From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 16 Dec 2014 07:28:48 -0500
Subject: [PATCH] Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
---
program/js/app.js | 289 +++++++++++++++++++++++++++++++++++++++++++--------------
1 files changed, 215 insertions(+), 74 deletions(-)
diff --git a/program/js/app.js b/program/js/app.js
index 28df384..4e65a9c 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -58,7 +58,6 @@
request_timeout: 180, // seconds
draft_autosave: 0, // seconds
comm_path: './',
- blankpage: 'program/resources/blank.gif',
recipients_separator: ',',
recipients_delimiter: ', ',
popup_width: 1150,
@@ -163,6 +162,9 @@
return;
}
+ if (!this.env.blankpage)
+ this.env.blankpage = this.assets_path('program/resources/blank.gif');
+
// find all registered gui containers
for (n in this.gui_containers)
this.gui_containers[n] = $('#'+this.gui_containers[n]);
@@ -235,8 +237,6 @@
$(this.message_list.thead).on('click', 'a.sortcol', function(e){
return ref.command('sort', $(this).attr('rel'), this);
});
-
- this.gui_objects.messagelist.parentNode.onclick = function(e){ return ref.click_on_list(e || window.event); };
this.enable_command('toggle_status', 'toggle_flag', 'sort', true);
this.enable_command('set-listmode', this.env.threads && !this.is_multifolder_listing());
@@ -406,8 +406,6 @@
.addEventListener('dragend', function(e) { ref.drag_end(e); })
.init();
- this.gui_objects.contactslist.parentNode.onmousedown = function(e){ return ref.click_on_list(e); };
-
$(this.gui_objects.qsearchbox).focusin(function() { ref.contact_list.blur(); });
this.update_group_commands();
@@ -560,13 +558,14 @@
// show message
if (this.pending_message)
- this.display_message(this.pending_message[0], this.pending_message[1], this.pending_message[2]);
+ this.display_message.apply(this, this.pending_message);
// init treelist widget
if (this.gui_objects.folderlist && window.rcube_treelist_widget) {
this.treelist = new rcube_treelist_widget(this.gui_objects.folderlist, {
selectable: true,
id_prefix: 'rcmli',
+ parent_focus: true,
id_encode: this.html_identifier_encode,
id_decode: this.html_identifier_decode,
check_droptarget: function(node) { return !node.virtual && ref.check_droptarget(node.id) }
@@ -633,8 +632,9 @@
if (obj && obj.blur && !(event && rcube_event.is_keyboard(event)))
obj.blur();
- // do nothing if interface is locked by other command (with exception for searching reset)
- if (this.busy && !(command == 'reset-search' && this.last_command == 'search'))
+ // do nothing if interface is locked by another command
+ // with exception for searching reset and menu
+ if (this.busy && !(command == 'reset-search' && this.last_command == 'search') && !command.match(/^menu-/))
return false;
// let the browser handle this click (shift/ctrl usually opens the link in a new window/tab)
@@ -1056,7 +1056,7 @@
if (this.task == 'mail') {
url._mbox = this.env.mailbox;
if (props)
- url._to = props;
+ url._to = props;
// also send search request so we can go back to search result after message is sent
if (this.env.search_request)
url._search = this.env.search_request;
@@ -1084,8 +1084,12 @@
break;
}
}
- else if (props)
+ else if (props && typeof props == 'string') {
url._to = props;
+ }
+ else if (props && typeof props == 'object') {
+ $.extend(url, props);
+ }
this.open_compose_step(url);
break;
@@ -1404,8 +1408,10 @@
if (task == 'mail')
url += '&_mbox=INBOX';
- else if (task == 'logout' && !this.env.server_error)
+ else if (task == 'logout' && !this.env.server_error) {
+ url += '&_token=' + this.env.request_token;
this.clear_compose_data();
+ }
this.redirect(url);
};
@@ -1415,7 +1421,10 @@
if (!url)
url = this.env.comm_path;
- return url.replace(/_task=[a-z0-9_-]+/i, '_task='+task);
+ if (url.match(/[?&]_task=[a-zA-Z0-9_-]+/))
