From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sun, 06 Mar 2016 08:31:07 -0500
Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response

---
 plugins/managesieve/managesieve.js |  190 ++++++++++++++++++++++++++++++++++++-----------
 1 files changed, 145 insertions(+), 45 deletions(-)

diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js
index 5e14431..117f01a 100644
--- a/plugins/managesieve/managesieve.js
+++ b/plugins/managesieve/managesieve.js
@@ -48,35 +48,7 @@
     if (rcmail.env.action.startsWith('plugin.managesieve')) {
       if (rcmail.gui_objects.sieveform) {
         rcmail.enable_command('plugin.managesieve-save', true);
-
-        // small resize for header element
-        $('select[name="_header[]"]', rcmail.gui_objects.sieveform).each(function() {
-          if (this.value == '...') this.style.width = '40px';
-        });
-
-        // resize dialog window
-        if (rcmail.env.action == 'plugin.managesieve' && rcmail.env.task == 'mail') {
-          parent.rcmail.managesieve_dialog_resize(rcmail.gui_objects.sieveform);
-        }
-
-        $('input[type="text"]:first', rcmail.gui_objects.sieveform).focus();
-
-        // initialize smart list inputs
-        $('textarea[data-type="list"]', rcmail.gui_objects.sieveform).each(function() {
-          smart_field_init(this);
-        });
-
-        // enable date pickers on date fields
-        if ($.datepicker && rcmail.env.date_format) {
-          $.datepicker.setDefaults({
-            dateFormat: rcmail.env.date_format,
-            changeMonth: true,
-            showOtherMonths: true,
-            selectOtherMonths: true,
-            onSelect: function(dateText) { $(this).focus().val(dateText); }
-          });
-          $('input.datepicker').datepicker();
-        }
+        sieve_form_init();
       }
       else {
         rcmail.enable_command('plugin.managesieve-add', 'plugin.managesieve-setadd', !rcmail.env.sieveconnerror);
@@ -209,7 +181,7 @@
   var id = this.filtersets_list.get_single_selection(),
     script = this.env.filtersets[id];
 
-  location.href = this.env.comm_path+'&_action=plugin.managesieve-action&_act=setget&_set='+urlencode(script);
+  this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true);
 };
 
 // Set activate/deactivate request
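Review bot: The new `this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true);` carries the whole security intent of this commit in two trailing positional booleans, and nothing at the call site says what they do; presumably the final `true` is what makes the helper append the request token that protects the download URL. Suggest `// secure=true: goto_url appends the request token so the script download is CSRF-protected` above the call, after confirming the flag's meaning against goto_url's signature. Passing the script name in the query object instead of a manual `urlencode` also leaves the URL encoding to the helper, which is the right place for it. The enclosing function starts outside the hunk.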
@@ -254,7 +226,6 @@
   this.set_busy(true);
 
   switch (action) {
-
     // Delete filter row
     case 'del':
       var id = o.id, list = this.filters_list;
@@ -275,11 +246,13 @@
         var rowid = this.id.substr(6);
 
         // remove all attached events
-        $(this).unbind();
+        $(this).off();
 
         // update row id
-        if (rowid > id)
-          $(this).attr('id', 'rcmrow' + (rowid-1));
+        if (rowid > id) {
+          this.uid = rowid - 1;
+          $(this).attr('id', 'rcmrow' + this.uid);
+        }
       });
       list.init();
 
@@ -444,7 +417,7 @@
 rcube_webmail.prototype.managesieve_fixdragend = function(elem)
 {
   var p = this;
-  $(elem).bind('mouseup' + ((bw.iphone || bw.ipad) ? ' touchend' : ''), function(e) {
+  $(elem).on('mouseup' + ((bw.iphone || bw.ipad) ? ' touchend' : ''), function(e) {
     if (p.drag_active)
       p.filters_list.drag_mouse_up(e);
   });
@@ -608,6 +581,20 @@
   }
 };
 
+// update vacation addresses field with user identities
+rcube_webmail.prototype.managesieve_vacation_addresses = function(id)
+{
+  var lock = this.set_busy(true, 'loading');
+  this.http_post('plugin.managesieve-action', {_act: 'addresses', _aid: id}, lock);
+};
+
+// update vacation addresses field with user identities
+rcube_webmail.prototype.managesieve_vacation_addresses_update = function(id, addresses)
+{
+  var field = $('#vacation_addresses,#action_addresses' + (id || ''));
+  smart_field_reset(field.get(0), addresses);
+};
+
 function rule_header_select(id)
 {
   var obj = document.getElementById('header' + id),
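Review bot: `managesieve_vacation_addresses_update` passes `field.get(0)` to `smart_field_reset` without checking that the selector matched anything, and `smart_field_reset` reads `field.id` on that value, so a reply for an id with no matching `#action_addresses<id>` element would throw a TypeError in what appears to be the response handler; `if (field.length) smart_field_reset(field.get(0), addresses);` avoids it. The header comment above it is a verbatim copy of the one on `managesieve_vacation_addresses`, although that function issues the request and this one applies the reply; suggest `// response handler: fill the vacation addresses smart field with the identities returned by the 'addresses' action`.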
@@ -764,6 +751,9 @@
 
   if (field.attr('disabled'))
     area.hide();
+  // disable the original field anyway, we don't want it in POST
+  else
+    field.prop('disabled', true);
 
   field.after(area);
 
@@ -826,16 +816,32 @@
   return elem;
 }
 
+// Reset and fill the smart list input with new data
+function smart_field_reset(field, data)
+{
+  var id = field.id + '_list',
+    list = data.length ? data : [''];
+    area = $('#' + id);
+
+  area.empty();
+
+  // add input rows
+  $.each(list, function(i, v) {
+    area.append(smart_field_row(v, field.name, i, $(field).data('size')));
+  });
+}
+
 // Register onmouse(leave/enter) events for tips on specified form element
 rcube_webmail.prototype.managesieve_tip_register = function(tips)
 {
   var n, framed = parent.rcmail,
     tip = framed ? parent.rcmail.env.ms_tip_layer : rcmail.env.ms_tip_layer;
 
-  for (var n in tips) {
+  for (n in tips) {
     $('#'+tips[n][0])
       .data('tip', tips[n][1])
-      .bind('mouseenter', function(e) {
+      .mouseleave(function(e) { tip.hide(); })
+      .mouseenter(function(e) {
         var elem = $(this),
           offset = elem.offset(),
           left = offset.left,
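Review bot: In `smart_field_reset`, the declaration list ends early on `list = data.length ? data : [''];` — a semicolon where a comma was meant — so the following `area = $('#' + id);` assigns an undeclared identifier, which is an implicit global in sloppy mode and a ReferenceError under `'use strict'`. Change the two lines to `list = data && data.length ? data : [''],` and `area = $('#' + id);`, which also keeps a null or undefined `data` from throwing on `.length`. `managesieve_tip_register` begins in this hunk and continues past it.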
@@ -852,10 +858,104 @@
         top -= tip.height();
 
         tip.css({left: left, top: top, minWidth: (minwidth-2) + 'px'}).show();
-      })
-    .bind('mouseleave', function(e) { tip.hide(); });
+      });
   }
 };
+
+// format time string
+function sieve_formattime(hour, minutes)
+{
+  var i, c, h, time = '', format = rcmail.env.time_format || 'H:i';
+
+  for (i=0; i<format.length; i++) {
+    c = format.charAt(i);
+    switch (c) {
+      case 'a': time += hour > 12 ? 'am' : 'pm'; break;
+      case 'A': time += hour > 12 ? 'AM' : 'PM'; break;
+      case 'g':
+      case 'h':
+        h = hour == 0 ? 12 : hour > 12 ? hour - 12 : hour;
+        time += (c == 'h' && hour < 10 ? '0' : '') + hour;
+        break;
+      case 'G': time += hour; break;
+      case 'H': time += (hour < 10 ? '0' : '') + hour; break;
+      case 'i': time += (minutes < 10 ? '0' : '') + minutes; break;
+      case 's': time += '00';
+      default: time += c;
+    }
+  }
+
+  return time;
+}
+
+function sieve_form_init()
+{
+  // small resize for header element
+  $('select[name="_header[]"]', rcmail.gui_objects.sieveform).each(function() {
+    if (this.value == '...') this.style.width = '40px';
+  });
+
+  // resize dialog window
+  if (rcmail.env.action == 'plugin.managesieve' && rcmail.env.task == 'mail') {
+    parent.rcmail.managesieve_dialog_resize(rcmail.gui_objects.sieveform);
+  }
+
+  $('input[type="text"]:first', rcmail.gui_objects.sieveform).focus();
+
+  // initialize smart list inputs
+  $('textarea[data-type="list"]', rcmail.gui_objects.sieveform).each(function() {
+    smart_field_init(this);
+  });
+
+  // enable date pickers on date fields
+  if ($.datepicker && rcmail.env.date_format) {
+    $.datepicker.setDefaults({
+      dateFormat: rcmail.env.date_format,
+      changeMonth: true,
+      showOtherMonths: true,
+      selectOtherMonths: true,
+      onSelect: function(dateText) { $(this).focus().val(dateText); }
+    });
+    $('input.datepicker').datepicker();
+  }
+
+  // configure drop-down menu on time input fields based on jquery UI autocomplete
+  $('#vacation_timefrom, #vacation_timeto')
+    .attr('autocomplete', "off")
+    .autocomplete({
+      delay: 100,
+      minLength: 1,
+      source: function(p, callback) {
+        var h, result = [];
+        for (h = 0; h < 24; h++)
+          result.push(sieve_formattime(h, 0));
+        result.push(sieve_formattime(23, 59));
+
+        return callback(result);
+      },
+      open: function(event, ui) {
+        // scroll to current time
+        var $this = $(this), val = $this.val(),
+          widget = $this.autocomplete('widget').css('width', '10em'),
+          menu = $this.data('ui-autocomplete').menu;
+
+        if (val && val.length)
+          widget.children().each(function() {
+            var li = $(this);
+            if (li.text().indexOf(val) == 0)
+              menu._scrollIntoView(li);
+          });
+      },
+      select: function(event, ui) {
+        $(this).val(ui.item.value);
+        return false;
+      }
+    })
+    .click(function() {  // show drop-down upon clicks
+      $(this).autocomplete('search', $(this).val() || ' ');
+    })
+}
+
 
 /*********************************************************/
 /*********           Mail UI methods             *********/
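Review bot: `sieve_formattime` has three defects that the autocomplete list built in `sieve_form_init` will expose: the `case 'a'`/`case 'A'` branches are inverted (`hour > 12 ? 'am' : 'pm'` yields `am` for afternoon hours and `pm` for midnight), the 12-hour `'g'`/`'h'` branch computes `h` but then appends `hour`, so 13:00 renders as `13` instead of `1`, and `case 's'` has no `break`, so the literal `s` is appended after `00`. The corrected switch is below; the `'G'`, `'H'` and `'i'` cases and the return are unchanged. The trailing `.click(...)` chain in `sieve_form_init` is also missing its terminating semicolon and relies on ASI.
```javascript
    switch (c) {
      case 'a': time += hour >= 12 ? 'pm' : 'am'; break;
      case 'A': time += hour >= 12 ? 'PM' : 'AM'; break;
      case 'g':
      case 'h':
        h = hour == 0 ? 12 : hour > 12 ? hour - 12 : hour;
        time += (c == 'h' && h < 10 ? '0' : '') + h;
        break;
      // … unchanged: 'G', 'H', 'i' cases …
      case 's': time += '00'; break;
      default: time += c;
    }
```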
@@ -863,7 +963,7 @@
 
 rcube_webmail.prototype.managesieve_create = function(force)
 {
-  if (!force && this.env.action != 'show' && !$('#'+this.env.contentframe).is(':visible')) {
+  if (!force && this.env.action != 'show') {
     var uid = this.message_list.get_single_selection(),
       lock = this.set_busy(true, 'loading');
 
@@ -883,7 +983,7 @@
   }
 
   // build dialog window content
-  html = '<fieldset><legend>'+this.gettext('managesieve.usedata')+'</legend><ul>';
+  html = '<fieldset><legend>'+this.get_label('managesieve.usedata')+'</legend><ul>';
   for (i in this.env.sieve_headers)
     html += '<li><input type="checkbox" name="headers[]" id="sievehdr'+i+'" value="'+i+'" checked="checked" />'
       +'<label for="sievehdr'+i+'">'+this.env.sieve_headers[i][0]+':</label> '+this.env.sieve_headers[i][1]+'</li>';
@@ -892,11 +992,11 @@
   dialog.html(html);
 
   // [Next Step] button action
-  buttons[this.gettext('managesieve.nextstep')] = function () {
+  buttons[this.get_label('managesieve.nextstep')] = function () {
     // check if there's at least one checkbox checked
     var hdrs = $('input[name="headers[]"]:checked', dialog);
     if (!hdrs.length) {
-      alert(rcmail.gettext('managesieve.nodata'));
+      alert(rcmail.get_label('managesieve.nodata'));
       return;
     }
 
@@ -916,7 +1016,7 @@
 
     // Change [Next Step] button with [Save] button
     buttons = {};
-    buttons[rcmail.gettext('save')] = function() {
+    buttons[rcmail.get_label('save')] = function() {
       var win = $('iframe', dialog).get(0).contentWindow;
       win.rcmail.managesieve_save();
     };
@@ -928,7 +1028,7 @@
     modal: false,
     resizable: true,
     closeOnEscape: !bw.ie7,  // disable for performance reasons
-    title: this.gettext('managesieve.newfilter'),
+    title: this.get_label('managesieve.newfilter'),
     close: function() { rcmail.managesieve_dialog_close(); },
     buttons: buttons,
     minWidth: 600,

--
Gitblit v1.9.1