From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/mark.inc |   17 +++++++----------
 1 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/program/steps/mail/mark.inc b/program/steps/mail/mark.inc
index 238e117..dfc892e 100644
--- a/program/steps/mail/mark.inc
+++ b/program/steps/mail/mark.inc
@@ -113,24 +113,21 @@
       $OUTPUT->command('set_rowcount', rcmail_get_messagecount_text($msg_count), $mbox);
 
       if ($threading) {
-	    $count = get_input_value('_count', RCUBE_INPUT_POST);
+        $count = get_input_value('_count', RCUBE_INPUT_POST);
       }
 
       // add new rows from next page (if any)
       if ($count && $uids != '*' && ($jump_back || $nextpage_count > 0)) {
-        $sort_col   = isset($_SESSION['sort_col'])   ? $_SESSION['sort_col']   : $CONFIG['message_sort_col'];
-        $sort_order = isset($_SESSION['sort_order']) ? $_SESSION['sort_order'] : $CONFIG['message_sort_order'];
-
-        $a_headers = $RCMAIL->storage->list_messages($mbox, NULL, $sort_col, $sort_order,
-	    $jump_back ? NULL : $count);
+        $a_headers = $RCMAIL->storage->list_messages($mbox, NULL,
+          rcmail_sort_column(), rcmail_sort_order(), $jump_back ? NULL : $count);
 
         rcmail_js_message_list($a_headers, false);
       }
     }
   }
-
-  $OUTPUT->send();
+}
+else {
+    $OUTPUT->show_message('internalerror', 'error');
 }
 
-exit;
-
+$OUTPUT->send();

--
Gitblit v1.9.1