+ return url.replace(/_task=[a-zA-Z0-9_-]+/, '_task=' + task);
+ else
+ return url.replace(/\?.*$/, '') + '?_task=' + task;
};
this.reload = function(delay)
@@ -1451,7 +1460,7 @@
this.is_framed = function()
{
- return (this.env.framed && parent.rcmail && parent.rcmail != this && parent.rcmail.command);
+ return this.env.framed && parent.rcmail && parent.rcmail != this && typeof parent.rcmail.command == 'function';
};
this.save_pref = function(prop)
@@ -1659,7 +1668,7 @@
}
skip = obj.data('parent');
}
- }, 10);
+ }, 10, e);
};
// global keypress event handler
@@ -1713,19 +1722,6 @@
return true;
}
-
- this.click_on_list = function(e)
- {
- if (this.gui_objects.qsearchbox)
- this.gui_objects.qsearchbox.blur();
-
- if (this.message_list)
- this.message_list.focus(e);
- else if (this.contact_list)
- this.contact_list.focus(e);
-
- return true;
- };
this.msglist_select = function(list)
{
@@ -2039,7 +2035,7 @@
}
if (flags.forwarded) {
status_class += ' forwarded';
- status_label += this.get_label('replied') + ' ';
+ status_label += this.get_label('forwarded') + ' ';
}
// update selection
@@ -2494,7 +2490,7 @@
// expand all threads with unread children
this.expand_unread = function()
{
- var r, tbody = this.gui_objects.messagelist.tBodies[0],
+ var r, tbody = this.message_list.tbody,
new_row = tbody.firstChild;
while (new_row) {
@@ -3331,7 +3327,7 @@
if (!this.gui_objects.messageform)
return false;
- var i, input_from = $("[name='_from']"),
+ var i, pos, input_from = $("[name='_from']"),
input_to = $("[name='_to']"),
input_subject = $("input[name='_subject']"),
input_message = $("[name='_message']").get(0),
@@ -3365,16 +3361,24 @@
}
if (!html_mode) {
- this.set_caret_pos(input_message, this.env.top_posting ? 0 : $(input_message).val().length);
+ pos = this.env.top_posting ? 0 : input_message.value.length;
+ this.set_caret_pos(input_message, pos);
+
// add signature according to selected identity
// if we have HTML editor, signature is added in callback
if (input_from.prop('type') == 'select-one') {
this.change_identity(input_from[0]);
}
+
+ // scroll to the bottom of the textarea (#1490114)
+ if (pos) {
+ $(input_message).scrollTop(input_message.scrollHeight);
+ }
}
// check for locally stored compose data
- this.compose_restore_dialog(0, html_mode)
+ if (this.env.save_localstorage)
+ this.compose_restore_dialog(0, html_mode)
if (input_to.val() == '')
input_to.focus();
@@ -3430,6 +3434,7 @@
this.get_label('restoremessage'),
[{
text: this.get_label('restore'),
+ 'class': 'mainaction',
click: function(){
ref.restore_compose_form(key, html_mode);
ref.remove_compose_data(key); // remove old copy
@@ -3439,6 +3444,7 @@
},
{
text: this.get_label('delete'),
+ 'class': 'delete',
click: function(){
ref.remove_compose_data(key);
$(this).dialog('close');
@@ -3628,11 +3634,15 @@
this.toggle_editor = function(props, obj, e)
{
// @todo: this should work also with many editors on page
- var result = this.editor.toggle(props.html);
+ var result = this.editor.toggle(props.html, props.noconvert || false);
+
+ // satisfy the expectations of aftertoggle-editor event subscribers
+ props.mode = props.html ? 'html' : 'plain';
if (!result && e) {
// fix selector value if operation failed
- $(e.target).filter('select').val(props.html ? 'plain' : 'html');
+ props.mode = props.html ? 'plain' : 'html';
+ $(e.target).filter('select').val(props.mode);
}
if (result) {
@@ -3659,7 +3669,7 @@
this.save_response = function()
{
// show dialog to enter a name and to modify the text to be saved
- var buttons = {}, text = this.editor.get_content(true, true),
+ var buttons = {}, text = this.editor.get_content({selection: true, format: 'text', nosig: true}),
html = '<form class="propform">' +
'<div class="prop block"><label>' + this.get_label('responsename') + '</label>' +
'<input type="text" name="name" id="ffresponsename" size="40" /></div>' +
