From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/list.inc |   19 ++++++++++++-------
 1 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/program/steps/addressbook/list.inc b/program/steps/addressbook/list.inc
index 4665185..6f3a3e0 100644
--- a/program/steps/addressbook/list.inc
+++ b/program/steps/addressbook/list.inc
@@ -5,7 +5,7 @@
  | program/steps/addressbook/list.inc                                    |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2005-2007, The Roundcube Dev Team                       |
+ | Copyright (C) 2005-2012, The Roundcube Dev Team                       |
  |                                                                       |
  | Licensed under the GNU General Public License version 3 or            |
  | any later version with exceptions for skins & plugins.                |
@@ -17,10 +17,9 @@
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
-
- $Id$
-
 */
+
+$afields = $RCMAIL->config->get('contactlist_fields');
 
 // Use search result
 if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']]))
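Review bot: The added `$afields = $RCMAIL->config->get('contactlist_fields');` passes no default, unlike the `addressbook_sort_col` lookup added further down, so an unset or non-array config value flows straight into both `list_records()` calls. What `list_records()` does with such a value is not visible in this patch. Either pass an explicit default, for example `$RCMAIL->config->get('contactlist_fields', array('name', 'email'))` as the search branch requested before, or add a comment such as `// empty contactlist_fields is handled by the backend` if that is the intent. Separately, the subject names the `_session` argument of utils/save-prefs, but the diffstat and every hunk here touch only program/steps/addressbook/list.inc, so the fix named in the subject should be confirmed against the change that actually modifies save-prefs.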
@@ -34,6 +33,7 @@
         $page = isset($_SESSION['page']) ? $_SESSION['page'] : 1;
 
     $_SESSION['page'] = $page;
+    $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
 
     // Get records from all sources
     foreach ($search as $s => $set) {
@@ -45,11 +45,11 @@
         $source->set_search_set($set);
 
         // get records
-        $result = $source->list_records(array('name', 'email'));
+        $result = $source->list_records($afields);
 
         while ($row = $result->next()) {
             $row['sourceid'] = $s;
-            $key = $row['name'] . ':' . $row['sourceid'];
+            $key = rcube_addressbook::compose_contact_key($row, $sort_col);
             $records[$key] = $row;
         }
         unset($result);
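Review bot: `$records[$key] = $row` still overwrites silently when two rows produce the same key, and the key now depends on `$sort_col` while the fetched columns depend on `$afields`, two independent config values. If `contactlist_fields` does not contain the column named by `addressbook_sort_col`, `compose_contact_key()` (defined outside this patch) presumably receives rows without that field, which could make keys within one source collide and drop contacts from the search result. Make sure the sort column is always among the requested fields, or at least record the constraint next to the key line, e.g. `// $afields must include $sort_col, otherwise keys collide and rows are overwritten`. The enclosing `foreach` starts and ends outside this hunk.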
@@ -75,12 +75,17 @@
     $CONTACTS = rcmail_contact_source(null, true);
 
     // get contacts for this user
-    $result = $CONTACTS->list_records(array('name'));
+    $result = $CONTACTS->list_records($afields);
 
     if (!$result->count && $result->searchonly) {
         $OUTPUT->show_message('contactsearchonly', 'notice');
         $OUTPUT->command('command', 'advanced-search');
     }
+
+    if ($CONTACTS->group_id) {
+        $OUTPUT->command('set_group_prop', array('ID' => $CONTACTS->group_id)
+            + array_intersect_key((array)$CONTACTS->get_group($CONTACTS->group_id), array('name'=>1,'email'=>1)));
+    }
 }
 
 // update message count display
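Review bot: In the added `set_group_prop` block the result of `get_group()` is cast with `(array)` and never checked, so a failed lookup is silently sent to the client as a group with only an `ID`. The stored group `name` and `email` also reach the client through this command; the `set_group_prop` handler is not visible here, so confirm it inserts those values as text rather than markup. The two-line expression would be easier to audit if split, e.g. `$group = (array) $CONTACTS->get_group($CONTACTS->group_id);` followed by `$OUTPUT->command('set_group_prop', array('ID' => $CONTACTS->group_id) + array_intersect_key($group, array('name' => 1, 'email' => 1)));`, with an early skip when `$group` is empty. The branch this block closes begins outside the hunk.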

--
Gitblit v1.9.1