From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/edit.inc |   44 ++++++++++++++++++++++++++------------------
 1 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index abed2c5..7ddd3e5 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -17,9 +17,6 @@
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
-
- $Id$
-
 */
 
 if ($RCMAIL->action == 'edit') {
@@ -46,16 +43,14 @@
 else {
     $source = get_input_value('_source', RCUBE_INPUT_GPC);
 
-    if (!strlen($source)) {
-        // Give priority to configured default
-        $source = $RCMAIL->config->get('default_addressbook');
+    if (strlen($source)) {
+        $CONTACTS = $RCMAIL->get_address_book($source, true);
     }
 
-    $CONTACTS = $RCMAIL->get_address_book($source, true);
-
-    // find writable addressbook
-    if (!$CONTACTS || $CONTACTS->readonly)
-        $source = rcmail_default_source(true);
+    if (!$CONTACTS || $CONTACTS->readonly) {
+        $CONTACTS = $RCMAIL->get_address_book(-1, true);
+        $source   = $RCMAIL->get_address_book_id($CONTACTS);
+    }
 
     // Initialize addressbook
     $CONTACTS = rcmail_contact_source($source, true);
@@ -119,9 +114,6 @@
     global $RCMAIL, $CONTACT_COLTYPES;
 
     $record = rcmail_get_edit_record();
-
-    // add some labels to client
-    $RCMAIL->output->add_label('noemailwarning', 'nonamewarning');
 
     // copy (parsed) address template to client
     if (preg_match_all('/\{([a-z0-9]+)\}([^{]*)/i', $RCMAIL->config->get('address_template', ''), $templ, PREG_SET_ORDER))
@@ -245,16 +237,17 @@
 {
     global $RCMAIL, $SOURCE_ID;
 
-    $sources_list = $RCMAIL->get_address_sources(true);
+    $sources_list = $RCMAIL->get_address_sources(true, true);
 
     if (count($sources_list) < 2) {
         $source = $sources_list[$SOURCE_ID];
         $hiddenfield = new html_hiddenfield(array('name' => '_source', 'value' => $SOURCE_ID));
-        return html::span($attrib, Q($source['name']) . $hiddenfield->show());
+        return html::span($attrib, $source['name'] . $hiddenfield->show());
     }
 
-    $attrib['name'] = '_source';
-    $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
+    $attrib['name']       = '_source';
+    $attrib['is_escaped'] = true;
+    $attrib['onchange']   = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
 
     $select = new html_select($attrib);
 
@@ -265,12 +258,27 @@
 }
 
 
+/**
+ * Register container as active area to drop photos onto
+ */
+function rcmail_photo_drop_area($attrib)
+{
+    global $OUTPUT;
+
+    if ($attrib['id']) {
+        $OUTPUT->add_gui_object('filedrop', $attrib['id']);
+        $OUTPUT->set_env('filedrop', array('action' => 'upload-photo', 'fieldname' => '_photo', 'single' => 1, 'filter' => '^image/.+'));
+    }
+}
+
+
 $OUTPUT->add_handlers(array(
     'contactedithead' => 'rcmail_contact_edithead',
     'contacteditform' => 'rcmail_contact_editform',
     'contactphoto'    => 'rcmail_contact_photo',
     'photouploadform' => 'rcmail_upload_photo_form',
     'sourceselector'  => 'rcmail_source_selector',
+    'filedroparea'    => 'rcmail_photo_drop_area',
 ));
 
 if ($RCMAIL->action == 'add' && $OUTPUT->template_exists('contactadd'))

--
Gitblit v1.9.1