From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
skins/classic/templates/compose.html | 107 +++++++++++++++++++++++++++++++++++++----------------
1 files changed, 74 insertions(+), 33 deletions(-)
diff --git a/skins/classic/templates/compose.html b/skins/classic/templates/compose.html
index caebf31..5b0b479 100644
--- a/skins/classic/templates/compose.html
+++ b/skins/classic/templates/compose.html
@@ -9,51 +9,75 @@
<script type="text/javascript" src="/functions.js"></script>
<script type="text/javascript" src="/splitter.js"></script>
<style type="text/css">
-#compose-attachments { width: <roundcube:exp expression="!empty(cookie:composesplitterv) ? cookie:composesplitterv-5 : 175" />px; }
-#compose-container { left: <roundcube:exp expression="!empty(cookie:composesplitterv) ? cookie:composesplitterv+5 : 185" />px;
-<roundcube:exp expression="browser:ie ? ('width: expression((parseInt(this.parentNode.offsetWidth)-'.(!empty(cookie:composesplitterv) ? cookie:composesplitterv+5 : 180).')+\\'px\\');') : ''" />
+#compose-contacts { width: <roundcube:exp expression="!empty(cookie:composesplitterv1) ? cookie:composesplitterv1-5 : 195" />px; }
+#compose-container { left: <roundcube:exp expression="!empty(cookie:composesplitterv1) ? cookie:composesplitterv1+5 : 205" />px;
+<roundcube:exp expression="browser:ie ? ('width: expression((parseInt(this.parentNode.offsetWidth)-'.(!empty(cookie:composesplitterv1) ? cookie:composesplitterv1+5 : 200).')+\\'px\\');') : ''" />
}
</style>
</head>
+<roundcube:if condition="env:extwin" />
+<body class="extwin" onload="rcube_init_mail_ui()">
+<roundcube:object name="message" id="message" />
+<roundcube:else />
<body onload="rcube_init_mail_ui()">
-
<roundcube:include file="/includes/taskbar.html" />
<roundcube:include file="/includes/header.html" />
-
-<form name="form" action="./" method="post">
+<roundcube:endif />
<div id="messagetoolbar">
+<roundcube:if condition="env:extwin" />
+ <roundcube:button command="close" type="link" class="button back" classAct="button back" classSel="button backSel" title="close" content=" " />
+<roundcube:else />
<roundcube:button command="list" type="link" class="button back" classAct="button back" classSel="button backSel" title="backtolist" content=" " />
+<roundcube:endif />
<roundcube:button command="send" type="link" class="buttonPas send" classAct="button send" classSel="button sendSel" title="sendmessage" content=" " />
+ <roundcube:button name="addattachment" type="link" class="button attach" classAct="button attach" classSel="button attachSel" title="addattachment" onclick="rcmail_ui.show_popup('uploadmenu', true);return false" content=" " />
+ <roundcube:button command="insert-sig" type="link" class="buttonPas insertsig" classAct="button insertsig" classSel="button insertsigSel" title="insertsignature" content=" " />
+ <roundcube:button command="savedraft" type="link" class="buttonPas savedraft" classAct="button savedraft" classSel="button savedraftSel" title="savemessage" content=" " />
<roundcube:if condition="config:enable_spellcheck" />
<span class="dropbutton">
<roundcube:button command="spellcheck" type="link" class="buttonPas spellcheck" classAct="button spellcheck" classSel="button spellcheckSel" title="checkspelling" content=" " />
<span id="spellmenulink" onclick="rcmail_ui.show_popup('spellmenu');return false"></span>
</span>
<roundcube:endif />
- <roundcube:button name="addattachment" type="link" class="button attach" classAct="button attach" classSel="button attachSel" title="addattachment" onclick="rcmail_ui.show_popup('uploadmenu', true);return false" content=" " />
- <roundcube:button command="insert-sig" type="link" class="buttonPas insertsig" classAct="button insertsig" classSel="button insertsigSel" title="insertsignature" content=" " />
