Roundcubemail devel
blame | history | patch | commit | commitdiff | ignore whitespace
Aleksander Machniak
2015-12-22 21b523c29b2d022f27c5c730d3afd394aff5cd0f 
 program/include/rcmail_output_html.php


@@ -153,6 +153,17 @@


     */


    public function set_skin($skin)


    {


        // Sanity check to prevent from path traversal vulnerability (#1490620)


        if (strpos($skin, '/') !== false || strpos($skin, "\\") !== false) {


            rcube::raise_error(array(


                    'file'    => __FILE__,


                    'line'    => __LINE__,


                    'message' => 'Invalid skin name'


                ), true, false);




            return false;


        }




        $valid = false;


        $path  = RCUBE_INSTALL_PATH . 'skins/';




@@ -167,6 +178,8 @@


            }


            $valid = !$skin;


        }




        $skin_path = rtrim($skin_path, '/');




        $this->config->set('skin_path', $skin_path);


        $this->base_path = $skin_path;


@@ -870,16 +883,16 @@


                    $attrib['name'] = $this->eval_expression($attrib['expression']);




                if ($attrib['name'] || $attrib['command']) {


                    // @FIXME: 'noshow' is useless, remove?


                    if ($attrib['noshow']) {


                        return '';


                    }




                    $vars = $attrib + array('product' => $this->config->get('product_name'));


                    unset($vars['name'], $vars['command']);




                    $label   = $this->app->gettext($attrib + array('vars' => $vars));


                    $quoting = !empty($attrib['quoting']) ? strtolower($attrib['quoting']) : (rcube_utils::get_boolean((string)$attrib['html']) ? 'no' : '');




                    // 'noshow' can be used in skins to define new labels


                    if ($attrib['noshow']) {


                        return '';


                    }




                    switch ($quoting) {


                        case 'no':


@@ -1629,6 +1642,12 @@


            $out .= $input_host->show();


        }




        if (rcube_utils::get_boolean($attrib['submit'])) {


            $submit = new html_inputfield(array('type' => 'submit', 'id' => 'rcmloginsubmit',


                'class' => 'button mainaction', 'value' => $this->app->gettext('login')));


            $out .= html::p('formbuttons', $submit->show());


        }




        // surround html output with a form tag


        if (empty($attrib['form'])) {


            $out = $this->form_tag(array('name' => $form_name, 'method' => 'post'), $out);


@@ -1691,9 +1710,9 @@


        // add form tag around text field


        if (empty($attrib['form'])) {


            $out = $this->form_tag(array(


                'name' => "rcmqsearchform",


                'name'     => "rcmqsearchform",


                'onsubmit' => self::JS_OBJECT_NAME . ".command('search'); return false",


                'style' => "display:inline"),


                'style'    => "display:inline"),


                $out);


        }