From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 skins/larry/mail.css |  396 +++++++++++++++++++++++++++++++++++++++-----------------
 1 files changed, 277 insertions(+), 119 deletions(-)

diff --git a/skins/larry/mail.css b/skins/larry/mail.css
index 23bbc60..0f7752a 100644
--- a/skins/larry/mail.css
+++ b/skins/larry/mail.css
@@ -2,14 +2,12 @@
  * Roundcube webmail styles for the Email section
  *
  * Copyright (c) 2012, The Roundcube Dev Team
- * Screendesign by FLINT / B�ro f�r Gestaltung, bueroflint.com
+ * Screendesign by FLINT / B�ro f�r Gestaltung, bueroflint.com
  *
  * The contents are subject to the Creative Commons Attribution-ShareAlike
  * License. It is allowed to copy, distribute, transmit and to adapt the work
  * by keeping credits to the original autors in the README file.
  * See http://creativecommons.org/licenses/by-sa/3.0/ for details.
- *
- * $Id$
  */
 
 #mailview-left {
@@ -30,6 +28,10 @@
 	z-index: 3;
 }
 
+#mailview-right.fullwidth {
+	left: 0;
+}
+
 #mailview-top {
 	position: absolute;
 	top: 42px;
@@ -47,7 +49,9 @@
 	left: 0;
 	bottom: 0;
 	width: 100%;
-	height: 26px;
+	height: 27px;
+	border-radius: 4px;
+	border-top: none;
 }
 
 #folderlist-header {
@@ -137,8 +141,9 @@
 	background-position: 6px 2px;
 }
 
-#mailboxlist li:first-child {
+#mailboxlist > li:first-child {
 	border-radius: 4px 4px 0 0;
+	border-top: 0;
 }
 
 #mailboxlist li.mailbox a {
@@ -151,7 +156,7 @@
 	background-position: 6px 3px;
 }
 
-#mailboxlist li.mailbox.unread a {
+#mailboxlist li.mailbox.unread > a {
 	padding-right: 36px;
 }
 
@@ -219,6 +224,17 @@
 	color: #017cb4;
 }
 
+#mailboxlist li.mailbox div.treetoggle {
+	top: 13px;
+	left: 19px;
+}
+
+#mailboxlist li.mailbox ul li:last-child {
+	border-bottom: 0;
+}
+
+/* nested mailboxes */
+
 #mailboxlist li.mailbox ul {
 	list-style: none;
 	margin: 0;
@@ -226,50 +242,57 @@
 	border-top: 1px solid #bbd3da;
 }
 
-#mailboxlist li.mailbox ul li {
-	padding-left: 26px;
-}
-
 #mailboxlist li.mailbox ul li a {
-	background-position: 6px -93px;
+	padding-left: 52px;  /* 36 + 1 x 16 */
+	background-position: 22px -93px;  /* 6 + 1 x 16 */
 }
-
 #mailboxlist li.mailbox ul li.selected > a {
-	background-position: 6px -117px;
+	background-position: 22px -117px;
 }
-
-#mailboxlist li.mailbox ul li:last-child {
-	border-bottom: 0;
-}
-
-#mailboxlist li.mailbox div.collapsed,
-#mailboxlist li.mailbox div.expanded {
-	position: absolute;
-	top: 13px;
-	left: 19px;
-	width: 13px;
-	height: 13px;
-	background: url(images/listicons.png) -3px -144px no-repeat;
-	cursor: pointer;
-}
-
-#mailboxlist li.mailbox div.expanded {
-	background-position: -3px -168px;
-}
-
-#mailboxlist li.mailbox.selected > div.collapsed {
-	background-position: -23px -144px;
-}
-
-#mailboxlist li.mailbox.selected > div.expanded {
-	background-position: -23px -168px;
-}
-
-
-#mailboxlist li.mailbox ul li div.collapsed,
-#mailboxlist li.mailbox ul li div.expanded {
-	left: 43px;
+#mailboxlist li.mailbox ul li div.treetoggle {
+	left: 33px;
 	top: 14px;
+}
+
+#mailboxlist li.mailbox ul ul li.mailbox a {
+	padding-left: 68px;  /* 2x */
+	background-position: 38px -93px;
+}
+#mailboxlist li.mailbox ul ul li.selected > a {
+	background-position: 38px -117px;
+}
+#mailboxlist li.mailbox ul ul li div.treetoggle {
+	left: 48px;
+}
+
+#mailboxlist li.mailbox ul ul ul li.mailbox a {
+	padding-left: 84px;  /* 3x */
+	background-position: 54px -93px;
+}
+#mailboxlist li.mailbox ul ul ul li.selected > a {
+	background-position: 54px -117px;
+}
+#mailboxlist li.mailbox ul ul ul li div.treetoggle {
+	left: 64px;
+}
+
+#mailboxlist li.mailbox ul ul ul ul li.mailbox a {
+	padding-left: 100px;  /* 4x */
+	background-position: 70px -93px;
+}
+#mailboxlist li.mailbox ul ul ul ul li.selected > a {
+	background-position: 70px -117px;
+}
+#mailboxlist li.mailbox ul ul ul ul li div.treetoggle {
+	left: 80px;
+}
+
+/* indent folders on levels > 4 */
+#mailboxlist li.mailbox ul ul ul ul ul li {
+	padding-left: 16px;
+}
+#mailboxlist li.mailbox ul ul ul ul ul li div.treetoggle {
+	left: 96px;
 }
 
