From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/settings/func.inc | 30 +++++++++--------------------
 1 files changed, 9 insertions(+), 21 deletions(-)

diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index 876e027..981d4e4 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -483,8 +483,8 @@
 $blocks = array(
 'main' => array('name' => Q(rcube_label('mainoptions'))),
- 'spellcheck' => array('name' => Q(rcube_label('spellcheckoptions'))),
 'sig' => array('name' => Q(rcube_label('signatureoptions'))),
+ 'spellcheck' => array('name' => Q(rcube_label('spellcheckoptions'))),
 );
 // show checkbox to compose messages in a new window
@@ -581,8 +581,7 @@
 if (!isset($no_override['reply_mode'])) {
 $field_id = 'rcmfd_reply_mode';
- $select_replymode = new html_select(array('name' => '_reply_mode', 'id' => $field_id,
- 'onchange' => "\$('#rcmfd_sig_above').attr('disabled',this.selectedIndex<2)"));
+ $select_replymode = new html_select(array('name' => '_reply_mode', 'id' => $field_id));
 $select_replymode->add(rcube_label('replyempty'), -1);
 $select_replymode->add(rcube_label('replybottomposting'), 0);
 $select_replymode->add(rcube_label('replytopposting'), 1);
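Review bot: The change named in the patch subject — handling of the `_session` argument in utils/save-prefs — is not visible in any hunk of this patch; every hunk, including this one, edits only program/steps/settings/func.inc, so either the diff shown here is incomplete or the subject describes a different change, and that should be confirmed before this is treated as the security fix. Within this hunk, dropping the `onchange` attribute removes inline JavaScript that was assembled from a PHP string, which is fine on its own; it stays coherent only because the `#rcmfd_sig_above` control it toggled is deleted in a later hunk of the same patch, so the two should land together. The enclosing `if (!isset($no_override['reply_mode']))` block continues outside the hunk.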
@@ -631,18 +630,6 @@
 );
 }
- if (!isset($no_override['sig_above'])) {
- $field_id = 'rcmfd_sig_above';
- $select_sigabove = new html_select(array('name' => '_sig_above', 'id' => $field_id, 'disabled' => $config['reply_mode'] < 1));
- $select_sigabove->add(rcube_label('belowquote'), 0);
- $select_sigabove->add(rcube_label('abovequote'), 1);
-
- $blocks['sig']['options']['sig_above'] = array(
- 'title' => html::label($field_id, Q(rcube_label('replysignaturepos'))),
- 'content' => $select_sigabove->show($config['sig_above']?1:0),
- );
- }
-
 if (!isset($no_override['strip_existing_sig'])) {
 $field_id = 'rcmfd_strip_existing_sig';
 $input_stripexistingsig = new html_checkbox(array('name' => '_strip_existing_sig', 'id' => $field_id, 'value' => 1));
@@ -666,14 +653,15 @@
 }
 if (!isset($no_override['default_font'])) {
- $field_id = 'rcmfd_default_font';
- $fonts = rcube_fontdefs();
- $default_font = $config['default_font'] ? $config['default_font'] : 'Verdana';
+ $field_id = 'rcmfd_default_font';
+ $fonts = rcube_fontdefs();
+ $selected = $config['default_font'];
 $select = '<select name="_default_font" id="'.$field_id.'">';
+ $select .= '<option value=""' . (!$selected ? ' selected="selected"' : '') . '>---</option>';
 foreach ($fonts as $fname => $font)
 $select .= '<option value="'.$fname.'"'
- . ($fname == $default_font ? ' selected="selected"' : '')
+ . ($fname == $selected ? ' selected="selected"' : '')
 . ' style=\'font-family: ' . $font . '\'>' . Q($fname) . '</option>';
 $select .= '</select>';
@@ -695,7 +683,7 @@
 );
 if (!isset($no_override['default_addressbook'])
- && ($books = $RCMAIL->get_address_sources(true))
+ && ($books = $RCMAIL->get_address_sources(true, true))
 ) {
 $field_id = 'rcmfd_default_addressbook';
 $select_abook = new html_select(array('name' => '_default_addressbook', 'id' => $field_id));
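Review bot: The selection test `$fname == $selected` on the new side is a loose comparison between a font-definition key and a stored preference value, and now that the `'Verdana'` fallback is gone `$selected` can be whatever the preference store holds; a non-string value such as an integer `0` would, under pre-PHP-8 string-to-number comparison rules, match every key and mark every option selected. Compare as strings instead: `. ((string) $fname === (string) $selected ? ' selected="selected"' : '')`. The added `<option value="">` line keys on `!$selected`, which treats `'0'` the same as an unset preference; that looks intended but deserves a one-line comment stating what an empty preference value means. In the unchanged context `$fname` is written into `value="…"` raw while the option text goes through `Q()`; if rcube_fontdefs() is a fixed list this is harmless, otherwise the attribute needs the same escaping. The `if (!isset($no_override['default_font']))` block ends outside the hunk.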
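Review bot: The second positional `true` added in `$RCMAIL->get_address_sources(true, true)` gives the reader no hint of what it selects, and the method's signature is not part of this diff, so the call site depends on the reader looking it up. A short trailing comment naming the flag, taken from the method's own parameter name, would keep the condition readable, e.g. `&& ($books = $RCMAIL->get_address_sources(true, true)) // <second flag meaning>`. The `if` condition and its body continue outside the hunk.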
@@ -705,7 +693,7 @@
 }
 $blocks['main']['options']['default_addressbook'] = array(
- 'title' => html::label($field_id, Q(rcube_label('defaultaddressbook'))),
+ 'title' => html::label($field_id, Q(rcube_label('defaultabook'))),
 'content' => $select_abook->show($config['default_addressbook']),
 );
 }
--
Gitblit v1.9.1