From dd7db217979d6960f53b6544cf053d8c0db8c416 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 09 Sep 2015 03:09:59 -0400
Subject: [PATCH] Fix XSS issue in drag-n-drop file uploads (#1490530)
---
program/js/app.js | 357 ++++++++++++++++++++++++++++++++++++++++++----------------
1 files changed, 257 insertions(+), 100 deletions(-)
diff --git a/program/js/app.js b/program/js/app.js
index 56d07f3..4b9f5d6 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -156,8 +156,8 @@
var n;
this.task = this.env.task;
- // check browser
- if (this.env.server_error != 409 && (!bw.dom || !bw.xmlhttp_test() || (bw.mz && bw.vendver < 1.9) || (bw.ie && bw.vendver < 7))) {
+ // check browser capabilities (never use version checks here)
+ if (this.env.server_error != 409 && (!bw.dom || !bw.xmlhttp_test())) {
this.goto_url('error', '_code=0x199');
return;
}
@@ -592,7 +592,7 @@
.bind('mouseup', body_mouseup)
.bind('keydown', function(e){ return ref.doc_keypress(e); });
- $('iframe').load(function(e) {
+ $('iframe').on('load', function(e) {
try { $(this.contentDocument || this.contentWindow).on('mouseup', body_mouseup); }
catch (e) {/* catch possible "Permission denied" error in IE */ }
})
@@ -653,7 +653,9 @@
}
// check input before leaving compose step
- if (this.task == 'mail' && this.env.action == 'compose' && $.inArray(command, this.env.compose_commands) < 0 && !this.env.server_error) {
+ if (this.task == 'mail' && this.env.action == 'compose' && !this.env.server_error && command != 'save-pref'
+ && $.inArray(command, this.env.compose_commands) < 0
+ ) {
if (!this.env.is_sent && this.cmp_hash != this.compose_field_hash() && !confirm(this.get_label('notsentwarning')))
return false;
@@ -762,7 +764,7 @@
case 'open':
if (uid = this.get_single_uid()) {
- obj.href = this.url('show', {_mbox: this.get_message_mailbox(uid), _uid: uid});
+ obj.href = this.url('show', this.params_from_uid(uid));
return true;
}
break;
@@ -774,7 +776,7 @@
case 'list':
if (props && props != '') {
- this.reset_qsearch();
+ this.reset_qsearch(true);
}
if (this.env.action == 'compose' && this.env.extwin) {
window.close();
@@ -894,7 +896,7 @@
else {
// reload form
if (props == 'reload') {
- form.action += '?_reload=1';
+ form.action += '&_reload=1';
}
else if (this.task == 'settings' && (this.env.identities_level % 2) == 0 &&
(input = $("input[name='_email']", form)) && input.length && !rcube_check_email(input.val())
@@ -1188,8 +1190,8 @@
this.gui_objects.messagepartframe.contentWindow.print();
}
else if (uid = this.get_single_uid()) {
- url = '&_action=print&_uid='+uid+'&_mbox='+urlencode(this.get_message_mailbox(uid))+(this.env.safemode ? '&_safe=1' : '');
- if (this.open_window(this.env.comm_path + url, true, true)) {
+ url = this.url('print', this.params_from_uid(uid, {_safe: this.env.safemode ? 1 : 0}));
+ if (this.open_window(url, true, true)) {
if (this.env.action != 'show')
this.mark_message('read', uid);
}
@@ -1198,7 +1200,7 @@
case 'viewsource':
if (uid = this.get_single_uid())
- this.open_window(this.env.comm_path+'&_action=viewsource&_uid='+uid+'&_mbox='+urlencode(this.env.mailbox), true, true);
+ this.open_window(this.url('viewsource', this.params_from_uid(uid)), true, true);
break;
case 'download':
@@ -1206,7 +1208,7 @@
location.href = location.href.replace(/_frame=/, '_download=');
}
else if (uid = this.get_single_uid()) {
- this.goto_url('viewsource', { _uid: uid, _mbox: this.get_message_mailbox(uid), _save: 1 });
+ this.goto_url('viewsource', this.params_from_uid(uid, {_save: 1}));
}
break;
@@ -1221,17 +1223,16 @@
// reset quicksearch
case 'reset-search':
- var n, s = this.env.search_request || this.env.qsearch,
- ss = this.gui_objects.qsearchbox && this.gui_objects.qsearchbox.value != '';
+ var n, s = this.env.search_request || this.env.qsearch;
- this.reset_qsearch();
+ this.reset_qsearch(true);
this.select_all_mode = false;