- <roundcube:button command="savedraft" type="link" class="buttonPas savedraft" classAct="button savedraft" classSel="button savedraftSel" title="savemessage" content=" " />
<roundcube:container name="toolbar" id="compose-toolbar" />
<roundcube:button name="messageoptions" id="composemenulink" type="link" class="button messagemenu" title="messageoptions" onclick="rcmail_ui.show_popup('composemenu', true);return false" content=" " />
</div>
+<form name="form" action="./" method="post">
+
<div id="mainscreen">
-<div id="compose-attachments">
-<div class="boxtitle"><roundcube:label name="attachments" /></div>
+<div id="compose-contacts">
+<div class="boxtitle"><roundcube:label name="contacts" /></div>
<div class="boxlistcontent">
- <roundcube:object name="composeAttachmentList" id="attachmentslist" loadingIcon="/images/display/loading_blue.gif" />
+ <div id="quicksearchbar">
+ <img id="searchmenulink" src="/images/icons/glass.png" width="16" height="16" />
+ <roundcube:object name="searchform" id="quicksearchbox" form="true" tabindex="13" />
+ <roundcube:button command="reset-search" id="searchreset" image="/images/icons/reset.gif" title="resetsearch" width="13" height="13" />
+ </div>
+ <roundcube:object name="addressbooks" id="directorylist" />
+ <roundcube:object name="addresslist" id="contacts-table" class="records-table" cellspacing="0" noheader="true" />
</div>
<div class="boxfooter">
- <roundcube:button name="uploadmenulink" id="uploadmenulink" type="link" title="addattachment" class="button addgroup" onclick="rcmail_ui.show_popup('uploadmenu', true);return false" content=" " />
+ <div id="abookactions" class="pagenav">
+ <roundcube:button command="add-recipient" prop="to" type="link" title="to" class="button disabled" classAct="button" content="To &raquo;" />
+ <roundcube:button command="add-recipient" prop="cc" type="link" title="cc" class="button disabled" classAct="button" content="Cc &raquo;" />
+ <roundcube:button command="add-recipient" prop="bcc" type="link" title="bcc" class="button disabled" classAct="button" content="Bcc &raquo;" />
+ </div>
+ <div id="abookcountbar" class="pagenav">
+ <roundcube:button command="firstpage" type="link" class="buttonPas firstpage" classAct="button firstpage" classSel="button firstpageSel" title="firstpage" content=" " />
+ <roundcube:button command="previouspage" type="link" class="buttonPas prevpage" classAct="button prevpage" classSel="button prevpageSel" title="previouspage" content=" " />
+ <span style="float:left"> </span>
+ <roundcube:button command="nextpage" type="link" class="buttonPas nextpage" classAct="button nextpage" classSel="button nextpageSel" title="nextpage" content=" " />
+ <roundcube:button command="lastpage" type="link" class="buttonPas lastpage" classAct="button lastpage" classSel="button lastpageSel" title="lastpage" content=" " />
+ </div>
</div>
</div>
-<roundcube:object name="fileDropArea" id="compose-attachments" />
<script type="text/javascript">
- var composesplitv = new rcube_splitter({id:'composesplitterv', p1: 'compose-attachments', p2: 'compose-container', orientation: 'v', relative: true, start: 175});
- rcmail.add_onload('composesplitv.init()');
+ var composesplitv1 = new rcube_splitter({id:'composesplitterv1', p1: 'compose-contacts', p2: 'compose-container', orientation: 'v', relative: true, start: 200});
+ rcmail.add_onload('composesplitv1.init()');
</script>
<div id="compose-container">
@@ -64,6 +88,7 @@
<td class="editfield formlinks">
<roundcube:object name="composeHeaders" part="from" form="form" id="_from" tabindex="1" />
<a href="#identities" onclick="return rcmail.command('identities')"><roundcube:label name="editidents" /></a>
+ <roundcube:button command="extwin" image="/images/icons/extwin.png" width="15" height="15" title="openinextwin" id="openextwinlink" condition="!env:extwin" />
</td>
</tr><tr>
