From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sun, 06 Mar 2016 08:31:07 -0500
Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response
---
plugins/managesieve/managesieve.js | 274 +++++++++++++++++++++++++++++++++++++++++-------------
1 files changed, 208 insertions(+), 66 deletions(-)
diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js
index 7fcd9d9..117f01a 100644
--- a/plugins/managesieve/managesieve.js
+++ b/plugins/managesieve/managesieve.js
@@ -1,4 +1,19 @@
-/* (Manage)Sieve Filters */
+/**
+ * (Manage)Sieve Filters plugin
+ *
+ * @licstart The following is the entire license notice for the
+ * JavaScript code in this file.
+ *
+ * Copyright (c) 2012-2014, The Roundcube Dev Team
+ *
+ * The JavaScript code in this page is free software: you can redistribute it
+ * and/or modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation, either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * @licend The above is the entire license notice
+ * for the JavaScript code in this file.
+ */
if (window.rcmail) {
rcmail.addEventListener('init', function(evt) {
@@ -33,67 +48,42 @@
if (rcmail.env.action.startsWith('plugin.managesieve')) {
if (rcmail.gui_objects.sieveform) {
rcmail.enable_command('plugin.managesieve-save', true);
-
- // small resize for header element
- $('select[name="_header[]"]', rcmail.gui_objects.sieveform).each(function() {
- if (this.value == '...') this.style.width = '40px';
- });
-
- // resize dialog window
- if (rcmail.env.action == 'plugin.managesieve' && rcmail.env.task == 'mail') {
- parent.rcmail.managesieve_dialog_resize(rcmail.gui_objects.sieveform);
- }
-
- $('input[type="text"]:first', rcmail.gui_objects.sieveform).focus();
-
- // initialize smart list inputs
- $('textarea[data-type="list"]', rcmail.gui_objects.sieveform).each(function() {
- smart_field_init(this);
- });
-
- // enable date pickers on date fields
- if ($.datepicker && rcmail.env.date_format) {
- $.datepicker.setDefaults({
- dateFormat: rcmail.env.date_format,
- changeMonth: true,
- showOtherMonths: true,
- selectOtherMonths: true,
- onSelect: function(dateText) { $(this).focus().val(dateText) }
- });
- $('input.datepicker').datepicker();
- }
+ sieve_form_init();
}
else {
rcmail.enable_command('plugin.managesieve-add', 'plugin.managesieve-setadd', !rcmail.env.sieveconnerror);
}
- var i, p = rcmail, setcnt, set = rcmail.env.currentset;
+ var setcnt, set = rcmail.env.currentset;
if (rcmail.gui_objects.filterslist) {
rcmail.filters_list = new rcube_list_widget(rcmail.gui_objects.filterslist,
- {multiselect:false, draggable:true, keyboard:false});
- rcmail.filters_list.addEventListener('select', function(e) { p.managesieve_select(e); });
- rcmail.filters_list.addEventListener('dragstart', function(e) { p.managesieve_dragstart(e); });
- rcmail.filters_list.addEventListener('dragend', function(e) { p.managesieve_dragend(e); });
- rcmail.filters_list.row_init = function (row) {
- row.obj.onmouseover = function() { p.managesieve_focus_filter(row); };
- row.obj.onmouseout = function() { p.managesieve_unfocus_filter(row); };
- };
- rcmail.filters_list.init();
- rcmail.filters_list.focus();
+ {multiselect:false, draggable:true, keyboard:true});
+
+ rcmail.filters_list
+ .addEventListener('select', function(e) { rcmail.managesieve_select(e); })
+ .addEventListener('dragstart', function(e) { rcmail.managesieve_dragstart(e); })
+ .addEventListener('dragend', function(e) { rcmail.managesieve_dragend(e); })
