From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 skins/larry/templates/compose.html | 123 ++++++++++++++++++++++++----------
 1 files changed, 73 insertions(+), 50 deletions(-)
diff --git a/skins/larry/templates/compose.html b/skins/larry/templates/compose.html
index 7f0998e..9cfe7fe 100644
--- a/skins/larry/templates/compose.html
+++ b/skins/larry/templates/compose.html
@@ -3,23 +3,53 @@ <head> <title><roundcube:object name="pagetitle" /></title> <roundcube:include file="/includes/links.html" /> +<roundcube:if condition="config:enable_spellcheck" /> <link rel="stylesheet" type="text/css" href="/googiespell.css" /> +<roundcube:endif /> </head> -<body> +<roundcube:if condition="env:extwin" /><body class="extwin"><roundcube:else /><body><roundcube:endif /> <roundcube:include file="/includes/header.html" /> <div id="mainscreen"> + +<!-- toolbar --> +<div id="messagetoolbar" class="fullwidth"> +<div id="mailtoolbar" class="toolbar"> + <roundcube:button command="list" type="link" class="button back disabled" classAct="button back" classSel="button back pressed" label="cancel" condition="!env:extwin" /> + <roundcube:button command="close" type="link" class="button close disabled" classAct="button close" classSel="button close pressed" label="cancel" condition="env:extwin" /> + <span class="spacer"></span> + <roundcube:button command="send" type="link" class="button send" classAct="button send" classSel="button send pressed" label="send" title="sendmessage" /> + <roundcube:button command="savedraft" type="link" class="button savedraft" classAct="button savedraft" classSel="button savedraft pressed" label="save" title="savemessage" /> + <span class="spacer"></span> + <roundcube:if condition="config:enable_spellcheck" /> + <span class="dropbutton"> + <roundcube:button command="spellcheck" type="link" class="button spellcheck disabled" classAct="button spellcheck" classSel="button spellcheck pressed" label="spellcheck" title="checkspelling" /> + <span class="dropbuttontip" id="spellmenulink" onclick="UI.show_popup('spellmenu');return false"></span> + </span> + <roundcube:endif /> + <roundcube:button name="addattachment" type="link" class="button attach" classAct="button attach" classSel="button attach pressed" label="attach" title="addattachment" onclick="UI.show_uploadform();return false" /> + <roundcube:button command="insert-sig" 
type="link" class="button insertsig disabled" classAct="button insertsig" classSel="button insertsig pressed" label="signature" title="insertsignature" /> + <roundcube:container name="toolbar" id="compose-toolbar" /> +</div> +</div> <div id="composeview-left"> <!-- inline address book --> <div id="compose-contacts" class="uibox listbox"> <h2 class="boxtitle"><roundcube:label name="contacts" /></h2> -<div class="scroller withfooter"> - <roundcube:object name="adressbooks" id="directorylist" class="listing" /> - <roundcube:object name="addresslist" id="contacts-table" class="listing" noheader="true" /> -</div> + <div id="composequicksearch"> + <div class="searchbox"> + <roundcube:object name="searchform" id="contactsearchbox" /> + <a id="searchmenulink" class="iconbutton searchoptions"> </a> + <roundcube:button command="reset-search" id="searchreset" class="iconbutton reset" title="resetsearch" content=" " /> + </div> + </div> + <roundcube:object name="addressbooks" id="directorylist" class="listing" /> + <div class="scroller withfooter"> + <roundcube:object name="addresslist" id="contacts-table" class="listing" noheader="true" /> + </div> <div class="boxfooter"> <roundcube:button command="add-recipient" prop="to" type="link" title="to" class="listbutton addto disabled" classAct="listbutton addto" innerClass="inner" content="To+" /><roundcube:button command="add-recipient" prop="cc" type="link" title="cc" class="listbutton addcc disabled" classAct="listbutton addcc" innerClass="inner" content="Cc+" /><roundcube:button command="add-recipient" prop="bcc" type="link" title="bcc" class="listbutton addbcc disabled" classAct="listbutton addbcc" innerClass="inner" content="Bcc+" /> </div> 
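Review bot: The new `#spellmenulink` span and the `#searchmenulink` anchor are mouse-only controls: a `<span onclick>` is never focusable, and the href-less `<a id="searchmenulink" class="iconbutton searchoptions"> </a>` has neither a destination nor an accessible name, so keyboard and screen-reader users cannot open either menu. Both should be `<button type="button">` elements with a name, e.g. `<button type="button" class="dropbuttontip" id="spellmenulink" aria-haspopup="true" title="<roundcube:label name='spellcheck' />"></button>`, with `UI.show_popup('spellmenu')` bound from the skin script rather than the inline `onclick`, so the page can run under a CSP that does not allow `'unsafe-inline'`; the same inline-handler point applies to the `addattachment` button in this hunk and to the bcc-row link in the hunk at +91. The `#compose-contacts` box opened here is closed outside the hunk. Unrelated to the template itself: the subject line describes a fix for the `_session` argument of utils/save-prefs, and nothing in this file's hunks touches that, so the commit message appears to belong to a different change.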
@@ -35,20 +65,11 @@ <div id="composeview-right"> -<!-- toolbar --> -<div id="messagetoolbar" class="fullwidth"> -<div id="mailtoolbar" class="toolbar"> - <roundcube:button command="spellcheck" type="link" class="button spellcheck disabled" classAct="button spellcheck" classSel="button spellcheck pressed" label="spellcheck" title="checkspelling" /> - <roundcube:button name="addattachment" type="link" class="button attach" classAct="button attach" classSel="button attach pressed" label="attach" title="addattachment" onclick="UI.show_uploadform();return false" /> - <roundcube:button command="insert-sig" type="link" class="button insertsig disabled" classAct="button insertsig" classSel="button insertsig pressed" label="signature" title="insertsignature" /> - <roundcube:container name="toolbar" id="compose-toolbar" /> -</div> -</div> - <form name="form" action="./" method="post" id="compose-content" class="uibox"> <!-- message headers --> <div id="composeheaders"> +<a href="#options" id="composeoptionstoggle" class="moreheaderstoggle"><span class="iconlink" title="<roundcube:label name='options' />"></span></a> <table class="headers-table compose-headers"> <tbody> @@ -70,7 +91,7 @@ </tr><tr id="compose-bcc"> <td class="title top"> <label for="_bcc"><roundcube:label name="bcc" /></label> - <a href="#bcc" onclick="return UI.hide_header_row('bcc');" class="iconbutton cancel"title="<roundcube:label name='delete' />" />x</a> + <a href="#bcc" onclick="return UI.hide_header_row('bcc');" class="iconbutton cancel" title="<roundcube:label name='delete' />" />x</a> </td> <td colspan="2" class="editfield"><roundcube:object name="composeHeaders" part="bcc" form="form" id="_bcc" cols="70" rows="1" tabindex="4" /></td> </tr><tr id="compose-replyto"> 
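Review bot: The new `#composeoptionstoggle` link carries its only label on the `title` of an empty inner span, so the toggle is announced as an unnamed link, and nothing on the new side tells assistive technology whether the options area is open. Move the label onto the link and expose the state, e.g. `<a href="#options" id="composeoptionstoggle" class="moreheaderstoggle" aria-controls="composeoptions" aria-expanded="false" title="<roundcube:label name='options' />">`, and have the click handler flip `aria-expanded`; if the link only ever toggles in place and never navigates, a `<button type="button">` is the better element. The `<form id="compose-content">` this sits in closes outside the hunk.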
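Review bot: The bcc-row link still ends with `" />x</a>` after this fix: the `/>` is a stray self-closing slash on a non-void `<a>`, so restoring the space before `title` leaves the element malformed and validators will flag the slash as a bad attribute. The line should read `<a href="#bcc" onclick="return UI.hide_header_row('bcc');" class="iconbutton cancel" title="<roundcube:label name='delete' />">x</a>`. The headers table this row belongs to starts and ends outside the hunk.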
@@ -100,57 +121,57 @@ </tbody> </table> -<div id="composebuttons" class="formbuttons"> - <roundcube:button type="input" command="send" class="button mainaction" label="sendmessage" tabindex="10" /> - <roundcube:button type="input" command="savedraft" class="button" label="savemessage" tabindex="10" /> - <roundcube:button type="input" command="list" class="button" label="cancel" tabindex="11" /> -</div> - +<div id="composebuttons" class="pagenav formbuttons"> + <roundcube:button command="extwin" type="link" class="button extwin" classSel="button extwin pressed" innerClass="inner" title="openinextwin" content="[]" condition="!env:extwin" /> </div> <!-- (collapsable) message options --> -<div id="composeoptionsbox"> +<div id="composeoptions"> + <roundcube:if condition="!in_array('htmleditor', (array)config:dont_override)" /> <span class="composeoption"> - <label><roundcube:label name="options" /> - <a href="#options" id="composeoptionstoggle"> </a></label> + <label><roundcube:label name="editortype" /> + <roundcube:object name="editorSelector" editorid="composebody" tabindex="14" /></label> </span> - - <div id="composeoptions"> - <roundcube:if condition="!in_array('htmleditor', (array)config:dont_override)" /> - <span class="composeoption"> - <label><roundcube:label name="editortype" /> - <roundcube:object name="editorSelector" editorid="composebody" tabindex="12" /></label> - </span> - <roundcube:endif /> - <span class="composeoption"> - <label><label for="rcmcomposepriority"><roundcube:label name="priority" /> - <roundcube:object name="prioritySelector" form="form" id="rcmcomposepriority" /></label> - </span> - <span class="composeoption"> - <label><roundcube:object name="receiptCheckBox" form="form" id="rcmcomposereceipt" /> <roundcube:label name="returnreceipt" /></label> - </span> - <span class="composeoption"> - <label><roundcube:object name="dsnCheckBox" form="form" id="rcmcomposedsn" /> <roundcube:label name="dsn" /></label> - </span> - <span 
class="composeoption"> - <label><roundcube:label name="savesentmessagein" /> <roundcube:object name="storetarget" maxlength="30" style="max-width:12em" /></label> - </span> - <roundcube:container name="composeoptions" id="composeoptions" /> - </div> + <roundcube:endif /> + <span class="composeoption"> + <label for="rcmcomposepriority"><roundcube:label name="priority" /> + <roundcube:object name="prioritySelector" form="form" id="rcmcomposepriority" /></label> + </span> + <span class="composeoption"> + <label><roundcube:object name="receiptCheckBox" form="form" id="rcmcomposereceipt" /> <roundcube:label name="returnreceipt" /></label> + </span> + <span class="composeoption"> + <label><roundcube:object name="dsnCheckBox" form="form" id="rcmcomposedsn" /> <roundcube:label name="dsn" /></label> + </span> + <roundcube:if condition="!config:no_save_sent_messages" /> + <span class="composeoption"> + <label><roundcube:label name="savesentmessagein" /> <roundcube:object name="storetarget" maxlength="30" style="max-width:12em" /></label> + </span> + <roundcube:endif /> + <roundcube:container name="composeoptions" id="composeoptions" /> +</div> + </div> <!-- message compose body --> <div id="composeview-bottom"> <div id="composebodycontainer"> - <div id="spellcheck-control"></div> <roundcube:object name="composeBody" id="composebody" form="form" cols="70" rows="20" tabindex="9" /> </div> <div id="compose-attachments" class="rightcol"> <div style="text-align:center; margin-bottom:20px"> <roundcube:button name="addattachment" type="input" class="button" classSel="button pressed" label="addattachment" onclick="UI.show_uploadform();return false" /> </div> - <roundcube:object name="composeAttachmentList" id="attachment-list" cancelIcon="/images/0.gif" /> + <roundcube:object name="composeAttachmentList" id="attachment-list" class="attachmentslist" /> + <roundcube:object name="fileDropArea" id="compose-attachments" /> </div> +<!-- + <div id="composeformbuttons" class="footerleft 
formbuttons floating"> + <roundcube:button type="input" command="send" class="button mainaction" label="sendmessage" tabindex="11" /> + <roundcube:button type="input" command="savedraft" class="button" label="savemessage" tabindex="12" /> + <roundcube:button type="input" command="list" class="button" label="cancel" tabindex="13" /> + </div> +--> </div> </form> @@ -171,6 +192,8 @@ </div> </div> +<div id="spellmenu" class="popupmenu"></div> + <roundcube:include file="/includes/footer.html" /> </body> -- Gitblit v1.9.1
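Review bot: The `composeformbuttons` block at the end of the hunk is commented-out markup rather than removed code; the `<roundcube:button>` tags inside the `<!-- -->` are presumably still expanded by the template engine, so the dead buttons are generated on every compose page and will drift from the live toolbar added in the first hunk. Delete the six lines from `<!--` through `-->` and let version control keep the history. Separately, the wrapper `<div id="composeoptions">` contains `<roundcube:container name="composeoptions" id="composeoptions" />`, and `<div id="compose-attachments">` contains `<roundcube:object name="fileDropArea" id="compose-attachments" />`; if either object renders its own element the page ends up with duplicate ids, so either confirm they render nothing or give the inner element a distinct id. The `</form>` closed at the end of this hunk is opened outside it.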
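Review bot: The new `<div id="spellmenu" class="popupmenu"></div>` is emitted unconditionally, while the `#spellmenulink` that opens it in the first hunk sits inside `<roundcube:if condition="config:enable_spellcheck" />`, so installations with spellcheck disabled ship an empty popup container that nothing can open. Wrap it in the same guard, `<roundcube:if condition="config:enable_spellcheck" /><div id="spellmenu" class="popupmenu"></div><roundcube:endif />`, unless a script references the element unconditionally.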