From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/compose.inc |   35 +++++++++++++++++++----------------
 1 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index e04986a..d4d08d1 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -511,7 +511,7 @@
       }
     }
 
-    $out = $select_from->show((int)$MESSAGE->compose['from']);
+    $out = $select_from->show($MESSAGE->compose['from']);
 
     // add signatures to client
     $OUTPUT->set_env('signatures', $a_signatures);
@@ -927,10 +927,10 @@
     $prefix .= rcube_label('from')    . ': ' . $MESSAGE->get_header('from') . "\n";
     $prefix .= rcube_label('to')      . ': ' . $MESSAGE->get_header('to') . "\n";
 
-    if ($MESSAGE->headers->cc)
-      $prefix .= rcube_label('cc') . ': ' . $MESSAGE->get_header('cc') . "\n";
-    if ($MESSAGE->headers->replyto && $MESSAGE->headers->replyto != $MESSAGE->headers->from)
-      $prefix .= rcube_label('replyto') . ': ' . $MESSAGE->get_header('replyto') . "\n";
+    if ($cc = $MESSAGE->headers->get('cc'))
+      $prefix .= rcube_label('cc') . ': ' . $cc . "\n";
+    if (($replyto = $MESSAGE->headers->get('reply-to')) && $replyto != $MESSAGE->get_header('from'))
+      $prefix .= rcube_label('replyto') . ': ' . $replyto . "\n";
 
     $prefix .= "\n";
     $body = trim($body, "\r\n");
@@ -953,15 +953,13 @@
       rcube_label('from'), Q($MESSAGE->get_header('from'), 'replace'),
       rcube_label('to'), Q($MESSAGE->get_header('to'), 'replace'));
 
-    if ($MESSAGE->headers->cc)
+    if ($cc = $MESSAGE->headers->get('cc'))
       $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
-        rcube_label('cc'),
-        Q($MESSAGE->get_header('cc'), 'replace'));
+        rcube_label('cc'), Q($cc, 'replace'));
 
-    if ($MESSAGE->headers->replyto && $MESSAGE->headers->replyto != $MESSAGE->headers->from)
+    if (($replyto = $MESSAGE->headers->get('reply-to')) && $replyto != $MESSAGE->get_header('from'))
       $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
-        rcube_label('replyto'),
-        Q($MESSAGE->get_header('replyto'), 'replace'));
+        rcube_label('replyto'), Q($replyto, 'replace'));
 
     $prefix .= "</tbody></table><br>";
   }
@@ -985,12 +983,17 @@
     $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml);
   }
 
-  // clean up html tags - XSS prevention (#1489251)
-  $body = rcmail_wash_html($body, array('safe' => 1), $cid_map);
+  // clean up HTML tags - XSS prevention (#1489251)
+  if ($bodyIsHtml) {
+    $body = rcmail_wash_html($body, array('safe' => 1), $cid_map);
 
-  // replace cid with href in inline images links
-  if ($cid_map) {
-    $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
+    // remove comments (produced by washtml)
+    $body = preg_replace('/<!--[^>]+-->/', '', $body);
+
+    // replace cid with href in inline images links
+    if (!empty($cid_map)) {
+      $body = str_replace(array_keys($cid_map), array_values($cid_map), $body);
+    }
   }
 
   return $body;

--
Gitblit v1.9.1