From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/compose.inc |   45 +++++++++++++++++++++++++++++----------------
 1 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index b384401..d4d08d1 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -170,6 +170,9 @@
 $config_show_sig = $RCMAIL->config->get('show_sig', 1);
 if ($compose_mode == RCUBE_COMPOSE_EDIT || $compose_mode == RCUBE_COMPOSE_DRAFT) {
   // don't add signature in draft/edit mode, we'll also not remove the old-one
+  // but only on page display, later we should be able to change identity/sig (#1489229)
+  if ($config_show_sig == 1 || $config_show_sig == 2)
+    $OUTPUT->set_env('show_sig_later', true);
 }
 else if ($config_show_sig == 1)
   $OUTPUT->set_env('show_sig', true);
@@ -195,7 +198,10 @@
   if (!empty($MESSAGE->headers->charset))
     $RCMAIL->storage->set_charset($MESSAGE->headers->charset);
 
-  if ($compose_mode == RCUBE_COMPOSE_REPLY) {
+  if (!$MESSAGE->headers) {
+    // error
+  }
+  else if ($compose_mode == RCUBE_COMPOSE_REPLY) {
     $COMPOSE['reply_uid'] = $msg_uid;
     $COMPOSE['reply_msgid'] = $MESSAGE->headers->messageID;
     $COMPOSE['references']  = trim($MESSAGE->headers->references . " " . $MESSAGE->headers->messageID);
@@ -921,10 +927,10 @@
     $prefix .= rcube_label('from')    . ': ' . $MESSAGE->get_header('from') . "\n";
     $prefix .= rcube_label('to')      . ': ' . $MESSAGE->get_header('to') . "\n";
 
-    if ($MESSAGE->headers->cc)
-      $prefix .= rcube_label('cc') . ': ' . $MESSAGE->get_header('cc') . "\n";
-    if ($MESSAGE->headers->replyto && $MESSAGE->headers->replyto != $MESSAGE->headers->from)
-      $prefix .= rcube_label('replyto') . ': ' . $MESSAGE->get_header('replyto') . "\n";
+    if ($cc = $MESSAGE->headers->get('cc'))
+      $prefix .= rcube_label('cc') . ': ' . $cc . "\n";
+    if (($replyto = $MESSAGE->headers->get('reply-to')) && $replyto != $MESSAGE->get_header('from'))
+      $prefix .= rcube_label('replyto') . ': ' . $replyto . "\n";
 
     $prefix .= "\n";
     $body = trim($body, "\r\n");
@@ -947,15 +953,13 @@
       rcube_label('from'), Q($MESSAGE->get_header('from'), 'replace'),
       rcube_label('to'), Q($MESSAGE->get_header('to'), 'replace'));
 
-    if ($MESSAGE->headers->cc)
+    if ($cc = $MESSAGE->headers->get('cc'))
       $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
-        rcube_label('cc'),
-        Q($MESSAGE->get_header('cc'), 'replace'));
+        rcube_label('cc'), Q($cc, 'replace'));
 
-    if ($MESSAGE->headers->replyto && $MESSAGE->headers->replyto != $MESSAGE->headers->from)
+    if (($replyto = $MESSAGE->headers->get('reply-to')) && $replyto != $MESSAGE->get_header('from'))
       $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
-        rcube_label('replyto'),
-        Q($MESSAGE->get_header('replyto'), 'replace'));
+        rcube_label('replyto'), Q($replyto, 'replace'));
 
     $prefix .= "</tbody></table><br>";
   }
@@ -977,10 +981,19 @@
       && count($MESSAGE->mime_parts) > 0)
   {
     $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml);
+  }
+
+  // clean up HTML tags - XSS prevention (#1489251)
+  if ($bodyIsHtml) {
+    $body = rcmail_wash_html($body, array('safe' => 1), $cid_map);
+
+    // remove comments (produced by washtml)
+    $body = preg_replace('/<!--[^>]+-->/', '', $body);
 
     // replace cid with href in inline images links
-    if ($cid_map)
+    if (!empty($cid_map)) {
       $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
+    }
   }
 
   return $body;
@@ -1419,17 +1432,17 @@
                        rcube_label('normal'),
                        rcube_label('high'),
                        rcube_label('highest')),
-                 array(5, 4, 0, 2, 1));
+                 array('5', '4', '0', '2', '1'));
 
   if (isset($_POST['_priority']))
     $sel = $_POST['_priority'];
-  else if (intval($MESSAGE->headers->priority) != 3)
-    $sel = intval($MESSAGE->headers->priority);
+  else if (isset($MESSAGE->headers->priority) && intval($MESSAGE->headers->priority) != 3)
+    $sel = $MESSAGE->headers->priority;
   else
     $sel = 0;
 
   $out = $form_start ? "$form_start\n" : '';
-  $out .= $selector->show($sel);
+  $out .= $selector->show(strval($sel));
   $out .= $form_end ? "\n$form_end" : '';
 
   return $out;

--
Gitblit v1.9.1