 #mailboxlist li.mailbox .unreadcount {
@@ -325,7 +348,7 @@
 	position: absolute;
 	right: 256px;
 	width: auto;
-	top: 7px;
+	top: 2px;
 }
 
 #searchfilter select {
@@ -415,10 +438,13 @@
 	border-left: 0;
 }
 
-
 #messagelist tr td.size {
 	width: 60px;
 	text-align: right;
+}
+
+#messagelist thead tr td.size {
+	text-align: left;
 }
 
 #messagelist tr td.fromto,
@@ -612,12 +638,12 @@
 }
 
 #messagelist tr td div.collapsed {
-	background-position: 0 -1136px;
+	background-position: 0 -1137px;
 	cursor: pointer;
 }
 
 #messagelist tr td div.expanded {
-	background-position: 0 -1156px;
+	background-position: 0 -1157px;
 	cursor: pointer;
 }
 
@@ -688,17 +714,20 @@
 	position: relative;
 	padding: 3px 0;
 	background: #f9f9f9;
-	background: -moz-linear-gradient(top, #fff 0%, #e9e9e9 100%);
-	background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#fff), color-stop(100%,#e9e9e9));
-	background: -o-linear-gradient(top, #fff 0%, #e9e9e9 100%);
-	background: -ms-linear-gradient(top, #fff 0%, #e9e9e9 100%);
-	background: linear-gradient(top, #fff 0%, #e9e9e9 100%);
+	background: -moz-linear-gradient(top, #fff 0%, #f0f0f0 100%);
+	background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#fff), color-stop(100%,#f0f0f0));
+	background: -o-linear-gradient(top, #fff 0%, #f0f0f0 100%);
+	background: -ms-linear-gradient(top, #fff 0%, #f0f0f0 100%);
+	background: linear-gradient(top, #fff 0%, #f0f0f0 100%);
+	border-bottom: 1px solid #dfdfdf;
 }
 
 #mailview-right #messageheader {
 	border-radius: 4px 4px 0 0;
-	padding-left: 58px;
-	border-bottom: 2px solid #e6e6e6;
+	padding-left: 78px;
+	/* avoid headers eating up all the vertical space */
+	max-height: 50%;
+	overflow: auto;
 }
 
 h2.subject {
@@ -716,7 +745,7 @@
 
 h3.subject {
 	font-size: 14px;
-	margin: 0 8em 0 0;
+	margin: 0 12em 0 0;
 	padding: 8px 8px 4px 8px;
 	white-space: nowrap;
 	overflow: hidden;
@@ -728,7 +757,8 @@
 	padding: 2px 8px;
 }
 
-.headers-table td.header {
+.headers-table td.header,
+.ui-dialog-content.popup span.adr {
 	font-weight: bold;
 }
 
@@ -736,12 +766,14 @@
 	white-space: nowrap;
 }
 
-.headers-table td.header a {
+.headers-table td.header a,
+.ui-dialog-content.popup span.adr a {
 	color: #666;
 	text-decoration: none;
 }
 
-.headers-table td.header a:hover {
+.headers-table td.header a:hover,
+.ui-dialog-content.popup span.adr a:hover {
 	text-decoration: underline;
 }
 
