From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Oct 2013 08:17:26 -0400 Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) --- program/lib/Roundcube/rcube_mime.php | 113 ++++++++++++++++++++++++++++++-------------------------- 1 files changed, 61 insertions(+), 52 deletions(-) diff --git a/program/lib/Roundcube/rcube_mime.php b/program/lib/Roundcube/rcube_mime.php index 1e4fac8..572540f 100644 --- a/program/lib/Roundcube/rcube_mime.php +++ b/program/lib/Roundcube/rcube_mime.php @@ -127,10 +127,11 @@ * @param int $max List only this number of addresses * @param boolean $decode Decode address strings * @param string $fallback Fallback charset if none specified + * @param boolean $addronly Return flat array with e-mail addresses only * - * @return array Indexed list of addresses + * @return array Indexed list of addresses */ - static function decode_address_list($input, $max = null, $decode = true, $fallback = null) + static function decode_address_list($input, $max = null, $decode = true, $fallback = null, $addronly = false) { $a = self::parse_address_list($input, $decode, $fallback); $out = array(); 
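Review bot: The `@return` line in the decode_address_list() docblock still reads "Indexed list of addresses", although the new `$addronly` flag changes the element type: plain address strings when it is true, arrays otherwise (the body that builds them is in the next hunk). I would spell that out, e.g. `@return array Indexed list of addresses: arrays with 'name', 'mailto' and 'string' keys, or plain address strings if $addronly is true`. Separately, the subject line names a utils/save-prefs fix while the diffstat lists only rcube_mime.php, so that fix cannot be reviewed from this patch.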
@@ -145,20 +146,21 @@ foreach ($a as $val) { $j++; $address = trim($val['address']); - $name = trim($val['name']); - if ($name && $address && $name != $address) - $string = sprintf('%s <%s>', preg_match("/$special_chars/", $name) ? '"'.addcslashes($name, '"').'"' : $name, $address); - else if ($address) - $string = $address; - else if ($name) - $string = $name; + if ($addronly) { + $out[$j] = $address; + } + else { + $name = trim($val['name']); + if ($name && $address && $name != $address) + $string = sprintf('%s <%s>', preg_match("/$special_chars/", $name) ? '"'.addcslashes($name, '"').'"' : $name, $address); + else if ($address) + $string = $address; + else if ($name) + $string = $name; - $out[$j] = array( - 'name' => $name, - 'mailto' => $address, - 'string' => $string - ); + $out[$j] = array('name' => $name, 'mailto' => $address, 'string' => $string); + } if ($max && $j==$max) break; @@ -359,6 +361,11 @@ $address = $m[1]; $name = ''; } + // special case (#1489092) + else if (preg_match('/(\s*<MAILER-DAEMON>)$/', $val, $m)) { + $address = 'MAILER-DAEMON'; + $name = substr($val, 0, -strlen($m[1])); + } else { $name = $val; } @@ -476,9 +483,10 @@ $q_level = 0; foreach ($text as $idx => $line) { - if ($line[0] == '>') { - // remove quote chars, store level in $q - $line = preg_replace('/^>+/', '', $line, -1, $q); + if (preg_match('/^(>+)/', $line, $m)) { + // remove quote chars + $q = strlen($m[1]); + $line = preg_replace('/^>+/', '', $line); // remove (optional) space-staffing $line = preg_replace('/^ /', '', $line); 
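Review bot: In the new `$addronly` branch, `$out[$j] = $address;` stores the trimmed address even when it is empty, so a flat list that callers will presumably treat as recipients can contain `''` entries; the address parser in the @@ -359 hunk (presumably parse_address_list()) has a branch that sets only `$name`. Guarding the assignment with `if ($address !== '')` would keep the list usable without further filtering, at the cost of gaps in the `$j` keys. In the else branch `$string` is assigned only when a name or an address is present, so should an entry have neither it reuses the value left over from the previous iteration; `$string = '';` before the `if` chain fixes that. The loop and the function body start and end outside this hunk.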
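Review bot: The comment `// special case (#1489092)` on the new branch gives only a ticket number, while the branch produces an address with no domain part: `$address = 'MAILER-DAEMON'`. Code that consumes the 'mailto' value or the `$addronly` list should not assume every entry has the user@domain form, and the comment is the place to say so, e.g. `// special case: "<MAILER-DAEMON>" has no @domain, accept it as the address (#1489092)`. The match is also case-sensitive, so `<mailer-daemon>` still falls through to the name-only branch; whether that is intended is not visible here. The enclosing function starts and ends outside the hunk.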
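Review bot: The shortened comment `// remove quote chars` no longer mentions that `$q` is computed here, and nothing explains why the count argument of preg_replace() was dropped. Since `/^>+/` can match at most once per line, that count could never be the quote depth, which is why `strlen($m[1])` is needed; a comment such as `// quote level = number of leading '>' chars (preg_replace()'s count is the number of matches, not of characters)` would keep someone from simplifying it back. The same applies to `$level` in the @@ -541 hunk. Both loops start and end outside their hunks.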
@@ -541,9 +549,10 @@ foreach ($text as $idx => $line) { if ($line != '-- ') { - if ($line[0] == '>') { - // remove quote chars, store level in $level - $line = preg_replace('/^>+/', '', $line, -1, $level); + if (preg_match('/^(>+)/', $line, $m)) { + // remove quote chars + $level = strlen($m[1]); + $line = preg_replace('/^>+/', '', $line); // remove (optional) space-staffing and spaces before the line end $line = preg_replace('/(^ | +$)/', '', $line); $prefix = str_repeat('>', $level) . ' '; @@ -578,23 +587,20 @@ */ public static function wordwrap($string, $width=75, $break="\n", $cut=false, $charset=null, $wrap_quoted=true) { - if (!$charset) { - $charset = RCUBE_CHARSET; - } + // Note: Never try to use iconv instead of mbstring functions here + // Iconv's substr/strlen are 100x slower (#1489113) - // detect available functions - $strlen_func = function_exists('iconv_strlen') ? 'iconv_strlen' : 'mb_strlen'; - $strpos_func = function_exists('iconv_strpos') ? 'iconv_strpos' : 'mb_strpos'; - $strrpos_func = function_exists('iconv_strrpos') ? 'iconv_strrpos' : 'mb_strrpos'; - $substr_func = function_exists('iconv_substr') ? 'iconv_substr' : 'mb_substr'; + if ($charset && $charset != RCUBE_CHARSET && function_exists('mb_internal_encoding')) { + mb_internal_encoding($charset); + } // Convert \r\n to \n, this is our line-separator $string = str_replace("\r\n", "\n", $string); $separator = "\n"; // must be 1 character length $result = array(); - while (($stringLength = $strlen_func($string, $charset)) > 0) { - $breakPos = $strpos_func($string, $separator, 0, $charset); + while (($stringLength = mb_strlen($string)) > 0) { + $breakPos = mb_strpos($string, $separator, 0); // quoted line (do not wrap) if ($wrap_quoted && $string[0] == '>') { @@ -603,7 +609,7 @@ $cutLength = null; } else { - $subString = $substr_func($string, 0, $breakPos, $charset); + $subString = mb_substr($string, 0, $breakPos); $cutLength = $breakPos + 1; } } 
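Review bot: `mb_internal_encoding($charset)` changes a process-wide setting and its result is not checked, while `$charset` may well originate from a message header. If the name is not one mbstring accepts, the call fails and the loop measures the text in whatever encoding was active; the restore in the @@ -672 hunk also resets to `RCUBE_CHARSET` rather than to the previous value, and it is skipped if anything throws in between. I would remember the old value with `$prev = mb_internal_encoding();`, switch only when the call succeeds, and restore with `mb_internal_encoding($prev);`. The `function_exists('mb_internal_encoding')` guard is also inconsistent with the unconditional `mb_strlen()`/`mb_strpos()` calls below it, which need mbstring in any case. wordwrap() continues past the end of this hunk.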
@@ -614,55 +620,54 @@ $cutLength = null; } else { - $subString = $substr_func($string, 0, $breakPos, $charset); + $subString = mb_substr($string, 0, $breakPos); $cutLength = $breakPos + 1; } } else { - $subString = $substr_func($string, 0, $width, $charset); + $subString = mb_substr($string, 0, $width); // last line - if ($subString === $string) { + if ($breakPos === false && $subString === $string) { $cutLength = null; } else { - $nextChar = $substr_func($string, $width, 1, $charset); + $nextChar = mb_substr($string, $width, 1); if ($nextChar === ' ' || $nextChar === $separator) { - $afterNextChar = $substr_func($string, $width + 1, 1, $charset); + $afterNextChar = mb_substr($string, $width + 1, 1); if ($afterNextChar === false) { $subString .= $nextChar; } - $cutLength = $strlen_func($subString, $charset) + 1; + $cutLength = mb_strlen($subString) + 1; } else { - if ($strrpos_func[0] == 'm') { - $spacePos = $strrpos_func($subString, ' ', 0, $charset); - } - else { - $spacePos = $strrpos_func($subString, ' ', $charset); - } + $spacePos = mb_strrpos($subString, ' ', 0); if ($spacePos !== false) { - $subString = $substr_func($subString, 0, $spacePos, $charset); + $subString = mb_substr($subString, 0, $spacePos); $cutLength = $spacePos + 1; } + else if ($cut === false && $breakPos === false) { + $subString = $string; + $cutLength = null; + } else if ($cut === false) { - $spacePos = $strpos_func($string, ' ', 0, $charset); + $spacePos = mb_strpos($string, ' ', 0); - if ($spacePos !== false) { - $subString = $substr_func($string, 0, $spacePos, $charset); + if ($spacePos !== false && $spacePos < $breakPos) { + $subString = mb_substr($string, 0, $spacePos); $cutLength = $spacePos + 1; } else { - $subString = $string; - $cutLength = null; + $subString = mb_substr($string, 0, $breakPos); + $cutLength = $breakPos + 1; } } else { - $subString = $substr_func($subString, 0, $width, $charset); + $subString = mb_substr($subString, 0, $width); $cutLength = $width; } } 
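Review bot: The check `if ($afterNextChar === false)` can no longer succeed now that `$afterNextChar` always comes from `mb_substr()`, which normally returns an empty string, not `false`, when the offset is past the end of the string. The `$subString .= $nextChar;` line is therefore dead, and a trailing space or separator at the very end of the input appears to be dropped instead of kept. Comparing with `if ($afterNextChar === false || $afterNextChar === '')` restores the branch. The surrounding while loop starts and ends outside this hunk.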
@@ -672,11 +677,15 @@ $result[] = $subString; if ($cutLength !== null) { - $string = $substr_func($string, $cutLength, ($stringLength - $cutLength), $charset); + $string = mb_substr($string, $cutLength, ($stringLength - $cutLength)); } else { break; } + } + + if ($charset && $charset != RCUBE_CHARSET && function_exists('mb_internal_encoding')) { + mb_internal_encoding(RCUBE_CHARSET); } return implode($break, $result); @@ -786,7 +795,7 @@ } foreach ($file_paths as $fp) { - if (is_readable($fp)) { + if (@is_readable($fp)) { $lines = file($fp, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); break; } -- Gitblit v1.9.1
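Review bot: The result of `file($fp, ...)` is used without a check: `is_readable()` passing does not guarantee that the read succeeds, and on failure `$lines` is `false` while the `break` stops the loop from trying the remaining paths. The added `@` additionally hides whatever warning `is_readable()` raised (presumably an open_basedir restriction), so a misconfigured path fails silently. I would break only on success, `$lines = file($fp, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); if ($lines !== false) break;`, and add a comment saying which warning the `@` is meant to silence. The enclosing function starts and ends outside the hunk.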