@@ -3687,7 +3697,7 @@
$(this).dialog('close');
};
- this.show_popup_dialog(html, this.gettext('newresponse'), buttons);
+ this.show_popup_dialog(html, this.gettext('newresponse'), buttons, {button_classes: ['mainaction']});
$('#ffresponsetext').val(text);
$('#ffresponsename').select();
@@ -3806,7 +3816,7 @@
}
// save compose form content to local storage every 5 seconds
- if (!this.local_save_timer && window.localStorage) {
+ if (!this.local_save_timer && window.localStorage && this.env.save_localstorage) {
// track typing activity and only save on changes
this.compose_type_activity = this.compose_type_activity_last = 0;
$(document).bind('keypress', function(e){ ref.compose_type_activity++; });
@@ -3847,7 +3857,7 @@
if (val = $('[name="_' + hash_fields[i] + '"]').val())
str += val + ':';
- str += this.editor.get_content();
+ str += this.editor.get_content({refresh: false});
if (this.env.attachments)
for (id in this.env.attachments)
@@ -3862,6 +3872,10 @@
// store the contents of the compose form to localstorage
this.save_compose_form_local = function()
{
+ // feature is disabled
+ if (!this.env.save_localstorage)
+ return;
+
var formdata = { session:this.env.session_id, changed:new Date().getTime() },
ed, empty = true;
@@ -3931,7 +3945,7 @@
// initialize HTML editor
if ((formdata._is_html == '1' && !html_mode) || (formdata._is_html != '1' && html_mode)) {
- this.command('toggle-editor', {id: this.env.composebody, html: !html_mode});
+ this.command('toggle-editor', {id: this.env.composebody, html: !html_mode, noconvert: true});
}
}
};
@@ -3968,6 +3982,19 @@
if (!show_sig)
show_sig = this.env.show_sig;
+ var id = obj.options[obj.selectedIndex].value,
+ sig = this.env.identity,
+ delim = this.env.recipients_separator,
+ rx_delim = RegExp.escape(delim);
+
+ // enable manual signature insert
+ if (this.env.signatures && this.env.signatures[id]) {
+ this.enable_command('insert-sig', true);
+ this.env.compose_commands.push('insert-sig');
+ }
+ else
+ this.enable_command('insert-sig', false);
+
// first function execution
if (!this.env.identities_initialized) {
this.env.identities_initialized = true;
@@ -3976,11 +4003,6 @@
if (this.env.opened_extwin)
return;
}
-
- var id = obj.options[obj.selectedIndex].value,
- sig = this.env.identity,
- delim = this.env.recipients_separator,
- rx_delim = RegExp.escape(delim);
// update reply-to/bcc fields with addresses defined in identities
$.each(['replyto', 'bcc'], function() {
@@ -4014,14 +4036,6 @@
if (old_val || new_val)
input.val(input_val).change();
});
-
- // enable manual signature insert
- if (this.env.signatures && this.env.signatures[id]) {
- this.enable_command('insert-sig', true);
- this.env.compose_commands.push('insert-sig');
- }
- else
- this.enable_command('insert-sig', false);
this.editor.change_signature(id, show_sig);
this.env.identity = id;
@@ -4452,7 +4466,7 @@
this.ksearch_destroy();
// insert all members of a group
- if (typeof this.env.contacts[id] === 'object' && this.env.contacts[id].type == 'group') {
+ if (typeof this.env.contacts[id] === 'object' && this.env.contacts[id].type == 'group' && !this.env.contacts[id].email) {
insert += this.env.contacts[id].name + this.env.recipients_delimiter;
this.group2expand[this.env.contacts[id].id] = $.extend({ input: this.ksearch_input }, this.env.contacts[id]);
this.http_request('mail/group-expand', {_source: this.env.contacts[id].source, _gid: this.env.contacts[id].id}, false);
@@ -4596,7 +4610,7 @@
id = i + this.env.contacts.length;
$('<li>').attr('id', 'rcmkSearchItem' + id)
.attr('role', 'option')
- .html(this.quote_html(text.replace(new RegExp('('+RegExp.escape(value)+')', 'ig'), '##$1%%')).replace(/##([^%]+)%%/g, '<b>$1</b>'))
+ .html('<i class="icon"></i>' + this.quote_html(text.replace(new RegExp('('+RegExp.escape(value)+')', 'ig'), '##$1%%')).replace(/##([^%]+)%%/g, '<b>$1</b>'))