@@ -751,8 +783,15 @@
 	font-weight: bold;
 }
 
-.headers-table td.header span {
+.headers-table td.header span,
+.ui-dialog-content.popup span.adr {
 	white-space: nowrap;
+}
+
+.headers-table td.header a.morelink {
+	color: #0069a6;
+	white-space: nowrap;
+	font-weight: normal;
 }
 
 .rcmaddcontact {
@@ -779,7 +818,7 @@
 	padding-right: 18px;
 }
 
-#previewheaderstoggle {
+.moreheaderstoggle {
 	display: block;
 	position: absolute;
 	top: 0;
@@ -798,7 +837,7 @@
 	border-radius: 3px 0 0 0; /* for Opera */
 }
 
-#previewheaderstoggle .iconlink {
+.moreheaderstoggle .iconlink {
 	display: inline-block;
 	position: absolute;
 	top: 8px;
@@ -808,7 +847,7 @@
 	background: url(images/buttons.png) -27px -242px no-repeat;
 }
 
-#previewheaderstoggle.remove .iconlink {
+.moreheaderstoggle.remove .iconlink {
 	top: auto;
 	bottom: 5px;
 	background-position: -5px -242px;
@@ -825,11 +864,11 @@
 	width: 12px;
 	height: 10px;
 	cursor: pointer;
-	background: url(images/buttons.png) center -1619px no-repeat;
+	background: url(images/buttons.png) center -1579px no-repeat;
 }
 
 div.hide-headers {
-	background-position: center -1629px;
+	background-position: center -1589px;
 }
 
 #all-headers {
@@ -859,24 +898,22 @@
 	color: #333;
 }
 
-#messagepreviewheader #all-headers {
+#messageheader.previewheader #all-headers {
 	margin-left: 0;
 }
 
-#messagepreviewheader {
+#messageheader.previewheader {
 	position: relative;
 	height: auto;
 	min-height: 52px;
-	margin: 0 8px 0 0;
-	padding: 0 0 0px 72px;
-	border-bottom: 2px solid #f0f0f0;
+	padding: 0 0 3px 72px;
 }
 
-#messagepreviewheader h3.subject {
+#messageheader.previewheader h3.subject {
 	padding: 8px 8px 2px 0;
 }
 
-#messagepreviewheader #contactphoto {
+#messageheader.previewheader #contactphoto {
 	display: block;
 	position: absolute;
 	top: 11px;
@@ -888,21 +925,26 @@
 	border-radius: 3px;
 }
 
-#messagepreviewheader #contactphoto img {
+#messageheader.previewheader #contactphoto img {
 	width: 32px;
 	height: auto;
 	border-radius: 3px;
+}
+
+#messageheader .message-headers {
+	min-height: 60px;
 }
 
 #messageheader #contactphoto {
 	display: block;
 	position: absolute;
 	top: 34px;
-	left: 10px;
+	left: 30px;
 	width: 48px;
 	height: 48px;
 	overflow: hidden;
 	border-radius: 4px;
+	border: 1px solid #e6e6e6;
 	background: url(images/contactpic_48px.png) center center no-repeat #fff;
 }
 
@@ -912,12 +954,10 @@
 	border-radius: 4px;
 }
 
-#messagepreviewheader #countcontrols,
 #messageheader #countcontrols {
 	position: absolute;
 	top: 8px;
 	right: 8px;
-	width: 20em;
 	text-align: right;
 	white-space: nowrap;
 }
@@ -952,6 +992,7 @@
 }
 
 #messagebody {
+	position: relative;
 	margin: 8px;
 }
 
@@ -966,7 +1007,7 @@
 	color: #960;
 	border: 1px solid #ffdf0e;
 	background-color: #fef893;
-	background-position: 5px -85px;
+	background-position: 5px -83px;
 	padding: 6px 12px 4px 30px;
 	white-space: normal;
 }
@@ -977,12 +1018,14 @@
 }
 
 div.message-part,
-div.message-htmlpart {
-	padding: 0 2px 10px 2px;
-	border-top: 2px solid #f0f0f0;
+div.message-htmlpart,
+div.message-partheaders {
+	padding: 10px 2px;
+	border-top: 1px solid #ccc;
 }
 