+ .addEventListener('initrow', function(row) {
+ row.obj.onmouseover = function() { rcmail.managesieve_focus_filter(row); };
+ row.obj.onmouseout = function() { rcmail.managesieve_unfocus_filter(row); };
+ })
+ .init();
}
if (rcmail.gui_objects.filtersetslist) {
- rcmail.filtersets_list = new rcube_list_widget(rcmail.gui_objects.filtersetslist, {multiselect:false, draggable:false, keyboard:false});
- rcmail.filtersets_list.addEventListener('select', function(e) { p.managesieve_setselect(e); });
- rcmail.filtersets_list.init();
- rcmail.filtersets_list.focus();
+ rcmail.filtersets_list = new rcube_list_widget(rcmail.gui_objects.filtersetslist,
+ {multiselect:false, draggable:false, keyboard:true});
+
+ rcmail.filtersets_list.init().focus();
if (set != null) {
set = rcmail.managesieve_setid(set);
- rcmail.filtersets_list.shift_start = set;
- rcmail.filtersets_list.highlight_row(set, false);
+ rcmail.filtersets_list.select(set);
}
+
+ // attach select event after initial record was selected
+ rcmail.filtersets_list.addEventListener('select', function(e) { rcmail.managesieve_setselect(e); });
setcnt = rcmail.filtersets_list.rowcount;
rcmail.enable_command('plugin.managesieve-set', true);
@@ -101,9 +91,10 @@
rcmail.enable_command('plugin.managesieve-setdel', setcnt > 1);
// Fix dragging filters over sets list
- $('tr', rcmail.gui_objects.filtersetslist).each(function (i, e) { p.managesieve_fixdragend(e); });
+ $('tr', rcmail.gui_objects.filtersetslist).each(function (i, e) { rcmail.managesieve_fixdragend(e); });
}
}
+
if (rcmail.gui_objects.sieveform && rcmail.env.rule_disabled)
$('#disabled').attr('checked', true);
});
@@ -190,7 +181,7 @@
var id = this.filtersets_list.get_single_selection(),
script = this.env.filtersets[id];
- location.href = this.env.comm_path+'&_action=plugin.managesieve-action&_act=setget&_set='+urlencode(script);
+ this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true);
};
// Set activate/deactivate request
@@ -235,7 +226,6 @@
this.set_busy(true);
switch (action) {
-
// Delete filter row
case 'del':
var id = o.id, list = this.filters_list;
@@ -256,11 +246,13 @@
var rowid = this.id.substr(6);
// remove all attached events
- $(this).unbind();
+ $(this).off();
// update row id
- if (rowid > id)
- $(this).attr('id', 'rcmrow' + (rowid-1));
+ if (rowid > id) {
+ this.uid = rowid - 1;
+ $(this).attr('id', 'rcmrow' + this.uid);
+ }
});
list.init();
@@ -425,7 +417,7 @@
rcube_webmail.prototype.managesieve_fixdragend = function(elem)
{
var p = this;
- $(elem).bind('mouseup' + ((bw.iphone || bw.ipad) ? ' touchend' : ''), function(e) {
+ $(elem).on('mouseup' + ((bw.iphone || bw.ipad) ? ' touchend' : ''), function(e) {
if (p.drag_active)
p.filters_list.drag_mouse_up(e);
});
@@ -589,6 +581,20 @@
}
};
+// update vacation addresses field with user identities
+rcube_webmail.prototype.managesieve_vacation_addresses = function(id)
+{
+ var lock = this.set_busy(true, 'loading');
+ this.http_post('plugin.managesieve-action', {_act: 'addresses', _aid: id}, lock);
+};
+
+// update vacation addresses field with user identities
+rcube_webmail.prototype.managesieve_vacation_addresses_update = function(id, addresses)
+{
+ var field = $('#vacation_addresses,#action_addresses' + (id || ''));
+ smart_field_reset(field.get(0), addresses);
+};
+
function rule_header_select(id)
{
var obj = document.getElementById('header' + id),
@@ -718,6 +724,13 @@
