From 6731d2116c1edbbec04af4874e46aa033c1828f5 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 09 Sep 2015 03:10:49 -0400
Subject: [PATCH] Fix XSS issue in drag-n-drop file uploads (#1490530)
---
program/js/app.js | 25 ++++++++++++++-----------
1 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/program/js/app.js b/program/js/app.js
index 6dcec92..32809d1 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -156,8 +156,8 @@
var n;
this.task = this.env.task;
- // check browser
- if (this.env.server_error != 409 && (!bw.dom || !bw.xmlhttp_test() || (bw.mz && bw.vendver < 1.9) || (bw.ie && bw.vendver < 7))) {
+ // check browser capabilities (never use version checks here)
+ if (this.env.server_error != 409 && (!bw.dom || !bw.xmlhttp_test())) {
this.goto_url('error', '_code=0x199');
return;
}
@@ -653,7 +653,9 @@
}
// check input before leaving compose step
- if (this.task == 'mail' && this.env.action == 'compose' && $.inArray(command, this.env.compose_commands) < 0 && !this.env.server_error) {
+ if (this.task == 'mail' && this.env.action == 'compose' && !this.env.server_error && command != 'save-pref'
+ && $.inArray(command, this.env.compose_commands) < 0
+ ) {
if (!this.env.is_sent && this.cmp_hash != this.compose_field_hash() && !confirm(this.get_label('notsentwarning')))
return false;
@@ -1615,8 +1617,8 @@
// select the folder if one of its childs is currently selected
// don't select if it's virtual (#1488346)
- if (!node.virtual && this.env.mailbox && this.env.mailbox.startsWith(name + this.env.delimiter))
- this.command('list', name);
+ if (!node.virtual && this.env.mailbox && this.env.mailbox.startsWith(node.id + this.env.delimiter))
+ this.command('list', node.id);
}
else {
var reg = new RegExp('&'+urlencode(node.id)+'&');
@@ -3593,7 +3595,7 @@
var oldval = input.val(), rx = new RegExp(RegExp.escape(delim) + '\\s*$');
if (oldval && !rx.test(oldval))
oldval += delim + ' ';
- input.val(oldval + recipients.join(delim + ' ') + delim + ' ');
+ input.val(oldval + recipients.join(delim + ' ') + delim + ' ').change();
this.triggerEvent('add-recipient', { field:field, recipients:recipients });
}
@@ -7061,7 +7063,7 @@
if (show) {
// truncate stack down to the one containing the ref link
for (var i = this.menu_stack.length - 1; stack && i >= 0; i--) {
- if (!$(ref).parents('#'+this.menu_stack[i]).length)
+ if (!$(ref).parents('#'+this.menu_stack[i]).length && $(event.target).parent().attr('role') != 'menuitem')
this.hide_menu(this.menu_stack[i], event);
}
if (stack && this.menu_stack.length) {
@@ -7524,7 +7526,7 @@
}
this.enable_command('set-listmode', this.env.threads && !is_multifolder);
- if (list.rowcount > 0)
+ if (list.rowcount > 0 && !$(document.activeElement).is('input,textarea'))
list.focus();
this.msglist_select(list);
}
@@ -7540,7 +7542,7 @@
this.enable_command('search-create', this.env.source == '');
this.enable_command('search-delete', this.env.search_id);
this.update_group_commands();
- if (this.contact_list.rowcount > 0)
+ if (this.contact_list.rowcount > 0 && !$(document.activeElement).is('input,textarea'))
this.contact_list.focus();
this.triggerEvent('listupdate', { folder:this.env.source, rowcount:this.contact_list.rowcount });
}
@@ -7826,7 +7828,8 @@
var submit_data = function() {
var multiple = files.length > 1,
ts = new Date().getTime(),
- content = '<span>' + (multiple ? ref.get_label('uploadingmany') : files[0].name) + '</span>';
+ // jQuery way to escape filename (#1490530)
+ content = $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html();
// add to attachments list
if (!ref.add2attachment_list(ts, { name:'', html:content, classname:'uploading', complete:false }))
@@ -8040,7 +8043,7 @@
// get the IMP mailbox of the message with the given UID
this.get_message_mailbox = function(uid)
{
- var msg = this.env.messages ? this.env.messages[uid] : {};
+ var msg = (this.env.messages && uid ? this.env.messages[uid] : null) || {};
return msg.mbox || this.env.mailbox;
};
--
Gitblit v1.9.1