From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/import.inc |   36 ++++++++++++++++++++++++++++--------
 1 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/program/steps/addressbook/import.inc b/program/steps/addressbook/import.inc
index 15e04b8..915aac8 100644
--- a/program/steps/addressbook/import.inc
+++ b/program/steps/addressbook/import.inc
@@ -30,7 +30,7 @@
 
   $attrib += array('id' => "rcmImportForm");
 
-  $writable_books = $RCMAIL->get_address_sources(true);
+  $writable_books = $RCMAIL->get_address_sources(true, true);
 
   $upload = new html_inputfield(array(
     'type' => 'file',
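Review bot: The new second positional `true` passed to `get_address_sources()` carries no hint of its meaning at the call site, and the first `true` already reads as "writable only". A one-line comment would spare the next reader a trip into rcmail: `// writable books only; second flag presumably skips hidden sources — confirm against get_address_sources()`. The function body this call sits in starts before the hunk.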
@@ -43,7 +43,7 @@
 
   // addressbook selector
   if (count($writable_books) > 1) {
-    $select = new html_select(array('name' => '_target', 'id' => 'rcmimporttarget'));
+    $select = new html_select(array('name' => '_target', 'id' => 'rcmimporttarget', 'is_escaped' => true));
 
     foreach ($writable_books as $book)
         $select->add($book['name'], $book['id']);
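Review bot: The added `'is_escaped' => true` switches off html_select's own HTML escaping, so the `$book['name']` and `$book['id']` values handed to `add()` two lines below are emitted into the page verbatim. That is only safe if `get_address_sources()` already HTML-escapes every name and id it returns, which this hunk cannot show (the call is in the first hunk and the helper is outside the file). If that is the contract, it should be written down at this line, e.g. `// names/ids from get_address_sources() are already HTML-escaped; is_escaped avoids double-encoding`; if it is not, the option text must go through `Q()` here instead of relying on the flag. The enclosing `if (count($writable_books) > 1)` block closes outside the hunk.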
@@ -64,7 +64,7 @@
   $OUTPUT->add_label('selectimportfile','importwait');
   $OUTPUT->add_gui_object('importform', $attrib['id']);
 
-  $out = html::p(null, Q(rcube_label('importtext'), 'show'));
+  $out = html::p(null, Q(rcube_label('importdesc'), 'show'));
 
   $out .= $OUTPUT->form_tag(array(
       'action' => $RCMAIL->url('import'),
@@ -88,7 +88,7 @@
 
   $content = html::p(null, rcube_label(array(
       'name' => 'importconfirm',
-      'nr' => $IMORT_STATS->inserted,
+      'nr' => $IMPORT_STATS->inserted,
       'vars' => $vars,
     )) . ($IMPORT_STATS->names ? ':' : '.'));
 
@@ -98,7 +98,7 @@
   if ($IMPORT_STATS->skipped) {
       $content .= html::p(null, rcube_label(array(
           'name' => 'importconfirmskipped',
-          'nr' => $IMORT_STATS->skipped,
+          'nr' => $IMPORT_STATS->skipped,
           'vars' => $vars,
         )) . ':');
       $content .= html::p('em', join(', ', array_map('Q', $IMPORT_STATS->skipped_names)));
@@ -159,11 +159,22 @@
                 $upload_error = $err;
             }
             else {
+                $file_content = file_get_contents($filepath);
+
                 // let rcube_vcard do the hard work :-)
                 $vcard_o = new rcube_vcard();
                 $vcard_o->extend_fieldmap($CONTACTS->vcard_map);
+                $v_list = $vcard_o->import($file_content);
 
-                $v_list = $vcard_o->import(file_get_contents($filepath));
+                if (!empty($v_list)) {
+                    $vcards = array_merge($vcards, $v_list);
+                    continue;
+                }
+
+                // no vCards found, try CSV
+                $csv = new rcube_csv2vcard($_SESSION['language']);
+                $csv->import($file_content);
+                $v_list = $csv->export();
 
                 if (!empty($v_list)) {
                     $vcards = array_merge($vcards, $v_list);
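Review bot: The first added line stores `file_get_contents($filepath)` without checking for `false`, so an unreadable upload is passed to both `rcube_vcard::import()` and `rcube_csv2vcard::import()` as if it were data, and the user then gets the format error rather than a read error. Check the result before parsing, e.g. `if ($file_content === false) { /* route to the existing $upload_error path */ continue; }`, using whichever error code the `$upload_error` branch just above already understands. The per-file loop and its `else` branch both start before the hunk and the second `if (!empty($v_list))` block closes after it, so make sure the early `continue` added for the vCard case skips nothing that the CSV path still needs from the tail of the loop body.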
@@ -181,7 +192,7 @@
             $OUTPUT->show_message('fileuploaderror', 'error');
         }
         else {
-            $OUTPUT->show_message('importerror', 'error');
+            $OUTPUT->show_message('importformaterror', 'error');
         }
     }
     else {
@@ -197,6 +208,15 @@
 
         foreach ($vcards as $vcard) {
             $a_record = $vcard->get_assoc();
+
+            // Generate contact's display name (must be before validation), the same we do in save.inc
+            if (empty($a_record['name'])) {
+                $a_record['name'] = rcube_addressbook::compose_display_name($a_record, true);
+                // Reset it if equals to email address (from compose_display_name())
+                if ($a_record['name'] == $a_record['email'][0]) {
+                    $a_record['name'] = '';
+                }
+            }
 
             // skip invalid (incomplete) entries
             if (!$CONTACTS->validate($a_record, true)) {
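Review bot: The added `$a_record['name'] == $a_record['email'][0]` comparison is fragile in two ways: it uses loose `==`, and it indexes `email` as an array while the hunk gives no evidence of what shape `get_assoc()` returns — a missing key raises a notice and a plain string would yield its first character, so the reset would silently never fire. Normalise first and compare strictly: `$emails = isset($a_record['email']) ? (array) $a_record['email'] : array();` followed by `if (!empty($emails) && $a_record['name'] === $emails[0]) {`. The comment "the same we do in save.inc" also deserves a pointer to the helper that should own this logic, since two copies of a display-name rule will drift. The `foreach ($vcards as $vcard)` loop continues past the hunk.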
@@ -239,7 +259,7 @@
 
             if ($success) {
                 $IMPORT_STATS->inserted++;
-                $IMPORT_STATS->names[] = $vcard->displayname ? $vcard->displayname : $email;
+                $IMPORT_STATS->names[] = $a_record['name'] ? $a_record['name'] : $email;
             }
             else {
                 $IMPORT_STATS->errors++;

--
Gitblit v1.9.1