From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/steps/addressbook/delete.inc | 223 +++++++++++++++++++++++++++++++++++--------------------
1 files changed, 142 insertions(+), 81 deletions(-)
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc
index 789d841..5611858 100644
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@@ -4,9 +4,12 @@
+-----------------------------------------------------------------------+
| program/steps/addressbook/delete.inc |
| |
- | This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005, RoundCube Dev. - Switzerland |
- | Licensed under the GNU GPL |
+ | This file is part of the Roundcube Webmail client |
+ | Copyright (C) 2005-2009, The Roundcube Dev Team |
+ | |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
| |
| PURPOSE: |
| Delete the submitted contacts (CIDs) from the users address book |
@@ -14,91 +17,149 @@
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
+-----------------------------------------------------------------------+
-
- $Id$
-
*/
-$REMOTE_REQUEST = TRUE;
+// process ajax requests only
+if (!$OUTPUT->ajax_call)
+ return;
-if ($_GET['_cid'])
- {
- $DB->query(sprintf("UPDATE %s
- SET del='1'
- WHERE user_id=%d
- AND contact_id IN (%s)",
- get_table_name('contacts'),
- $_SESSION['user_id'],
- $_GET['_cid']));
-
- $count = $DB->affected_rows();
- if (!$count)
- {
- // send error message
- exit;
- }
+$cids = rcmail_get_cids();
+$delcnt = 0;
+// remove previous deletes
+$undo_time = $RCMAIL->config->get('undo_timeout', 0);
+$RCMAIL->session->remove('contact_undo');
- // count contacts for this user
- $sql_result = $DB->query(sprintf("SELECT COUNT(contact_id) AS rows
- FROM %s
- WHERE del!='1'
- AND user_id=%d",
- get_table_name('contacts'),
- $_SESSION['user_id']));
-
- $sql_arr = $DB->fetch_assoc($sql_result);
- $rowcount = $sql_arr['rows'];
+foreach ($cids as $source => $cid)
+{
+ $CONTACTS = rcmail_contact_source($source);
- // update message count display
- $pages = ceil($rowcount/$CONFIG['pagesize']);
- $commands = sprintf("this.set_rowcount('%s');\n", rcmail_get_rowcount_text($rowcount));
- $commands .= sprintf("this.set_env('pagecount', %d);\n", $pages);
-
-
- // add new rows from next page (if any)
- if ($_GET['_from']!='show' && $pages>1 && $_SESSION['page'] < $pages)
- {
- $start_row = ($_SESSION['page'] * $CONFIG['pagesize']) - $count;
-
- // get contacts from DB
- $sql_result = $DB->query(sprintf("SELECT * FROM %s
- WHERE del!='1'
- AND user_id=%d
- ORDER BY name
- LIMIT %d, %d",
- get_table_name('contacts'),
- $_SESSION['user_id'],
- $start_row,
- $count));
-
- $commands .= rcmail_js_contacts_list($sql_result);
-
-/*
- // define list of cols to be displayed
- $a_show_cols = array('name', 'email');
-
- while ($sql_arr = $DB->fetch_assoc($sql_result))
- {
- $a_row_cols = array();
-
- // format each col
- foreach ($a_show_cols as $col)
- {
- $cont = rep_specialchars_output($sql_arr[$col]);
- $a_row_cols[$col] = $cont;
+ if ($CONTACTS->readonly) {
+ // more sources? do nothing, probably we have search results from
+ // more than one source, some of these sources can be readonly
+ if (count($cids) == 1) {
+ $OUTPUT->show_message('contactdelerror', 'error');
+ $OUTPUT->command('list_contacts');
+ $OUTPUT->send();
}
-
- $commands .= sprintf("this.add_contact_row(%s, %s);\n",
- $sql_arr['contact_id'],
- array2js($a_row_cols));
- }
-*/
+ continue;
}
- // send response
- rcube_remote_response($commands);
