From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/lib/Roundcube/rcube_storage.php | 50 +++++++++++++++++++++++++++++++-------------------
1 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/program/lib/Roundcube/rcube_storage.php b/program/lib/Roundcube/rcube_storage.php
index 7ec05b7..9d70042 100644
--- a/program/lib/Roundcube/rcube_storage.php
+++ b/program/lib/Roundcube/rcube_storage.php
@@ -2,8 +2,6 @@
/*
+-----------------------------------------------------------------------+
- | program/include/rcube_storage.php |
- | |
| This file is part of the Roundcube Webmail client |
| Copyright (C) 2005-2012, The Roundcube Dev Team |
| Copyright (C) 2012, Kolab Systems AG |
@@ -14,13 +12,11 @@
| |
| PURPOSE: |
| Mail Storage Engine |
- | |
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
| Author: Aleksander Machniak <alec@alec.pl> |
+-----------------------------------------------------------------------+
*/
-
/**
* Abstract class for accessing mail messages storage server
@@ -43,7 +39,7 @@
protected $default_charset = 'ISO-8859-1';
protected $default_folders = array('INBOX');
protected $search_set;
- protected $options = array('auth_method' => 'check');
+ protected $options = array('auth_type' => 'check');
protected $page_size = 10;
protected $threading = false;
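Review bot: The default option key changes from `auth_method` to `auth_type` with no compatibility path visible in this hunk, so any driver, plugin or config code that still sets or reads `auth_method` would silently stop matching the default. Because this option presumably selects the authentication mechanism, the fallback when the key is absent is worth confirming in the concrete drivers. A short comment on the property would help, for example `// 'auth_type' replaces the former 'auth_method' key; drivers must read this name`.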
@@ -57,6 +53,7 @@
protected $all_headers = array(
'IN-REPLY-TO',
'BCC',
+ 'SENDER',
'MESSAGE-ID',
'CONTENT-TRANSFER-ENCODING',
'REFERENCES',
@@ -64,8 +61,6 @@
'MAIL-FOLLOWUP-TO',
'MAIL-REPLY-TO',
'RETURN-PATH',
- 'DELIVERED-TO',
- 'ENVELOPE-TO',
);
const UNKNOWN = 0;
@@ -354,7 +349,7 @@
* Get messages count for a specific folder.
*
* @param string $folder Folder name
- * @param string $mode Mode for count [ALL|THREADS|UNSEEN|RECENT]
+ * @param string $mode Mode for count [ALL|THREADS|UNSEEN|RECENT|EXISTS]
* @param boolean $force Force reading from server and update cache
* @param boolean $status Enables storing folder status info (max UID/count),
* required for folder_status()
@@ -362,6 +357,18 @@
* @return int Number of messages
*/
abstract function count($folder = null, $mode = 'ALL', $force = false, $status = true);
+
+
+ /**
+ * Public method for listing message flags
+ *
+ * @param string $folder Folder name
+ * @param array $uids Message UIDs
+ * @param int $mod_seq Optional MODSEQ value
+ *
+ * @return array Indexed array with message flags
+ */
+ abstract function list_flags($folder, $uids, $mod_seq = null);
/**
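Review bot: The docblock for the new `list_flags()` does not say what the returned array is indexed by or how `$mod_seq` changes the result, so implementers of this abstract method have no contract to follow. If the intent is a per-message map limited to changes since the given MODSEQ, state that explicitly, for example `@return array Message flags indexed by UID` and `@param int $mod_seq Optional MODSEQ value; when set, only messages changed since it are returned`. Confirm both against the IMAP driver before adopting the wording. Adding an abstract method also means any storage driver outside this tree must implement it before it can be loaded.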
@@ -428,7 +435,7 @@
/**
* Fetch message headers and body structure from the server and build
- * an object structure similar to the one generated by PEAR::Mail_mimeDecode
+ * an object structure.
*
* @param int $uid Message UID to fetch
* @param string $folder Folder to read from
@@ -543,12 +550,13 @@
/**
* Append a mail message (source) to a specific folder.
*
- * @param string $folder Target folder
- * @param string $message The message source string or filename
- * @param string $headers Headers string if $message contains only the body
- * @param boolean $is_file True if $message is a filename
- * @param array $flags Message flags
- * @param mixed $date Message internal date
+ * @param string $folder Target folder
+ * @param string|array $message The message source string or filename
+ * or array (of strings and file pointers)
+ * @param string $headers Headers string if $message contains only the body
+ * @param boolean $is_file True if $message is a filename
+ * @param array $flags Message flags
+ * @param mixed $date Message internal date
*
* @return int|bool Appended message UID or True on success, False on error
*/
@@ -605,7 +613,7 @@
/**
* Parse message UIDs input
*
- * @param mixed $uids UIDs array or comma-separated list or '*' or '1:*'
+ * @param mixed $uids UIDs array or comma-separated list or '*' or '1:*'
*
* @return array Two elements array with UIDs converted to list and ALL flag
*/
@@ -624,6 +632,9 @@
else {
if (is_array($uids)) {
$uids = join(',', $uids);
+ }
+ else if (strpos($uids, ':')) {
+ $uids = join(',', rcube_imap_generic::uncompressMessageSet($uids));
}
if (preg_match('/[^0-9,]/', $uids)) {
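Review bot: The added `else if (strpos($uids, ':'))` branch expands the set before the `preg_match('/[^0-9,]/', $uids)` check on the following line, so whatever the caller passed reaches `rcube_imap_generic::uncompressMessageSet()` unvalidated. If that helper materialises every UID in a range (its body is not shown here), one wide range from request input could allocate a very large array, and malformed range bounds are rejected only after the expansion has run. Checking the character set first would close the second gap, for example `else if (strpos($uids, ':') !== false && !preg_match('/[^0-9,:]/', $uids)) {`, and a cap on range width belongs wherever the expansion happens. The enclosing method starts and ends outside this hunk. None of the hunks in this file touch the href/area handling named in the subject, so the XSS fix itself is presumably in another file.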
@@ -810,13 +821,14 @@
/**
- * Returns current status of a folder
+ * Returns current status of a folder (compared to the last time use)
*
* @param string $folder Folder name
+ * @param array $diff Difference data
*
* @return int Folder status
*/
- abstract function folder_status($folder = null);
+ abstract function folder_status($folder = null, &$diff = array());
/**
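Review bot: `$diff` is now taken by reference (`&$diff = array()`), but the docblock line `@param array $diff Difference data` does not say that the method writes to it or what it contains. The summary "(compared to the last time use)" is also hard to parse. Suggested wording is `Returns current status of a folder (compared to the last time it was checked)` and `@param array &$diff Output parameter filled with the detected differences`. Since this is an abstract signature change, implementations that still declare `folder_status($folder = null)` would presumably fail the signature compatibility check, so all drivers need updating in the same change.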
@@ -988,6 +1000,6 @@
/**
* Delete outdated cache entries
*/
- abstract function expunge_cache();
+ abstract function cache_gc();
} // end class rcube_storage
--
Gitblit v1.9.1