From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/addressbook/search.inc |   29 +++++++++++++++++++----------
 1 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/program/steps/addressbook/search.inc b/program/steps/addressbook/search.inc
index e4ce2d6..d153c25 100644
--- a/program/steps/addressbook/search.inc
+++ b/program/steps/addressbook/search.inc
@@ -7,7 +7,10 @@
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2005-2011, The Roundcube Dev Team                       |
  | Copyright (C) 2011, Kolab Systems AG                                  |
- | Licensed under the GNU GPL                                            |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
  |                                                                       |
  | PURPOSE:                                                              |
  |   Search action (and form) for address book contacts                  |
@@ -16,9 +19,6 @@
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  | Author: Aleksander Machniak <machniak@kolabsys.com>                   |
  +-----------------------------------------------------------------------+
-
- $Id: search.inc 456 2007-01-10 12:34:33Z thomasb $
-
 */
 
 if ($RCMAIL->action == 'search-create') {
@@ -144,6 +144,8 @@
     $sources    = $RCMAIL->get_address_sources();
     $search_set = array();
     $records    = array();
+    $sort_col   = $RCMAIL->config->get('addressbook_sort_col', 'name');
+    $afields = $RCMAIL->config->get('contactlist_fields');
 
     foreach ($sources as $s) {
         $source = $RCMAIL->get_address_book($s['id']);
@@ -178,11 +180,11 @@
         }
 
         // get records
-        $result = $source->list_records(array('name', 'email'));
+        $result = $source->list_records($afields);
 
         while ($row = $result->next()) {
             $row['sourceid'] = $s['id'];
-            $key = $row['name'] . ':' . $row['sourceid'];
+            $key = rcube_addressbook::compose_contact_key($row, $sort_col);
             $records[$key] = $row;
         }
 
@@ -235,9 +237,12 @@
     $OUTPUT->command('set_env', 'source', '');
     $OUTPUT->command('set_env', 'group', '');
 
-    // unselect currently selected directory/group
-    if (!$sid)
+    if (!$sid) {
+        // unselect currently selected directory/group
         $OUTPUT->command('unselect_directory');
+        // enable "Save search" command
+        $OUTPUT->command('enable_command', 'search-create', true);
+    }
     $OUTPUT->command('update_group_commands');
 
     // send response
@@ -252,7 +257,7 @@
 
     $form = array(
         'main' => array(
-            'name'    => rcube_label('contactproperties'),
+            'name'    => rcube_label('properties'),
             'content' => array(
             ),
         ),
@@ -295,9 +300,13 @@
             $label    = isset($colprop['label']) ? $colprop['label'] : rcube_label($col);
             $category = $colprop['category'] ? $colprop['category'] : 'other';
 
-            if ($ftype == 'text')
+            // load jquery UI datepicker for date fields 
+            if ($colprop['type'] == 'date')
+                $colprop['class'] .= ($colprop['class'] ? ' ' : '') . 'datepicker';
+            else if ($ftype == 'text')
                 $colprop['size'] = $i_size;
 
+
             $content  = html::div('row', html::div('contactfieldlabel label', Q($label))
                 . html::div('contactfieldcontent', rcmail_get_edit_field('search_'.$col, '', $colprop, $ftype)));
 
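Review bot: `$colprop['class'] .= ...` in the added date branch reads the `class` key before checking it exists, so a date column with no class configured raises an undefined-index notice even though the ternary on the same line guards that key; write it as `$colprop['class'] = (!empty($colprop['class']) ? $colprop['class'] . ' ' : '') . 'datepicker';`. The comparison `$colprop['type'] == 'date'` is loose where `===` is the safer form for a string value, and it tests `$colprop['type']` while the text branch tests `$ftype`, which may or may not be the same thing here. The added comment line carries trailing whitespace, and the extra blank line inserted before `$content` leaves two blank lines in a row. The enclosing loop starts and ends outside the hunk.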

--
Gitblit v1.9.1