From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/lib/Roundcube/rcube_plugin_api.php | 23 ++++++++++++++---------
1 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/program/lib/Roundcube/rcube_plugin_api.php b/program/lib/Roundcube/rcube_plugin_api.php
index 33f04ea..617e921 100644
--- a/program/lib/Roundcube/rcube_plugin_api.php
+++ b/program/lib/Roundcube/rcube_plugin_api.php
@@ -35,8 +35,9 @@
public $url = 'plugins/';
public $task = '';
public $output;
- public $handlers = array();
- public $allowed_prefs = array();
+ public $handlers = array();
+ public $allowed_prefs = array();
+ public $allowed_session_prefs = array();
protected $plugins = array();
protected $tasks = array();
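Review bot: The new `$allowed_session_prefs` property is added without any comment, and nothing in this hunk shows who populates it or which code consults it, so a reader has to search the file to learn its contract. A one-line comment above it would avoid that, e.g. `// session keys that plugins may register; see the code that reads this list` (hedged — confirm the actual consumer before wording it). The same public-mutable-array shape as `$allowed_prefs` is kept, which is consistent with the siblings but means any caller can append to it; if only plugins should register entries, that is worth stating in the comment.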
@@ -167,10 +168,11 @@
* Load the specified plugin
*
* @param string Plugin name
+ * @param boolean Force loading of the plugin even if it doesn't match the filter
*
* @return boolean True on success, false if not loaded or failure
*/
- public function load_plugin($plugin_name)
+ public function load_plugin($plugin_name, $force = false)
{
static $plugins_dir;
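Review bot: The new docblock line overstates what `$force` does: in the condition at L56 it only short-circuits the task filter, while the `noajax` and `noframe` checks on the following two lines still apply, so a forced load can still be refused. The `@param` also lacks the parameter name, which the file's other `@param` lines omit too but which static analysers key on. Suggest `* @param boolean $force Skip the task filter (noajax/noframe checks still apply)`. The body of `load_plugin` continues outside this hunk, across the next three hunks.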
@@ -180,7 +182,7 @@
}
// plugin already loaded
- if ($this->plugins[$plugin_name] || class_exists($plugin_name, false)) {
+ if ($this->plugins[$plugin_name]) {
return true;
}
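Review bot: The rewritten check `if ($this->plugins[$plugin_name])` reads an array key that is unset on the first load of any plugin, so under E_NOTICE reporting it emits an undefined-index notice on every cold load; `if (!empty($this->plugins[$plugin_name]))` keeps the same truthiness semantics without the notice. The same pattern appears on the new side of two later hunks: `$info['version'] = $json['version'];` at L78 (a composer.json without a version key) and `if ($args['break'])` at L86 (hooks that never set the key), where `isset($json['version']) ? $json['version'] : null` and `!empty($args['break'])` would do. Dropping `class_exists()` from this early return is deliberate per the hunk below, so this note is only about the key access.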
@@ -188,7 +190,9 @@
. DIRECTORY_SEPARATOR . $plugin_name . '.php';
if (file_exists($fn)) {
- include $fn;
+ if (!class_exists($plugin_name, false)) {
+ include $fn;
+ }
// instantiate class if exists
if (class_exists($plugin_name, false)) {
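Review bot: The include at L47 is guarded by `class_exists()` now, but the path it loads is still `$plugins_dir . DIRECTORY_SEPARATOR . $plugin_name . '.php'` (L43) and nothing visible in this hunk constrains `$plugin_name` before it reaches the filesystem; if any caller can pass a string that was not drawn from the configured plugin list, a name containing path separators would be resolved relative to the plugins directory. A defensive check before the `file_exists()` on L44, e.g. `if (!preg_match('/^[a-zA-Z0-9_]+$/', $plugin_name)) { return false; }`, would close that regardless of how callers behave; this is hedged because the validation may already happen above the hunk. `load_plugin` starts and ends outside this hunk.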
@@ -196,7 +200,7 @@
// check inheritance...
if (is_subclass_of($plugin, 'rcube_plugin')) {
// ... task, request type and framed mode
- if ((!$plugin->task || preg_match('/^('.$plugin->task.')$/i', $this->task))
+ if (($force || !$plugin->task || preg_match('/^('.$plugin->task.')$/i', $this->task))
&& (!$plugin->noajax || (is_object($this->output) && $this->output->type == 'html'))
&& (!$plugin->noframe || empty($_REQUEST['_framed']))
) {
@@ -229,7 +233,7 @@
/**
* Get information about a specific plugin.
- * This is either provided my a plugin's info() method or extracted from a package.xml or a composer.json file
+ * This is either provided by a plugin's info() method or extracted from a package.xml or a composer.json file
*
* @param string Plugin name
* @return array Meta information about a plugin or False if plugin was not found
@@ -275,13 +279,14 @@
include($fn);
if (class_exists($plugin_name))
- $info = $plugin_name::info();
+ $info = call_user_func(array($plugin_name, 'info'));
// fall back to composer.json file
if (!$info) {
$composer = INSTALL_PATH . "/plugins/$plugin_name/composer.json";
if (file_exists($composer) && ($json = @json_decode(file_get_contents($composer), true))) {
list($info['vendor'], $info['name']) = explode('/', $json['name']);
+ $info['version'] = $json['version'];
$info['license'] = $json['license'];
if ($license_uri = $license_uris[$info['license']])
$info['license_uri'] = $license_uri;
@@ -403,7 +408,7 @@
$args = $ret + $args;
}
- if ($args['abort']) {
+ if ($args['break']) {
break;
}
}
--
Gitblit v1.9.1