 #messagebody div:first-child {
+	padding-top: 0;
 	border-top: 0;
 }
 
@@ -1023,6 +1066,24 @@
 	border-right: 2px solid #bb0000;
 }
 
+div.message-partheaders {
+	margin-top: 8px;
+	padding: 8px 0;
+}
+
+div.message-partheaders .headers-table {
+	width: 100%;
+}
+
+div.message-partheaders .headers-table td.header-title {
+	width: auto;
+	padding-left: 0;
+}
+
+div.message-partheaders .headers-table td.header {
+	width: 88%;
+}
+
 #messagebody > hr {
 	color: #fff;
 	background: #fff;
@@ -1030,8 +1091,49 @@
 	border-bottom: 2px solid #f0f0f0;
 }
 
-#messagebody > p > img {
+#messagebody fieldset.image-attachment {
+	border: 0;
+	border-top: 1px solid #ccc;
+	margin-top: 1em;
+}
+
+#messagebody fieldset.image-attachment p > img {
 	max-width: 80%;
+}
+
+#messagebody legend.image-filename {
+	color: #999;
+	font-size: 0.9em;
+	margin: 0 1em;
+}
+
+#messagebody p.image-attachment {
+	position: relative;
+	padding: 1em;
+	border-top: 1px solid #ccc;
+}
+
+#messagebody p.image-attachment a.image-link {
+	float: left;
+	display: block;
+	margin-right: 2em;
+	min-width: 160px;
+	min-height: 60px;
+	text-align: center;
+}
+
+#messagebody p.image-attachment .image-filename {
+	display: block;
+	font-weight: bold;
+	line-height: 1.6em;
+}
+
+#messagebody p.image-attachment .image-filesize {
+	padding-right: 1em;
+}
+
+#messagebody p.image-attachment .attachment-links a {
+	margin-right: 0.6em;
 }
 
 #messagepartcontainer {
@@ -1044,6 +1146,8 @@
 
 #messagepartframe {
 	border: 0;
+	width: 100%;
+	height: 100%;
 }
 
 /*** message composition ***/
@@ -1072,6 +1176,23 @@
 	bottom: 0;
 }
 
+#composequicksearch {
+	position: relative;
+	padding: 4px;
+	background: #c7e3ef;
+}
+
+#composequicksearch .searchbox input {
+	width: 100%;
+	height: 26px;
+	-moz-box-sizing: border-box;
+	box-sizing: border-box;
+}
+
+#composequicksearch #searchmenulink {
+	width: 15px;
+}
+
 #compose-contacts #directorylist {
 	border-bottom: 4px solid #c7e3ef;
 }
@@ -1093,11 +1214,31 @@
 	display: block;
 }
 
+#contacts-table td span.email {
+	display: inline;
+	color: #69939e;
+	font-style: italic;
+	margin-left: 0.5em;
+}
+
 #compose-contacts li a, #contacts-table td {
 	background: url(images/listicons.png) -100px 0 no-repeat;
 	overflow: hidden;
 	padding-left: 36px;
 	text-overflow: ellipsis;
+}
+
+#contacts-table td.contactgroup a {
+	color: #376572;
+	text-decoration: none;
+}
+
+#contacts-table td.contactgroup a span {
+	display: inline-block;
+	font-size: 16px;
+	font-weight: bold;
+	line-height: 11px;
+	margin-left: 0.3em;
 }
 
 #contacts-table tr:first-child td {
@@ -1130,46 +1271,48 @@
 	background-position: 6px -1627px;
 }
 
-
 #compose-content {
 	position: absolute;
 	top: 42px;
 	left: 0;
 	width: 100%;
 	bottom: 28px;
-	border-bottom-left-radius: 0;
-	border-bottom-right-radius: 0;
+	border-radius: 4px 4px 0 0;
+	border-bottom: none;
 	overflow: hidden;
 }
 
 #composeheaders {
 	border-radius: 4px 4px 0 0;
-	-webkit-box-shadow: 0 2px 3px 0 #999;
-	-moz-box-shadow: 0 2px 3px 0 #999;
-	box-shadow: 0 2px 3px 0 #999;
+	padding-left: 19px;
 }
 
 #composebuttons {
 	position: absolute;
-	top: 8px;
-	right: 8px;
+	top: 6px;
+	right: 6px;
 	width: auto;
 	white-space: nowrap;
 	z-index: 100;
 }
 
+#composebuttons a.button.extwin {
+	padding: 2px 3px;
+}
+
 .compose-headers {
 	width: 99%;
-	margin: 4px 0;
+	margin-bottom: 2px;
 }
 
 .compose-headers td {
-	padding: 4px 4px 4px 8px;
+	padding: 2px 4px;
 }
 
 .compose-headers td.title {
 	width: 11%;
 	white-space: nowrap;
+	padding-left: 6px;
 }
 