.addClass(type || '')
.appendTo(ul)
.mouseover(function() { ref.ksearch_select(this); })
@@ -4700,7 +4714,7 @@
source = this.env.source ? this.env.address_sources[this.env.source] : null;
// we don't have dblclick handler here, so use 200 instead of this.dblclick_time
- if (id = list.get_single_selection())
+ if (this.env.contentframe && (id = list.get_single_selection()))
this.preview_timer = setTimeout(function(){ ref.load_contact(id, 'show'); }, 200);
else if (this.env.contentframe)
this.show_contentframe(false);
@@ -4752,6 +4766,7 @@
this.list_contacts = function(src, group, page)
{
var win, folder, url = {},
+ refresh = src === undefined && group === undefined && page === undefined,
target = window;
if (!src)
@@ -4764,7 +4779,7 @@
page = this.env.current_page = 1;
this.reset_qsearch();
}
- else if (group != this.env.group)
+ else if (!refresh && group != this.env.group)
page = this.env.current_page = 1;
if (this.env.search_id)
@@ -4902,6 +4917,9 @@
if (action && (cid || action == 'add') && !this.drag_active) {
if (this.env.group)
url._gid = this.env.group;
+
+ if (this.env.search_request)
+ url._search = this.env.search_request;
url._action = action;
url._source = this.env.source;
@@ -5165,6 +5183,7 @@
this.show_popup_dialog(content, this.get_label('newgroup'),
[{
text: this.get_label('save'),
+ 'class': 'mainaction',
click: function() {
var name;
@@ -5192,6 +5211,7 @@
this.show_popup_dialog(content, this.get_label('grouprename'),
[{
text: this.get_label('save'),
+ 'class': 'mainaction',
click: function() {
var name;
@@ -5555,6 +5575,7 @@
this.show_popup_dialog(content, this.get_label('searchsave'),
[{
text: this.get_label('save'),
+ 'class': 'mainaction',
click: function() {
var name;
@@ -5754,15 +5775,19 @@
this.subscription_list = new rcube_treelist_widget(this.gui_objects.subscriptionlist, {
selectable: true,
+ tabexit: false,
+ parent_focus: true,
id_prefix: 'rcmli',
id_encode: this.html_identifier_encode,
- id_decode: this.html_identifier_decode
+ id_decode: this.html_identifier_decode,
+ searchbox: '#foldersearch'
});
this.subscription_list
.addEventListener('select', function(node) { ref.subscription_select(node.id); })
.addEventListener('collapse', function(node) { ref.folder_collapsed(node) })
.addEventListener('expand', function(node) { ref.folder_collapsed(node) })
+ .addEventListener('search', function(p) { if (p.query) ref.subscription_select(); })
.draggable({cancel: 'li.mailbox.root'})
.droppable({
// @todo: find better way, accept callback is executed for every folder
@@ -5845,6 +5870,12 @@
if (!this.gui_objects.subscriptionlist)
return false;
+ // reset searching
+ if (this.subscription_list.is_search()) {
+ this.subscription_select();
+ this.subscription_list.reset_search();
+ }
+
// disable drag-n-drop temporarily
this.subscription_list.draggable('destroy').droppable('destroy');
@@ -5863,8 +5894,9 @@
row.attr({id: 'rcmli' + this.html_identifier_encode(id), 'class': class_name});
if (!refrow || !refrow.length) {
- // remove old subfolders and toggle
+ // remove old data, subfolders and toggle
$('ul,div.treetoggle', row).remove();
+ row.removeData('filtered');
}
// set folder name
@@ -5991,7 +6023,7 @@
this.subscription_list.expand(this.folder_id2name(parent.id));
}
- row = row.get(0);
+ row = row.show().get(0);
if (row.scrollIntoView)
row.scrollIntoView();
@@ -6002,10 +6034,18 @@
this.replace_folder_row = function(oldid, id, name, display_name, is_protected, class_name)
{
if (!this.gui_objects.subscriptionlist) {
- if (this.is_framed)
- return parent.rcmail.replace_folder_row(oldid, id, name, display_name, is_protected, class_name);
+ if (this.is_framed()) {
+ // @FIXME: for some reason this 'parent' variable need to be prefixed with 'window.'
