From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/func.inc |   25 ++++++++++++++++---------
 1 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 0dae6de..28e6baa 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -929,7 +929,7 @@
       $value = $headers[$hkey];
     else if ($headers['others'][$hkey])
       $value = $headers['others'][$hkey];
-    else
+    else if (!$attrib['valueof'])
       continue;
 
     if (in_array($hkey, $exclude_headers))
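Review bot: When `$attrib['valueof']` is set and the header is missing from both `$headers` and `$headers['others']`, the new `else if (!$attrib['valueof'])` falls through without assigning `$value` in any branch visible here. The code that follows would then read an unset `$value`, or the value left over from the previous iteration if this sits inside a loop, as the `continue` suggests. An explicit empty default makes the fall-through deliberate: `else if ($attrib['valueof']) $value = '';` followed by `else continue;`. The enclosing function and loop start and end outside the hunk, so an earlier initialisation of `$value` may already cover this.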
@@ -1532,11 +1532,11 @@
 /**
  * Wrap text to a given number of characters per line
  * but respect the mail quotation of replies messages (>).
- * Finally add another quotation level by prpending the lines
+ * Finally add another quotation level by prepending the lines
  * with >
  *
  * @param string Text to wrap
- * @param int The line width
+ * @param int    The line width
  * @return string The wrapped text
  */
 function rcmail_wrap_and_quote($text, $length = 72)
@@ -1552,7 +1552,7 @@
       $line = '>' . rtrim($line);
     else if (mb_strlen($line) > $max) {
       $newline = '';
-      foreach(explode("\n", rc_wordwrap($line, $length - 2)) as $l) {
+      foreach (explode("\n", rc_wordwrap($line, $length - 2)) as $l) {
         if (strlen($l))
           $newline .= '> ' . $l . "\n";
         else
@@ -1803,9 +1803,17 @@
     // Try Return-Path
     if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) {
         foreach ($identities as $idx => $ident) {
-            if (strpos($return_path, str_replace('@', '=', $ident['email_ascii']).'@') !== false) {
-                $from_idx = $idx;
-                break;
+            // Return-Path header contains an email address, but on some mailing list
+            // it can be e.g. <pear-dev-return-55250-local=domain.tld@lists.php.net>
+            // where local@domain.tld is the address we're looking for (#1489241)
+            $ident1 = $ident['email_ascii'];
+            $ident2 = str_replace('@', '=', $ident1);
+
+            foreach ((array)$return_path as $path) {
+                if (stripos($path, $ident1) !== false || stripos($path, $ident2)) {
+                    $from_idx = $idx;
+                    break 2;
+                }
             }
         }
     }
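Review bot: The second test in `stripos($path, $ident1) !== false || stripos($path, $ident2)` lacks the `!== false` comparison, so a match at offset 0 returns `0` and is treated as no match; it should read `stripos($path, $ident2) !== false`. The removed line anchored the rewritten address with a trailing `'@'`, while the new code matches either form as a bare substring. Since Return-Path comes from the received message, an identity such as `bob@example.com` would also be selected by a path containing `notbob@example.com`. If that looseness is not intended, keep the `.'@'` suffix on `$ident2` and compare `$ident1` against the address with its angle brackets stripped. The enclosing function continues outside the hunk.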
@@ -1840,8 +1848,7 @@
   // application/pdf.A520491B_3BF7_494D_8855_7FAC2C6C0608
   if (preg_match('/^application\/pdf.+/', $name))
     $name = 'application/pdf';
-
-  // treat image/pjpeg as image/jpeg
+  // treat image/pjpeg (image/pjpg, image/jpg) as image/jpeg (#1489097)
   else if (preg_match('/^image\/p?jpe?g$/', $name))
     $name = 'image/jpeg';
 

--
Gitblit v1.9.1