From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sun, 06 Mar 2016 08:31:07 -0500
Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response
---
plugins/managesieve/managesieve.js | 303 +++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 236 insertions(+), 67 deletions(-)
diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js
index 4e810b1..117f01a 100644
--- a/plugins/managesieve/managesieve.js
+++ b/plugins/managesieve/managesieve.js
@@ -1,4 +1,19 @@
-/* (Manage)Sieve Filters */
+/**
+ * (Manage)Sieve Filters plugin
+ *
+ * @licstart The following is the entire license notice for the
+ * JavaScript code in this file.
+ *
+ * Copyright (c) 2012-2014, The Roundcube Dev Team
+ *
+ * The JavaScript code in this page is free software: you can redistribute it
+ * and/or modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation, either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * @licend The above is the entire license notice
+ * for the JavaScript code in this file.
+ */
if (window.rcmail) {
rcmail.addEventListener('init', function(evt) {
@@ -9,16 +24,6 @@
rcmail.env.message_commands.push('managesieve-create');
else
rcmail.enable_command('managesieve-create', true);
- }
- else {
- var tab = $('<span>').attr('id', 'settingstabpluginmanagesieve').addClass('tablink filter'),
- button = $('<a>').attr('href', rcmail.env.comm_path+'&_action=plugin.managesieve')
- .attr('title', rcmail.gettext('managesieve.managefilters'))
- .html(rcmail.gettext('managesieve.filters'))
- .appendTo(tab);
-
- // add tab
- rcmail.add_element(tab, 'tabs');
}
if (rcmail.env.task == 'mail' || rcmail.env.action.startsWith('plugin.managesieve')) {
@@ -43,55 +48,42 @@
if (rcmail.env.action.startsWith('plugin.managesieve')) {
if (rcmail.gui_objects.sieveform) {
rcmail.enable_command('plugin.managesieve-save', true);
-
- // small resize for header element
- $('select[name="_header[]"]', rcmail.gui_objects.sieveform).each(function() {
- if (this.value == '...') this.style.width = '40px';
- });
-
- // resize dialog window
- if (rcmail.env.action == 'plugin.managesieve' && rcmail.env.task == 'mail') {
- parent.rcmail.managesieve_dialog_resize(rcmail.gui_objects.sieveform);
- }
-
- $('input[type="text"]:first', rcmail.gui_objects.sieveform).focus();
-
- // initialize smart list inputs
- $('textarea[data-type="list"]', rcmail.gui_objects.sieveform).each(function() {
- smart_field_init(this);
- });
+ sieve_form_init();
}
else {
rcmail.enable_command('plugin.managesieve-add', 'plugin.managesieve-setadd', !rcmail.env.sieveconnerror);
}
- var i, p = rcmail, setcnt, set = rcmail.env.currentset;
+ var setcnt, set = rcmail.env.currentset;
if (rcmail.gui_objects.filterslist) {
rcmail.filters_list = new rcube_list_widget(rcmail.gui_objects.filterslist,
- {multiselect:false, draggable:true, keyboard:false});
- rcmail.filters_list.addEventListener('select', function(e) { p.managesieve_select(e); });
- rcmail.filters_list.addEventListener('dragstart', function(e) { p.managesieve_dragstart(e); });
- rcmail.filters_list.addEventListener('dragend', function(e) { p.managesieve_dragend(e); });
- rcmail.filters_list.row_init = function (row) {
- row.obj.onmouseover = function() { p.managesieve_focus_filter(row); };
- row.obj.onmouseout = function() { p.managesieve_unfocus_filter(row); };
- };
- rcmail.filters_list.init();
- rcmail.filters_list.focus();
+ {multiselect:false, draggable:true, keyboard:true});
+
+ rcmail.filters_list
+ .addEventListener('select', function(e) { rcmail.managesieve_select(e); })
+ .addEventListener('dragstart', function(e) { rcmail.managesieve_dragstart(e); })
+ .addEventListener('dragend', function(e) { rcmail.managesieve_dragend(e); })
+ .addEventListener('initrow', function(row) {
+ row.obj.onmouseover = function() { rcmail.managesieve_focus_filter(row); };
