From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Oct 2013 08:17:26 -0400 Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) --- skins/larry/ui.js | 384 +++++++++++++++++++++++++++++++++++++++--------------- 1 files changed, 276 insertions(+), 108 deletions(-) diff --git a/skins/larry/ui.js b/skins/larry/ui.js index d7ef9ae..36b5235 100644 --- a/skins/larry/ui.js +++ b/skins/larry/ui.js @@ -7,8 +7,6 @@ * License. It is allowed to copy, distribute, transmit and to adapt the work * by keeping credits to the original autors in the README file. * See http://creativecommons.org/licenses/by-sa/3.0/ for details. - * - * $Id$ */ @@ -23,7 +21,7 @@ dragmessagemenu: { sticky:1 }, groupmenu: { above:1 }, mailboxmenu: { above:1 }, - composeoptionsmenu: { editable:1, overlap:1 }, + spellmenu: { callback: spellmenu }, // toggle: #1486823, #1486930 'attachment-form': { editable:1, above:1, toggle:!bw.ie&&!bw.linux }, 'upload-form': { editable:1, toggle:!bw.ie&&!bw.linux } @@ -45,6 +43,19 @@ this.hide_header_row = hide_header_row; + // set minimal mode on small screens (don't wait for document.ready) + if (window.$ && document.body) { + var minmode = rcmail.get_cookie('minimalmode'); + if (parseInt(minmode) || (minmode === null && $(window).height() < 850)) { + $(document.body).addClass('minimal'); + } + + if (bw.tablet) { + $('#viewport').attr('content', "width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"); + } + } + + /** * */ 
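Review bot: `parseInt(minmode)` in the new minimal-mode block (hunk `@@ -45,6 +43,19 @@`) is called without a radix, and the `minmode === null` fallback only works if `rcmail.get_cookie` really returns `null` (not `undefined` or `''`) for a missing cookie, which I cannot confirm from here. I'd write `if (parseInt(minmode, 10) || (minmode == null && $(window).height() < 850)) {` so both absent-cookie representations fall through to the height heuristic. The enclosing constructor starts before this hunk. Separately, the subject line describes a utils/save-prefs `_session` fix while the diffstat shows only skins/larry/ui.js, so the message and the content of this patch appear mismatched.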
@@ -61,6 +72,17 @@ { rcmail.addEventListener('message', message_displayed); + /*** prepare minmode functions ***/ + $('#taskbar a').each(function(i,elem){ + $(elem).append('<span class="tooltip">' + $('.button-inner', this).html() + '</span>') + }); + + $('#taskbar .minmodetoggle').click(function(e){ + var ismin = $(document.body).toggleClass('minimal').hasClass('minimal'); + rcmail.set_cookie('minimalmode', ismin?1:0); + $(window).resize(); + }); + /*** mail task ***/ if (rcmail.env.task == 'mail') { rcmail.addEventListener('menu-open', show_listoptions); @@ -74,8 +96,8 @@ } if (rcmail.env.action == 'show' || rcmail.env.action == 'preview') { - layout_messageview(); - $("#all-headers").resizable({ handles: 's', minHeight: 50 }); + rcmail.addEventListener('aftershow-headers', function() { layout_messageview(); }); + rcmail.addEventListener('afterhide-headers', function() { layout_messageview(); }); $('#previewheaderstoggle').click(function(e){ toggle_preview_headers(this); return false }); } else if (rcmail.env.action == 'compose') { @@ -91,12 +113,17 @@ show_header_row(fields[f], true); } - $('#composeoptionstoggle').parent().click(function(){ - $('#composeoptionstoggle').toggleClass('enabled'); + $('#composeoptionstoggle').click(function(){ + $('#composeoptionstoggle').toggleClass('remove'); $('#composeoptions').toggle(); layout_composeview(); return false; }).css('cursor', 'pointer'); + + // toggle compose options if opened in new window and they were visible before + var opener_rc = rcmail.opener(); + if (opener_rc && opener_rc.env.action == 'compose' && $('#composeoptionstoggle', opener.document).hasClass('remove')) + $('#composeoptionstoggle').click(); new rcube_splitter({ id:'composesplitterv', p1:'#composeview-left', p2:'#composeview-right', orientation:'v', relative:true, start:248, min:170, size:12, render:layout_composeview }).init(); 
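Review bot: The `$('#taskbar a').each(...)` tooltip builder is missing its statement terminator after `.append(...)`, and it copies `.button-inner` markup via `.html()` into a new `<span>`; that markup is server-rendered so it is not an injection point, but `.text()` would be the safer default if the label ever becomes plain text. I'd end the line as `$(elem).append('<span class="tooltip">' + $('.button-inner', this).html() + '</span>');`. The minmode click handler calls `rcmail.set_cookie('minimalmode', ismin?1:0)` without an expiry, so the preference lasts only for the browser session; if it is meant to persist, pass an expiry date as the splitter code later in this patch does. The enclosing init function starts outside this hunk.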
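Review bot: The new opener check reads `opener.document` through the bare global rather than the `opener_rc` object it just validated, and accessing `document` on a cross-origin opener throws a SecurityError instead of yielding a falsy value, which would abort the rest of compose initialisation (the splitter construction that follows). If `rcmail.opener()` already guarantees a same-origin Roundcube window this is only a robustness gap, but I would still guard it: wrap the `hasClass('remove')` lookup in `try { ... } catch (e) { /* cross-origin or closed opener */ }`, or read the window from whatever `opener_rc` exposes instead of the global. The enclosing init function continues outside this hunk.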
@@ -108,16 +135,18 @@ $('#mailthreadmode').addClass(rcmail.env.threading ? 'selected' : '').click(function(e){ switch_view_mode('thread'); return false }); mailviewsplit = new rcube_splitter({ id:'mailviewsplitter', p1:'#mailview-top', p2:'#mailview-bottom', - orientation:'h', relative:true, start:310, min:150, size:0, offset:-22 }); + orientation:'h', relative:true, start:310, min:150, size:12, offset:4 }); if (previewframe) mailviewsplit.init(); + + new rcube_scroller('#folderlist-content', '#folderlist-header', '#folderlist-footer'); rcmail.addEventListener('setquota', update_quota); } if ($('#mailview-left').length) { new rcube_splitter({ id:'mailviewsplitterv', p1:'#mailview-left', p2:'#mailview-right', - orientation:'v', relative:true, start:248, min:150, size:12, callback:render_mailboxlist, render:resize_leftcol }).init(); + orientation:'v', relative:true, start:226, min:150, size:12, callback:render_mailboxlist, render:resize_leftcol }).init(); } } /*** settings task ***/ 
@@ -133,67 +162,80 @@ if (rcmail.env.action == 'folders') { new rcube_splitter({ id:'folderviewsplitter', p1:'#folderslist', p2:'#folder-details', - orientation:'v', relative:true, start:305, min:150, size:12 }).init(); + orientation:'v', relative:true, start:266, min:180, size:12 }).init(); + + new rcube_scroller('#folderslist-content', '#folderslist-header', '#folderslist-footer'); + + rcmail.addEventListener('setquota', update_quota); } else if (rcmail.env.action == 'identities') { new rcube_splitter({ id:'identviewsplitter', p1:'#identitieslist', p2:'#identity-details', - orientation:'v', relative:true, start:305, min:150, size:12 }).init(); + orientation:'v', relative:true, start:266, min:180, size:12 }).init(); + } + else if (rcmail.env.action == 'preferences' || !rcmail.env.action) { + new rcube_splitter({ id:'prefviewsplitter', p1:'#sectionslist', p2:'#preferences-box', + orientation:'v', relative:true, start:266, min:180, size:12 }).init(); } } /*** addressbook task ***/ else if (rcmail.env.task == 'addressbook') { rcmail.addEventListener('afterupload-photo', show_uploadform); + rcmail.addEventListener('beforepushgroup', push_contactgroup); + rcmail.addEventListener('beforepopgroup', pop_contactgroup); if (rcmail.env.action == '') { new rcube_splitter({ id:'addressviewsplitterd', p1:'#addressview-left', p2:'#addressview-right', orientation:'v', relative:true, start:226, min:150, size:12, render:resize_leftcol }).init(); new rcube_splitter({ id:'addressviewsplitter', p1:'#addresslist', p2:'#contacts-box', - orientation:'v', relative:true, start:296, min:220, size:12 }).init(); + orientation:'v', relative:true, start:286, min:270, size:12 }).init(); + + new rcube_scroller('#directorylist-content', '#directorylist-header', '#directorylist-footer'); } } - /*** login page ***/ - else if (rcmail.env.task == 'login') { - if (bw.ie && bw.vendver < 8) { - var popup = $('<div>') - .addClass('readtext') - .html("Roundcube will not work well with the crappy browser 
ya' using. Get yourself a new internet browsing software and don't come back without!<p>Sincerly,<br/>the Roundcube Dev Team</p>") - .appendTo(document.body) - .dialog({ - dialogClass: 'alert', - closeOnEscape: true, - title: "No way, are you serious?", - close: function() { - popup.dialog('destroy').remove(); - }, - width: 450 - }); - } + + // set min-width to show all toolbar buttons + var screen = $('.minwidth'); + if (screen.length) { + screen.css('min-width', $('.toolbar').width() + $('#quicksearchbar').parent().width() + 20); } // turn a group of fieldsets into tabs $('.tabbed').each(function(idx, elem){ init_tabs(elem); }) // decorate select elements - if (!bw.opera) { - $('select.decorated').each(function(){ - var title = $('option', this).first().text(); - if ($('option:selected', this).val() != '') - title = $('option:selected', this).text(); - var select = $(this) - .change(function(){ - var val = $('option:selected', this).text(); - $(this).next().children().html(val); - }); + $('select.decorated').each(function(){ + if (bw.opera) { + $(this).removeClass('decorated'); + return; + } - $('<a class="menuselector dropdownselector"><span class="handle">' + title + '</span></a>') - .css('position', 'absolute') - .offset(select.position()) - .insertAfter(select) - .children().width(select.outerWidth() - 40); + var select = $(this), + height = Math.max(select.height(), 26) - 2, + width = select.width() - 22, + title = $('option', this).first().text(); - select.parent().css('position', 'relative'); - }); - } + if ($('option:selected', this).val() != '') + title = $('option:selected', this).text(); + + var overlay = $('<a class="menuselector"><span class="handle">' + title + '</span></a>') + .css('position', 'absolute') + .offset(select.position()) + .insertAfter(select); + + overlay.children().width(width).height(height).css('line-height', (height - 1) + 'px'); + + select.change(function() { + var val = $('option:selected', this).text(); + 
$(this).next().children().html(val); + }); + + var parent = select.parent(); + if (parent.css('position') != 'absolute') + parent.css('position', 'relative'); + + // re-set original select width to fix click action and options width in some browsers + select.width(overlay.width()); + }); $(document.body) .bind('mouseup', body_mouseup) @@ -208,17 +250,19 @@ $('iframe').load(function(e){ // this = iframe - var doc = this.contentDocument ? this.contentDocument : this.contentWindow ? this.contentWindow.document : null; - $(doc).mouseup(body_mouseup); + try { + var doc = this.contentDocument ? this.contentDocument : this.contentWindow ? this.contentWindow.document : null; + $(doc).mouseup(body_mouseup); + } + catch (e) { + // catch possible "Permission denied" error in IE + }; }) .contents().mouseup(body_mouseup); - $(window).resize(function(e) { - // check target due to bugs in jquery - // http://bugs.jqueryui.com/ticket/7514 - // http://bugs.jquery.com/ticket/9841 - if (e.target == window) resize(); - }); + // don't use $(window).resize() due to some unwanted side-effects + window.onresize = resize; + resize(); } /** @@ -228,6 +272,8 @@ function body_mouseup(e) { var config, obj, target = e.target; + if (target.className == 'inner') + target = e.target.parentNode; for (var id in popups) { obj = popups[id]; config = popupconfig[id]; 
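Review bot: In the rewritten `select.decorated` handler the option label is read with `.text()` and then pushed back through HTML — `'<span class="handle">' + title + '</span>'` for the overlay and `$(this).next().children().html(val)` in the change handler — so any `<`, `&` or entity in an option label is re-parsed as markup instead of being shown literally. The labels here are server-rendered, so the impact is display corruption rather than a new injection point, but `.text()` is the correct call: build the overlay as `$('<a class="menuselector"><span class="handle"></span></a>')`, then `overlay.children().text(title)`, and use `$(this).next().children().text(val);` in the change handler. The enclosing init function starts before this hunk and continues after it.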
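Review bot: The new `catch (e)` inside the iframe `load` handler shadows the handler's own `e` event argument and swallows every exception, not only the IE permission error the comment names; the stray `;` after the catch block is an empty statement. Keeping the best-effort intent but making it explicit is enough: `catch (err) { /* best effort: cross-origin frames throw "Permission denied" in IE */ }` with the trailing semicolon removed. Replacing `$(window).resize(...)` with `window.onresize = resize;` also means any other script that assigns `window.onresize` silently replaces this handler or is replaced by it; if that trade-off is intended it deserves a comment saying which side-effects of the jQuery binding were the problem. The enclosing init function starts outside this hunk.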
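Review bot: `if (target.className == 'inner')` in `body_mouseup` is an exact match on the whole class attribute, so an element carrying `inner` together with any other class (`class="inner active"`) is not unwrapped and the popup-close loop below sees the child instead of the button. Unless the markup guarantees a single class on these elements, `if ($(target).hasClass('inner')) target = target.parentNode;` is the robust form. The rest of `body_mouseup` continues outside this hunk.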
@@ -248,12 +294,26 @@ */ function resize() { - if (rcmail.env.task == 'mail' && (rcmail.env.action == 'show' || rcmail.env.action == 'preview')) { - layout_messageview(); + if (rcmail.env.task == 'mail') { + if (rcmail.env.action == 'show' || rcmail.env.action == 'preview') + layout_messageview(); + else if (rcmail.env.action == 'compose') + layout_composeview(); } - if (rcmail.env.task == 'mail' && rcmail.env.action == 'compose') { - layout_composeview(); - } + + // make iframe footer buttons float if scrolling is active + $('body.iframe .footerleft').each(function(){ + var footer = $(this), + body = $(document.body), + floating = footer.hasClass('floating'), + overflow = body.outerHeight(true) > $(window).height(); + + if (overflow != floating) { + var action = overflow ? 'addClass' : 'removeClass'; + footer[action]('floating'); + body[action]('floatingbuttons'); + } + }); } /** @@ -262,14 +322,22 @@ function message_displayed(p) { // show a popup dialog on errors - if (p.type == 'error') { + if (p.type == 'error' && rcmail.env.task != 'login') { + if (me.message_timer) { + window.clearTimeout(me.message_timer); + } if (!me.messagedialog) { - me.messagedialog = $('<div>').addClass('popupdialog'); + me.messagedialog = $('<div>').addClass('popupdialog').hide(); } - var pos = $(p.object).offset(); - me.messagedialog.dialog('close'); - me.messagedialog.html(p.message) + var msg = p.message, + pos = $(p.object).offset(); + pos.top -= (rcmail.env.task == 'login' ? 20 : 160); + + if (me.messagedialog.is(':visible')) + msg = me.messagedialog.html() + '<p>' + p.message + '</p>'; + + me.messagedialog.html(msg) .dialog({ resizable: false, closeOnEscape: true, 
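Review bot: `pos.top -= (rcmail.env.task == 'login' ? 20 : 160);` in `message_displayed` sits inside the `if (p.type == 'error' && rcmail.env.task != 'login')` branch added in the same hunk, so the `20` case is unreachable — either the login exclusion is wrong or the ternary is dead code, and the two lines should agree. If login-page errors are meant to be suppressed, reduce it to `pos.top -= 160;`; if they should be shown with the smaller offset, drop `&& rcmail.env.task != 'login'` from the condition. Note also that the accumulated text still goes through `.html(msg)`, so `p.message` must remain trusted or pre-escaped markup as it was before. The function body continues outside this hunk.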
@@ -278,13 +346,13 @@ close: function() { me.messagedialog.dialog('destroy').hide(); }, - position: ['center', pos.top - 160], + position: ['center', pos.top], hide: { effect:'drop', direction:'down' }, width: 420, minHeight: 90 }).show(); - window.setTimeout(function(){ me.messagedialog.dialog('close'); }, Math.max(2000, p.timeout / 2)); + me.message_timer = window.setTimeout(function(){ me.messagedialog.dialog('close'); }, Math.max(2000, p.timeout / 2)); } } @@ -294,9 +362,9 @@ */ function layout_messageview() { - $('#messagecontent').css('top', ($('#messageheader').outerHeight() + 10) + 'px'); + $('#messagecontent').css('top', ($('#messageheader').outerHeight() + 1) + 'px'); $('#message-objects div a').addClass('button'); - + if (!$('#attachment-list li').length) { $('div.rightcol').hide(); $('div.leftcol').css('margin-right', '0'); @@ -312,8 +380,7 @@ function resize_leftcol(splitter) { - if (splitter) - $('#quicksearchbar input').css('width', (splitter.pos - 70) + 'px'); + // STUB } 
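Review bot: The `close` callback in this hunk destroys the dialog but does not clear `me.message_timer`, so the timer armed two lines lower can still fire and call `dialog('close')` on a destroyed widget when the user dismissed the message early; add `window.clearTimeout(me.message_timer);` inside the `close` callback. Whether jQuery UI tolerates a method call on a destroyed dialog depends on the version in use (newer releases throw), so I'd clear it regardless. The enclosing `message_displayed` starts outside this hunk.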
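Review bot: `resize_leftcol` is reduced to a `// STUB` body but keeps its `splitter` parameter and is still passed as `render:resize_leftcol` to the mail and addressbook splitters elsewhere in this patch, so every splitter render now calls an empty function. Either remove the function together with those `render:` references, or replace the stub marker with a comment stating the intent, e.g. `// intentionally empty: kept only because splitters still reference it as a render callback`, so the next reader does not take it for an unfinished change.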
@@ -322,22 +389,25 @@ var body = $('#composebody'), form = $('#compose-content'), bottom = $('#composeview-bottom'), - w, h; + w, h, bh, ovflw, btns = 0, + minheight = 300, - bottom.css('height', (form.height() - bottom.position().top) + 'px'); + bh = (form.height() - bottom.position().top); + ovflw = minheight - bh; + btns = ovflw > -100 ? 0 : 40; + bottom.css('height', Math.max(minheight, bh) + 'px'); + form.css('overflow', ovflw > 0 ? 'auto' : 'hidden'); - w = body.parent().width() - 6; - h = body.parent().height() - 36; + w = body.parent().width() - 5; + h = body.parent().height() - 16; body.width(w).height(h); - if (window.tinyMCE && tinyMCE.get('composebody')) { - $('#composebody_tbl').width((w+10)+'px').height('').css('margin-top', '1px'); - $('#composebody_ifr').width((w+10)+'px').height((h-22)+'px'); - } - else { - $('#googie_edit_layer').height(h+'px'); - } - + $('#composebody_tbl').width((w+8)+'px').height('').css('margin-top', '1px'); + $('#composebody_ifr').width((w+8)+'px').height((h-40)+'px'); + $('#googie_edit_layer').height(h+'px'); +// $('#composebodycontainer')[(btns ? 'addClass' : 'removeClass')]('buttons'); +// $('#composeformbuttons')[(btns ? 'show' : 'hide')](); + var abooks = $('#directorylist'); $('#compose-contacts .scroller').css('top', abooks.position().top + abooks.outerHeight()); } @@ -345,7 +415,13 @@ function update_quota(p) { - var y = p.total ? Math.ceil(p.percent / 100 * 20) * 24 : 0; + var step = 24, step_count = 20, + y = p.total ? Math.ceil(p.percent / 100 * step_count) * step : 0; + + // never show full-circle if quota is close to 100% but below. + if (p.total && y == step * step_count && p.percent < 100) + y -= step; + $('#quotadisplay').css('background-position', '0 -'+y+'px'); } @@ -413,7 +489,7 @@ $('select').css('visibility', show?'hidden':'inherit'); $('select', obj).css('visibility', 'inherit'); } - + return show; } 
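Review bot: In `layout_composeview` the var list now ends with `minheight = 300,` (a comma), so the following `bh = (form.height() - bottom.position().top);` is parsed as one more declarator of the same `var` statement rather than a separate assignment — it only works because `bh` already appears in the list, and the blank line between them hides that. Terminate the declaration with `minheight = 300;`. `btns` is computed from `ovflw > -100` but only consumed by the two commented-out lines at the end, so either drop `btns` or restore those lines; commented-out code should not ship. The function's opening lines are outside this hunk.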
@@ -439,14 +515,14 @@ var button = $(e.target), frame = $('#mailpreviewframe'), visible = !frame.is(':visible'), - splitter = mailviewsplit.pos || parseInt(bw.get_cookie('mailviewsplitter') || 320), + splitter = mailviewsplit.pos || parseInt(rcmail.get_cookie('mailviewsplitter') || 320), topstyles, bottomstyles, uid; frame.toggle(); button.removeClass().addClass(visible ? 'enabled' : 'closed'); if (visible) { - $('#mailview-top').css({ bottom:'auto' }); + $('#mailview-top').removeClass('fullheight').css({ bottom:'auto' }); $('#mailview-bottom').css({ height:'auto' }); rcmail.env.contentframe = 'messagecontframe'; @@ -465,7 +541,7 @@ rcmail.env.contentframe = null; rcmail.show_contentframe(false); - $('#mailview-top').css({ height:'auto', bottom:'28px' }); + $('#mailview-top').addClass('fullheight').css({ height:'auto', bottom:'28px' }); $('#mailview-bottom').css({ top:'auto', height:'26px' }); if (mailviewsplit.handle) @@ -542,6 +618,42 @@ } + function spellmenu(show) + { + var link, li, + lang = rcmail.spellcheck_lang(), + menu = popups.spellmenu, + ul = $('ul', menu); + + if (!ul.length) { + ul = $('<ul class="toolbarmenu selectable">'); + + for (i in rcmail.env.spell_langs) { + li = $('<li>'); + link = $('<a href="#"></a>').text(rcmail.env.spell_langs[i]) + .addClass('active').data('lang', i) + .click(function() { + rcmail.spellcheck_lang_set($(this).data('lang')); + }); + + link.appendTo(li); + li.appendTo(ul); + } + + ul.appendTo(menu); + } + + // select current language + $('li', ul).each(function() { + var el = $('a', this); + if (el.data('lang') == lang) + el.addClass('selected'); + else if (el.hasClass('selected')) + el.removeClass('selected'); + }); + } + + /** * */ 
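Review bot: `parseInt(rcmail.get_cookie('mailviewsplitter') || 320)` on the changed line still calls `parseInt` without a radix; since the value comes from a cookie the page does not control, `parseInt(rcmail.get_cookie('mailviewsplitter') || 320, 10)` avoids the legacy octal/hex interpretations. The enclosing toggle function starts and ends outside this hunk.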
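Review bot: `for (i in rcmail.env.spell_langs)` in the new `spellmenu` never declares `i`, so it is created as an implicit global (and would throw under strict mode); it should be `for (var i in rcmail.env.spell_langs) {`. Because the loop uses `for...in`, an `if (!rcmail.env.spell_langs.hasOwnProperty(i)) continue;` guard keeps inherited properties out of the menu if `spell_langs` is a plain object. The labels are inserted with `.text()`, which is the right choice for the language names.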
@@ -559,21 +671,11 @@ $('input[name="sort_col"][value="'+rcmail.env.sort_col+'"]').prop('checked', true); $('input[name="sort_ord"][value="DESC"]').prop('checked', rcmail.env.sort_order == 'DESC'); $('input[name="sort_ord"][value="ASC"]').prop('checked', rcmail.env.sort_order != 'DESC'); - $('input[name="view"][value="thread"]').prop('checked', rcmail.env.threading ? true : false); - $('input[name="view"][value="list"]').prop('checked', rcmail.env.threading ? false : true); - // list columns - var found, cols = $('input[name="list_col[]"]'); - for (var i=0; i < cols.length; i++) { - if (cols[i].value != 'from') { - found = $.inArray(cols[i].value, rcmail.env.coltypes) != -1; - } - else { - found = ($.inArray('from', rcmail.env.coltypes) != -1 - || $.inArray('to', rcmail.env.coltypes) != -1); - } - $(cols[i]).prop('checked', found); - } + // set checkboxes + $('input[name="list_col[]"]').each(function() { + $(this).prop('checked', $.inArray(this.value, rcmail.env.coltypes) != -1); + }); $dialog.dialog({ modal: true, @@ -597,11 +699,10 @@ var sort = $('input[name="sort_col"]:checked').val(), ord = $('input[name="sort_ord"]:checked').val(), - thread = $('input[name="view"]:checked').val(), cols = $('input[name="list_col[]"]:checked') .map(function(){ return this.value; }).get(); - rcmail.set_list_options(cols, sort, ord, thread == 'thread' ? 1 : 0); + rcmail.set_list_options(cols, sort, ord, rcmail.env.threading); } 
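Review bot: The new checkbox loop `$(this).prop('checked', $.inArray(this.value, rcmail.env.coltypes) != -1)` treats every column alike, whereas the code it replaces checked the `from` box when `coltypes` contained either `from` or `to`; if `coltypes` can still hold `to` in place of `from` (e.g. for sent-type folders), the `from` checkbox would now show unchecked although that column is displayed. If that aliasing is resolved elsewhere now, a one-line comment such as `// 'from'/'to' column aliasing is handled by set_list_options` would settle it. Otherwise keep the special case, e.g. `var v = (this.value == 'from' && $.inArray('to', rcmail.env.coltypes) != -1) ? 'to' : this.value;` before the `inArray` check. The enclosing `show_listoptions` starts and ends outside this hunk.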
@@ -653,6 +754,35 @@ }); } + function push_contactgroup(p) + { + // lets the contacts list swipe to the left, nice! + var table = $('#contacts-table'), + scroller = table.parent().css('overflow', 'hidden'); + + table.clone() + .css({ position:'absolute', top:'0', left:'0', width:table.width()+'px', 'z-index':10 }) + .appendTo(scroller) + .animate({ left: -(table.width()+5) + 'px' }, 300, 'swing', function(){ + $(this).remove(); + scroller.css('overflow', 'auto') + }); + } + + function pop_contactgroup(p) + { + // lets the contacts list swipe to the left, nice! + var table = $('#contacts-table'), + scroller = table.parent().css('overflow', 'hidden'), + clone = table.clone().appendTo(scroller); + + table.css({ position:'absolute', top:'0', left:-(table.width()+5) + 'px', width:table.width()+'px', height:table.height()+'px', 'z-index':10 }) + .animate({ left:'0' }, 300, 'linear', function(){ + clone.remove(); + $(this).css({ position:'relative', left:'0', width:'100%', height:'auto', 'z-index':1 }); + scroller.css('overflow', 'auto') + }); + } function show_uploadform() { @@ -663,7 +793,7 @@ $dialog.dialog('close'); return; } - + // add icons to clone file input field if (rcmail.env.action == 'compose' && !$dialog.data('extended')) { $('<a>') @@ -797,6 +927,8 @@ // Select/unselect tab $('#tab'+idx).toggleClass('selected', idx==index); }); + + resize(); } /** 
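Review bot: `pop_contactgroup` carries the same comment as `push_contactgroup` ("lets the contacts list swipe to the left"), but its animation moves the table from a negative `left` back to `0`, i.e. it slides in from the left; the comment should read `// slides the previous contacts list back in from the left`. Both functions ignore their `p` parameter and both animation callbacks end with `scroller.css('overflow', 'auto')` without a semicolon. If a second push/pop arrives before the 300 ms animation completes, the `overflow: hidden` and absolute positioning applied at the start are left in place; a `.stop(true, true)` on the table before starting the new animation would avoid that, though the callers are not visible here.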
@@ -830,6 +962,43 @@ } } + +/** + * Roundcube Scroller class + */ +function rcube_scroller(list, top, bottom) +{ + var ref = this; + + this.list = $(list); + this.top = $(top); + this.bottom = $(bottom); + this.step_size = 6; + this.step_time = 20; + this.delay = 500; + + this.top + .mouseenter(function() { ref.ts = window.setTimeout(function() { ref.scroll('down'); }, ref.delay); }) + .mouseout(function() { if (ref.ts) window.clearTimeout(ref.ts); }); + + this.bottom + .mouseenter(function() { ref.ts = window.setTimeout(function() { ref.scroll('up'); }, ref.delay); }) + .mouseout(function() { if (ref.ts) window.clearTimeout(ref.ts); }); + + this.scroll = function(dir) + { + var ref = this, size = this.step_size; + + if (!rcmail.drag_active) + return; + + if (dir == 'down') + size *= -1; + + this.list.get(0).scrollTop += size; + this.ts = window.setTimeout(function() { ref.scroll(dir); }, this.step_time); + }; +}; /** @@ -887,7 +1056,7 @@ $(window).resize(onResize); // read saved position from cookie - var cookie = bw.get_cookie(this.id); + var cookie = rcmail.get_cookie(this.id); if (cookie && !isNaN(cookie)) { this.pos = parseFloat(cookie); this.resize(); @@ -1048,7 +1217,7 @@ { var exp = new Date(); exp.setYear(exp.getFullYear() + 1); - bw.set_cookie(this.id, this.pos, exp); + rcmail.set_cookie(this.id, this.pos, exp); }; } // end class rcube_splitter @@ -1061,4 +1230,3 @@ { return rcube_splitter._instances[id]; }; - -- Gitblit v1.9.1
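Review bot: `rcube_scroller` starts its timer on `mouseenter` but cancels it on `mouseout`, and the two are not symmetric: `mouseout` also fires when the pointer moves onto a child of the hot zone, which would stop the delayed scroll while the pointer is still over it, whereas `mouseleave` pairs with `mouseenter`. I'd change both cancel handlers to `.mouseleave(function() { if (ref.ts) window.clearTimeout(ref.ts); ref.ts = null; })` so a stale id is not cleared later. The `};` closing the constructor is an empty statement after a function declaration, and the class has no doc comment beyond its name — a short JSDoc stating that scrolling only runs while `rcmail.drag_active` is set (the check inside `scroll`) and what `step_size`, `step_time` and `delay` mean in pixels/milliseconds would help.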