From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/groups.inc | 39 +++++++++++++++++++++++----------------
 1 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/program/steps/addressbook/groups.inc b/program/steps/addressbook/groups.inc
index b70bbf2..3b9288a 100644
--- a/program/steps/addressbook/groups.inc
+++ b/program/steps/addressbook/groups.inc
@@ -6,7 +6,10 @@
 | |
 | This file is part of the Roundcube Webmail client |
 | Copyright (C) 2010, The Roundcube Dev Team |
- | Licensed under the GNU GPL |
+ | |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
 | |
 | PURPOSE: |
 | Create/delete/rename contact groups and assign/remove contacts |
@@ -14,24 +17,22 @@ +-----------------------------------------------------------------------+ | Author: Thomas Bruederli <roundcube@gmail.com> | +-----------------------------------------------------------------------+ - - $Id$ - */ + +$source = get_input_value('_source', RCUBE_INPUT_GPC); +$CONTACTS = rcmail_contact_source($source); if ($CONTACTS->readonly || !$CONTACTS->groups) { $OUTPUT->show_message('sourceisreadonly', 'warning'); $OUTPUT->send(); } -$source = get_input_value('_source', RCUBE_INPUT_GPC); - if ($RCMAIL->action == 'group-addmembers') { - if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($ids = get_input_value('_cid', RCUBE_INPUT_POST))) { + if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($ids = rcmail_get_cids($source))) { $plugin = $RCMAIL->plugins->exec_hook('group_addmembers', array('group_id' => $gid, 'ids' => $ids, 'source' => $source)); $CONTACTS->set_group($gid); - $num2add = count(explode(',', $plugin['ids'])); + $num2add = count($plugin['ids']); if (!$plugin['abort']) { if (($maxnum = $RCMAIL->config->get('max_group_members', 0)) && ($CONTACTS->count()->count + $num2add > $maxnum)) { @@ -46,13 +47,15 @@ if ($result) $OUTPUT->show_message('contactaddedtogroup'); - else + else if ($plugin['abort'] || $CONTACTS->get_error()) $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'errorsaving', 'error'); + else + $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'nogroupassignmentschanged'); } } else if ($RCMAIL->action == 'group-delmembers') { - if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($ids = get_input_value('_cid', RCUBE_INPUT_POST))) { + if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($ids = rcmail_get_cids($source))) { $plugin = $RCMAIL->plugins->exec_hook('group_delmembers', array('group_id' => $gid, 'ids' => $ids, 'source' => $source)); if (!$plugin['abort']) 
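Review bot: `$num2add = count($plugin['ids'])` now assumes the `group_addmembers` hook hands back an array, whereas the line it replaces (`count(explode(',', $plugin['ids']))`) accepted a comma-separated string; a plugin that still returns a string would make count() yield 1 and defeat the `max_group_members` cap. If the hook contract has deliberately changed to an array (the new `rcmail_get_cids($source)` call suggests so), state it in a comment at the exec_hook call, e.g. `// 'ids' is an array of contact IDs (from rcmail_get_cids); plugins must return it as such`, or normalise with `$num2add = is_array($plugin['ids']) ? count($plugin['ids']) : count(explode(',', $plugin['ids']));`. The same `rcmail_get_cids` substitution appears in the `group-delmembers` hunk below. Separately, the subject line says the fix concerns the `_session` argument of `utils/save-prefs`, but the patch only touches `program/steps/addressbook/groups.inc`; the commit message should describe this change.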
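Review bot: The new three-way `if / else if / else` in the `group-addmembers` result handling leaves its last branch unexplained: it runs when `$result` is falsy but the hook did not abort and `$CONTACTS->get_error()` is empty, which presumably means nothing was added because the selected contacts were already members. A one-line comment above the second `else`, e.g. `// no error but nothing added: contacts were already in the group`, would spare the next reader from re-deriving that, and braces around the three brace-less branches would make the multi-line chain less fragile to edit. Note that the `$plugin['message']` fallback is reused on that non-error branch, so a message a plugin set for a failure would be shown without the `'error'` type; worth confirming that is intended.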
@@ -60,15 +63,18 @@ else $result = $plugin['result']; - if ($result) + if ($result) { $OUTPUT->show_message('contactremovedfromgroup'); - else + $OUTPUT->command('remove_group_contacts',array('source' => $source, 'gid' => $gid)); + } + else { $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'errorsaving', 'error'); + } } } else if ($RCMAIL->action == 'group-create') { - if ($name = trim(get_input_value('_name', RCUBE_INPUT_POST))) { + if ($name = trim(get_input_value('_name', RCUBE_INPUT_POST, true))) { $plugin = $RCMAIL->plugins->exec_hook('group_create', array('name' => $name, 'source' => $source)); if (!$plugin['abort']) @@ -78,6 +84,7 @@ } if ($created && $OUTPUT->ajax_call) { + $created['name'] = Q($created['name']); $OUTPUT->show_message('groupcreated', 'confirmation'); $OUTPUT->command('insert_contact_group', array('source' => $source) + $created); } @@ -87,11 +94,11 @@ } else if ($RCMAIL->action == 'group-rename') { - if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($name = trim(get_input_value('_name', RCUBE_INPUT_POST)))) { + if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($name = trim(get_input_value('_name', RCUBE_INPUT_POST, true)))) { $plugin = $RCMAIL->plugins->exec_hook('group_rename', array('group_id' => $gid, 'name' => $name, 'source' => $source)); if (!$plugin['abort']) - $newname = $CONTACTS->rename_group($gid, $plugin['name']); + $newname = $CONTACTS->rename_group($gid, $plugin['name'], $newgid); else $newname = $plugin['result']; } @@ -99,7 +106,7 @@ if ($newname && $OUTPUT->ajax_call) { $OUTPUT->show_message('grouprenamed', 'confirmation'); $OUTPUT->command('update_contact_group', array( - 'source' => $source, 'id' => $gid, 'name' => $newname)); + 'source' => $source, 'id' => $gid, 'name' => Q($newname), 'newid' => $newgid)); } else if (!$newname) $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'errorsaving', 'error'); -- Gitblit v1.9.1
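Review bot: `trim(get_input_value('_name', RCUBE_INPUT_POST, true))` in the `group-create` branch passes a third argument (presumably the allow-HTML flag) that the old call did not, so the group name is now stored with any markup intact and the commit relies on `Q()` at the ajax output sites (the `insert_contact_group` and `update_contact_group` hunks) instead of stripping on input. That invariant should be written down at the input site, e.g. `// name is kept raw; every renderer must escape it with Q() (see insert_contact_group / update_contact_group)`, because any other code path that prints group names, outside this patch, now has to do the same; the `group-rename` hunk makes the identical change. In the `group-delmembers` result block, `$OUTPUT->command('remove_group_contacts',array(...))` is missing the space after the comma.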
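Review bot: `$created['name'] = Q($created['name']);` escapes only the name before `insert_contact_group` is sent, while whatever else `$created` carries (merged via `+`) and `$source` go out untouched; the `update_contact_group` hunk below does the same with `'id' => $gid` taken straight from POST. If the client side only uses those ids as lookup keys that is fine, but if it writes them into markup or a selector they need the same treatment, so a comment such as `// only 'name' is rendered as HTML client-side; ids are used as keys` (or escaping them too) would settle it. Escaping `$created` in place also means any later non-ajax consumer of it would see the already-escaped value; a local copy passed to the command would avoid that.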
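Review bot: `$newgid` in `$CONTACTS->rename_group($gid, $plugin['name'], $newgid)` is only ever assigned through that call (assuming the third parameter is taken by reference), so on the `else` path where `$newname = $plugin['result']` it is never defined, and the `update_contact_group` hunk below then reads it into `'newid' => $newgid`, which raises an undefined-variable notice and sends null. Initialise it before the branch, `$newgid = null;` on the line above the `if (($gid = …` test; the same guard covers the case where that outer condition fails. A short comment on the call, e.g. `// $newgid receives the group's new id if the backend changes it on rename`, would also make the out-parameter visible to readers.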