From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 skins/larry/styles.css |  267 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 259 insertions(+), 8 deletions(-)

diff --git a/skins/larry/styles.css b/skins/larry/styles.css
index b4a4d81..39f01f7 100644
--- a/skins/larry/styles.css
+++ b/skins/larry/styles.css
@@ -8,8 +8,6 @@
  * License. It is allowed to copy, distribute, transmit and to adapt the work
  * by keeping credits to the original autors in the README file.
  * See http://creativecommons.org/licenses/by-sa/3.0/ for details.
- *
- * $Id$
  */
 
 body {
@@ -69,6 +67,12 @@
 
 .bold {
 	font-weight: bold;
+}
+
+/* fixes vertical alignment of checkboxes and labels */
+label input,
+label span {
+	vertical-align: middle;
 }
 
 /*** buttons ***/
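Review bot: Nothing in this hunk, or in any other hunk of this patch, touches the `_session` argument handling of utils/save-prefs named in the subject. The diffstat lists only skins/larry/styles.css, and every change is presentational (this checkbox alignment rule, the minimal header mode, tree-list toggles, attachment icons). Either this page shows one file of a larger commit, or skin work was bundled into the security commit; the second case makes the fix harder to audit and to backport. I would keep the security fix in its own commit and name the file that carries it in the description, so anyone verifying the fix from this record knows the stylesheet is not where to look.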
@@ -504,15 +508,21 @@
 
 /*** basic page layout ***/
 
+#header {
+	overflow-x: hidden; /* Chrome bug #1488851 */
+}
+
 #topline {
 	height: 18px;
 	background: url(images/linen_header.jpg) repeat #666;
 	border-bottom: 1px solid #4f4f4f;
 	padding: 2px 0 2px 10px;
 	color: #aaa;
+	text-align: center;
 }
 
 #topnav {
+	position: relative;
 	height: 46px;
 	margin-bottom: 10px;
 	padding: 0 0 0 10px;
@@ -569,8 +579,156 @@
 	color: #fff;
 }
 
+#taskbar .button-logout {
+	display: none;
+}
+
+#taskbar a.button-logout span.button-inner {
+	background-position: -2px -1791px;
+}
+
+#taskbar a.button-logout:hover span.button-inner {
+	background-position: -2px -1829px;
+}
+
+
+/*** minimal version of the page header ***/
+
+.minimal #topline {
+	position: fixed;
+	top: -18px;
+	background: #444;
+	z-index: 5000;
+	width: 100%;
+	height: 22px;
+	-moz-box-sizing: border-box;
+	box-sizing: border-box;
+}
+
+.minimal #topline:hover {
+	top: 0px;
+	opacity: 0.94;
+	filter: alpha(opacity=94);
+	-webkit-transition: top 0.3s ease-in-out;
+	-moz-transition: top 0.3s ease-in-out;
+	-o-transition: top 0.3s ease-in-out;
+	transition: top 0.3s ease-in-out;
+}
+
+.extwin #topline,
+.extwin #topline:hover {
+	position: static;
+	top: 0px;
+	height: 18px;
+	width: auto;
+	-moz-box-sizing: content-box;
+	box-sizing: content-box;
+	opacity: 0.999;
+}
+
+.partwin #topline {
+	position: absolute;
+	right: 6px;
+	top: 18px;
+	width: auto;
+	z-index: 100;
+	background: transparent;
+	background: none;
+	border: 0;
+}
+
+.minimal #topline a.button-logout {
+	display: none;
+}
+
+.minimal #topline span.username {
+	display: inline-block;
+	padding-top: 2px;
+}
+
+.minimal #topnav {
+	position: relative;
+	top: 4px;
+	height: 42px;
+}
+
+.minimal #taskbar a {
+	position: relative;
+	padding: 10px 10px 0 6px;
+	height: 32px;
+}
+
+.minimal #taskbar .button-logout {
+	display: inline-block;
+}
+
+.minimal #taskbar .button-inner {
+	top: -4px;
+	padding: 0;
+	height: 24px !important;
+	width: 27px;
+	text-indent: -5000px;
+}
+
+#taskbar .tooltip {
+	display: none;
+}
+
+.minimal #taskbar .tooltip {
+	position: absolute;
+	top: -500px;
+	right: 2px;
+	display: inline-block;
+	padding: 2px 8px 3px 8px;
+	background: #444;
+	background: -moz-linear-gradient(top, #444 0%, #333 100%);
+	background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#444), color-stop(100%,#333));
+	background: -o-linear-gradient(top, #444 0%, #333 100%);
+	background: -ms-linear-gradient(top, #444 0%, #333 100%);
+	background: linear-gradient(top, #444 0%, #333 100%);
+	color: #eee;
+	font-weight: bold;
+	white-space: nowrap;
+	border: 1px solid #777;
+	box-shadow: 0 1px 5px 0 #333;
+	-moz-box-shadow: 0 1px 5px 0 #333;
+	-webkit-box-shadow: 0 1px 5px 0 #333;
+	-o-box-shadow: 0 1px 5px 0 #333;
+	z-index: 200;
+	white-space: nowrap;
+	text-shadow: 0px 1px 1px #000;
+}
+
+.minimal #taskbar .tooltip:after {
+	content: "";
+	position: absolute;
+	top: -4px;
+	right: 15px;
+	border-style: solid;
+	border-width: 0 4px 4px;
+	border-color: #888 transparent;
+	/* reduce the damage in FF3.0 */
+	display: block; 
+	width: 0;
+	z-index: 251;
+}
+
+.ie8 .minimal #taskbar .tooltip:after {
+	top: -6px;
+}
+
+.minimal #taskbar a:hover .tooltip {
+	display: block;
+	top: 39px;
+}
+
 
 /*** taskbar ***/
+
+#taskbar {
+	position: relative;
+	padding-right: 18px;
+}
 
 #taskbar a {
 	display: inline-block;
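Review bot: In minimal mode the tooltip is the only visible label for the taskbar icons, because `.minimal #taskbar .button-inner` pushes the text off-screen with `text-indent: -5000px`, yet the tooltip is revealed on `a:hover` alone. A sighted keyboard user tabbing through the taskbar therefore gets unlabeled icons, including the logout button that this mode moves into the taskbar. Extend the last selector to `.minimal #taskbar a:hover .tooltip, .minimal #taskbar a:focus .tooltip {`. In the same tooltip rule `white-space: nowrap;` is declared twice, and the unprefixed `linear-gradient(top, …)` uses the old direction syntax where the standard form is `linear-gradient(to bottom, #444 0%, #333 100%)`. The `#taskbar a` rule at the end of the hunk continues outside it.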
@@ -629,6 +787,22 @@
 	background-position: 0 -168px;
 }
 
+#taskbar .minmodetoggle {
+	position: absolute;
+	top: 0;
+	right: 0;
+	display: block;
+	width: 19px;
+	height: 46px;
+	cursor: pointer;
+	background: url(images/buttons.png) -35px -1778px no-repeat;
+}
+
+.minimal #taskbar .minmodetoggle {
+	height: 42px;
+	background-position: -35px -1820px;
+}
+
 #mainscreen {
 	position: absolute;
 	top: 88px;
@@ -637,12 +811,24 @@
 	bottom: 20px;
 }
 
+.minimal #mainscreen {
+	top: 62px;
+}
+
+.minimal #mainscreen.offset {
+	top: 102px;
+}
+
+.partwin #mainscreen {
+	top: 60px
+}
+
 .extwin #mainscreen {
 	top: 40px;
 }
 
 #mainscreen.offset {
-	top: 130px;
+	top: 132px;
 }
 
 #mainscreen .offset {
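Review bot: `.partwin #mainscreen` ends its only declaration without a semicolon (`top: 60px`), unlike every other rule in this hunk. It parses today, but the next declaration appended to that rule would be swallowed into the value and both would be dropped; write `top: 60px;`. The `#mainscreen .offset` rule at the end of the hunk continues outside it.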
@@ -690,6 +876,15 @@
 	background-position: center;
 	background-repeat: no-repeat;
 }
+
+/* fix scrolling within iframes in webkit browsers on touch devices */
+@media screen and (-webkit-min-device-pixel-ratio:0) and (max-device-width:1024px) {
+	.iframebox {
+		overflow: auto;
+		-webkit-overflow-scrolling: touch;
+	}
+}
+
 
 /*** lists ***/
 
@@ -800,9 +995,17 @@
 	background-color: #d9ecf4;
 }
 
+ul.listing li ul {
+	border-top: 1px solid #bbd3da;
+}
+
 ul.listing li.droptarget,
 table.listing tr.droptarget td {
 	background-color: #e8e798;
+}
+
+.listbox table.listing {
+	background-color: #d9ecf4;
 }
 
 table.listing,
@@ -814,6 +1017,32 @@
 
 table.layout td {
 	vertical-align: top;
+}
+
+ul.treelist li {
+	position: relative;
+}
+
+ul.treelist li div.treetoggle {
+	position: absolute;
+	top: 13px;
+	left: 19px;
+	width: 13px;
+	height: 13px;
+	background: url(images/listicons.png) -3px -144px no-repeat;
+	cursor: pointer;
+}
+
+ul.treelist li div.treetoggle.expanded {
+	background-position: -3px -168px;
+}
+
+ul.treelist li.selected > div.collapsed {
+	background-position: -23px -144px;
+}
+
+ul.treelist li.selected > div.expanded {
+	background-position: -23px -168px;
 }
 
 .listbox .boxfooter {
@@ -1058,6 +1287,10 @@
 body.iframe {
 	background: #fff;
 	margin: 38px 0 10px 0;
+}
+
+body.iframe.error {
+	background: #ededed;
 }
 
 body.iframe.floatingbuttons {
@@ -1328,17 +1561,21 @@
 
 /*** quicksearch **/
 
+.searchbox {
+	position: relative;
+}
+
 #quicksearchbar {
 	position: absolute;
 	right: 1px;
-	top: 0;
+	top: 2px;
 	width: 240px;
 }
 
+.searchbox input,
 #quicksearchbar input {
 	width: 176px;
 	margin: 0;
-	margin-top: 7px;
 	padding: 3px 30px 3px 34px;
 	height: 18px;
 	background: #f1f1f1;
@@ -1347,15 +1584,17 @@
 	font-size: 11px;
 }
 
+.searchbox #searchmenulink,
 #quicksearchbar #searchmenulink {
 	position: absolute;
-	top: 12px;
+	top: 5px;
 	left: 6px;
 }
 
+.searchbox #searchreset,
 #quicksearchbar #searchreset {
 	position: absolute;
-	top: 11px;
+	top: 4px;
 	right: 1px;
 }
 
@@ -1387,6 +1626,7 @@
 	-o-box-shadow: none;
 	background: url(images/buttons.png) -100px 0 no-repeat transparent;
 	border: 0;
+	border-radius: 0;
 }
 
 .toolbar a.button.disabled {
@@ -1973,10 +2213,21 @@
 	background-position: 0 -390px;
 }
 
-.attachmentslist li.html {
+.attachmentslist li.sig,
+.attachmentslist li.pgp-signature,
+.attachmentslist li.pkcs7-signature {
 	background-position: 0 -442px;
 }
 
+.attachmentslist li.html {
+	background-position: 0 -468px;
+}
+
+.attachmentslist li.eml,
+.attachmentslist li.rfc822 {
+	background-position: 0 -494px;
+}
+
 .attachmentslist li a,
 #compose-attachments ul li {
 	display: block;
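Review bot: The `li.sig`, `li.pgp-signature` and `li.pkcs7-signature` selectors give signature attachments their own icon, and nothing here records that the icon reflects attachment type only. If these classes are derived from the filename extension or the declared MIME subtype (not visible in this patch), the sender controls them, so the icon must not be read as evidence that a signature was verified. A one-line comment above the rule would do: `/* icon by attachment type only; says nothing about signature validity */`. The `.attachmentslist li a` rule at the end of the hunk continues outside it.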

--
Gitblit v1.9.1