 .compose-headers td.title label {
@@ -1205,55 +1348,43 @@
 .compose-headers td input {
 	width: 100%;
 	resize: none;
+	font-family: "Lucida Grande", Verdana, Arial, Helvetica, sans-serif;
+	font-size: 11px;
 }
 
 #compose-cc, #compose-bcc, #compose-replyto, #compose-followupto {
 	display: none;
 }
 
-#composeoptionsbox {
-	padding: 4px 8px 0 8px;
-	background: #d2d2d2;
-	border-bottom: 1px solid #e8e8e8;
-	-webkit-box-shadow: 0 2px 3px 0 #999;
-	-moz-box-shadow: 0 2px 3px 0 #999;
-	box-shadow: 0 2px 3px 0 #999;
-	white-space: nowrap;
-}
-
 #composeoptions {
 	display: none;
-	padding: 2px 0;
+	padding: 2px 0 0 8px;
 	white-space: normal;
+	border-top: 1px solid #dfdfdf;
+	box-shadow: inset 0 1px 0 0 #fff;
+	-o-box-shadow: inset 0 1px 0 0 #fff;
+	-webkit-box-shadow: inset 0 1px 0 0 #fff;
+	-moz-box-shadow: inset 0 1px 0 0 #fff;
+
 }
 
 .composeoption {
+	color: #666;
 	padding-right: 22px;
 	white-space: nowrap;
 }
 
 #composeoptions .composeoption {
 	display: inline-block;
-	padding: 4px 28px 4px 0;
+	padding: 4px 22px 4px 0;
 }
 
 #composeoptions .composeoption:last-child {
 	padding-right: 4px;
 }
 
-#composeoptionstoggle {
-	display: inline-block;
-	position: relative;
-	top: -1px;
-	left: 6px;
-	width: 20px;
-	height: 18px;
-	background: url(images/buttons.png) -3px -1640px no-repeat;
-	text-decoration: none;
-}
-
-#composeoptionstoggle.enabled {
-	background-position: -28px -1640px;
+.mozilla .composeoption input {
+	vertical-align: -3px;
 }
 
 #composeview-bottom {
@@ -1270,24 +1401,35 @@
 	bottom: 0;
 }
 
+#composebodycontainer.buttons {
+	bottom: 42px;
+}
+
 #composebody {
 	position: absolute;
-	top: 1px;
+	top: 0;
 	left: 0;
 	bottom: 0;
 	width: 99%;
 	border: 0;
 	border-radius: 0;
 	padding: 8px 0 8px 8px;
-	box-shadow: none;
 	resize: none;
 	font-family: monospace;
 	font-size: 9pt;
 	outline: none;
+	box-shadow: inset 0 0 2px 1px rgba(0,0,0, 0.2);
+	-moz-box-shadow: inset 0 0 2px 1px rgba(0,0,0, 0.2);
+	-webkit-box-shadow: inset 0 0 2px 1px rgba(0,0,0, 0.2);
+	-o-box-shadow: inset 0 0 2px 1px rgba(0,0,0, 0.2);
 }
 
 #composebody:active,
 #composebody:focus {
+	box-shadow: inset 0 0 3px 2px rgba(71,135,177, 0.9);
+	-moz-box-shadow: inset 0 0 3px 2px rgba(71,135,177, 0.9);
+	-webkit-box-shadow: inset 0 0 3px 2px rgba(71,135,177, 0.9);
+	-o-box-shadow: inset 0 0 3px 2px rgba(71,135,177, 0.9);
 }
 
 #compose-attachments {
@@ -1327,11 +1469,27 @@
 	-o-box-shadow: 0 0 5px 2px rgba(71,135,177, 0.9);
 }
 
+#composeview-bottom .formbuttons.floating {
+	position: absolute;
+	width: auto;
+	right: 260px;
+	z-index: 200;
+	padding-bottom: 8px;
+}
+
 .defaultSkin table.mceLayout,
 .defaultSkin table.mceLayout tr.mceLast td {
 	border: 0 !important;
 }
 
+.defaultSkin td.mceToolbar {
+	border: 0 !important;
+}
+
+.defaultSkin table.mceLayout tr.mceFirst td {
+	background: #f0f0f0;
+}
+
 #composebody_toolbargroup {
 	border-bottom: 1px solid #ddd;
 }

--
Gitblit v1.9.1