From 58fc995728352b466f166a67281b11f6db191f31 Mon Sep 17 00:00:00 2001 From: thomascube <thomas@roundcube.net> Date: Fri, 12 Aug 2011 15:39:39 -0400 Subject: [PATCH] Backport XSS vulnerability fix to 0.5 branch --- program/include/rcube_json_output.php | 74 ++++++++++++++++++++++--------------- 1 files changed, 44 insertions(+), 30 deletions(-) diff --git a/program/include/rcube_json_output.php b/program/include/rcube_json_output.php index 9700472..f9fe38d 100644 --- a/program/include/rcube_json_output.php +++ b/program/include/rcube_json_output.php @@ -28,15 +28,20 @@ */ class rcube_json_output { + /** + * Stores configuration object. + * + * @var rcube_config + */ private $config; private $charset = RCMAIL_CHARSET; - private $env = array(); private $texts = array(); private $commands = array(); private $callbacks = array(); private $message = null; public $browser; + public $env = array(); public $type = 'js'; public $ajax_call = true; @@ -54,8 +59,8 @@ /** * Set environment variable * - * @param string Property name - * @param mixed Property value + * @param string $name Property name + * @param mixed $value Property value */ public function set_env($name, $value) { @@ -66,7 +71,7 @@ /** * Issue command to set page title * - * @param string New page title + * @param string $title New page title */ public function set_pagetitle($title) { @@ -98,8 +103,8 @@ /** * Register a template object handler * - * @param string Object name - * @param string Function name to call + * @param string $obj Object name + * @param string $func Function name to call * @return void */ public function add_handler($obj, $func) @@ -111,7 +116,7 @@ /** * Register a list of template object handlers * - * @param array Hash array with object=>handler pairs + * @param array $arr Hash array with object=>handler pairs * @return void */ public function add_handlers($arr) 
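Review bot: `$env` moves from `private` to `public` in the property list of `rcube_json_output` without a docblock and without a mention in the commit message, while `$config` next to it gains one. Code outside the class can now write to the array directly instead of going through `set_env()`, and the last hunk of this patch shows the array copied into the response as `$response['env']`, so the change widens what can reach the client. If the wider visibility is required for the backport, document it, e.g. `/** @var array Environment variables sent to the client; values must be safe to serialize into the response */`; otherwise keep the property `private`.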
@@ -129,14 +134,14 @@ public function command() { $cmd = func_get_args(); - + if (strpos($cmd[0], 'plugin.') === 0) $this->callbacks[] = $cmd; else $this->commands[] = $cmd; } - - + + /** * Add a localized label to the client environment */ @@ -145,7 +150,7 @@ $args = func_get_args(); if (count($args) == 1 && is_array($args[0])) $args = $args[0]; - + foreach ($args as $name) { $this->texts[$name] = rcube_label($name); } @@ -155,21 +160,25 @@ /** * Invoke display_message command * - * @param string Message to display - * @param string Message type [notice|confirm|error] - * @param array Key-value pairs to be replaced in localized text - * @param boolean Override last set message + * @param string $message Message to display + * @param string $type Message type [notice|confirm|error] + * @param array $vars Key-value pairs to be replaced in localized text + * @param boolean $override Override last set message * @uses self::command() */ public function show_message($message, $type='notice', $vars=null, $override=true) { if ($override || !$this->message) { + if (rcube_label_exists($message)) { + if (!empty($vars)) + $vars = array_map('Q', $vars); + $msgtext = rcube_label(array('name' => $message, 'vars' => $vars)); + } + else + $msgtext = $message; + $this->message = $message; - $this->command( - 'display_message', - rcube_label(array('name' => $message, 'vars' => $vars)), - $type - ); + $this->command('display_message', $msgtext, $type, $timeout * 1000); } } @@ -188,7 +197,8 @@ /** * Redirect to a certain url * - * @param mixed Either a string with the action or url parameters as key-value pairs + * @param mixed $p Either a string with the action or url parameters as key-value pairs + * @param int $delay Delay in seconds * @see rcmail::url() */ public function redirect($p = array(), $delay = 1) @@ -197,8 +207,8 @@ $this->remote_response("window.setTimeout(\"location.href='{$location}'\", $delay);"); exit; } - - + + /** * Send an AJAX response to the client. */ 
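Review bot: `$timeout` is used in the new call `$this->command('display_message', $msgtext, $type, $timeout * 1000);` but it is not a parameter of `show_message($message, $type='notice', $vars=null, $override=true)` and is not assigned anywhere in the hunk, so it is an undefined variable that raises a notice and always yields 0. Either add it to the signature and docblock, `public function show_message($message, $type='notice', $vars=null, $override=true, $timeout=0)`, or drop the fourth argument on this branch. Separately, the `else` branch forwards `$message` unescaped when it is not a known label, while only `$vars` pass through `Q`. Whether the client inserts that text as HTML is not visible here, so the method should at least carry a comment such as `// $message is sent as-is when it is not a label; callers must not pass untrusted text`.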
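Review bot: The added `@param int $delay Delay in seconds` does not match the body of `redirect()`, visible as context in the following hunk, which passes `$delay` unchanged as the second argument of `window.setTimeout(...)`; that argument is in milliseconds, so the default of 1 is a 1 ms delay. Either correct the docblock to `Delay in milliseconds` or convert in the body with `$delay * 1000`. The same context line interpolates `$location` into a quoted JavaScript string; its assignment lies outside both hunks, so it cannot be confirmed from here that quotes are escaped, and a comment stating where that is guaranteed would help.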
@@ -207,12 +217,12 @@ $this->remote_response(); exit; } - - + + /** * Send an AJAX response with executable JS code * - * @param string Additional JS code + * @param string $add Additional JS code * @param boolean True if output buffer should be flushed * @return void * @deprecated @@ -231,17 +241,21 @@ unset($this->env['task'], $this->env['action'], $this->env['comm_path']); $rcmail = rcmail::get_instance(); - $response = array('action' => $rcmail->action, 'unlock' => (bool)$_REQUEST['_unlock']); - + $response['action'] = $rcmail->action; + + if ($unlock = get_input_value('_unlock', RCUBE_INPUT_GPC)) { + $response['unlock'] = $unlock; + } + if (!empty($this->env)) $response['env'] = $this->env; - + if (!empty($this->texts)) $response['texts'] = $this->texts; // send function calls $response['exec'] = $this->get_js_commands() . $add; - + if (!empty($this->callbacks)) $response['callbacks'] = $this->callbacks; -- Gitblit v1.9.1
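Review bot: `unlock` changes from a `(bool)` cast to the request value itself, `$response['unlock'] = $unlock;`, so a client-supplied string is now reflected in the response. `get_input_value()` is defined outside this diff and the encoding of `$response` happens below the hunk, so the safety of this depends on both. If the value is only ever a message identifier, constrain it before echoing, e.g. `if (preg_match('/^[a-z0-9_]+$/i', (string)$unlock)) $response['unlock'] = $unlock;` (the pattern is illustrative; confirm it against what the client sends). Within the hunk `$response` is also no longer initialised before the first `$response['action'] = ...` write; adding `$response = array();` above it would make that explicit.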