}
};
+function vacation_action_select()
+{
+ var selected = $('#vacation_action').val();
+
+ $('#action_target_span')[selected == 'discard' || selected == 'keep' ? 'hide' : 'show']();
+};
+
// Inititalizes smart list input
function smart_field_init(field)
{
@@ -738,6 +751,9 @@
if (field.attr('disabled'))
area.hide();
+ // disable the original field anyway, we don't want it in POST
+ else
+ field.prop('disabled', true);
field.after(area);
@@ -760,6 +776,7 @@
input = $('input', elem).attr(attrs).keydown(function(e) {
var input = $(this);
+
// element creation event (on Enter)
if (e.which == 13) {
var name = input.attr('name').replace(/\[\]$/, ''),
@@ -768,6 +785,21 @@
input.parent().after(elem);
$('input', elem).focus();
+ }
+ // backspace or delete: remove input, focus previous one
+ else if ((e.which == 8 || e.which == 46) && input.val() == '') {
+
+ var parent = input.parent(), siblings = parent.parent().children();
+
+ if (siblings.length > 1) {
+ if (parent.prev().length)
+ parent.prev().children('input').focus();
+ else
+ parent.next().children('input').focus();
+
+ parent.remove();
+ return false;
+ }
}
});
@@ -784,16 +816,32 @@
return elem;
}
+// Reset and fill the smart list input with new data
+function smart_field_reset(field, data)
+{
+ var id = field.id + '_list',
+ list = data.length ? data : [''];
+ area = $('#' + id);
+
+ area.empty();
+
+ // add input rows
+ $.each(list, function(i, v) {
+ area.append(smart_field_row(v, field.name, i, $(field).data('size')));
+ });
+}
+
// Register onmouse(leave/enter) events for tips on specified form element
rcube_webmail.prototype.managesieve_tip_register = function(tips)
{
var n, framed = parent.rcmail,
tip = framed ? parent.rcmail.env.ms_tip_layer : rcmail.env.ms_tip_layer;
- for (var n in tips) {
+ for (n in tips) {
$('#'+tips[n][0])
.data('tip', tips[n][1])
- .bind('mouseenter', function(e) {
+ .mouseleave(function(e) { tip.hide(); })
+ .mouseenter(function(e) {
var elem = $(this),
offset = elem.offset(),
left = offset.left,
@@ -810,10 +858,104 @@
top -= tip.height();
tip.css({left: left, top: top, minWidth: (minwidth-2) + 'px'}).show();
- })
- .bind('mouseleave', function(e) { tip.hide(); });
+ });
}
};
+
+// format time string
+function sieve_formattime(hour, minutes)
+{
+ var i, c, h, time = '', format = rcmail.env.time_format || 'H:i';
+
+ for (i=0; i<format.length; i++) {
+ c = format.charAt(i);
+ switch (c) {
+ case 'a': time += hour > 12 ? 'am' : 'pm'; break;
+ case 'A': time += hour > 12 ? 'AM' : 'PM'; break;
+ case 'g':
+ case 'h':
+ h = hour == 0 ? 12 : hour > 12 ? hour - 12 : hour;
+ time += (c == 'h' && hour < 10 ? '0' : '') + hour;
+ break;
+ case 'G': time += hour; break;
+ case 'H': time += (hour < 10 ? '0' : '') + hour; break;
+ case 'i': time += (minutes < 10 ? '0' : '') + minutes; break;
+ case 's': time += '00';
+ default: time += c;
+ }
+ }
+
+ return time;
+}
+
+function sieve_form_init()
+{
+ // small resize for header element
+ $('select[name="_header[]"]', rcmail.gui_objects.sieveform).each(function() {
+ if (this.value == '...') this.style.width = '40px';
+ });
+
+ // resize dialog window
+ if (rcmail.env.action == 'plugin.managesieve' && rcmail.env.task == 'mail') {
+ parent.rcmail.managesieve_dialog_resize(rcmail.gui_objects.sieveform);
+ }
+
+ $('input[type="text"]:first', rcmail.gui_objects.sieveform).focus();
+
+ // initialize smart list inputs