- }
+ $plugin = $RCMAIL->plugins->exec_hook('contact_delete', array(
+ 'id' => $cid, 'source' => $source));
-exit;
-?>
\ No newline at end of file
+ $deleted = !$plugin['abort'] ? $CONTACTS->delete($cid, $undo_time < 1) : $plugin['result'];
+
+ if (!$deleted) {
+ $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'contactdelerror', 'error');
+ $OUTPUT->command('list_contacts');
+ $OUTPUT->send();
+ }
+ else {
+ $delcnt += $deleted;
+
+ // store deleted contacts IDs in session for undo action
+ if ($undo_time > 0 && $CONTACTS->undelete) {
+ $_SESSION['contact_undo']['data'][$source] = $cid;
+ }
+ }
+}
+
+$page = isset($_SESSION['page']) ? $_SESSION['page'] : 1;
+
+// update saved search after data changed
+if (($search_request = $_REQUEST['_search']) && isset($_SESSION['search'][$search_request])) {
+ $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
+ $afields = $RCMAIL->config->get('contactlist_fields');
+ $search = (array)$_SESSION['search'][$search_request];
+ $records = array();
+
+ // Get records from all sources (refresh search)
+ foreach ($search as $s => $set) {
+ $source = $RCMAIL->get_address_book($s);
+
+ // reset page
+ $source->set_page(1);
+ $source->set_pagesize(9999);
+ $source->set_search_set($set);
+
+ // get records
+ $result = $source->list_records($afields);
+
+ if (!$result->count) {
+ unset($search[$s]);
+ continue;
+ }
+
+ while ($row = $result->next()) {
+ $row['sourceid'] = $s;
+ $key = rcube_addressbook::compose_contact_key($row, $sort_col);
+ $records[$key] = $row;
+ }
+ unset($result);
+
+ $search[$s] = $source->get_search_set();
+ }
+
+ $_SESSION['search'][$search_request] = $search;
+
+ // create resultset object
+ $count = count($records);
+ $first = ($page-1) * $PAGE_SIZE;
+ $result = new rcube_result_set($count, $first);
+
+ // get records from the next page to add to the list
+ $pages = ceil((count($records) + $delcnt) / $PAGE_SIZE);
+ if ($_GET['_from'] != 'show' && $pages > 1 && $page < $pages) {
+ // sort the records
+ ksort($records, SORT_LOCALE_STRING);
+
+ $first += $PAGE_SIZE;
+ // create resultset object
+ $res = new rcube_result_set($count, $first - $delcnt);
+
+ if ($PAGE_SIZE < $count) {
+ $records = array_slice($records, $first - $delcnt, $delcnt);
+ }
+
+ $res->records = array_values($records);
+ $records = $res;
+ }
+ else {
+ unset($records);
+ }
+}
+else {
+ // count contacts for this user
+ $result = $CONTACTS->count();
+
+ // get records from the next page to add to the list
+ $pages = ceil(($result->count + $delcnt) / $PAGE_SIZE);
+ if ($_GET['_from'] != 'show' && $pages > 1 && $page < $pages) {
+ $CONTACTS->set_page($page);
+ $records = $CONTACTS->list_records(null, -$delcnt);
+ }
+}
+
+// update message count display
+$OUTPUT->set_env('pagecount', ceil($result->count / $PAGE_SIZE));
+$OUTPUT->command('set_rowcount', rcmail_get_rowcount_text($result));
+
+if (!empty($_SESSION['contact_undo'])) {
+ $_SESSION['contact_undo']['ts'] = time();
+ $msg = html::span(null, rcube_label('contactdeleted'))
+ . ' ' . html::a(array('onclick' => JS_OBJECT_NAME.".command('undo', '', this)"), rcube_label('undo'));
+
+ $OUTPUT->show_message($msg, 'confirmation', null, true, $undo_time);
+}
+else {
+ $OUTPUT->show_message('contactdeleted', 'confirmation');
+}
+
+// add new rows from next page (if any)
+if (!empty($records)) {
+ rcmail_js_contacts_list($records);
+}
+
+// send response
+$OUTPUT->send();
--
Gitblit v1.9.1