From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/copy.inc |   32 +++++++++++++++++++++++---------
 1 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/program/steps/addressbook/copy.inc b/program/steps/addressbook/copy.inc
index 1e4e753..59b4ffc 100644
--- a/program/steps/addressbook/copy.inc
+++ b/program/steps/addressbook/copy.inc
@@ -6,7 +6,10 @@
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2007, The Roundcube Dev Team                            |
- | Licensed under the GNU GPL                                            |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
  |                                                                       |
  | PURPOSE:                                                              |
  |   Copy a contact record from one direcotry to another                 |
@@ -14,9 +17,6 @@
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
-
- $Id: copy.inc 471 2007-02-09 21:25:50Z thomasb $
-
 */
 
 // only process ajax requests
@@ -28,8 +28,9 @@
 $target       = get_input_value('_to', RCUBE_INPUT_POST);
 $target_group = get_input_value('_togid', RCUBE_INPUT_POST);
 
-$success = 0;
-$maxnum  = $RCMAIL->config->get('max_group_members', 0);
+$success  = 0;
+$errormsg = 'copyerror';
+$maxnum   = $RCMAIL->config->get('max_group_members', 0);
 
 foreach ($cids as $source => $cid)
 {
@@ -56,8 +57,18 @@
     foreach ($cid as $cid) {
         $a_record = $CONTACTS->get_record($cid, true);
 
-        // check if contact exists, if so, we'll need it's ID
-        $result = $TARGET->search('email', $a_record['email'], true, true);
+        // avoid copying groups
+        if ($a_record['_type'] == 'group')
+            continue;
+
+        // Check if contact exists, if so, we'll need it's ID
+        // Note: Some addressbooks allows empty email address field
+        if (!empty($a_record['email']))
+            $result = $TARGET->search('email', $a_record['email'], 1, true, true);
+        else if (!empty($a_record['name']))
+            $result = $TARGET->search('name', $a_record['name'], 1, true, true);
+        else
+            $result = new rcube_result_set();
 
         // insert contact record
         if (!$result->count) {
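Review bot: `$a_record` is dereferenced at the new `_type` check without confirming that `get_record()` returned a record; if it returned nothing, both `empty()` tests fail, `$result` becomes a fresh `rcube_result_set`, and, judging by the `if (!$result->count)` that follows, the empty record goes down the insert path. A guard such as `if (empty($a_record) || $a_record['_type'] === 'group') continue;` would skip it and make the type comparison strict. The name-only fallback also treats two distinct contacts that share a name and have no email as the same entry, which deserves a comment next to the `search('name', ...)` call. The loop body continues outside this hunk. Separately, none of the hunks in this patch touch the `_session` argument or `utils/save-prefs` named in the subject, so that fix cannot be reviewed from this diff.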
@@ -78,6 +89,7 @@
         else {
             $record = $result->first();
             $ids[] = $record['ID'];
+            $errormsg = empty($a_record['email']) ? 'contactnameexists' : 'contactexists';
         }
     }
 
@@ -101,11 +113,13 @@
         else if ($plugin['result']) {
             $success = $plugin['result'];
         }
+
+        $errormsg = $plugin['message'] ? $plugin['message'] : 'copyerror';
     }
 }
 
 if ($success == 0)
-    $OUTPUT->show_message('copyerror', 'error');
+    $OUTPUT->show_message($errormsg, 'error');
 else
     $OUTPUT->show_message('copysuccess', 'notice', array('nr' => $success));
 
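Review bot: The added `$errormsg = $plugin['message'] ? $plugin['message'] : 'copyerror';` overwrites whatever was set earlier, so the `contactexists` / `contactnameexists` value assigned in the previous hunk is replaced by the generic `copyerror` whenever this branch runs and the plugin supplies no message. Assigning only when a message is present keeps the more specific text and avoids reading an unset array key: `if (!empty($plugin['message'])) $errormsg = $plugin['message'];`. The block this line sits in opens outside the hunk, so whether it runs on every copy or only for some targets should be confirmed. Since `$plugin['message']` now reaches `show_message()`, a short comment stating whether plugins are expected to return a label name or display text would help.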

--
Gitblit v1.9.1