From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/steps/addressbook/search.inc | 15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/program/steps/addressbook/search.inc b/program/steps/addressbook/search.inc
index d31e54b..d153c25 100644
--- a/program/steps/addressbook/search.inc
+++ b/program/steps/addressbook/search.inc
@@ -184,7 +184,7 @@
 while ($row = $result->next()) {
 $row['sourceid'] = $s['id'];
- $key = rcmail_contact_key($row, $sort_col);
+ $key = rcube_addressbook::compose_contact_key($row, $sort_col);
 $records[$key] = $row;
 }
@@ -237,9 +237,12 @@
 $OUTPUT->command('set_env', 'source', '');
 $OUTPUT->command('set_env', 'group', '');
- // unselect currently selected directory/group
- if (!$sid)
+ if (!$sid) {
+ // unselect currently selected directory/group
 $OUTPUT->command('unselect_directory');
+ // enable "Save search" command
+ $OUTPUT->command('enable_command', 'search-create', true);
+ }
 $OUTPUT->command('update_group_commands'); // send response
@@ -297,9 +300,13 @@
 $label = isset($colprop['label']) ? $colprop['label'] : rcube_label($col);
 $category = $colprop['category'] ? $colprop['category'] : 'other';
- if ($ftype == 'text')
+ // load jquery UI datepicker for date fields
+ if ($colprop['type'] == 'date')
+ $colprop['class'] .= ($colprop['class'] ? ' ' : '') . 'datepicker';
+ else if ($ftype == 'text')
 $colprop['size'] = $i_size;
+
 $content = html::div('row', html::div('contactfieldlabel label', Q($label)) . html::div('contactfieldcontent', rcmail_get_edit_field('search_'.$col, '', $colprop, $ftype)));
--
Gitblit v1.9.1
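Review bot: None of the hunks in this patch, including this one at `if (!$sid) {`, touches the `_session` argument or utils/save-prefs named in the subject, and the diffstat lists only program/steps/addressbook/search.inc. What is visible swaps the contact-key helper, enables the `search-create` command and adds a datepicker class, so the vulnerability fix itself cannot be reviewed or backported from this patch. If the subject is correct, the save-prefs change is missing from this view and should be confirmed in the full commit; if the diff is correct, the subject should describe it, for example `Addressbook search: enable "Save search" and datepicker class for date fields`. Keeping a security fix in its own commit, separate from feature changes like these, makes it easier to audit and cherry-pick.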
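Review bot: Chaining the size assignment as `else if ($ftype == 'text')` behind the new date check means a field with `$colprop['type'] == 'date'` no longer receives `$colprop['size'] = $i_size`; whether date fields are rendered with `$ftype == 'text'` is decided outside this hunk, so this may be an unintended side effect. The two concerns are independent and read better as separate statements, keeping the original `if ($ftype == 'text') $colprop['size'] = $i_size;` as it was. `$colprop['type']` and `$colprop['class']` are also read without the `isset()` guard used for `$colprop['label']` two lines above, which raises notices when a column definition omits them; `if (isset($colprop['type']) && $colprop['type'] == 'date') $colprop['class'] = trim((isset($colprop['class']) ? $colprop['class'] : '') . ' datepicker');` avoids that. The enclosing loop starts and ends outside the hunk.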