From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/steps/addressbook/edit.inc | 187 ++++++++++++++++++++++++++++++++--------------
1 files changed, 130 insertions(+), 57 deletions(-)
diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc
index c0d5f0f..7ddd3e5 100644
--- a/program/steps/addressbook/edit.inc
+++ b/program/steps/addressbook/edit.inc
@@ -6,7 +6,10 @@
| |
| This file is part of the Roundcube Webmail client |
| Copyright (C) 2005-2007, The Roundcube Dev Team |
- | Licensed under the GNU GPL |
+ | |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
| |
| PURPOSE: |
| Show edit form for a contact entry or to add a new one |
@@ -14,35 +17,70 @@
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
+-----------------------------------------------------------------------+
-
- $Id$
-
*/
+if ($RCMAIL->action == 'edit') {
+ // Get contact ID and source ID from request
+ $cids = rcmail_get_cids();
+ $source = key($cids);
+ $cid = array_shift($cids[$source]);
-if (($cid = get_input_value('_cid', RCUBE_INPUT_GPC)) && ($record = $CONTACTS->get_record($cid, true)))
- $OUTPUT->set_env('cid', $record['ID']);
+ // Initialize addressbook
+ $CONTACTS = rcmail_contact_source($source, true);
-// adding not allowed here
-if ($CONTACTS->readonly) {
- $OUTPUT->show_message('sourceisreadonly');
- rcmail_overwrite_action('show');
- return;
+ // Contact edit
+ if ($cid && ($record = $CONTACTS->get_record($cid, true))) {
+ $OUTPUT->set_env('cid', $record['ID']);
+ }
+
+ // editing not allowed here
+ if ($CONTACTS->readonly || $record['readonly']) {
+ $OUTPUT->show_message('sourceisreadonly');
+ rcmail_overwrite_action('show');
+ return;
+ }
+}
+else {
+ $source = get_input_value('_source', RCUBE_INPUT_GPC);
+
+ if (strlen($source)) {
+ $CONTACTS = $RCMAIL->get_address_book($source, true);
+ }
+
+ if (!$CONTACTS || $CONTACTS->readonly) {
+ $CONTACTS = $RCMAIL->get_address_book(-1, true);
+ $source = $RCMAIL->get_address_book_id($CONTACTS);
+ }
+
+ // Initialize addressbook
+ $CONTACTS = rcmail_contact_source($source, true);
}
+$SOURCE_ID = $source;
+rcmail_set_sourcename($CONTACTS);
+
+function rcmail_get_edit_record()
+{
+ global $RCMAIL, $CONTACTS;
+
+ // check if we have a valid result
+ if ($GLOBALS['EDIT_RECORD']) {
+ $record = $GLOBALS['EDIT_RECORD'];
+ }
+ else if ($RCMAIL->action != 'add'
+ && !(($result = $CONTACTS->get_result()) && ($record = $result->first()))
+ ) {
+ $RCMAIL->output->show_message('contactnotfound');
+ return false;
+ }
+
+ return $record;
+}
function rcmail_contact_edithead($attrib)
{
- global $RCMAIL, $CONTACTS;
-
// check if we have a valid result
- if ($RCMAIL->action != 'add'
- && !(($result = $CONTACTS->get_result()) && ($record = $result->first()))
- ) {
- $RCMAIL->output->show_message('contactnotfound');
- return false;
- }
-
+ $record = rcmail_get_edit_record();
$i_size = !empty($attrib['size']) ? $attrib['size'] : 20;
$form = array(
@@ -55,9 +93,9 @@
'suffix' => array('size' => $i_size),
'name' => array('size' => 2*$i_size),
'nickname' => array('size' => 2*$i_size),
- 'company' => array('size' => $i_size),
- 'department' => array('size' => $i_size),
- 'jobtitle' => array('size' => $i_size),
+ 'organization' => array('size' => 2*$i_size),
+ 'department' => array('size' => 2*$i_size),
+ 'jobtitle' => array('size' => 2*$i_size),
)
)
);
@@ -71,29 +109,23 @@
return $form_start . $out . $form_end;
}
-
function rcmail_contact_editform($attrib)
{
- global $RCMAIL, $CONTACTS, $CONTACT_COLTYPES;
+ global $RCMAIL, $CONTACT_COLTYPES;
- // check if we have a valid result
- if ($RCMAIL->action != 'add'
- && !(($result = $CONTACTS->get_result()) && ($record = $result->first()))
- ) {
- $RCMAIL->output->show_message('contactnotfound');
- return false;
- }
+ $record = rcmail_get_edit_record();
- // add some labels to client
- $RCMAIL->output->add_label('noemailwarning', 'nonamewarning');
+ // copy (parsed) address template to client
+ if (preg_match_all('/\{([a-z0-9]+)\}([^{]*)/i', $RCMAIL->config->get('address_template', ''), $templ, PREG_SET_ORDER))
+ $RCMAIL->output->set_env('address_template', $templ);
$i_size = !empty($attrib['size']) ? $attrib['size'] : 40;
$t_rows = !empty($attrib['textarearows']) ? $attrib['textarearows'] : 10;
$t_cols = !empty($attrib['textareacols']) ? $attrib['textareacols'] : 40;
$form = array(
- 'info' => array(
- 'name' => rcube_label('contactproperties'),
+ 'contact' => array(
+ 'name' => rcube_label('properties'),
'content' => array(
'email' => array('size' => $i_size, 'visible' => true),
'phone' => array('size' => $i_size, 'visible' => true),
@@ -115,7 +147,7 @@
),
),
);
-
+
if (isset($CONTACT_COLTYPES['notes'])) {
$form['notes'] = array(
'name' => rcube_label('notes'),
@@ -135,14 +167,12 @@
return $form_start . $out . $form_end;
}
-
function rcmail_upload_photo_form($attrib)
{
global $OUTPUT;
- // add ID if not given
- if (!$attrib['id'])
- $attrib['id'] = 'rcmUploadbox';
+ // set defaults
+ $attrib += array('id' => 'rcmUploadform', 'buttons' => 'yes');
// find max filesize value
$max_filesize = parse_bytes(ini_get('upload_max_filesize'));
@@ -150,39 +180,40 @@
if ($max_postsize && $max_postsize < $max_filesize)
$max_filesize = $max_postsize;
$max_filesize = show_bytes($max_filesize);
-
+
$hidden = new html_hiddenfield(array('name' => '_cid', 'value' => $GLOBALS['cid']));
$input = new html_inputfield(array('type' => 'file', 'name' => '_photo', 'size' => $attrib['size']));
$button = new html_inputfield(array('type' => 'button'));
-
+
$out = html::div($attrib,
- $OUTPUT->form_tag(array('name' => 'uploadform', 'method' => 'post', 'enctype' => 'multipart/form-data'),
+ $OUTPUT->form_tag(array('id' => $attrib['id'].'Frm', 'name' => 'uploadform', 'method' => 'post', 'enctype' => 'multipart/form-data'),
$hidden->show() .
