From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/autocomplete.inc |   55 +++++++++++++++++++++++++++++++++----------------------
 1 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/program/steps/mail/autocomplete.inc b/program/steps/mail/autocomplete.inc
index e40bb76..f9e8d71 100644
--- a/program/steps/mail/autocomplete.inc
+++ b/program/steps/mail/autocomplete.inc
@@ -7,7 +7,10 @@
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2008-2011, Roundcube Dev Team                           |
  | Copyright (C) 2011, Kolab Systems AG                                  |
- | Licensed under the GNU GPL                                            |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
  |                                                                       |
  | PURPOSE:                                                              |
  |   Perform a search on configured address books for the address        |
@@ -15,9 +18,6 @@
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
-
- $Id$
-
 */
 
 if ($RCMAIL->action == 'group-expand') {
@@ -26,10 +26,12 @@
     $members = array();
     $abook->set_group($gid);
     $abook->set_pagesize(1000);  // TODO: limit number of group members by config
-    $result = $abook->list_records(array('email','name'));
+    $result = $abook->list_records($RCMAIL->config->get('contactlist_fields'));
     while ($result && ($sql_arr = $result->iterate())) {
-      foreach ((array)$sql_arr['email'] as $email)
-        $members[] = format_email_recipient($email, $sql_arr['name']);
+      foreach ((array)$sql_arr['email'] as $email) {
+        $members[] = format_email_recipient($email, rcube_addressbook::compose_list_name($sql_arr));
+        break;  // only expand one email per contact
+      }
     }
 
     $separator = trim($RCMAIL->config->get('recipients_separator', ',')) . ' ';
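Review bot: The new `list_records($RCMAIL->config->get('contactlist_fields'))` call passes `null` to the address book when a deployment's config does not define `contactlist_fields`, whereas the removed line always passed `array('email','name')`; the two-argument form already used two lines later for `recipients_separator` keeps the old behaviour as a fallback: `$result = $abook->list_records($RCMAIL->config->get('contactlist_fields', array('email','name')));`. If the key is guaranteed by the shipped default config this is only defensive, but the step should not depend on that. The `if ($RCMAIL->action == 'group-expand')` block this hunk belongs to starts and ends outside the hunk, and `$gid` is assigned there.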
@@ -54,6 +56,7 @@
 
 if (!empty($book_types) && strlen($search)) {
   $contacts  = array();
+  $sort_keys = array();
   $books_num = count($book_types);
   $search_lc = mb_strtolower($search);
 
@@ -61,16 +64,18 @@
     $abook = $RCMAIL->get_address_book($id);
     $abook->set_pagesize($MAXNUM);
 
-    if ($result = $abook->search(array('email','name'), $search, $mode, true, true, 'email')) {
+    if ($result = $abook->search($RCMAIL->config->get('contactlist_fields'), $search, $mode, true, true, 'email')) {
       while ($sql_arr = $result->iterate()) {
         // Contact can have more than one e-mail address
         $email_arr = (array)$abook->get_col_values('email', $sql_arr, true);
         $email_cnt = count($email_arr);
+        $idx = 0;
         foreach ($email_arr as $email) {
           if (empty($email)) {
             continue;
           }
 
+          $sql_arr['name'] = rcube_addressbook::compose_list_name($sql_arr);
           $contact = format_email_recipient($email, $sql_arr['name']);
 
           // skip entries that don't match
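Review bot: `$sql_arr['name'] = rcube_addressbook::compose_list_name($sql_arr);` sits inside the per-address `foreach`, so it is recomputed for every e-mail of a contact and, from the second iteration on, runs against a row whose `name` it has already overwritten — harmless only if `compose_list_name()` prefers an existing non-empty `name`, which is not visible here. Moving that line up next to `$idx = 0;`, before `foreach ($email_arr as $email)`, computes it once per contact and removes the dependency on that assumption. The `search()` call has the same missing config fallback as the group-expand branch; `$RCMAIL->config->get('contactlist_fields', array('email','name'))` would preserve the previously hard-coded field list. The enclosing `foreach ($book_types as $id)` loop starts before this hunk.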
@@ -80,7 +85,9 @@
 
           // skip duplicates
           if (!in_array($contact, $contacts)) {
-            $contacts[] = $contact;
+            $contacts[]  = $contact;
+            $sort_keys[] = sprintf('%s %03d', $sql_arr['name'] , $idx++);
+
             if (count($contacts) >= $MAXNUM)
               break 2;
           }
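Review bot: The sort key `sprintf('%s %03d', $sql_arr['name'], $idx++)` is not unique across contacts — `$idx` restarts at 0 for every row, so two contacts with the same display name get identical keys, and `asort()` gave no stability guarantee in the PHP versions of this era, so their relative order can differ between requests. Using the entry's position in `$contacts` instead of the per-contact counter gives a unique, monotonically increasing key that still keeps a contact's addresses together: `$sort_keys[] = sprintf('%s %05d', $sql_arr['name'], count($contacts) - 1);`, after which `$idx` is no longer needed. The `while`/`foreach` loops this hunk is part of begin in the previous hunk.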
@@ -95,22 +102,27 @@
 
     // also list matching contact groups
     if ($abook->groups && count($contacts) < $MAXNUM) {
-      foreach ($abook->list_groups($search) as $group) {
+      foreach ($abook->list_groups($search, $mode) as $group) {
         $abook->reset();
         $abook->set_group($group['ID']);
         $group_prop = $abook->get_group($group['ID']);
 
         // group (distribution list) with email address(es)
         if ($group_prop['email']) {
+            $idx = 0;
             foreach ((array)$group_prop['email'] as $email) {
-                $contacts[] = format_email_recipient($email, $group['name']);
+                $contacts[]  = format_email_recipient($email, $group['name']);
+                $sort_keys[] = sprintf('%s %03d', $group['name'] , $idx++);
+
                 if (count($contacts) >= $MAXNUM)
                   break 2;
             }
         }
         // show group with count
         else if (($result = $abook->count()) && $result->count) {
-          $contacts[] = array('name' => $group['name'] . ' (' . intval($result->count) . ')', 'id' => $group['ID'], 'source' => $id);
+          $contacts[]  = array('name' => $group['name'] . ' (' . intval($result->count) . ')', 'id' => $group['ID'], 'source' => $id);
+          $sort_keys[] = $group['name'];
+
           if (count($contacts) >= $MAXNUM)
             break;
         }
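Review bot: The count-only branch appends `$sort_keys[] = $group['name'];` while every other entry uses the `'%s %03d'` form, so the two kinds of keys are not built the same way; two groups with the same name in different address books also collide, with the same unstable-`asort` caveat as for contacts. Building the key the same way everywhere, e.g. `$sort_keys[] = sprintf('%s %05d', $group['name'], count($contacts) - 1);` in both branches, keeps the ordering deterministic and lets the `$idx` counter go. `$mode`, now passed to `list_groups()`, is assigned before this hunk; every address-book backend's `list_groups()` should accept that second argument, otherwise the mode is silently ignored for groups.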
@@ -118,17 +130,16 @@
     }
   }
 
-  usort($contacts, 'contact_results_sort');
+  if (count($contacts)) {
+    // sort contacts index
+    asort($sort_keys, SORT_LOCALE_STRING);
+    // re-sort contacts according to index
+    foreach ($sort_keys as $idx => $val) {
+      $sort_keys[$idx] = $contacts[$idx];
+    }
+    $contacts = array_values($sort_keys);
+  }
 }
 
 $OUTPUT->command('ksearch_query_results', $contacts, $search, $sid);
 $OUTPUT->send();
-
-
-function contact_results_sort($a, $b)
-{
-  $name_a = is_array($a) ? $a['name'] : $a;
-  $name_b = is_array($b) ? $b['name'] : $b;
-  return strcoll(trim($name_a, '" '), trim($name_b, '" '));
-}
-
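Review bot: The re-sort reuses `$sort_keys` as the output array and names its loop variable `$idx`, the same name the search loops above use for the per-contact counter, which makes the three-line index dance harder to read than it needs to be; a separate result array with the loop over `array_keys($sort_keys)` states the intent directly. Removing `contact_results_sort()` also drops a global function; if any plugin called it, that is a silent break worth noting in the changelog (not verifiable from this diff). Separately, the patch subject refers to the `_session` argument of utils/save-prefs, but nothing in this diff touches that step — presumably the message was reused, and the autocomplete changes here are not themselves a security fix.
```php
if (count($contacts)) {
  // order by display name using locale collation, then emit contacts in that order
  asort($sort_keys, SORT_LOCALE_STRING);
  $sorted = array();
  foreach (array_keys($sort_keys) as $i) {
    $sorted[] = $contacts[$i];
  }
  $contacts = $sorted;
}
// … unchanged: ksearch_query_results output …
```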