if (s && this.env.action == 'compose') {
if (this.contact_list)
this.list_contacts_clear();
}
- else if (s && ss && this.env.mailbox) {
+ else if (s && this.env.mailbox) {
this.list_mailbox(this.env.mailbox, 1);
}
else if (s && this.task == 'addressbook') {
@@ -1269,7 +1270,7 @@
$('input[name="_unlock"]', form).val(importlock);
- if (!(flag = this.upload_file(form, 'import'))) {
+ if (!(flag = this.upload_file(form, 'import', importlock))) {
this.set_busy(false, null, importlock);
if (flag !== false)
alert(this.get_label('selectimportfile'));
@@ -1441,7 +1442,7 @@
else if (delay)
setTimeout(function() { ref.reload(); }, delay);
else if (window.location)
- location.href = this.env.comm_path + (this.env.action ? '&_action='+this.env.action : '');
+ location.href = this.url('', {_extwin: this.env.extwin});
};
// Add variable to GET string, replace old value if exists
@@ -1608,15 +1609,16 @@
this.folder_collapsed = function(node)
{
- var prefname = this.env.task == 'addressbook' ? 'collapsed_abooks' : 'collapsed_folders';
+ var prefname = this.env.task == 'addressbook' ? 'collapsed_abooks' : 'collapsed_folders',
+ old = this.env[prefname];
if (node.collapsed) {
this.env[prefname] = this.env[prefname] + '&'+urlencode(node.id)+'&';
// select the folder if one of its childs is currently selected
// don't select if it's virtual (#1488346)
- if (!node.virtual && this.env.mailbox && this.env.mailbox.startsWith(name + this.env.delimiter))
- this.command('list', name);
+ if (!node.virtual && this.env.mailbox && this.env.mailbox.startsWith(node.id + this.env.delimiter))
+ this.command('list', node.id);
}
else {
var reg = new RegExp('&'+urlencode(node.id)+'&');
@@ -1624,7 +1626,8 @@
}
if (!this.drag_active) {
- this.command('save-pref', { name: prefname, value: this.env[prefname] });
+ if (old !== this.env[prefname])
+ this.command('save-pref', { name: prefname, value: this.env[prefname] });
if (this.env.unread_counts)
this.set_unread_count_display(node.id, false);
@@ -2232,35 +2235,33 @@
return;
var win, target = window,
- action = preview ? 'preview': 'show',
- url = '&_action='+action+'&_uid='+id+'&_mbox='+urlencode(this.get_message_mailbox(id));
+ url = this.params_from_uid(id, {_caps: this.browser_capabilities()});
if (preview && (win = this.get_frame_window(this.env.contentframe))) {
target = win;
- url += '&_framed=1';
+ url._framed = 1;
}
if (safe)
- url += '&_safe=1';
+ url._safe = 1;
// also send search request to get the right messages
if (this.env.search_request)
- url += '&_search='+this.env.search_request;
-
- // add browser capabilities, so we can properly handle attachments
- url += '&_caps='+urlencode(this.browser_capabilities());
+ url._search = this.env.search_request;
if (this.env.extwin)
- url += '&_extwin=1';
+ url._extwin = 1;
+
+ url = this.url(preview ? 'preview': 'show', url);
if (preview && String(target.location.href).indexOf(url) >= 0) {
this.show_contentframe(true);
}
else {
if (!preview && this.env.message_extwin && !this.env.extwin)
- this.open_window(this.env.comm_path+url, true);
+ this.open_window(url, true);
else
- this.location_href(this.env.comm_path+url, target, true);
+ this.location_href(url, target, true);
// mark as read and change mbox unread counter
if (preview && this.message_list && this.message_list.rows[id] && this.message_list.rows[id].unread && this.env.preview_pane_mark_read > 0) {
@@ -2376,6 +2377,9 @@
// list messages of a specific mailbox using filter
this.filter_mailbox = function(filter)
{
+ if (this.filter_disabled)
+ return;
+
var lock = this.set_busy(true, 'searching');
this.clear_message_list();
@@ -2409,16 +2413,17 @@
if (sort)
url._sort = sort;
- // also send search request to get the right messages
- if (this.env.search_request)
- url._search = this.env.search_request;
-
- // set page=1 if changeing to another mailbox
+ // folder change, reset page, search scope, etc.
