From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 skins/larry/templates/message.html |   67 ++++++++++++++-------------------
 1 files changed, 29 insertions(+), 38 deletions(-)

diff --git a/skins/larry/templates/message.html b/skins/larry/templates/message.html
index 89b7bd8..0179b6b 100644
--- a/skins/larry/templates/message.html
+++ b/skins/larry/templates/message.html
@@ -4,7 +4,7 @@
 <title><roundcube:object name="pagetitle" /></title>
 <roundcube:include file="/includes/links.html" />
 </head>
-<body class="noscroll">
+<roundcube:if condition="env:extwin" /><body class="noscroll extwin"><roundcube:else /><body class="noscroll"><roundcube:endif />
 
 <roundcube:include file="/includes/header.html" />
 
@@ -12,50 +12,42 @@
 
 <!-- toolbar -->
 <div id="messagetoolbar" class="toolbar fullwidth">
+<roundcube:if condition="!env:extwin" />
 	<roundcube:button command="list" type="link" class="button back disabled" classAct="button back" classSel="button back pressed" label="back" />
-	<span class="spacer"></span>
+<roundcube:endif />
 	<roundcube:include file="/includes/mailtoolbar.html" />
 	<div class="toolbarselect">
 		<roundcube:object name="mailboxlist" type="select" noSelection="moveto" maxlength="25" onchange="rcmail.command('moveto', this.options[this.selectedIndex].value)" class="mailboxlist decorated" folder_filter="mail" />
 	</div>
 </div>
 
+<roundcube:if condition="!env:extwin" />
+
 <div id="mailview-left">
 
 <!-- folders list -->
 <div id="mailboxcontainer" class="uibox listbox">
-    <div class="scroller">
-        <roundcube:object name="mailboxlist" id="mailboxlist" class="listing" folder_filter="mail" unreadwrap="%s" />
-    </div>
+<div class="scroller">
+<roundcube:object name="mailboxlist" id="mailboxlist" class="treelist listing" folder_filter="mail" unreadwrap="%s" />
+</div>
 </div>
 
-</div><!-- end mailview-left -->
+</div>
 
-<div id="mailview-right" class="uibox" style="top: 42px">
+<div id="mailview-right" class="offset uibox">
+<roundcube:else />
 
-<div id="messagecontent">
+<div id="mailview-right" class="offset fullwidth uibox">
+<roundcube:endif />
 
 <div id="messageheader">
-<h3 class="subject"><roundcube:object name="messageHeaders" valueOf="subject" /></h3>
+<span class="moreheaderstoggle"></span>
 
-<a href="#details" id="previewheaderstoggle"><span class="iconlink"></span><span id="headerstoggleall" class="iconlink allheaders"></span></a>
-
-<div id="contactphoto"><roundcube:object name="contactphoto" /></div>
-
-<table class="headers-table" id="preview-shortheaders"><tbody><tr>
-<roundcube:if condition="env:mailbox == config:drafts_mbox || env:mailbox == config:sent_mbox">
-	<td class="header-title"><roundcube:label name="to" /></td>
-	<td class="header from"><roundcube:object name="messageHeaders" valueOf="to" addicon="/images/addcontact.png" /></td>
-<roundcube:else />
-	<td class="header-title"><roundcube:label name="from" /></td>
-	<td class="header from"><roundcube:object name="messageHeaders" valueOf="from" addicon="/images/addcontact.png" /></td>
-<roundcube:endif />
-	<td class="header-title"><roundcube:label name="date" /></td>
-	<td class="header from"><roundcube:object name="messageHeaders" valueOf="date" /></td>
-</tr></tbody></table>
-
-<roundcube:object name="messageHeaders" id="preview-allheaders" class="headers-table" addicon="/images/addcontact.png" exclude="subject,replyto" />
-<roundcube:object name="messageFullHeaders" no-switch="true" />
+<h2 class="subject"><roundcube:object name="messageHeaders" valueOf="subject" /></h2>
+<div class="message-headers">
+<roundcube:object name="messageHeaders" class="headers-table" addicon="/images/addcontact.png" exclude="subject" max="20" />
+</div>
+<roundcube:object name="messageFullHeaders" id="full-headers" />
 
 <!-- record navigation -->
 <div id="countcontrols" class="pagenav">
@@ -64,19 +56,18 @@
 	<roundcube:button command="nextmessage" type="link" class="button nextpage disabled" classAct="button nextpage" classSel="button nextpage pressed" innerClass="inner" title="nextmessage" content="&amp;gt;" />
 </div>
 
-</div><!-- end messageheader -->
-
-<div id="messagepreview">
-    <div class="rightcol">
-        <roundcube:object name="messageAttachments" id="attachment-list" class="attachmentslist" />
-    </div>
-    <div class="leftcol">
-        <roundcube:object name="messageObjects" id="message-objects" />
-        <roundcube:object name="messageBody" id="messagebody" />
-    </div>
+<div id="contactphoto"><roundcube:object name="contactphoto" /></div>
 </div>
 
-</div><!-- end messagecontent -->
+<div id="messagecontent">
+<div class="rightcol">
+<roundcube:object name="messageAttachments" id="attachment-list" class="attachmentslist" />
+</div>
+<div class="leftcol">
+<roundcube:object name="messageObjects" id="message-objects" />
+<roundcube:object name="messageBody" id="messagebody" headertableclass="message-partheaders headers-table" />
+</div>
+</div>
 
 <roundcube:object name="message" id="message" class="statusbar" />
 

--
Gitblit v1.9.1