From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/import.inc |   15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/program/steps/addressbook/import.inc b/program/steps/addressbook/import.inc
index df07d64..915aac8 100644
--- a/program/steps/addressbook/import.inc
+++ b/program/steps/addressbook/import.inc
@@ -88,7 +88,7 @@
 
   $content = html::p(null, rcube_label(array(
       'name' => 'importconfirm',
-      'nr' => $IMORT_STATS->inserted,
+      'nr' => $IMPORT_STATS->inserted,
       'vars' => $vars,
     )) . ($IMPORT_STATS->names ? ':' : '.'));
 
@@ -98,7 +98,7 @@
   if ($IMPORT_STATS->skipped) {
       $content .= html::p(null, rcube_label(array(
           'name' => 'importconfirmskipped',
-          'nr' => $IMORT_STATS->skipped,
+          'nr' => $IMPORT_STATS->skipped,
           'vars' => $vars,
         )) . ':');
       $content .= html::p('em', join(', ', array_map('Q', $IMPORT_STATS->skipped_names)));
@@ -209,6 +209,15 @@
         foreach ($vcards as $vcard) {
             $a_record = $vcard->get_assoc();
 
+            // Generate contact's display name (must be before validation), the same we do in save.inc
+            if (empty($a_record['name'])) {
+                $a_record['name'] = rcube_addressbook::compose_display_name($a_record, true);
+                // Reset it if equals to email address (from compose_display_name())
+                if ($a_record['name'] == $a_record['email'][0]) {
+                    $a_record['name'] = '';
+                }
+            }
+
             // skip invalid (incomplete) entries
             if (!$CONTACTS->validate($a_record, true)) {
                 $IMPORT_STATS->invalid++;
@@ -250,7 +259,7 @@
 
             if ($success) {
                 $IMPORT_STATS->inserted++;
-                $IMPORT_STATS->names[] = $vcard->displayname ? $vcard->displayname : $email;
+                $IMPORT_STATS->names[] = $a_record['name'] ? $a_record['name'] : $email;
             }
             else {
                 $IMPORT_STATS->errors++;
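Review bot: `$a_record['name'] ? $a_record['name'] : $email` relies on PHP truthiness, so a display name that is literally the string `"0"` is reported by e-mail address instead; `strlen($a_record['name']) ? $a_record['name'] : $email` is exact, though since the old `$vcard->displayname` test had the same quirk this may be acceptable as-is. The value now pushed into `$IMPORT_STATS->names` is vCard-supplied text after display-name composition, so wherever `names` is rendered it needs the same `Q()` escaping that `skipped_names` receives in the importconfirmskipped hunk; that rendering is outside this hunk and cannot be confirmed here. `$success` and `$email` are assigned outside the hunk.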

--
Gitblit v1.9.1