githubFork/roundcubemail.git

			@@ -1,6 +1,8 @@
			CHANGELOG Roundcube Webmail
			===========================

			- Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

			RELEASE 0.8.6
			-------------
			- Fix security issue in save-pref command

			@@ -36,6 +36,7 @@
			public $output;
			public $config;
			public $allowed_prefs = array();
			public $allowed_session_prefs = array();

			public $handlers = array();
			private $plugins = array();

			@@ -21,14 +21,24 @@

			$name = get_input_value('_name', RCUBE_INPUT_POST);
			$value = get_input_value('_value', RCUBE_INPUT_POST);
			$sessname = get_input_value('_session', RCUBE_INPUT_POST);

			// Whitelisted preferences and session variables, others
			// can be added by plugins
			$whitelist = array(
			'preview_pane',
			'list_cols',
			'collapsed_folders',
			'collapsed_abooks',
			);
			$whitelist_sess = array(
			'list_attrib/columns',
			);

			if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) {
			$whitelist = array_merge($whitelist, $RCMAIL->plugins->allowed_prefs);
			$whitelist_sess = array_merge($whitelist_sess, $RCMAIL->plugins->allowed_session_prefs);

			if (!in_array($name, $whitelist) \|\| ($sessname && !in_array($sessname, $whitelist_sess))) {
			raise_error(array('code' => 500, 'type' => 'php',
			'file' => __FILE__, 'line' => __LINE__,
			'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])),
			@@ -42,7 +52,7 @@
			$RCMAIL->user->save_prefs(array($name => $value));

			// update also session if requested
			if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) {
			if ($sessname) {
			// Support multidimensional arrays...
			$vars = explode('/', $sessname);

			@@ -57,4 +67,3 @@

			$OUTPUT->reset();
			$OUTPUT->send();

	CHANGELOG	2 ●●●●● patch \| view \| raw \| blame \| history
	program/include/rcube_plugin_api.php	1 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/utils/save_pref.inc	15 ●●●●● patch \| view \| raw \| blame \| history