+ return window.parent.rcmail.replace_folder_row(oldid, id, name, display_name, is_protected, class_name);
+ }
return false;
+ }
+
+ // reset searching
+ if (this.subscription_list.is_search()) {
+ this.subscription_select();
+ this.subscription_list.reset_search();
}
var subfolders = {},
@@ -6053,6 +6093,12 @@
// remove the table row of a specific mailbox from the table
this.remove_folder_row = function(folder)
{
+ // reset searching
+ if (this.subscription_list.is_search()) {
+ this.subscription_select();
+ this.subscription_list.reset_search();
+ }
+
var list = [], row = this.subscription_list.get_item(folder, true);
// get subfolders if any
@@ -6121,6 +6167,37 @@
$('#folder-size').replaceWith(size);
};
+ // filter folders by namespace
+ this.folder_filter = function(prefix)
+ {
+ this.subscription_list.reset_search();
+
+ this.subscription_list.container.children('li').each(function() {
+ var i, folder = ref.folder_id2name(this.id);
+ // show all folders
+ if (prefix == '---') {
+ }
+ // got namespace prefix
+ else if (prefix) {
+ if (folder !== prefix) {
+ $(this).data('filtered', true).hide();
+ return
+ }
+ }
+ // no namespace prefix, filter out all other namespaces
+ else {
+ // first get all namespace roots
+ for (i in ref.env.ns_roots) {
+ if (folder === ref.env.ns_roots[i]) {
+ $(this).data('filtered', true).hide();
+ return;
+ }
+ }
+ }
+
+ $(this).removeData('filtered').show();
+ });
+ };
/*********************************************************/
/********* GUI functionality *********/
@@ -6283,7 +6360,7 @@
};
// display a system message, list of types in common.css (below #message definition)
- this.display_message = function(msg, type, timeout)
+ this.display_message = function(msg, type, timeout, key)
{
// pass command to parent window
if (this.is_framed())
@@ -6292,18 +6369,34 @@
if (!this.gui_objects.message) {
// save message in order to display after page loaded
if (type != 'loading')
- this.pending_message = [msg, type, timeout];
+ this.pending_message = [msg, type, timeout, key];
return 1;
}
- type = type ? type : 'notice';
+ if (!type)
+ type = 'notice';
- var key = this.html_identifier(msg),
- date = new Date(),
+ if (!key)
+ key = this.html_identifier(msg);
+
+ var date = new Date(),
id = type + date.getTime();
- if (!timeout)
- timeout = this.message_time * (type == 'error' || type == 'warning' ? 2 : 1);
+ if (!timeout) {
+ switch (type) {
+ case 'error':
+ case 'warning':
+ timeout = this.message_time * 2;
+ break;
+
+ case 'uploading':
+ timeout = 0;
+ break;
+
+ default:
+ timeout = this.message_time;
+ }
+ }
if (type == 'loading') {
key = 'loading';
@@ -6336,7 +6429,7 @@
if (type == 'loading') {
this.messages[key].labels = [{'id': id, 'msg': msg}];
}
- else {
+ else if (type != 'uploading') {
obj.click(function() { return ref.hide_message(obj); })
.attr('role', 'alert');
}
@@ -6345,6 +6438,7 @@
if (timeout > 0)
setTimeout(function() { ref.hide_message(id, type != 'loading'); }, timeout);
+
return id;
};
@@ -6423,6 +6517,35 @@
this.messages = {};
};
