From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/groups.inc |   42 ++++++++++++++++++++++++------------------
 1 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/program/steps/addressbook/groups.inc b/program/steps/addressbook/groups.inc
index b7fdb2f..3b9288a 100644
--- a/program/steps/addressbook/groups.inc
+++ b/program/steps/addressbook/groups.inc
@@ -6,7 +6,10 @@
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2010, The Roundcube Dev Team                            |
- | Licensed under the GNU GPL                                            |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
  |                                                                       |
  | PURPOSE:                                                              |
  |   Create/delete/rename contact groups and assign/remove contacts      |
@@ -14,24 +17,22 @@
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
-
- $Id$
-
 */
+
+$source = get_input_value('_source', RCUBE_INPUT_GPC);
+$CONTACTS = rcmail_contact_source($source);
 
 if ($CONTACTS->readonly || !$CONTACTS->groups) {
   $OUTPUT->show_message('sourceisreadonly', 'warning');
   $OUTPUT->send();
 }
 
-$source = get_input_value('_source', RCUBE_INPUT_GPC);
-
 if ($RCMAIL->action == 'group-addmembers') {
-  if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($ids = get_input_value('_cid', RCUBE_INPUT_POST))) {
+  if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($ids = rcmail_get_cids($source))) {
     $plugin = $RCMAIL->plugins->exec_hook('group_addmembers', array('group_id' => $gid, 'ids' => $ids, 'source' => $source));
 
     $CONTACTS->set_group($gid);
-    $num2add = count(explode(',', $plugin['ids']));
+    $num2add = count($plugin['ids']);
 
     if (!$plugin['abort']) {
       if (($maxnum = $RCMAIL->config->get('max_group_members', 0)) && ($CONTACTS->count()->count + $num2add > $maxnum)) {
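Review bot: `$CONTACTS = rcmail_contact_source($source)` on the new line is dereferenced unconditionally two lines later (`$CONTACTS->readonly || !$CONTACTS->groups`); if that helper can return null or false for an unknown `_source` id rather than exiting itself, this becomes a property read on a non-object instead of the intended 'sourceisreadonly' exit. A guard such as `if (!$CONTACTS || $CONTACTS->readonly || !$CONTACTS->groups) {` keeps the fail-closed path without changing the happy path. Separately, `$num2add = count($plugin['ids'])` silently changes what the `group_addmembers` hook is expected to hand back — the old line counted a comma-separated string, so a plugin still returning that form would now be counted as a single id — and the new contract is worth one line above the hook call, `// $ids is an array of contact ids (rcmail_get_cids); plugins must return 'ids' as an array`.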
@@ -46,13 +47,15 @@
 
     if ($result)
       $OUTPUT->show_message('contactaddedtogroup');
-    else
+    else if ($plugin['abort'] || $CONTACTS->get_error())
       $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'errorsaving', 'error');
+    else
+      $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'nogroupassignmentschanged');
   }
 }
 
 else if ($RCMAIL->action == 'group-delmembers') {
-  if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($ids = get_input_value('_cid', RCUBE_INPUT_POST))) {
+  if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($ids = rcmail_get_cids($source))) {
     $plugin = $RCMAIL->plugins->exec_hook('group_delmembers', array('group_id' => $gid, 'ids' => $ids, 'source' => $source));
 
     if (!$plugin['abort'])
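Review bot: The three-way `if`/`else if`/`else` around the `$result` check is written without braces, while the same shape in the `group-delmembers` hunk below is converted to braced blocks in this very commit; the two should match, and a brace-less multi-branch chain is where the next added statement tends to land in the wrong branch. Wrap each branch: `if ($result) { … } else if ($plugin['abort'] || $CONTACTS->get_error()) { … } else { … }`. The new third branch also relies on `$CONTACTS->get_error()` to tell "nothing changed" from "save failed", which a reader has to infer; a short comment on it, `// backend reported no error: treat a false result as "nothing changed", not as a failure`, would make that explicit. The enclosing `group-addmembers` branch starts in the hunk above.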
@@ -60,15 +63,18 @@
     else
       $result = $plugin['result'];
 
-    if ($result)
+    if ($result) {
       $OUTPUT->show_message('contactremovedfromgroup');
-    else
+      $OUTPUT->command('remove_group_contacts',array('source' => $source, 'gid' => $gid));
+    }
+    else {
       $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'errorsaving', 'error');
+    }
   }
 }
 
 else if ($RCMAIL->action == 'group-create') {
-  if ($name = trim(get_input_value('_name', RCUBE_INPUT_POST))) {
+  if ($name = trim(get_input_value('_name', RCUBE_INPUT_POST, true))) {
     $plugin = $RCMAIL->plugins->exec_hook('group_create', array('name' => $name, 'source' => $source));
 
     if (!$plugin['abort'])
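Review bot: The new boolean third argument in `trim(get_input_value('_name', RCUBE_INPUT_POST, true))` is unexplained at the call site; if that parameter is the allow-HTML switch, the group name is now kept unfiltered and the later hunks compensate by wrapping it in `Q()` when it is echoed back to the client, a pairing a reader cannot see from this line alone. Add a comment above it, `// keep the raw name (no HTML filtering); it is escaped with Q() when sent back to the client`, and the same at the matching `group-rename` line in the hunk below. The `group-create` branch this line opens continues past the end of the hunk.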
@@ -78,9 +84,9 @@
   }
 
   if ($created && $OUTPUT->ajax_call) {
+    $created['name'] = Q($created['name']);
     $OUTPUT->show_message('groupcreated', 'confirmation');
-    $OUTPUT->command('insert_contact_group', array(
-      'source' => $source, 'id' => $created['id'], 'name' => $created['name']));
+    $OUTPUT->command('insert_contact_group', array('source' => $source) + $created);
   }
   else if (!$created) {
     $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'errorsaving', 'error');
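Review bot: `$created['name'] = Q($created['name']);` rewrites the array the backend returned before it is merged into the client command, so any later reader of `$created` sees the HTML-escaped name; the escaping is done for the client's benefit and deserves a comment, e.g. `// HTML-escape once here: the client inserts the group name into the DOM as markup`. The merge `array('source' => $source) + $created` keeps the left-hand `source` if the backend result also carries a `source` key (`+` never overwrites), which is presumably intended but is less obvious than the explicit `'id' => …, 'name' => …` array it replaces; a word on that, `// '+' keeps our 'source' if the backend result has one too`, avoids the surprise. The `group-rename` hunk at the bottom does the same `Q()` escaping inline on `$newname` and could carry the same escaping comment.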
@@ -88,11 +94,11 @@
 }
 
 else if ($RCMAIL->action == 'group-rename') {
-  if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($name = trim(get_input_value('_name', RCUBE_INPUT_POST)))) {
+  if (($gid = get_input_value('_gid', RCUBE_INPUT_POST)) && ($name = trim(get_input_value('_name', RCUBE_INPUT_POST, true)))) {
     $plugin = $RCMAIL->plugins->exec_hook('group_rename', array('group_id' => $gid, 'name' => $name, 'source' => $source));
 
     if (!$plugin['abort'])
-      $newname = $CONTACTS->rename_group($gid, $plugin['name']);
+      $newname = $CONTACTS->rename_group($gid, $plugin['name'], $newgid);
     else
       $newname = $plugin['result'];
   }
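Review bot: `$newgid` is only assigned by the new `rename_group($gid, $plugin['name'], $newgid)` call, yet the last hunk reads it unconditionally in `'newid' => $newgid`; when a plugin aborts the hook and supplies `$plugin['result']` as the new name, `$newgid` is never set, so the client receives `newid` as null along with an undefined-variable notice. Initialise it ahead of the branch, `$newgid = null;` before `if (!$plugin['abort'])`, or let the abort path take it from the hook result if the hook can supply a new id. Returning the new id through a by-reference out-parameter also hides it from a reader of the call; a comment such as `// $newgid is filled by reference when the backend assigns a new group id on rename` makes the side effect visible. This `group-rename` branch continues into the following hunk.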
@@ -100,7 +106,7 @@
   if ($newname && $OUTPUT->ajax_call) {
     $OUTPUT->show_message('grouprenamed', 'confirmation');
     $OUTPUT->command('update_contact_group', array(
-      'source' => $source, 'id' => $gid, 'name' => $newname));
+      'source' => $source, 'id' => $gid, 'name' => Q($newname), 'newid' => $newgid));
   }
   else if (!$newname)
     $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'errorsaving', 'error');

--
Gitblit v1.9.1