From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/steps/addressbook/show.inc | 280 +++++++++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 225 insertions(+), 55 deletions(-)
diff --git a/program/steps/addressbook/show.inc b/program/steps/addressbook/show.inc
index 9317645..494f06a 100644
--- a/program/steps/addressbook/show.inc
+++ b/program/steps/addressbook/show.inc
@@ -4,9 +4,12 @@
+-----------------------------------------------------------------------+
| program/steps/addressbook/show.inc |
| |
- | This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005, RoundCube Dev. - Switzerland |
- | All rights reserved. |
+ | This file is part of the Roundcube Webmail client |
+ | Copyright (C) 2005-2012, The Roundcube Dev Team |
+ | |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
| |
| PURPOSE: |
| Show contact details |
@@ -14,68 +17,235 @@
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
+-----------------------------------------------------------------------+
-
- $Id$
-
*/
+// Get contact ID and source ID from request
+$cids = rcmail_get_cids();
+$source = key($cids);
+$cid = $cids ? array_shift($cids[$source]) : null;
-if ($_GET['_cid'] || $_POST['_cid'])
- {
- $cid = $_POST['_cid'] ? $_POST['_cid'] : $_GET['_cid'];
- $DB->query(sprintf("SELECT * FROM %s
- WHERE contact_id=%d
- AND user_id=%d
- AND del!='1'",
- get_table_name('contacts'),
- $cid,
- $_SESSION['user_id']));
-
- $CONTACT_RECORD = $DB->fetch_assoc();
-
- if (is_array($CONTACT_RECORD))
- $OUTPUT->add_script(sprintf("%s.set_env('cid', '%s');", $JS_OBJECT_NAME, $CONTACT_RECORD['contact_id']));
- }
+// Initialize addressbook source
+$CONTACTS = rcmail_contact_source($source, true);
+$SOURCE_ID = $source;
+// read contact record
+if ($cid && ($record = $CONTACTS->get_record($cid, true))) {
+ $OUTPUT->set_env('readonly', $CONTACTS->readonly || $record['readonly']);
+ $OUTPUT->set_env('cid', $record['ID']);
+ $OUTPUT->set_env('compose_extwin', $RCMAIL->config->get('compose_extwin',false));
+}
+
+// get address book name (for display)
+rcmail_set_sourcename($CONTACTS);
+
+// return raw photo of the given contact
+if ($RCMAIL->action == 'photo') {
+ // search for contact first
+ if (!$record && ($email = get_input_value('_email', RCUBE_INPUT_GPC))) {
+ foreach ($RCMAIL->get_address_sources() as $s) {
+ $abook = $RCMAIL->get_address_book($s['id']);
+ $result = $abook->search(array('email'), $email, 1, true, true, 'photo');
+ while ($result && ($record = $result->iterate())) {
+ if ($record['photo'])
+ break 2;
+ }
+ }
+ }
+
+ // read the referenced file
+ if (($file_id = get_input_value('_photo', RCUBE_INPUT_GPC)) && ($tempfile = $_SESSION['contacts']['files'][$file_id])) {
+ $tempfile = $RCMAIL->plugins->exec_hook('attachment_display', $tempfile);
+ if ($tempfile['status']) {
+ if ($tempfile['data'])
+ $data = $tempfile['data'];
+ else if ($tempfile['path'])
+ $data = file_get_contents($tempfile['path']);
+ }
+ }
+ else if ($record['photo']) {
+ $data = is_array($record['photo']) ? $record['photo'][0] : $record['photo'];
+ if (!preg_match('![^a-z0-9/=+-]!i', $data))
+ $data = base64_decode($data, true);
+ }
+
+ // let plugins do fancy things with contact photos
+ $plugin = $RCMAIL->plugins->exec_hook('contact_photo', array('record' => $record, 'email' => $email, 'data' => $data));
+
+ // redirect to url provided by a plugin
+ if ($plugin['url'])
+ $RCMAIL->output->redirect($plugin['url']);
+ else
+ $data = $plugin['data'];
+
+ // deliver alt image
+ if (!$data && ($alt_img = get_input_value('_alt', RCUBE_INPUT_GPC)) && is_file($alt_img))
+ $data = file_get_contents($alt_img);
+
+ // cache for one day if requested by email
+ if (!$cid && $email)
+ $RCMAIL->output->future_expire_header(86400);
+
+ header('Content-Type: ' . rc_image_content_type($data));
+ echo $data ? $data : file_get_contents('program/resources/blank.gif');
+ exit;
+}
+
+
+function rcmail_contact_head($attrib)
+{
+ global $CONTACTS, $RCMAIL;
+
+ // check if we have a valid result
+ if (!(($result = $CONTACTS->get_result()) && ($record = $result->first()))) {
+ $RCMAIL->output->show_message('contactnotfound');
+ return false;
+ }
+
+ $microformats = array('name' => 'fn', 'email' => 'email');
+
+ $form = array(
+ 'head' => array( // section 'head' is magic!