if (this.env.mailbox != mbox) {
page = 1;
this.env.current_page = page;
+ this.env.search_scope = 'base';
this.select_all_mode = false;
+ this.reset_search_filter();
}
+ // also send search request to get the right messages
+ else if (this.env.search_request)
+ url._search = this.env.search_request;
if (!update_only) {
// unselect selected messages and clear the list and message data
@@ -3250,6 +3255,92 @@
this.set_alttext('delete', label);
};
+ // Initialize input element for list page jump
+ this.init_pagejumper = function(element)
+ {
+ $(element).addClass('rcpagejumper')
+ .on('focus', function(e) {
+ // create and display popup with page selection
+ var i, html = '';
+
+ for (i = 1; i <= ref.env.pagecount; i++)
+ html += '<li>' + i + '</li>';
+
+ html = '<ul class="toolbarmenu">' + html + '</ul>';
+
+ if (!ref.pagejump) {
+ ref.pagejump = $('<div id="pagejump-selector" class="popupmenu"></div>')
+ .appendTo(document.body)
+ .on('click', 'li', function() {
+ if (!ref.busy)
+ $(element).val($(this).text()).change();
+ });
+ }
+
+ if (ref.pagejump.data('count') != i)
+ ref.pagejump.html(html);
+
+ ref.pagejump.attr('rel', '#' + this.id).data('count', i);
+
+ // display page selector
+ ref.show_menu('pagejump-selector', true, e);
+ $(this).keydown();
+ })
+ // keyboard navigation
+ .on('keydown keyup click', function(e) {
+ var current, selector = $('#pagejump-selector'),
+ ul = $('ul', selector),
+ list = $('li', ul),
+ height = ul.height(),
+ p = parseInt(this.value);
+
+ if (e.which != 27 && e.which != 9 && e.which != 13 && !selector.is(':visible'))
+ return ref.show_menu('pagejump-selector', true, e);
+
+ if (e.type == 'keydown') {
+ // arrow-down
+ if (e.which == 40) {
+ if (list.length > p)
+ this.value = (p += 1);
+ }
+ // arrow-up
+ else if (e.which == 38) {
+ if (p > 1 && list.length > p - 1)
+ this.value = (p -= 1);
+ }
+ // enter
+ else if (e.which == 13) {
+ return $(this).change();
+ }
+ // esc, tab
+ else if (e.which == 27 || e.which == 9) {
+ return $(element).val(ref.env.current_page);
+ }
+ }
+
+ $('li.selected', ul).removeClass('selected');
+
+ if ((current = $(list[p - 1])).length) {
+ current.addClass('selected');
+ $('#pagejump-selector').scrollTop(((ul.height() / list.length) * (p - 1)) - selector.height() / 2);
+ }
+ })
+ .on('change', function(e) {
+ // go to specified page
+ var p = parseInt(this.value);
+ if (p && p != ref.env.current_page && !ref.busy) {
+ ref.hide_menu('pagejump-selector');
+ ref.list_page(p);
+ }
+ });
+ };
+
+ // Update page-jumper state on list updates
+ this.update_pagejumper = function()
+ {
+ $('input.rcpagejumper').val(this.env.current_page).prop('disabled', this.env.pagecount < 2);
+ };
+
/*********************************************************/
/********* mailbox folders methods *********/
/*********************************************************/
@@ -3344,7 +3435,7 @@
if (!this.gui_objects.messageform)
return false;
- var i, pos, input_from = $("[name='_from']"),
+ var i, elem, pos, input_from = $("[name='_from']"),
input_to = $("[name='_to']"),
input_subject = $("input[name='_subject']"),
input_message = $("[name='_message']").get(0),
@@ -3379,13 +3470,15 @@
if (!html_mode) {
pos = this.env.top_posting ? 0 : input_message.value.length;
- this.set_caret_pos(input_message, pos);
// add signature according to selected identity
- // if we have HTML editor, signature is added in callback
+ // if we have HTML editor, signature is added in a callback
if (input_from.prop('type') == 'select-one') {
this.change_identity(input_from[0]);