+ row.obj.onmouseout = function() { rcmail.managesieve_unfocus_filter(row); };
+ })
+ .init();
}
if (rcmail.gui_objects.filtersetslist) {
- rcmail.filtersets_list = new rcube_list_widget(rcmail.gui_objects.filtersetslist, {multiselect:false, draggable:false, keyboard:false});
- rcmail.filtersets_list.addEventListener('select', function(e) { p.managesieve_setselect(e); });
- rcmail.filtersets_list.init();
- rcmail.filtersets_list.focus();
+ rcmail.filtersets_list = new rcube_list_widget(rcmail.gui_objects.filtersetslist,
+ {multiselect:false, draggable:false, keyboard:true});
+
+ rcmail.filtersets_list.init().focus();
if (set != null) {
set = rcmail.managesieve_setid(set);
- rcmail.filtersets_list.shift_start = set;
- rcmail.filtersets_list.highlight_row(set, false);
+ rcmail.filtersets_list.select(set);
}
+
+ // attach select event after initial record was selected
+ rcmail.filtersets_list.addEventListener('select', function(e) { rcmail.managesieve_setselect(e); });
setcnt = rcmail.filtersets_list.rowcount;
rcmail.enable_command('plugin.managesieve-set', true);
@@ -99,9 +91,10 @@
rcmail.enable_command('plugin.managesieve-setdel', setcnt > 1);
// Fix dragging filters over sets list
- $('tr', rcmail.gui_objects.filtersetslist).each(function (i, e) { p.managesieve_fixdragend(e); });
+ $('tr', rcmail.gui_objects.filtersetslist).each(function (i, e) { rcmail.managesieve_fixdragend(e); });
}
}
+
if (rcmail.gui_objects.sieveform && rcmail.env.rule_disabled)
$('#disabled').attr('checked', true);
});
@@ -188,7 +181,7 @@
var id = this.filtersets_list.get_single_selection(),
script = this.env.filtersets[id];
- location.href = this.env.comm_path+'&_action=plugin.managesieve-action&_act=setget&_set='+urlencode(script);
+ this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true);
};
// Set activate/deactivate request
@@ -233,10 +226,9 @@
this.set_busy(true);
switch (action) {
-
// Delete filter row
case 'del':
- var i = 0, list = this.filters_list;
+ var id = o.id, list = this.filters_list;
list.remove_row(this.managesieve_rowid(o.id));
list.clear_selection();
@@ -251,8 +243,16 @@
return;
}
- // modify ID and remove all attached events
- $(this).attr('id', 'rcmrow'+(i++)).unbind();
+ var rowid = this.id.substr(6);
+
+ // remove all attached events
+ $(this).off();
+
+ // update row id
+ if (rowid > id) {
+ this.uid = rowid - 1;
+ $(this).attr('id', 'rcmrow' + this.uid);
+ }
});
list.init();
@@ -417,7 +417,7 @@
rcube_webmail.prototype.managesieve_fixdragend = function(elem)
{
var p = this;
- $(elem).bind('mouseup' + ((bw.iphone || bw.ipad) ? ' touchend' : ''), function(e) {
+ $(elem).on('mouseup' + ((bw.iphone || bw.ipad) ? ' touchend' : ''), function(e) {
if (p.drag_active)
p.filters_list.drag_mouse_up(e);
});
@@ -447,6 +447,12 @@
// Form submition
rcube_webmail.prototype.managesieve_save = function()
{
+ if (this.env.action == 'plugin.managesieve-vacation') {
+ var data = $(this.gui_objects.sieveform).serialize();
+ this.http_post('plugin.managesieve-vacation', data, this.display_message(this.get_label('managesieve.vacation.saving'), 'loading'));
+ return;
+ }
+
if (parent.rcmail && parent.rcmail.filters_list && this.gui_objects.sieveform.name != 'filtersetform') {
var id = parent.rcmail.filters_list.get_single_selection();
if (id != null)
@@ -512,6 +518,11 @@
row.setAttribute('id', 'actionrow'+id);
row.innerHTML = content;
+ // initialize smart list inputs
+ $('textarea[data-type="list"]', row).each(function() {
+ smart_field_init(this);
+ });
+
this.managesieve_formbuttons(div);
}
};
@@ -568,6 +579,20 @@
$(button).addClass('disabled');
}
}
+};
+
+// update vacation addresses field with user identities
+rcube_webmail.prototype.managesieve_vacation_addresses = function(id)
+{
+ var lock = this.set_busy(true, 'loading');
+ this.http_post('plugin.managesieve-action', {_act: 'addresses', _aid: id}, lock);