+ 'content' => array(
+ 'prefix' => array('type' => 'text'),
+ 'firstname' => array('type' => 'text'),
+ 'middlename' => array('type' => 'text'),
+ 'surname' => array('type' => 'text'),
+ 'suffix' => array('type' => 'text'),
+ ),
+ ),
+ );
+
+ unset($attrib['name']);
+ return rcmail_contact_form($form, $record, $attrib);
+}
function rcmail_contact_details($attrib)
- {
- global $CONTACT_RECORD, $JS_OBJECT_NAME;
+{
+ global $CONTACTS, $RCMAIL, $CONTACT_COLTYPES;
- if (!$CONTACT_RECORD)
- return show_message('contactnotfound');
-
- // a specific part is requested
- if ($attrib['part'])
- return rep_specialchars_output($CONTACT_RECORD[$attrib['part']]);
-
-
- // return the complete address record as table
- $out = "<table>\n\n";
-
- $a_show_cols = array('name', 'firstname', 'surname', 'email');
- foreach ($a_show_cols as $col)
- {
- if ($col=='email' && $CONTACT_RECORD[$col])
- $value = sprintf('<a href="#compose" onclick="%s.command(\'compose\', %d)" title="%s">%s</a>',
- $JS_OBJECT_NAME,
- $CONTACT_RECORD['contact_id'],
- rcube_label('composeto'),
- $CONTACT_RECORD[$col]);
- else
- $value = rep_specialchars_output($CONTACT_RECORD[$col]);
-
- $title = rcube_label($col);
- $out .= sprintf("<tr><td class=\"title\">%s</td><td>%s</td></tr>\n", $title, $value);
+ // check if we have a valid result
+ if (!(($result = $CONTACTS->get_result()) && ($record = $result->first()))) {
+ //$RCMAIL->output->show_message('contactnotfound');
+ return false;
}
+ $i_size = !empty($attrib['size']) ? $attrib['size'] : 40;
- $out .= "\n</table>";
-
- return $out;
- }
+ $form = array(
+ 'contact' => array(
+ 'name' => rcube_label('properties'),
+ 'content' => array(
+ 'email' => array('size' => $i_size, 'render_func' => 'rcmail_render_email_value'),
+ 'phone' => array('size' => $i_size),
+ 'address' => array(),
+ 'website' => array('size' => $i_size, 'render_func' => 'rcmail_render_url_value'),
+ 'im' => array('size' => $i_size),
+ ),
+ ),
+ 'personal' => array(
+ 'name' => rcube_label('personalinfo'),
+ 'content' => array(
+ 'gender' => array('size' => $i_size),
+ 'maidenname' => array('size' => $i_size),
+ 'birthday' => array('size' => $i_size),
+ 'anniversary' => array('size' => $i_size),
+ 'manager' => array('size' => $i_size),
+ 'assistant' => array('size' => $i_size),
+ 'spouse' => array('size' => $i_size),
+ ),
+ ),
+ );
+
+ if (isset($CONTACT_COLTYPES['notes'])) {
+ $form['notes'] = array(
+ 'name' => rcube_label('notes'),
+ 'content' => array(
+ 'notes' => array('type' => 'textarea', 'label' => false),
+ ),
+ );
+ }
+
+ if ($CONTACTS->groups) {
+ $form['groups'] = array(
+ 'name' => rcube_label('groups'),
+ 'content' => rcmail_contact_record_groups($record['ID']),
+ );
+ }
+
+ return rcmail_contact_form($form, $record);
+}
-parse_template('showcontact');
-?>
\ No newline at end of file
+function rcmail_render_email_value($email, $col)
+{
+ return html::a(array(
+ 'href' => 'mailto:' . $email,
+ 'onclick' => sprintf("return %s.command('compose','%s',this)", JS_OBJECT_NAME, JQ($email)),
+ 'title' => rcube_label('composeto'),
+ 'class' => 'email',
+ ), Q($email));
+}
+
+
+function rcmail_render_url_value($url, $col)
+{
+ $prefix = preg_match('!^(http|ftp)s?://!', $url) ? '' : 'http://';
+ return html::a(array(
+ 'href' => $prefix . $url,
+ 'target' => '_blank',
+ 'class' => 'url',
+ ), Q($url));
+}
+
+
+function rcmail_contact_record_groups($contact_id)
+{
+ global $RCMAIL, $CONTACTS, $GROUPS;
+
+ $GROUPS = $CONTACTS->list_groups();
+
+ if (empty($GROUPS)) {
+ return '';
+ }
+
+ $table = new html_table(array('cols' => 2, 'cellspacing' => 0, 'border' => 0));
+
+ $members = $CONTACTS->get_record_groups($contact_id);
+ $checkbox = new html_checkbox(array('name' => '_gid[]',
+ 'class' => 'groupmember', 'disabled' => $CONTACTS->readonly));
+
+ foreach (array_merge($GROUPS, $members) as $group) {
+ $gid = $group['ID'];
+ if ($seen[$gid]++)
+ continue;
+
+ $table->add(null, $checkbox->show($members[$gid] ? $gid : null,
+ array('value' => $gid, 'id' => 'ff_gid' . $gid)));
+ $table->add(null, html::label('ff_gid' . $gid, Q($group['name'])));
+ }
+
+ $hiddenfields = new html_hiddenfield(array('name' => '_source', 'value' => get_input_value('_source', RCUBE_INPUT_GPC)));
+ $hiddenfields->add(array('name' => '_cid', 'value' => $contact_id));
+
+ $form_start = $RCMAIL->output->request_form(array(
+ 'name' => "form", 'method' => "post",
+ 'task' => $RCMAIL->task, 'action' => 'save',
+ 'request' => 'save.'.intval($contact_id),
+ 'noclose' => true), $hiddenfields->show());
+ $form_end = '</form>';
+
+ $RCMAIL->output->add_gui_object('editform', 'form');
+ $RCMAIL->output->add_label('addingmember', 'removingmember');
+
+ return $form_start . html::tag('fieldset', 'contactfieldgroup contactgroups', $table->show()) . $form_end;
+}
+
+
+$OUTPUT->add_handlers(array(
+ 'contacthead' => 'rcmail_contact_head',
+ 'contactdetails' => 'rcmail_contact_details',
+ 'contactphoto' => 'rcmail_contact_photo',
+));
+
+$OUTPUT->send('contact');
--
Gitblit v1.9.1