From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/include/rcmail.php | 64 ++++++++++++++++----------------
1 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index edda07c..a3c04ef 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -452,9 +452,12 @@
true, true);
}
+ // set configured sort order
+ if ($sort_col = $this->config->get('addressbook_sort_col'))
+ $contacts->set_sort_order($sort_col);
+
// add to the 'books' array for shutdown function
- if (!isset($this->address_books[$id]))
- $this->address_books[$id] = $contacts;
+ $this->address_books[$id] = $contacts;
return $contacts;
}
@@ -594,7 +597,6 @@
return;
$this->imap = new rcube_imap();
- $this->imap->debug_level = $this->config->get('debug_level');
$this->imap->skip_deleted = $this->config->get('skip_deleted');
// enable caching of imap data
@@ -679,18 +681,21 @@
if (session_id())
return;
+ $sess_name = $this->config->get('session_name');
+ $sess_domain = $this->config->get('session_domain');
+ $lifetime = $this->config->get('session_lifetime', 0) * 60;
+
// set session domain
- if ($domain = $this->config->get('session_domain')) {
- ini_set('session.cookie_domain', $domain);
+ if ($sess_domain) {
+ ini_set('session.cookie_domain', $sess_domain);
}
// set session garbage collecting time according to session_lifetime
- $lifetime = $this->config->get('session_lifetime', 0) * 60;
if ($lifetime) {
ini_set('session.gc_maxlifetime', $lifetime * 2);
}
ini_set('session.cookie_secure', rcube_https_check());
- ini_set('session.name', 'roundcube_sessid');
+ ini_set('session.name', $sess_name ? $sess_name : 'roundcube_sessid');
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.serialize_handler', 'php');
@@ -699,8 +704,7 @@
$this->session = new rcube_session($this->get_dbh(), $this->config);
$this->session->register_gc_handler('rcmail_temp_gc');
- if ($this->config->get('enable_caching'))
- $this->session->register_gc_handler('rcmail_cache_gc');
+ $this->session->register_gc_handler('rcmail_cache_gc');
// start PHP session (if not in CLI mode)
if ($_SERVER['REMOTE_ADDR'])
@@ -730,7 +734,7 @@
$keep_alive = max(60, $keep_alive);
$this->session->set_keep_alive($keep_alive);
}
-
+
$this->session->set_secret($this->config->get('des_key') . $_SERVER['HTTP_USER_AGENT']);
$this->session->set_ip_check($this->config->get('ip_check'));
}
@@ -840,16 +844,8 @@
if (!$imap_login)
return false;
- $this->set_imap_prop();
-
// user already registered -> update user's record
if (is_object($user)) {
- // fix some old settings according to namespace prefix
- $this->fix_namespace_settings($user);
-
- // create default folders on first login
- if (!$user->data['last_login'] && $config['create_default_folders'])
- $this->imap->create_default_folders();
// update last login timestamp
$user->touch();
}
@@ -857,13 +853,6 @@
else if ($config['auto_create_user']) {
if ($created = rcube_user::create($username, $host)) {
$user = $created;
-
- // fix default settings according to namespace prefix
- $this->fix_namespace_settings($user);
-
- // create default folders on first login
- if ($config['create_default_folders'])
- $this->imap->create_default_folders();
}
else {
raise_error(array(
@@ -883,8 +872,18 @@
// login succeeded
if (is_object($user) && $user->ID) {
+ // Configure environment
$this->set_user($user);
+ $this->set_imap_prop();
$this->session_configure();
+
+ // fix some old settings according to namespace prefix
+ $this->fix_namespace_settings($user);
+
+ // create default folders on first login
+ if ($config['create_default_folders'] && (!empty($created) || empty($user->data['last_login']))) {
+ $this->imap->create_default_folders();
+ }
// set session vars
$_SESSION['user_id'] = $user->ID;
@@ -894,9 +893,11 @@
$_SESSION['imap_ssl'] = $imap_ssl;
$_SESSION['password'] = $this->encrypt($pass);
$_SESSION['login_time'] = mktime();
-
+
if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_')
$_SESSION['timezone'] = floatval($_REQUEST['_timezone']);
+ if (isset($_REQUEST['_dstactive']) && $_REQUEST['_dstactive'] != '_default_')
+ $_SESSION['dst_active'] = intval($_REQUEST['_dstactive']);
// force reloading complete list of subscribed mailboxes
$this->imap->clear_cache('mailboxes', true);
@@ -1229,7 +1230,6 @@
// before closing the database connection, write session data
if ($_SERVER['REMOTE_ADDR'] && is_object($this->session)) {
- $this->session->cleanup();
session_write_close();
}
@@ -1271,7 +1271,7 @@
{
$sess_id = $_COOKIE[ini_get('session.name')];
if (!$sess_id) $sess_id = session_id();
- $plugin = $this->plugins->exec_hook('request_token', array('value' => md5('RT' . $this->task . $this->config->get('des_key') . $sess_id)));
+ $plugin = $this->plugins->exec_hook('request_token', array('value' => md5('RT' . $this->user->ID . $this->config->get('des_key') . $sess_id)));
return $plugin['value'];
}
@@ -1565,7 +1565,7 @@
// use strtr behaviour of going through source string once
$cmd = strtr($cmd, $replacements);
-
+
return (string)shell_exec($cmd);
}
@@ -1601,7 +1601,7 @@
}
}
}
-
+
/**
* Returns current action filename
*
@@ -1631,8 +1631,8 @@
if (!$prefix_len)
return;
- $prefs = $user->get_prefs();
- if (empty($prefs) || $prefs['namespace_fixed'])
+ $prefs = $this->config->all();
+ if (!empty($prefs['namespace_fixed']))
return;
// Build namespace prefix regexp
--
Gitblit v1.9.1