}
+
+ // set initial cursor position
+ this.set_caret_pos(input_message, pos);
// scroll to the bottom of the textarea (#1490114)
if (pos) {
@@ -3398,11 +3491,14 @@
this.compose_restore_dialog(0, html_mode)
if (input_to.val() == '')
- input_to.focus();
+ elem = input_to;
else if (input_subject.val() == '')
- input_subject.focus();
+ elem = input_subject;
else if (input_message)
- input_message.focus();
+ elem = input_message;
+
+ // focus first empty element (need to be visible on IE8)
+ $(elem).filter(':visible').focus();
this.env.compose_focus_elem = document.activeElement;
@@ -3585,7 +3681,7 @@
var oldval = input.val(), rx = new RegExp(RegExp.escape(delim) + '\\s*$');
if (oldval && !rx.test(oldval))
oldval += delim + ' ';
- input.val(oldval + recipients.join(delim + ' ') + delim + ' ');
+ input.val(oldval + recipients.join(delim + ' ') + delim + ' ').change();
this.triggerEvent('add-recipient', { field:field, recipients:recipients });
}
@@ -3868,7 +3964,7 @@
}
}, 5000);
- $(window).unload(function() {
+ $(window).on('unload', function() {
// remove copy from local storage if compose screen is left after warning
if (!ref.env.server_error)
ref.remove_compose_data(ref.env.compose_id);
@@ -4083,7 +4179,7 @@
};
// upload (attachment) file
- this.upload_file = function(form, action)
+ this.upload_file = function(form, action, lock)
{
if (!form)
return;
@@ -4125,6 +4221,9 @@
if (!content.match(/display_message/))
ref.display_message(ref.get_label('fileuploaderror'), 'error');
ref.remove_from_attachment_list(e.data.ts);
+
+ if (lock)
+ ref.set_busy(false, null, lock);
}
// Opera hack: handle double onload
if (bw.opera)
@@ -4330,14 +4429,28 @@
return url;
};
+ // reset search filter
+ this.reset_search_filter = function()
+ {
+ this.filter_disabled = true;
+ if (this.gui_objects.search_filter)
+ $(this.gui_objects.search_filter).val('ALL').change();
+ this.filter_disabled = false;
+ };
+
// reset quick-search form
- this.reset_qsearch = function()
+ this.reset_qsearch = function(all)
{
if (this.gui_objects.qsearchbox)
this.gui_objects.qsearchbox.value = '';
if (this.env.qsearch)
this.abort_request(this.env.qsearch);
+
+ if (all) {
+ this.env.search_scope = 'base';
+ this.reset_search_filter();
+ }
this.env.qsearch = null;
this.env.search_request = null;
@@ -6649,6 +6762,8 @@
{
this.enable_command('nextpage', 'lastpage', this.env.pagecount > this.env.current_page);
this.enable_command('previouspage', 'firstpage', this.env.current_page > 1);
+
+ this.update_pagejumper();
};
// mark a mailbox as selected and set environment variable
@@ -6705,6 +6820,9 @@
repl, cell, col, n, len, tr;
this.env.listcols = listcols;
+
+ if (!this.env.coltypes)
+ this.env.coltypes = {};
// replace old column headers
if (thead) {
@@ -7033,7 +7151,7 @@
if (show) {
// truncate stack down to the one containing the ref link
for (var i = this.menu_stack.length - 1; stack && i >= 0; i--) {
- if (!$(ref).parents('#'+this.menu_stack[i]).length)
+ if (!$(ref).parents('#'+this.menu_stack[i]).length && $(event.target).parent().attr('role') != 'menuitem')
this.hide_menu(this.menu_stack[i], event);
}
if (stack && this.menu_stack.length) {
@@ -7197,7 +7315,7 @@
// compose a valid url with the given parameters
this.url = function(action, query)
{
- var querystring = typeof query === 'string' ? '&' + query : '';
+ var querystring = typeof query === 'string' ? query : '';
if (typeof action !== 'string')
query = action;
@@ -7209,12 +7327,12 @@
else if (this.env.action)
query._action = this.env.action;
