From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/edit.inc | 74 +++++++++++++++++++++----------------
 1 files changed, 42 insertions(+), 32 deletions(-)

diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index 0ad977d..7ddd3e5 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -6,7 +6,10 @@
 | |
 | This file is part of the Roundcube Webmail client |
 | Copyright (C) 2005-2007, The Roundcube Dev Team |
- | Licensed under the GNU GPL |
+ | |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
 | |
 | PURPOSE: |
 | Show edit form for a contact entry or to add a new one |
@@ -14,9 +17,6 @@
 +-----------------------------------------------------------------------+
 | Author: Thomas Bruederli <roundcube@gmail.com> |
 +-----------------------------------------------------------------------+
-
- $Id$
-
 */
 
 if ($RCMAIL->action == 'edit') {
@@ -33,8 +33,8 @@
 $OUTPUT->set_env('cid', $record['ID']);
 }
 
- // adding not allowed here
- if ($CONTACTS->readonly) {
+ // editing not allowed here
+ if ($CONTACTS->readonly || $record['readonly']) {
 $OUTPUT->show_message('sourceisreadonly');
 rcmail_overwrite_action('show');
 return;
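Review bot: `$record['readonly']` in the new condition `if ($CONTACTS->readonly || $record['readonly']) {` is read without a key check, so a record array that lacks that key raises an undefined-index notice on every edit; `if ($CONTACTS->readonly || !empty($record['readonly'])) {` keeps the same truthiness without the notice. The `if ($RCMAIL->action == 'edit')` block this sits in starts outside the hunk. Separately, the patch subject names a fix for the `_session` argument of utils/save-prefs, yet every hunk in this patch is in program/steps/addressbook/edit.inc, so the stated vulnerability fix is not reviewable from this diff and the header may belong to a different change.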
@@ -43,16 +43,14 @@
 else {
 $source = get_input_value('_source', RCUBE_INPUT_GPC);
 
- if (!strlen($source)) {
- // Give priority to configured default
- $source = $RCMAIL->config->get('default_addressbook');
+ if (strlen($source)) {
+ $CONTACTS = $RCMAIL->get_address_book($source, true);
 }
 
- $CONTACTS = $RCMAIL->get_address_book($source, true);
-
- // find writable addressbook
- if (!$CONTACTS || $CONTACTS->readonly)
- $source = rcmail_default_source(true);
+ if (!$CONTACTS || $CONTACTS->readonly) {
+ $CONTACTS = $RCMAIL->get_address_book(-1, true);
+ $source = $RCMAIL->get_address_book_id($CONTACTS);
+ }
 
 // Initialize addressbook
 $CONTACTS = rcmail_contact_source($source, true);
@@ -95,9 +93,9 @@
 'suffix' => array('size' => $i_size),
 'name' => array('size' => 2*$i_size),
 'nickname' => array('size' => 2*$i_size),
- 'company' => array('size' => $i_size),
- 'department' => array('size' => $i_size),
- 'jobtitle' => array('size' => $i_size),
+ 'organization' => array('size' => 2*$i_size),
+ 'department' => array('size' => 2*$i_size),
+ 'jobtitle' => array('size' => 2*$i_size),
 )
 )
 );
@@ -117,9 +115,6 @@
 
 $record = rcmail_get_edit_record();
 
- // add some labels to client
- $RCMAIL->output->add_label('noemailwarning', 'nonamewarning');
-
 // copy (parsed) address template to client
 if (preg_match_all('/\{([a-z0-9]+)\}([^{]*)/i', $RCMAIL->config->get('address_template', ''), $templ, PREG_SET_ORDER))
 $RCMAIL->output->set_env('address_template', $templ);
@@ -130,7 +125,7 @@
 
 $form = array(
 'contact' => array(
- 'name' => rcube_label('contactproperties'),
+ 'name' => rcube_label('properties'),
 'content' => array(
 'email' => array('size' => $i_size, 'visible' => true),
 'phone' => array('size' => $i_size, 'visible' => true),
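Review bot: When `_source` is empty the new code skips `get_address_book()`, so `if (!$CONTACTS || $CONTACTS->readonly)` tests whatever `$CONTACTS` held before this block (assigned outside the hunk, if at all); if that is already a writable book, `$source` stays `''` and `rcmail_contact_source($source, true)` is reached with an empty id. Moving `$source = $RCMAIL->get_address_book_id($CONTACTS);` out of the fallback branch so it runs whenever `$CONTACTS` is set would keep `$source` and `$CONTACTS` in step. The `_source` value is taken straight from GPC input here and the hunk does not show how `get_address_book()` treats an unknown id, so a comment such as `// get_address_book() returns false for an unknown id, which the readonly fallback below handles` would document the trust boundary if that is indeed its contract. The `else` block containing this code continues outside the hunk.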
@@ -176,9 +171,8 @@
 {
 global $OUTPUT;
 
- // add ID if not given
- if (!$attrib['id'])
- $attrib['id'] = 'rcmUploadbox';
+ // set defaults
+ $attrib += array('id' => 'rcmUploadform', 'buttons' => 'yes');
 
 // find max filesize value
 $max_filesize = parse_bytes(ini_get('upload_max_filesize'));
@@ -192,19 +186,19 @@
 $button = new html_inputfield(array('type' => 'button'));
 
 $out = html::div($attrib,
- $OUTPUT->form_tag(array('name' => 'uploadform', 'method' => 'post', 'enctype' => 'multipart/form-data'),
+ $OUTPUT->form_tag(array('id' => $attrib['id'].'Frm', 'name' => 'uploadform', 'method' => 'post', 'enctype' => 'multipart/form-data'),
 $hidden->show() .
 html::div(null, $input->show()) .
 html::div('hint', rcube_label(array('name' => 'maxuploadsize', 'vars' => array('size' => $max_filesize)))) .
- html::div('buttons',
+ (get_boolean($attrib['buttons']) ? html::div('buttons',
 $button->show(rcube_label('close'), array('class' => 'button', 'onclick' => "$('#$attrib[id]').hide()")) . ' ' .
 $button->show(rcube_label('upload'), array('class' => 'button mainaction', 'onclick' => JS_OBJECT_NAME . ".command('upload-photo', this.form)"))
- )
+ ) : '')
 )
 );
 
 $OUTPUT->add_label('addphoto','replacephoto');
- $OUTPUT->add_gui_object('uploadbox', $attrib['id']);
+ $OUTPUT->add_gui_object('uploadform', $attrib['id'].'Frm');
 
 return $out;
 }
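Review bot: `$attrib += array('id' => 'rcmUploadform', 'buttons' => 'yes');` only fills keys that are absent, whereas the removed `if (!$attrib['id'])` also replaced an empty `id` value; a template passing `id=""` now produces a div with an empty id and a form id of just `Frm`. If that case matters, keep the default for falsy values too: `if (empty($attrib['id'])) $attrib['id'] = 'rcmUploadform';` before the `+=`. The default id also changes from `rcmUploadbox` to `rcmUploadform`, which any skin referencing the old id would need to follow; the function's signature is outside the hunk.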
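Review bot: `$attrib['id']` is interpolated verbatim into the inline handler `"$('#$attrib[id]').hide()"` and, via `html::div($attrib, …)`, into the markup and the gui-object name; that is only safe while `$attrib` originates from the skin template and never from request data, which the hunk does not show. A comment above `$out = html::div($attrib,` such as `// $attrib comes from the skin template; its id is used unescaped in the inline handler and gui-object name` would record that assumption. The `uploadform` gui object now names the `<form>` (`$attrib['id'].'Frm'`) while the close button still hides the outer div by `$attrib[id]`; a one-line comment noting that the two ids refer to different elements would help the next reader.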
@@ -243,16 +237,17 @@
 {
 global $RCMAIL, $SOURCE_ID;
 
- $sources_list = $RCMAIL->get_address_sources(true);
+ $sources_list = $RCMAIL->get_address_sources(true, true);
 
 if (count($sources_list) < 2) {
 $source = $sources_list[$SOURCE_ID];
 $hiddenfield = new html_hiddenfield(array('name' => '_source', 'value' => $SOURCE_ID));
- return html::span($attrib, Q($source['name']) . $hiddenfield->show());
+ return html::span($attrib, $source['name'] . $hiddenfield->show());
 }
 
- $attrib['name'] = '_source';
- $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
+ $attrib['name'] = '_source';
+ $attrib['is_escaped'] = true;
+ $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
 
 $select = new html_select($attrib);
 
@@ -263,12 +258,27 @@
 }
 
 
+/**
+ * Register container as active area to drop photos onto
+ */
+function rcmail_photo_drop_area($attrib)
+{
+ global $OUTPUT;
+
+ if ($attrib['id']) {
+ $OUTPUT->add_gui_object('filedrop', $attrib['id']);
+ $OUTPUT->set_env('filedrop', array('action' => 'upload-photo', 'fieldname' => '_photo', 'single' => 1, 'filter' => '^image/.+'));
+ }
+}
+
+
 $OUTPUT->add_handlers(array(
 'contactedithead' => 'rcmail_contact_edithead',
 'contacteditform' => 'rcmail_contact_editform',
 'contactphoto' => 'rcmail_contact_photo',
 'photouploadform' => 'rcmail_upload_photo_form',
 'sourceselector' => 'rcmail_source_selector',
+ 'filedroparea' => 'rcmail_photo_drop_area',
 ));
 
 if ($RCMAIL->action == 'add' && $OUTPUT->template_exists('contactadd'))
-- 
Gitblit v1.9.1
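Review bot: Dropping `Q()` in `return html::span($attrib, $source['name'] . $hiddenfield->show());` makes correct escaping depend on `get_address_sources(true, true)` already returning HTML-escaped names, which the new second argument presumably requests; nothing in the hunk states this, and if the list ever arrives unescaped the address-book name is emitted into the page as-is. Add `// names are already HTML-escaped by get_address_sources(..., true); do not Q() them again` above the return so the coupling is explicit; the same assumption underlies `$attrib['is_escaped'] = true;` for the select and deserves the same note. rcmail_source_selector's body continues outside the hunk.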
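Review bot: The new `rcmail_photo_drop_area()` reads `$attrib['id']` without a key check in `if ($attrib['id']) {`, so a template using the `filedroparea` tag without an id emits an undefined-index notice; `if (!empty($attrib['id'])) {` is the minimal fix. The docblock should also name the parameter and make clear that `'filter' => '^image/.+'` is only a hint consumed by the client-side drop handler, while validation of what is actually uploaded must happen in the `upload-photo` action, which is outside this diff — e.g. `@param array $attrib Template attributes; only 'id' is used` and `Note: 'filter' limits the client-side picker only; the upload-photo action validates the uploaded file server-side`.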