+ // display uploading message with progress indicator
+ // data should contain: name, total, current, percent, text
+ this.display_progress = function(data)
+ {
+ if (!data || !data.name)
+ return;
+
+ var msg = this.messages['progress' + data.name];
+
+ if (!data.label)
+ data.label = this.get_label('uploadingmany');
+
+ if (!msg) {
+ if (!data.percent || data.percent < 100)
+ this.display_message(data.label, 'uploading', 0, 'progress' + data.name);
+ return;
+ }
+
+ if (!data.total || data.percent >= 100) {
+ this.hide_message(msg.obj);
+ return;
+ }
+
+ if (data.text)
+ data.label += ' ' + data.text;
+
+ msg.obj.text(data.label);
+ };
+
// open a jquery UI dialog with the given content
this.show_popup_dialog = function(content, title, buttons, options)
{
@@ -6436,7 +6559,7 @@
if (typeof content == 'object')
popup.append(content);
else
- popup.html(html);
+ popup.html(content);
popup.dialog($.extend({
title: title,
@@ -6454,6 +6577,11 @@
popup.dialog('option', {
height: Math.min(h - 40, height + 75 + (buttons ? 50 : 0)),
width: Math.min(w - 20, width + 36)
+ });
+
+ // assign special classes to dialog buttons
+ $.each(options.button_classes || [], function(i, v) {
+ if (v) $($('.ui-dialog-buttonpane button.ui-button', popup.parent()).get(i)).addClass(v);
});
return popup;
@@ -6849,7 +6977,7 @@
// truncate stack down to the one containing the ref link
for (var i = this.menu_stack.length - 1; stack && i >= 0; i--) {
if (!$(ref).parents('#'+this.menu_stack[i]).length)
- this.hide_menu(this.menu_stack[i]);
+ this.hide_menu(this.menu_stack[i], event);
}
if (stack && this.menu_stack.length) {
obj.data('parent', $.last(this.menu_stack));
@@ -7773,13 +7901,17 @@
// and return the message uid
this.get_single_uid = function()
{
- return this.env.uid ? this.env.uid : (this.message_list ? this.message_list.get_single_selection() : null);
+ var uid = this.env.uid || (this.message_list ? this.message_list.get_single_selection() : null);
+ var result = ref.triggerEvent('get_single_uid', { uid: uid });
+ return result || uid;
};
// same as above but for contacts
this.get_single_cid = function()
{
- return this.env.cid ? this.env.cid : (this.contact_list ? this.contact_list.get_single_selection() : null);
+ var cid = this.env.cid || (this.contact_list ? this.contact_list.get_single_selection() : null);
+ var result = ref.triggerEvent('get_single_cid', { cid: cid });
+ return result || cid;
};
// get the IMP mailbox of the message with the given UID
@@ -7914,7 +8046,7 @@
img.onload = function() { ref.env.browser_capabilities.tif = 1; };
img.onerror = function() { ref.env.browser_capabilities.tif = 0; };
- img.src = 'program/resources/blank.tif';
+ img.src = this.assets_path('program/resources/blank.tif');
};
this.pdf_support_check = function()
@@ -7971,6 +8103,15 @@
return 0;
};
+ this.assets_path = function(path)
+ {
+ if (this.env.assets_path && !path.startsWith(this.env.assets_path)) {
+ path = this.env.assets_path + path;
+ }
+
+ return path;
+ };
+
// Cookie setter
this.set_cookie = function(name, value, expires)
{
--
Gitblit v1.9.1