+};
+
+// update vacation addresses field with user identities
+rcube_webmail.prototype.managesieve_vacation_addresses_update = function(id, addresses)
+{
+ var field = $('#vacation_addresses,#action_addresses' + (id || ''));
+ smart_field_reset(field.get(0), addresses);
};
function rule_header_select(id)
@@ -699,6 +724,13 @@
}
};
+function vacation_action_select()
+{
+ var selected = $('#vacation_action').val();
+
+ $('#action_target_span')[selected == 'discard' || selected == 'keep' ? 'hide' : 'show']();
+};
+
// Inititalizes smart list input
function smart_field_init(field)
{
@@ -719,6 +751,9 @@
if (field.attr('disabled'))
area.hide();
+ // disable the original field anyway, we don't want it in POST
+ else
+ field.prop('disabled', true);
field.after(area);
@@ -741,6 +776,7 @@
input = $('input', elem).attr(attrs).keydown(function(e) {
var input = $(this);
+
// element creation event (on Enter)
if (e.which == 13) {
var name = input.attr('name').replace(/\[\]$/, ''),
@@ -749,6 +785,21 @@
input.parent().after(elem);
$('input', elem).focus();
+ }
+ // backspace or delete: remove input, focus previous one
+ else if ((e.which == 8 || e.which == 46) && input.val() == '') {
+
+ var parent = input.parent(), siblings = parent.parent().children();
+
+ if (siblings.length > 1) {
+ if (parent.prev().length)
+ parent.prev().children('input').focus();
+ else
+ parent.next().children('input').focus();
+
+ parent.remove();
+ return false;
+ }
}
});
@@ -765,16 +816,32 @@
return elem;
}
+// Reset and fill the smart list input with new data
+function smart_field_reset(field, data)
+{
+ var id = field.id + '_list',
+ list = data.length ? data : [''];
+ area = $('#' + id);
+
+ area.empty();
+
+ // add input rows
+ $.each(list, function(i, v) {
+ area.append(smart_field_row(v, field.name, i, $(field).data('size')));
+ });
+}
+
// Register onmouse(leave/enter) events for tips on specified form element
rcube_webmail.prototype.managesieve_tip_register = function(tips)
{
var n, framed = parent.rcmail,
tip = framed ? parent.rcmail.env.ms_tip_layer : rcmail.env.ms_tip_layer;
- for (var n in tips) {
+ for (n in tips) {
$('#'+tips[n][0])
.data('tip', tips[n][1])
- .bind('mouseenter', function(e) {
+ .mouseleave(function(e) { tip.hide(); })
+ .mouseenter(function(e) {
var elem = $(this),
offset = elem.offset(),
left = offset.left,
@@ -791,18 +858,120 @@
top -= tip.height();
tip.css({left: left, top: top, minWidth: (minwidth-2) + 'px'}).show();
- })
- .bind('mouseleave', function(e) { tip.hide(); });
+ });
}
};
+
+// format time string
+function sieve_formattime(hour, minutes)
+{
+ var i, c, h, time = '', format = rcmail.env.time_format || 'H:i';
+
+ for (i=0; i<format.length; i++) {
+ c = format.charAt(i);
+ switch (c) {
+ case 'a': time += hour > 12 ? 'am' : 'pm'; break;
+ case 'A': time += hour > 12 ? 'AM' : 'PM'; break;
+ case 'g':
+ case 'h':
+ h = hour == 0 ? 12 : hour > 12 ? hour - 12 : hour;
+ time += (c == 'h' && hour < 10 ? '0' : '') + hour;
+ break;
+ case 'G': time += hour; break;
+ case 'H': time += (hour < 10 ? '0' : '') + hour; break;
+ case 'i': time += (minutes < 10 ? '0' : '') + minutes; break;
+ case 's': time += '00';
+ default: time += c;
+ }
+ }
+
+ return time;
+}
+
+function sieve_form_init()
+{
+ // small resize for header element
+ $('select[name="_header[]"]', rcmail.gui_objects.sieveform).each(function() {
+ if (this.value == '...') this.style.width = '40px';
+ });
+
+ // resize dialog window
+ if (rcmail.env.action == 'plugin.managesieve' && rcmail.env.task == 'mail') {
+ parent.rcmail.managesieve_dialog_resize(rcmail.gui_objects.sieveform);
+ }
+
+ $('input[type="text"]:first', rcmail.gui_objects.sieveform).focus();
+
+ // initialize smart list inputs
+ $('textarea[data-type="list"]', rcmail.gui_objects.sieveform).each(function() {
+ smart_field_init(this);
