From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/settings/func.inc | 9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index 319c58d..981d4e4 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -653,14 +653,15 @@
     }
 
     if (!isset($no_override['default_font'])) {
-        $field_id = 'rcmfd_default_font';
-        $fonts = rcube_fontdefs();
-        $default_font = $config['default_font'] ? $config['default_font'] : 'Verdana';
+        $field_id = 'rcmfd_default_font';
+        $fonts = rcube_fontdefs();
+        $selected = $config['default_font'];
 
         $select = '<select name="_default_font" id="'.$field_id.'">';
+        $select .= '<option value=""' . (!$selected ? ' selected="selected"' : '') . '>---</option>';
         foreach ($fonts as $fname => $font)
             $select .= '<option value="'.$fname.'"'
-                . ($fname == $default_font ? ' selected="selected"' : '')
+                . ($fname == $selected ? ' selected="selected"' : '')
                 . ' style=\'font-family: ' . $font . '\'>' . Q($fname) . '</option>';
 
         $select .= '</select>';
-- 
Gitblit v1.9.1
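Review bot: The new `($fname == $selected ? ' selected="selected"' : '')` uses a loose comparison where a strict one is safer against PHP's type-juggling rules, and the added `!$selected` test on the "---" option treats a stored value of `'0'` the same as an unset preference; `$fname === $selected` and `$selected === null || $selected === ''` express the intent precisely. It is worth noting on the positive side that `$selected` itself is never written into the markup — only the keys of `rcube_fontdefs()` are, which presumably is a static table — so a preference value that matches no font merely leaves no option selected rather than being reflected; the `value="'.$fname.'"` and `style='font-family: ...'` attributes are still emitted without `Q()` while the label is escaped, which is a consistency gap a follow-up could close. The patch subject refers to the `_session` argument of utils/save-prefs, but this single hunk (and the one-file diffstat) only touches the default-font selector in settings/func.inc, so the patch as shown does not by itself contain that handling change. The enclosing function starts and ends outside the hunk.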