From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/steps/mail/func.inc | 32 ++++++++++++++++++++------------
1 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 7ef8216..28e6baa 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -929,7 +929,7 @@
$value = $headers[$hkey];
else if ($headers['others'][$hkey])
$value = $headers['others'][$hkey];
- else
+ else if (!$attrib['valueof'])
continue;
if (in_array($hkey, $exclude_headers))
@@ -1441,9 +1441,10 @@
$name = $part['name'];
$mailto = $part['mailto'];
$string = $part['string'];
+ $valid = check_email($mailto, false);
// phishing email prevention (#1488981), e.g. "valid@email.addr <phishing@email.addr>"
- if ($name && $name != $mailto && strpos($name, '@')) {
+ if ($name && $valid && $name != $mailto && strpos($name, '@')) {
$name = '';
}
@@ -1459,7 +1460,7 @@
// for printing we display all addresses
continue;
}
- else if (check_email($part['mailto'], false)) {
+ else if ($valid) {
if ($linked) {
$address = html::a(array(
'href' => 'mailto:'.$mailto,
@@ -1492,7 +1493,7 @@
if ($name)
$address .= Q($name);
if ($mailto)
- $address .= (strlen($address) ? ' ' : '') . sprintf('<%s>', Q($mailto));
+ $address = trim($address . ' ' . Q($name ? sprintf('<%s>', $mailto) : $mailto));
}
$address = html::span('adr', $address);
@@ -1531,11 +1532,11 @@
/**
* Wrap text to a given number of characters per line
* but respect the mail quotation of replies messages (>).
- * Finally add another quotation level by prpending the lines
+ * Finally add another quotation level by prepending the lines
* with >
*
* @param string Text to wrap
- * @param int The line width
+ * @param int The line width
* @return string The wrapped text
*/
function rcmail_wrap_and_quote($text, $length = 72)
@@ -1551,7 +1552,7 @@
$line = '>' . rtrim($line);
else if (mb_strlen($line) > $max) {
$newline = '';
- foreach(explode("\n", rc_wordwrap($line, $length - 2)) as $l) {
+ foreach (explode("\n", rc_wordwrap($line, $length - 2)) as $l) {
if (strlen($l))
$newline .= '> ' . $l . "\n";
else
@@ -1802,9 +1803,17 @@
// Try Return-Path
if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) {
foreach ($identities as $idx => $ident) {
- if (strpos($return_path, str_replace('@', '=', $ident['email_ascii']).'@') !== false) {
- $from_idx = $idx;
- break;
+ // Return-Path header contains an email address, but on some mailing list
+ // it can be e.g. <pear-dev-return-55250-local=domain.tld@lists.php.net>
+ // where local@domain.tld is the address we're looking for (#1489241)
+ $ident1 = $ident['email_ascii'];
+ $ident2 = str_replace('@', '=', $ident1);
+
+ foreach ((array)$return_path as $path) {
+ if (stripos($path, $ident1) !== false || stripos($path, $ident2)) {
+ $from_idx = $idx;
+ break 2;
+ }
}
}
}
@@ -1839,8 +1848,7 @@
// application/pdf.A520491B_3BF7_494D_8855_7FAC2C6C0608
if (preg_match('/^application\/pdf.+/', $name))
$name = 'application/pdf';
-
- // treat image/pjpeg as image/jpeg
+ // treat image/pjpeg (image/pjpg, image/jpg) as image/jpeg (#1489097)
else if (preg_match('/^image\/p?jpe?g$/', $name))
$name = 'image/jpeg';
--
Gitblit v1.9.1