+ $('textarea[data-type="list"]', rcmail.gui_objects.sieveform).each(function() {
+ smart_field_init(this);
+ });
+
+ // enable date pickers on date fields
+ if ($.datepicker && rcmail.env.date_format) {
+ $.datepicker.setDefaults({
+ dateFormat: rcmail.env.date_format,
+ changeMonth: true,
+ showOtherMonths: true,
+ selectOtherMonths: true,
+ onSelect: function(dateText) { $(this).focus().val(dateText); }
+ });
+ $('input.datepicker').datepicker();
+ }
+
+ // configure drop-down menu on time input fields based on jquery UI autocomplete
+ $('#vacation_timefrom, #vacation_timeto')
+ .attr('autocomplete', "off")
+ .autocomplete({
+ delay: 100,
+ minLength: 1,
+ source: function(p, callback) {
+ var h, result = [];
+ for (h = 0; h < 24; h++)
+ result.push(sieve_formattime(h, 0));
+ result.push(sieve_formattime(23, 59));
+
+ return callback(result);
+ },
+ open: function(event, ui) {
+ // scroll to current time
+ var $this = $(this), val = $this.val(),
+ widget = $this.autocomplete('widget').css('width', '10em'),
+ menu = $this.data('ui-autocomplete').menu;
+
+ if (val && val.length)
+ widget.children().each(function() {
+ var li = $(this);
+ if (li.text().indexOf(val) == 0)
+ menu._scrollIntoView(li);
+ });
+ },
+ select: function(event, ui) {
+ $(this).val(ui.item.value);
+ return false;
+ }
+ })
+ .click(function() { // show drop-down upon clicks
+ $(this).autocomplete('search', $(this).val() || ' ');
+ })
+}
+
/*********************************************************/
/********* Mail UI methods *********/
@@ -821,7 +963,7 @@
rcube_webmail.prototype.managesieve_create = function(force)
{
- if (!force && this.env.action != 'show' && !$('#'+this.env.contentframe).is(':visible')) {
+ if (!force && this.env.action != 'show') {
var uid = this.message_list.get_single_selection(),
lock = this.set_busy(true, 'loading');
@@ -841,7 +983,7 @@
}
// build dialog window content
- html = '<fieldset><legend>'+this.gettext('managesieve.usedata')+'</legend><ul>';
+ html = '<fieldset><legend>'+this.get_label('managesieve.usedata')+'</legend><ul>';
for (i in this.env.sieve_headers)
html += '<li><input type="checkbox" name="headers[]" id="sievehdr'+i+'" value="'+i+'" checked="checked" />'
+'<label for="sievehdr'+i+'">'+this.env.sieve_headers[i][0]+':</label> '+this.env.sieve_headers[i][1]+'</li>';
@@ -850,11 +992,11 @@
dialog.html(html);
// [Next Step] button action
- buttons[this.gettext('managesieve.nextstep')] = function () {
+ buttons[this.get_label('managesieve.nextstep')] = function () {
// check if there's at least one checkbox checked
var hdrs = $('input[name="headers[]"]:checked', dialog);
if (!hdrs.length) {
- alert(rcmail.gettext('managesieve.nodata'));
+ alert(rcmail.get_label('managesieve.nodata'));
return;
}
@@ -874,7 +1016,7 @@
// Change [Next Step] button with [Save] button
buttons = {};
- buttons[rcmail.gettext('save')] = function() {
+ buttons[rcmail.get_label('save')] = function() {
var win = $('iframe', dialog).get(0).contentWindow;
win.rcmail.managesieve_save();
};
@@ -884,9 +1026,9 @@
// show dialog window
dialog.dialog({
modal: false,
- resizable: !bw.ie6,
- closeOnEscape: (!bw.ie6 && !bw.ie7), // disable for performance reasons
- title: this.gettext('managesieve.newfilter'),
+ resizable: true,
+ closeOnEscape: !bw.ie7, // disable for performance reasons
+ title: this.get_label('managesieve.newfilter'),
close: function() { rcmail.managesieve_dialog_close(); },
buttons: buttons,
minWidth: 600,
--
Gitblit v1.9.1