+ });
+
+ // enable date pickers on date fields
+ if ($.datepicker && rcmail.env.date_format) {
+ $.datepicker.setDefaults({
+ dateFormat: rcmail.env.date_format,
+ changeMonth: true,
+ showOtherMonths: true,
+ selectOtherMonths: true,
+ onSelect: function(dateText) { $(this).focus().val(dateText); }
+ });
+ $('input.datepicker').datepicker();
+ }
+
+ // configure drop-down menu on time input fields based on jquery UI autocomplete
+ $('#vacation_timefrom, #vacation_timeto')
+ .attr('autocomplete', "off")
+ .autocomplete({
+ delay: 100,
+ minLength: 1,
+ source: function(p, callback) {
+ var h, result = [];
+ for (h = 0; h < 24; h++)
+ result.push(sieve_formattime(h, 0));
+ result.push(sieve_formattime(23, 59));
+
+ return callback(result);
+ },
+ open: function(event, ui) {
+ // scroll to current time
+ var $this = $(this), val = $this.val(),
+ widget = $this.autocomplete('widget').css('width', '10em'),
+ menu = $this.data('ui-autocomplete').menu;
+
+ if (val && val.length)
+ widget.children().each(function() {
+ var li = $(this);
+ if (li.text().indexOf(val) == 0)
+ menu._scrollIntoView(li);
+ });
+ },
+ select: function(event, ui) {
+ $(this).val(ui.item.value);
+ return false;
+ }
+ })
+ .click(function() { // show drop-down upon clicks
+ $(this).autocomplete('search', $(this).val() || ' ');
+ })
+}
+
/*********************************************************/
/********* Mail UI methods *********/
/*********************************************************/
-rcube_webmail.prototype.managesieve_create = function()
+rcube_webmail.prototype.managesieve_create = function(force)
{
- if (!rcmail.env.sieve_headers || !rcmail.env.sieve_headers.length)
+ if (!force && this.env.action != 'show') {
+ var uid = this.message_list.get_single_selection(),
+ lock = this.set_busy(true, 'loading');
+
+ this.http_post('plugin.managesieve-action', {_uid: uid}, lock);
+ return;
+ }
+
+ if (!this.env.sieve_headers || !this.env.sieve_headers.length)
return;
var i, html, buttons = {}, dialog = $("#sievefilterform");
@@ -814,20 +983,20 @@
}
// build dialog window content
- html = '<fieldset><legend>'+this.gettext('managesieve.usedata')+'</legend><ul>';
- for (i in rcmail.env.sieve_headers)
+ html = '<fieldset><legend>'+this.get_label('managesieve.usedata')+'</legend><ul>';
+ for (i in this.env.sieve_headers)
html += '<li><input type="checkbox" name="headers[]" id="sievehdr'+i+'" value="'+i+'" checked="checked" />'
- +'<label for="sievehdr'+i+'">'+rcmail.env.sieve_headers[i][0]+':</label> '+rcmail.env.sieve_headers[i][1]+'</li>';
+ +'<label for="sievehdr'+i+'">'+this.env.sieve_headers[i][0]+':</label> '+this.env.sieve_headers[i][1]+'</li>';
html += '</ul></fieldset>';
dialog.html(html);
// [Next Step] button action
- buttons[this.gettext('managesieve.nextstep')] = function () {
+ buttons[this.get_label('managesieve.nextstep')] = function () {
// check if there's at least one checkbox checked
var hdrs = $('input[name="headers[]"]:checked', dialog);
if (!hdrs.length) {
- alert(rcmail.gettext('managesieve.nodata'));
+ alert(rcmail.get_label('managesieve.nodata'));
return;
}
@@ -847,7 +1016,7 @@
// Change [Next Step] button with [Save] button
buttons = {};
- buttons[rcmail.gettext('save')] = function() {
+ buttons[rcmail.get_label('save')] = function() {
var win = $('iframe', dialog).get(0).contentWindow;
win.rcmail.managesieve_save();
};
@@ -857,9 +1026,9 @@
// show dialog window
dialog.dialog({
modal: false,
- resizable: !bw.ie6,
- closeOnEscape: (!bw.ie6 && !bw.ie7), // disable for performance reasons
- title: this.gettext('managesieve.newfilter'),
+ resizable: true,
+ closeOnEscape: !bw.ie7, // disable for performance reasons
+ title: this.get_label('managesieve.newfilter'),
close: function() { rcmail.managesieve_dialog_close(); },
buttons: buttons,
minWidth: 600,
--
Gitblit v1.9.1