From dd7db217979d6960f53b6544cf053d8c0db8c416 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 09 Sep 2015 03:09:59 -0400
Subject: [PATCH] Fix XSS issue in drag-n-drop file uploads (#1490530)
---
program/js/app.js | 202 ++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 155 insertions(+), 47 deletions(-)
diff --git a/program/js/app.js b/program/js/app.js
index b6b4d31..4b9f5d6 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -156,8 +156,8 @@
var n;
this.task = this.env.task;
- // check browser
- if (this.env.server_error != 409 && (!bw.dom || !bw.xmlhttp_test() || (bw.mz && bw.vendver < 1.9) || (bw.ie && bw.vendver < 7))) {
+ // check browser capabilities (never use version checks here)
+ if (this.env.server_error != 409 && (!bw.dom || !bw.xmlhttp_test())) {
this.goto_url('error', '_code=0x199');
return;
}
@@ -592,7 +592,7 @@
.bind('mouseup', body_mouseup)
.bind('keydown', function(e){ return ref.doc_keypress(e); });
- $('iframe').load(function(e) {
+ $('iframe').on('load', function(e) {
try { $(this.contentDocument || this.contentWindow).on('mouseup', body_mouseup); }
catch (e) {/* catch possible "Permission denied" error in IE */ }
})
@@ -653,7 +653,9 @@
}
// check input before leaving compose step
- if (this.task == 'mail' && this.env.action == 'compose' && $.inArray(command, this.env.compose_commands) < 0 && !this.env.server_error) {
+ if (this.task == 'mail' && this.env.action == 'compose' && !this.env.server_error && command != 'save-pref'
+ && $.inArray(command, this.env.compose_commands) < 0
+ ) {
if (!this.env.is_sent && this.cmp_hash != this.compose_field_hash() && !confirm(this.get_label('notsentwarning')))
return false;
@@ -762,7 +764,7 @@
case 'open':
if (uid = this.get_single_uid()) {
- obj.href = this.url('show', {_mbox: this.get_message_mailbox(uid), _uid: uid});
+ obj.href = this.url('show', this.params_from_uid(uid));
return true;
}
break;
@@ -1188,8 +1190,8 @@
this.gui_objects.messagepartframe.contentWindow.print();
}
else if (uid = this.get_single_uid()) {
- url = '&_action=print&_uid='+uid+'&_mbox='+urlencode(this.get_message_mailbox(uid))+(this.env.safemode ? '&_safe=1' : '');
- if (this.open_window(this.env.comm_path + url, true, true)) {
+ url = this.url('print', this.params_from_uid(uid, {_safe: this.env.safemode ? 1 : 0}));
+ if (this.open_window(url, true, true)) {
if (this.env.action != 'show')
this.mark_message('read', uid);
}
@@ -1198,7 +1200,7 @@
case 'viewsource':
if (uid = this.get_single_uid())
- this.open_window(this.env.comm_path+'&_action=viewsource&_uid='+uid+'&_mbox='+urlencode(this.env.mailbox), true, true);
+ this.open_window(this.url('viewsource', this.params_from_uid(uid)), true, true);
break;
case 'download':
@@ -1206,7 +1208,7 @@
location.href = location.href.replace(/_frame=/, '_download=');
}
else if (uid = this.get_single_uid()) {
- this.goto_url('viewsource', { _uid: uid, _mbox: this.get_message_mailbox(uid), _save: 1 });
+ this.goto_url('viewsource', this.params_from_uid(uid, {_save: 1}));
}
break;
@@ -1268,7 +1270,7 @@
$('input[name="_unlock"]', form).val(importlock);
- if (!(flag = this.upload_file(form, 'import'))) {
+ if (!(flag = this.upload_file(form, 'import', importlock))) {
this.set_busy(false, null, importlock);
if (flag !== false)
alert(this.get_label('selectimportfile'));
@@ -1615,8 +1617,8 @@
// select the folder if one of its childs is currently selected
// don't select if it's virtual (#1488346)
- if (!node.virtual && this.env.mailbox && this.env.mailbox.startsWith(name + this.env.delimiter))
- this.command('list', name);
+ if (!node.virtual && this.env.mailbox && this.env.mailbox.startsWith(node.id + this.env.delimiter))
+ this.command('list', node.id);
}
else {
var reg = new RegExp('&'+urlencode(node.id)+'&');
@@ -2233,35 +2235,33 @@
return;
var win, target = window,
- action = preview ? 'preview': 'show',
- url = '&_action='+action+'&_uid='+id+'&_mbox='+urlencode(this.get_message_mailbox(id));
+ url = this.params_from_uid(id, {_caps: this.browser_capabilities()});
if (preview && (win = this.get_frame_window(this.env.contentframe))) {
target = win;
- url += '&_framed=1';
+ url._framed = 1;
}
if (safe)
- url += '&_safe=1';
+ url._safe = 1;
// also send search request to get the right messages
if (this.env.search_request)