<td class="title top"><label for="_to"><roundcube:label name="to" /></label></td>
@@ -79,7 +104,7 @@
<a href="#bcc" onclick="return rcmail_ui.hide_header_form('bcc');"><img src="/images/icons/minus.gif" alt="" width="13" height="11" title="<roundcube:label name='delete' />" /></a>
<label for="_bcc"><roundcube:label name="bcc" /></label>
</td>
- <td colspan="2" class="editfield"><roundcube:object name="composeHeaders" part="bcc" form="form" id="_bcc" cols="70" rows="2" tabindex="4" /></td>
+ <td class="editfield"><roundcube:object name="composeHeaders" part="bcc" form="form" id="_bcc" cols="70" rows="2" tabindex="4" /></td>
</tr><tr id="compose-replyto">
<td class="title top">
<a href="#replyto" onclick="return rcmail_ui.hide_header_form('replyto');"><img src="/images/icons/minus.gif" alt="" width="13" height="11" title="<roundcube:label name='delete' />" /></a>
@@ -110,23 +135,39 @@
</table>
</div>
<div id="compose-div">
- <div class="boxlistcontent" style="overflow: hidden; top: 0">
- <roundcube:object name="composeBody" id="compose-body" form="form" cols="70" rows="20" tabindex="9" />
- </div>
- <div class="boxfooter">
- <div id="compose-buttons">
- <roundcube:button type="input" command="send" class="button mainaction" label="sendmessage" tabindex="10" />
- <roundcube:button type="input" command="list" class="button" label="cancel" tabindex="11" />
+ <div id="compose-body-div">
+ <div class="boxlistcontent" style="overflow: hidden; top: 0">
+ <roundcube:object name="composeBody" id="compose-body" form="form" cols="70" rows="20" tabindex="9" />
</div>
- <div id="compose-editorfooter">
- <roundcube:if condition="!in_array('htmleditor', (array)config:dont_override)" />
- <span>
- <label><roundcube:label name="editortype" /></label>
- <roundcube:object name="editorSelector" editorid="compose-body" tabindex="12" />
- </span>
- <roundcube:endif />
+ <div class="boxfooter">
+ <div id="compose-buttons">
+ <roundcube:button type="input" command="send" class="button mainaction" label="sendmessage" tabindex="10" />
+ <roundcube:button type="input" command="list" class="button" label="cancel" tabindex="11" />
+ </div>
+ <div id="compose-editorfooter" class="pagenav">
+ <roundcube:if condition="!in_array('htmleditor', (array)config:dont_override)" />
+ <span>
+ <label><roundcube:label name="editortype" /></label>
+ <roundcube:object name="editorSelector" editorid="compose-body" tabindex="12" />
+ </span>
+ <roundcube:endif />
+ </div>
</div>
</div>
+<script type="text/javascript">
+ var composesplitv2 = new rcube_splitter({id:'composesplitterv2', p1: 'compose-body-div', p2: 'compose-attachments', orientation: 'v', relative: true, start: $('#compose-headers-div').width() - 175});
+ rcmail.add_onload('composesplitv2.init()');
+</script>
+ <div id="compose-attachments">
+ <div class="boxtitle"><roundcube:label name="attachments" /></div>
+ <div class="boxlistcontent">
+ <roundcube:object name="composeAttachmentList" id="attachmentslist" loadingIcon="/images/display/loading_blue.gif" />
+ </div>
+ <div class="boxfooter">
+ <roundcube:button name="uploadmenulink" id="uploadmenulink" type="link" title="addattachment" class="button addgroup" onclick="rcmail_ui.show_popup('uploadmenu', true);return false" content=" " />
+ </div>
+ </div>
+ <roundcube:object name="fileDropArea" id="compose-attachments" />
</div>
</div>
@@ -143,10 +184,10 @@
</tr><tr>
<td><label for="rcmcomposepriority"><roundcube:label name="priority" />:</label></td>
<td><roundcube:object name="prioritySelector" form="form" id="rcmcomposepriority" /></td>
- </tr><tr>
+ </tr><roundcube:if condition="!config:no_save_sent_messages" /><tr>
<td><label><roundcube:label name="savesentmessagein" />:</label></td>
<td><roundcube:object name="storetarget" maxlength="30" /></td>
- </tr>
+ </tr><roundcube:endif />
</table>
</div>
--
Gitblit v1.9.1