- var base = this.env.comm_path, k, param = {};
+ var url = this.env.comm_path, k, param = {};
// overwrite task name
if (action && action.match(/([a-z0-9_-]+)\/([a-z0-9-_.]+)/)) {
query._action = RegExp.$2;
- base = base.replace(/\_task=[a-z0-9_-]+/, '_task='+RegExp.$1);
+ url = url.replace(/\_task=[a-z0-9_-]+/, '_task=' + RegExp.$1);
}
// remove undefined values
@@ -7223,7 +7341,13 @@
param[k] = query[k];
}
- return base + (base.indexOf('?') > -1 ? '&' : '?') + $.param(param) + querystring;
+ if (param = $.param(param))
+ url += (url.indexOf('?') > -1 ? '&' : '?') + param;
+
+ if (querystring)
+ url += (url.indexOf('?') > -1 ? '&' : '?') + querystring;
+
+ return url;
};
this.redirect = function(url, lock)
@@ -7276,22 +7400,32 @@
};
// send a http request to the server
- this.http_request = function(action, query, lock)
+ this.http_request = function(action, data, lock)
{
- var url = this.url(action, query);
+ if (typeof data !== 'object')
+ data = rcube_parse_query(data);
+
+ data._remote = 1;
+ data._unlock = lock ? lock : 0;
// trigger plugin hook
- var result = this.triggerEvent('request'+action, query);
+ var result = this.triggerEvent('request' + action, data);
- if (result !== undefined) {
- // abort if one the handlers returned false
- if (result === false)
- return false;
- else
- url = this.url(action, result);
+ // abort if one of the handlers returned false
+ if (result === false) {
+ if (data._unlock)
+ this.set_busy(false, null, data._unlock);
+ return false;
+ }
+ else if (result !== undefined) {
+ data = result;
+ if (data._action) {
+ action = data._action;
+ delete data._action;
+ }
}
- url += '&_remote=1';
+ var url = this.url(action, data);
// send request
this.log('HTTP GET: ' + url);
@@ -7300,33 +7434,39 @@
this.start_keepalive();
return $.ajax({
- type: 'GET', url: url, data: { _unlock:(lock?lock:0) }, dataType: 'json',
- success: function(data){ ref.http_response(data); },
+ type: 'GET', url: url, dataType: 'json',
+ success: function(data) { ref.http_response(data); },
error: function(o, status, err) { ref.http_error(o, status, err, lock, action); }
});
};
// send a http POST request to the server
- this.http_post = function(action, postdata, lock)
+ this.http_post = function(action, data, lock)
{
- var url = this.url(action);
+ if (typeof data !== 'object')
+ data = rcube_parse_query(data);
- if (postdata && typeof postdata === 'object') {
- postdata._remote = 1;
- postdata._unlock = (lock ? lock : 0);
- }
- else
- postdata += (postdata ? '&' : '') + '_remote=1' + (lock ? '&_unlock='+lock : '');
+ data._remote = 1;
+ data._unlock = lock ? lock : 0;
// trigger plugin hook
- var result = this.triggerEvent('request'+action, postdata);
- if (result !== undefined) {
- // abort if one of the handlers returned false
- if (result === false)
- return false;
- else
- postdata = result;
+ var result = this.triggerEvent('request'+action, data);
+
+ // abort if one of the handlers returned false
+ if (result === false) {
+ if (data._unlock)
+ this.set_busy(false, null, data._unlock);
+ return false;
}
+ else if (result !== undefined) {
+ data = result;
+ if (data._action) {
+ action = data._action;
+ delete data._action;
+ }
+ }
+
+ var url = this.url(action);
// send request
this.log('HTTP POST: ' + url);
@@ -7335,7 +7475,7 @@
this.start_keepalive();
return $.ajax({
- type: 'POST', url: url, data: postdata, dataType: 'json',
+ type: 'POST', url: url, data: data, dataType: 'json',
success: function(data){ ref.http_response(data); },
