From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/save.inc |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 25bfbd4..e7e5efc 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -134,11 +134,11 @@
     $record['email'] = reset($CONTACTS->get_col_values('email', $record, true));
     $record['name']  = rcube_addressbook::compose_list_name($record);
 
-    foreach (array('name', 'email') as $col)
+    foreach (array('name') as $col)
       $a_js_cols[] = Q((string)$record[$col]);
 
     // update the changed col in list
-    $OUTPUT->command('parent.update_contact_row', $cid, $a_js_cols, $newcid, $source);
+    $OUTPUT->command('parent.update_contact_row', $cid, $a_js_cols, $newcid, $source, $record);
 
     // show confirmation
     $OUTPUT->show_message('successfullysaved', 'confirmation', null, false);
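Review bot: The `$record` argument added on the `$OUTPUT->command('parent.update_contact_row', ...)` line reaches the client without the `Q()` escaping that the `$a_js_cols` values get, so the client-side handler must treat every field of the record as plain text. That handler is not visible here; if it needs only a few fields, passing just those would expose less than the whole contact record, and a comment such as `// $record is sent unescaped: update_contact_row must insert its fields as text, not HTML` would record the contract. The loop `foreach (array('name') as $col)` now iterates over a single element and could be written as `$a_js_cols[] = Q((string)$record['name']);`. The commit subject refers to utils/save-prefs while this hunk changes addressbook/save.inc, so the description should say how the two relate. The enclosing block starts and ends outside the hunk.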

--
Gitblit v1.9.1