From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/settings/about.inc |   17 +++++++++--------
 1 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/program/steps/settings/about.inc b/program/steps/settings/about.inc
index 6776321..9b13402 100644
--- a/program/steps/settings/about.inc
+++ b/program/steps/settings/about.inc
@@ -7,7 +7,10 @@
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2005-2011, The Roundcube Dev Team                       |
  | Copyright (C) 2011, Kolab Systems AG                                  |
- | Licensed under the GNU GPL                                            |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
  |                                                                       |
  | PURPOSE:                                                              |
  |   Display license information about program and enabled plugins       |
@@ -15,18 +18,15 @@
  +-----------------------------------------------------------------------+
  | Author: Aleksander Machniak <alec@alec.pl>                            |
  +-----------------------------------------------------------------------+
-
- $Id: identities.inc 4410 2011-01-12 18:25:02Z thomasb $
-
 */
 
 
 function rcmail_supportlink($attrib)
 {
   global $RCMAIL;
-  
+
   if ($url = $RCMAIL->config->get('support_url')) {
-    $label = $attrub['label'] ? $attrub['label'] : 'support';
+    $label = $attrib['label'] ? $attrib['label'] : 'support';
     $attrib['href'] = $url;
     return html::a($attrib, rcube_label($label));
   }
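Review bot: The corrected line `$label = $attrib['label'] ? $attrib['label'] : 'support';` still reads `$attrib['label']` without checking that the key exists, so a call with no label attribute raises an undefined-index notice before falling back to 'support'. `$label = !empty($attrib['label']) ? $attrib['label'] : 'support';` gives the same result without the notice. Separately, the diffstat lists only about.inc and no line here touches utils/save-prefs or a `_session` argument, so the fix named in the subject cannot be reviewed from this patch. The body of rcmail_supportlink continues past the end of the hunk.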
@@ -61,11 +61,11 @@
   $table->add_header('source', rcube_label('source'));
 
   foreach ($plugins as $name => $data) {
-    $uri = $data['srcuri'];
+    $uri = $data['srcuri'] ? $data['srcuri'] : $data['uri'];
     if ($uri && stripos($uri, 'http') !== 0) {
       $uri = 'http://' . $uri;
     }
-    
+
     $table->add_row();
     $table->add('name', Q($data['name'] ? $data['name'] : $name));
     $table->add('version', Q($data['version']));
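Review bot: The guard `stripos($uri, 'http') !== 0` only checks that the value begins with the letters "http", and with the new fallback it now covers a second value that appears to come from the plugin's package.xml (the XPath map later in the file). Any string starting with "http" passes through unchanged, whether or not it is an http:// or https:// URL. A stricter test such as `if ($uri && !preg_match('#^https?://#i', $uri)) {` keeps the prefixing for bare host names while accepting only those two schemes. How `$uri` is escaped when it is written into the table lies outside this hunk and should be confirmed there, since the neighbouring cells go through `Q()`.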
@@ -87,6 +87,7 @@
     'license' => 'string(//rc:package/rc:license)',
     'license_uri' => 'string(//rc:package/rc:license/@uri)',
     'srcuri' => 'string(//rc:package/rc:srcuri)',
+    'uri' => 'string(//rc:package/rc:uri)',
   );
 
   $package = INSTALL_PATH . "/plugins/$name/package.xml";

--
Gitblit v1.9.1