error: function(o, status, err) { ref.http_error(o, status, err, lock, action); }
});
@@ -7451,32 +7591,36 @@
this.env.qsearch = null;
case 'list':
if (this.task == 'mail') {
- var is_multifolder = this.is_multifolder_listing();
+ var is_multifolder = this.is_multifolder_listing(),
+ list = this.message_list,
+ uid = this.env.list_uid;
+
this.enable_command('show', 'select-all', 'select-none', this.env.messagecount > 0);
this.enable_command('expunge', this.env.exists && !is_multifolder);
this.enable_command('purge', this.purge_mailbox_test() && !is_multifolder);
this.enable_command('import-messages', !is_multifolder);
this.enable_command('expand-all', 'expand-unread', 'collapse-all', this.env.threading && this.env.messagecount && !is_multifolder);
- if ((response.action == 'list' || response.action == 'search') && this.message_list) {
- var list = this.message_list, uid = this.env.list_uid;
-
- // highlight message row when we're back from message page
- if (uid) {
- if (!list.rows[uid])
- uid += '-' + this.env.mailbox;
- if (list.rows[uid]) {
- list.select(uid);
+ if (list) {
+ if (response.action == 'list' || response.action == 'search') {
+ // highlight message row when we're back from message page
+ if (uid) {
+ if (!list.rows[uid])
+ uid += '-' + this.env.mailbox;
+ if (list.rows[uid]) {
+ list.select(uid);
+ }
+ delete this.env.list_uid;
}
- delete this.env.list_uid;
+
+ this.enable_command('set-listmode', this.env.threads && !is_multifolder);
+ if (list.rowcount > 0 && !$(document.activeElement).is('input,textarea'))
+ list.focus();
+ this.msglist_select(list);
}
- this.enable_command('set-listmode', this.env.threads && !is_multifolder);
- if (list.rowcount > 0)
- list.focus();
- this.msglist_select(list);
- this.triggerEvent('listupdate', { folder:this.env.mailbox, rowcount:list.rowcount });
-
+ if (response.action != 'getunread')
+ this.triggerEvent('listupdate', { folder:this.env.mailbox, rowcount:list.rowcount });
}
}
else if (this.task == 'addressbook') {
@@ -7486,7 +7630,7 @@
this.enable_command('search-create', this.env.source == '');
this.enable_command('search-delete', this.env.search_id);
this.update_group_commands();
- if (this.contact_list.rowcount > 0)
+ if (this.contact_list.rowcount > 0 && !$(document.activeElement).is('input,textarea'))
this.contact_list.focus();
this.triggerEvent('listupdate', { folder:this.env.source, rowcount:this.contact_list.rowcount });
}
@@ -7772,7 +7916,8 @@
var submit_data = function() {
var multiple = files.length > 1,
ts = new Date().getTime(),
- content = '<span>' + (multiple ? ref.get_label('uploadingmany') : files[0].name) + '</span>';
+ // jQuery way to escape filename (#1490530)
+ content = $('<span>').text(multiple ? ref.get_label('uploadingmany') : files[0].name).html();
// add to attachments list
if (!ref.add2attachment_list(ts, { name:'', html:content, classname:'uploading', complete:false }))
@@ -7986,10 +8131,22 @@
// get the IMP mailbox of the message with the given UID
this.get_message_mailbox = function(uid)
{
- var msg = this.env.messages ? this.env.messages[uid] : {};
+ var msg = (this.env.messages && uid ? this.env.messages[uid] : null) || {};
return msg.mbox || this.env.mailbox;
};
+ // build request parameters from single message id (maybe with mailbox name)
+ this.params_from_uid = function(uid, params)
+ {
+ if (!params)
+ params = {};
+
+ params._uid = String(uid).split('-')[0];
+ params._mbox = this.get_message_mailbox(uid);
+
+ return params;
+ };
+
// gets cursor position
this.get_caret_pos = function(obj)
{
--
Gitblit v1.9.1