html::div(null, $input->show()) .
html::div('hint', rcube_label(array('name' => 'maxuploadsize', 'vars' => array('size' => $max_filesize)))) .
- html::div('buttons',
+ (get_boolean($attrib['buttons']) ? html::div('buttons',
$button->show(rcube_label('close'), array('class' => 'button', 'onclick' => "$('#$attrib[id]').hide()")) . ' ' .
$button->show(rcube_label('upload'), array('class' => 'button mainaction', 'onclick' => JS_OBJECT_NAME . ".command('upload-photo', this.form)"))
- )
+ ) : '')
)
);
-
+
$OUTPUT->add_label('addphoto','replacephoto');
- $OUTPUT->add_gui_object('uploadbox', $attrib['id']);
+ $OUTPUT->add_gui_object('uploadform', $attrib['id'].'Frm');
return $out;
}
-
// similar function as in /steps/settings/edit_identity.inc
function get_form_tags($attrib)
{
- global $CONTACTS, $EDIT_FORM, $RCMAIL;
+ global $CONTACTS, $EDIT_FORM, $RCMAIL, $SOURCE_ID;
$form_start = $form_end = '';
if (empty($EDIT_FORM)) {
- $hiddenfields = new html_hiddenfield(array(
- 'name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
+ $hiddenfields = new html_hiddenfield();
+
+ if ($RCMAIL->action == 'edit')
+ $hiddenfields->add(array('name' => '_source', 'value' => $SOURCE_ID));
$hiddenfields->add(array('name' => '_gid', 'value' => $CONTACTS->group_id));
if (($result = $CONTACTS->get_result()) && ($record = $result->first()))
@@ -202,13 +233,55 @@
return array($form_start, $form_end);
}
+function rcmail_source_selector($attrib)
+{
+ global $RCMAIL, $SOURCE_ID;
-$OUTPUT->add_handler('contactedithead', 'rcmail_contact_edithead');
-$OUTPUT->add_handler('contacteditform', 'rcmail_contact_editform');
-$OUTPUT->add_handler('contactphoto', 'rcmail_contact_photo');
-$OUTPUT->add_handler('photouploadform', 'rcmail_upload_photo_form');
+ $sources_list = $RCMAIL->get_address_sources(true, true);
-if (!$CONTACTS->get_result() && $OUTPUT->template_exists('contactadd'))
+ if (count($sources_list) < 2) {
+ $source = $sources_list[$SOURCE_ID];
+ $hiddenfield = new html_hiddenfield(array('name' => '_source', 'value' => $SOURCE_ID));
+ return html::span($attrib, $source['name'] . $hiddenfield->show());
+ }
+
+ $attrib['name'] = '_source';
+ $attrib['is_escaped'] = true;
+ $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)";
+
+ $select = new html_select($attrib);
+
+ foreach ($sources_list as $source)
+ $select->add($source['name'], $source['id']);
+
+ return $select->show($SOURCE_ID);
+}
+
+
+/**
+ * Register container as active area to drop photos onto
+ */
+function rcmail_photo_drop_area($attrib)
+{
+ global $OUTPUT;
+
+ if ($attrib['id']) {
+ $OUTPUT->add_gui_object('filedrop', $attrib['id']);
+ $OUTPUT->set_env('filedrop', array('action' => 'upload-photo', 'fieldname' => '_photo', 'single' => 1, 'filter' => '^image/.+'));
+ }
+}
+
+
+$OUTPUT->add_handlers(array(
+ 'contactedithead' => 'rcmail_contact_edithead',
+ 'contacteditform' => 'rcmail_contact_editform',
+ 'contactphoto' => 'rcmail_contact_photo',
+ 'photouploadform' => 'rcmail_upload_photo_form',
+ 'sourceselector' => 'rcmail_source_selector',
+ 'filedroparea' => 'rcmail_photo_drop_area',
+));
+
+if ($RCMAIL->action == 'add' && $OUTPUT->template_exists('contactadd'))
$OUTPUT->send('contactadd');
// this will be executed if no template for addcontact exists
--
Gitblit v1.9.1