- url += '&_search='+this.env.search_request;
-
- // add browser capabilities, so we can properly handle attachments
- url += '&_caps='+urlencode(this.browser_capabilities());
+ url._search = this.env.search_request;
if (this.env.extwin)
- url += '&_extwin=1';
+ url._extwin = 1;
+
+ url = this.url(preview ? 'preview': 'show', url);
if (preview && String(target.location.href).indexOf(url) >= 0) {
this.show_contentframe(true);
}
else {
if (!preview && this.env.message_extwin && !this.env.extwin)
- this.open_window(this.env.comm_path+url, true);
+ this.open_window(url, true);
else
- this.location_href(this.env.comm_path+url, target, true);
+ this.location_href(url, target, true);
// mark as read and change mbox unread counter
if (preview && this.message_list && this.message_list.rows[id] && this.message_list.rows[id].unread && this.env.preview_pane_mark_read > 0) {
@@ -3255,6 +3255,92 @@
this.set_alttext('delete', label);
};
+ // Initialize input element for list page jump
+ this.init_pagejumper = function(element)
+ {
+ $(element).addClass('rcpagejumper')
+ .on('focus', function(e) {
+ // create and display popup with page selection
+ var i, html = '';
+
+ for (i = 1; i <= ref.env.pagecount; i++)
+ html += '<li>' + i + '</li>';
+
+ html = '<ul class="toolbarmenu">' + html + '</ul>';
+
+ if (!ref.pagejump) {
+ ref.pagejump = $('<div id="pagejump-selector" class="popupmenu"></div>')
+ .appendTo(document.body)
+ .on('click', 'li', function() {
+ if (!ref.busy)
+ $(element).val($(this).text()).change();
+ });
+ }
+
+ if (ref.pagejump.data('count') != i)
+ ref.pagejump.html(html);
+
+ ref.pagejump.attr('rel', '#' + this.id).data('count', i);
+
+ // display page selector
+ ref.show_menu('pagejump-selector', true, e);
+ $(this).keydown();
+ })
+ // keyboard navigation
+ .on('keydown keyup click', function(e) {
+ var current, selector = $('#pagejump-selector'),
+ ul = $('ul', selector),
+ list = $('li', ul),
+ height = ul.height(),
+ p = parseInt(this.value);
+
+ if (e.which != 27 && e.which != 9 && e.which != 13 && !selector.is(':visible'))
+ return ref.show_menu('pagejump-selector', true, e);
+
+ if (e.type == 'keydown') {
+ // arrow-down
+ if (e.which == 40) {
+ if (list.length > p)
+ this.value = (p += 1);
+ }
+ // arrow-up
+ else if (e.which == 38) {
+ if (p > 1 && list.length > p - 1)
+ this.value = (p -= 1);
+ }
+ // enter
+ else if (e.which == 13) {
+ return $(this).change();
+ }
+ // esc, tab
+ else if (e.which == 27 || e.which == 9) {
+ return $(element).val(ref.env.current_page);
+ }
+ }
+
+ $('li.selected', ul).removeClass('selected');
+
+ if ((current = $(list[p - 1])).length) {
+ current.addClass('selected');
+ $('#pagejump-selector').scrollTop(((ul.height() / list.length) * (p - 1)) - selector.height() / 2);
+ }
+ })
+ .on('change', function(e) {
+ // go to specified page
+ var p = parseInt(this.value);
+ if (p && p != ref.env.current_page && !ref.busy) {
+ ref.hide_menu('pagejump-selector');
+ ref.list_page(p);
+ }
+ });
+ };
+
+ // Update page-jumper state on list updates
+ this.update_pagejumper = function()
+ {
+ $('input.rcpagejumper').val(this.env.current_page).prop('disabled', this.env.pagecount < 2);
+ };
+
/*********************************************************/
/********* mailbox folders methods *********/
/*********************************************************/
@@ -3595,7 +3681,7 @@
var oldval = input.val(), rx = new RegExp(RegExp.escape(delim) + '\\s*$');
if (oldval && !rx.test(oldval))
oldval += delim + ' ';
- input.val(oldval + recipients.join(delim + ' ') + delim + ' ');
+ input.val(oldval + recipients.join(delim + ' ') + delim + ' ').change();
this.triggerEvent('add-recipient', { field:field, recipients:recipients });
}
@@ -3878,7 +3964,7 @@
}
}, 5000);
- $(window).unload(function() {
+ $(window).on('unload', function() {
// remove copy from local storage if compose screen is left after warning
if (!ref.env.server_error)
ref.remove_compose_data(ref.env.compose_id);
@@ -4093,7 +4179,7 @@
};
// upload (attachment) file
- this.upload_file = function(form, action)
+ this.upload_file = function(form, action, lock)
{
if (!form)
return;
@@ -4135,6 +4221,9 @@
if (!content.match(/display_message/))
ref.display_message(ref.get_label('fileuploaderror'), 'error');
