From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/edit.inc |   53 ++++++++++++++++++++++++++++++++---------------------
 1 files changed, 32 insertions(+), 21 deletions(-)

diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index 1dde84a..7ddd3e5 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -6,7 +6,10 @@
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2005-2007, The Roundcube Dev Team                       |
- | Licensed under the GNU GPL                                            |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
  |                                                                       |
  | PURPOSE:                                                              |
  |   Show edit form for a contact entry or to add a new one              |
@@ -14,9 +17,6 @@
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
-
- $Id$
-
 */
 
 if ($RCMAIL->action == 'edit') {
@@ -33,8 +33,8 @@
         $OUTPUT->set_env('cid', $record['ID']);
     }
 
-    // adding not allowed here
-    if ($CONTACTS->readonly) {
+    // editing not allowed here
+    if ($CONTACTS->readonly || $record['readonly']) {
         $OUTPUT->show_message('sourceisreadonly');
         rcmail_overwrite_action('show');
         return;
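Review bot: The extended check `if ($CONTACTS->readonly || $record['readonly'])` reads the `readonly` key unconditionally, so a record array that simply lacks the key triggers a PHP notice (whether every backend sets it cannot be seen from this hunk). The intent is "block when the flag is set", which `if ($CONTACTS->readonly || !empty($record['readonly']))` expresses without relying on the key being present. The `if ($RCMAIL->action == 'edit')` block this belongs to starts before the hunk and closes after it.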
@@ -43,16 +43,14 @@
 else {
     $source = get_input_value('_source', RCUBE_INPUT_GPC);
 
-    if (!strlen($source)) {
-        // Give priority to configured default
-        $source = $RCMAIL->config->get('default_addressbook');
+    if (strlen($source)) {
+        $CONTACTS = $RCMAIL->get_address_book($source, true);
     }
 
-    $CONTACTS = $RCMAIL->get_address_book($source, true);
-
-    // find writable addressbook
-    if (!$CONTACTS || $CONTACTS->readonly)
-        $source = rcmail_default_source(true);
+    if (!$CONTACTS || $CONTACTS->readonly) {
+        $CONTACTS = $RCMAIL->get_address_book(-1, true);
+        $source   = $RCMAIL->get_address_book_id($CONTACTS);
+    }
 
     // Initialize addressbook
     $CONTACTS = rcmail_contact_source($source, true);
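Review bot: When `_source` is empty, `$CONTACTS` is tested on the `if (!$CONTACTS || $CONTACTS->readonly)` line without this branch having assigned it, so the result depends on whatever value the variable carries from earlier in the file, which is not visible here; and the fallback `$RCMAIL->get_address_book(-1, true)` is passed straight to `get_address_book_id()` and `rcmail_contact_source()` without a check, so an installation with no writable address book (if that can happen) proceeds on an empty book. A one-line guard after the fallback, such as `if (!$CONTACTS) { $OUTPUT->show_message('sourceisreadonly'); return; }` (reusing the message the edit branch already uses), would make the failure explicit. A comment on the magic argument, e.g. `// -1: ask rcmail for its default writable address book — confirm against get_address_book()`, would also help, since the meaning of `-1` is not stated anywhere in the hunk. The `else` block starts at the hunk's first line and continues past it.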
@@ -116,9 +114,6 @@
     global $RCMAIL, $CONTACT_COLTYPES;
 
     $record = rcmail_get_edit_record();
-
-    // add some labels to client
-    $RCMAIL->output->add_label('noemailwarning', 'nonamewarning');
 
     // copy (parsed) address template to client
     if (preg_match_all('/\{([a-z0-9]+)\}([^{]*)/i', $RCMAIL->config->get('address_template', ''), $templ, PREG_SET_ORDER))
@@ -242,16 +237,17 @@
 {
     global $RCMAIL, $SOURCE_ID;
 
-    $sources_list = $RCMAIL->get_address_sources(true);
+    $sources_list = $RCMAIL->get_address_sources(true, true);
 
     if (count($sources_list) < 2) {
         $source = $sources_list[$SOURCE_ID];
         $hiddenfield = new html_hiddenfield(array('name' => '_source', 'value' => $SOURCE_ID));
-        return html::span($attrib, Q($source['name']) . $hiddenfield->show());
+        return html::span($attrib, $source['name'] . $hiddenfield->show());
     }
 
-    $attrib['name'] = '_source';
-    $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
+    $attrib['name']       = '_source';
+    $attrib['is_escaped'] = true;
+    $attrib['onchange']   = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
 
     $select = new html_select($attrib);
 
@@ -262,12 +258,27 @@
 }
 
 
+/**
+ * Register container as active area to drop photos onto
+ */
+function rcmail_photo_drop_area($attrib)
+{
+    global $OUTPUT;
+
+    if ($attrib['id']) {
+        $OUTPUT->add_gui_object('filedrop', $attrib['id']);
+        $OUTPUT->set_env('filedrop', array('action' => 'upload-photo', 'fieldname' => '_photo', 'single' => 1, 'filter' => '^image/.+'));
+    }
+}
+
+
 $OUTPUT->add_handlers(array(
     'contactedithead' => 'rcmail_contact_edithead',
     'contacteditform' => 'rcmail_contact_editform',
     'contactphoto'    => 'rcmail_contact_photo',
     'photouploadform' => 'rcmail_upload_photo_form',
     'sourceselector'  => 'rcmail_source_selector',
+    'filedroparea'    => 'rcmail_photo_drop_area',
 ));
 
 if ($RCMAIL->action == 'add' && $OUTPUT->template_exists('contactadd'))
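Review bot: The `'filter' => '^image/.+'` entry in rcmail_photo_drop_area is shipped to the browser through `set_env`, so it is only a client-side MIME hint and gives no server-side guarantee; the `upload-photo` action it names must validate the uploaded file's type and size itself (that code is not in this diff, so it cannot be confirmed here), and a comment such as `// client-side hint only; upload-photo must validate the file server-side` would stop a later reader from treating this as the check. `if ($attrib['id'])` also raises a notice when a template omits the attribute; `if (!empty($attrib['id']))` avoids it. The new function has a one-line header but no parameter doc; add `@param array $attrib Template tag attributes; only 'id' is used, as the gui object name` beneath it.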

--
Gitblit v1.9.1