->user)) {
+ return $this->user->language;
+ }
+ else if (isset($_SESSION['language'])) {
+ return $_SESSION['language'];
+ }
+ }
+
}
/**
* Lightweight plugin API class serving as a dummy if plugins are not enabled
*
- * @package Core
+ * @package Framework
+ * @subpackage Core
*/
class rcube_dummy_plugin_api
{
--
Gitblit v1.9.1