ref.remove_from_attachment_list(e.data.ts);
+
+ if (lock)
+ ref.set_busy(false, null, lock);
}
// Opera hack: handle double onload
if (bw.opera)
@@ -6673,6 +6762,8 @@
{
this.enable_command('nextpage', 'lastpage', this.env.pagecount > this.env.current_page);
this.enable_command('previouspage', 'firstpage', this.env.current_page > 1);
+
+ this.update_pagejumper();
};
// mark a mailbox as selected and set environment variable
@@ -7060,7 +7151,7 @@
if (show) {
// truncate stack down to the one containing the ref link
for (var i = this.menu_stack.length - 1; stack && i >= 0; i--) {
- if (!$(ref).parents('#'+this.menu_stack[i]).length)
+ if (!$(ref).parents('#'+this.menu_stack[i]).length && $(event.target).parent().attr('role') != 'menuitem')
this.hide_menu(this.menu_stack[i], event);
}
if (stack && this.menu_stack.length) {
@@ -7500,32 +7591,36 @@
this.env.qsearch = null;
case 'list':
if (this.task == 'mail') {
- var is_multifolder = this.is_multifolder_listing();
+ var is_multifolder = this.is_multifolder_listing(),
+ list = this.message_list,
+ uid = this.env.list_uid;
+
this.enable_command('show', 'select-all', 'select-none', this.env.messagecount > 0);
this.enable_command('expunge', this.env.exists && !is_multifolder);
this.enable_command('purge', this.purge_mailbox_test() && !is_multifolder);
this.enable_command('import-messages', !is_multifolder);
this.enable_command('expand-all', 'expand-unread', 'collapse-all', this.env.threading && this.env.messagecount && !is_multifolder);
- if ((response.action == 'list' || response.action == 'search') && this.message_list) {
- var list = this.message_list, uid = this.env.list_uid;
-
- // highlight message row when we're back from message page
- if (uid) {
- if (!list.rows[uid])
- uid += '-' + this.env.mailbox;
- if (list.rows[uid]) {
- list.select(uid);
+ if (list) {
+ if (response.action == 'list' || response.action == 'search') {
+ // highlight message row when we're back from message page
+ if (uid) {
+ if (!list.rows[uid])
+ uid += '-' + this.env.mailbox;
+ if (list.rows[uid]) {
+ list.select(uid);
+ }
+ delete this.env.list_uid;
}
- delete this.env.list_uid;
+
+ this.enable_command('set-listmode', this.env.threads && !is_multifolder);
+ if (list.rowcount > 0 && !$(document.activeElement).is('input,textarea'))
+ list.focus();
+ this.msglist_select(list);
}
- this.enable_command('set-listmode', this.env.threads && !is_multifolder);
- if (list.rowcount > 0)
- list.focus();
- this.msglist_select(list);
- this.triggerEvent('listupdate', { folder:this.env.mailbox, rowcount:list.rowcount });
-
+ if (response.action != 'getunread')
+ this.triggerEvent('listupdate', { folder:this.env.mailbox, rowcount:list.rowcount });
}
}
else if (this.task == 'addressbook') {
@@ -7535,7 +7630,7 @@
this.enable_command('search-create', this.env.source == '');
this.enable_command('search-delete', this.env.search_id);
this.update_group_commands();
- if (this.contact_list.rowcount > 0)
+ if (this.contact_list.rowcount > 0 && !$(document.activeElement).is('input,textarea'))
this.contact_list.focus();
this.triggerEvent('listupdate', { folder:this.env.source, rowcount:this.contact_list.rowcount });
}
@@ -7821,7 +7916,8 @@
var submit_data = function() {
var multiple = files.length > 1,
ts = new Date().getTime(),
- content = '<span>' + (multiple ? ref.get_label('uploadingmany') : files[0].name) + '</span>';
+ // jQuery way to escape filename (#1490530)
+ content = $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html();
// add to attachments list
if (!ref.add2attachment_list(ts, { name:'', html:content, classname:'uploading', complete:false }))
@@ -8035,10 +8131,22 @@
// get the IMP mailbox of the message with the given UID
this.get_message_mailbox = function(uid)
{
- var msg = this.env.messages ? this.env.messages[uid] : {};
+ var msg = (this.env.messages && uid ? this.env.messages[uid] : null) || {};
return msg.mbox || this.env.mailbox;
};
+ // build request parameters from single message id (maybe with mailbox name)
+ this.params_from_uid = function(uid, params)
+ {
+ if (!params)
+ params = {};
+
+ params._uid = String(uid).split('-')[0];
+ params._mbox = this.get_message_mailbox(uid);
+
+ return params;
+ };
+
// gets cursor position
this.get_caret_pos = function(obj)
{
--
Gitblit v1.9.1