From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Thu, 17 Oct 2013 04:24:53 -0400 Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) --- program/include/rcube_shared.inc | 146 ++++++++++++++---------------------------------- 1 files changed, 42 insertions(+), 104 deletions(-) diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc index 1fd6ed0..c7461ed 100644 --- a/program/include/rcube_shared.inc +++ b/program/include/rcube_shared.inc @@ -22,7 +22,7 @@ /** * Roundcube shared functions - * + * * @package Core */ @@ -70,50 +70,6 @@ /** - * Check request for If-Modified-Since and send an according response. - * This will terminate the current script if headers match the given values - * - * @param int Modified date as unix timestamp - * @param string Etag value for caching - */ -function send_modified_header($mdate, $etag=null, $skip_check=false) -{ - if (headers_sent()) - return; - - $iscached = false; - $etag = $etag ? "\"$etag\"" : null; - - if (!$skip_check) - { - if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] && strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) >= $mdate) - $iscached = true; - - if ($etag) - $iscached = ($_SERVER['HTTP_IF_NONE_MATCH'] == $etag); - } - - if ($iscached) - header("HTTP/1.x 304 Not Modified"); - else - header("Last-Modified: ".gmdate("D, d M Y H:i:s", $mdate)." GMT"); - - header("Cache-Control: private, must-revalidate, max-age=0"); - header("Expires: "); - header("Pragma: "); - - if ($etag) - header("Etag: $etag"); - - if ($iscached) - { - ob_end_clean(); - exit; - } -} - - -/** * Similar function as in_array() but case-insensitive * * @param mixed Needle value @@ -126,7 +82,7 @@ foreach ($haystack as $value) if ($needle===mb_strtolower($value)) return true; - + return false; } 
@@ -208,52 +164,6 @@ } /** - * Convert paths like ../xxx to an absolute path using a base url - * - * @param string Relative path - * @param string Base URL - * @return string Absolute URL - */ -function make_absolute_url($path, $base_url) -{ - $host_url = $base_url; - $abs_path = $path; - - // check if path is an absolute URL - if (preg_match('/^[fhtps]+:\/\//', $path)) - return $path; - - // cut base_url to the last directory - if (strrpos($base_url, '/')>7) - { - $host_url = substr($base_url, 0, strpos($base_url, '/', 7)); - $base_url = substr($base_url, 0, strrpos($base_url, '/')); - } - - // $path is absolute - if ($path{0}=='/') - $abs_path = $host_url.$path; - else - { - // strip './' because its the same as '' - $path = preg_replace('/^\.\//', '', $path); - - if (preg_match_all('/\.\.\//', $path, $matches, PREG_SET_ORDER)) - foreach ($matches as $a_match) - { - if (strrpos($base_url, '/')) - $base_url = substr($base_url, 0, strrpos($base_url, '/')); - - $path = substr($path, 3); - } - - $abs_path = $base_url.'/'.$path; - } - - return $abs_path; -} - -/** * Wrapper function for wordwrap */ function rc_wordwrap($string, $width=75, $break="\n", $cut=false) @@ -325,7 +235,7 @@ } return $hdrs[$key]; - } +} /** @@ -344,7 +254,7 @@ { return preg_replace('/\/$/', '', $str); } - + /** * Delete all files within a folder @@ -374,7 +284,7 @@ * @return int Unix timestamp */ function get_offset_time($offset_str, $factor=1) - { +{ if (preg_match('/^([0-9]+)\s*([smhdw])/i', $offset_str, $regs)) { $amount = (int)$regs[1]; @@ -385,7 +295,7 @@ $amount = (int)$offset_str; $unit = 's'; } - + $ts = mktime(); switch ($unit) { @@ -418,7 +328,7 @@ function abbreviate_string($str, $maxlength, $place_holder='...', $ending=false) { $length = mb_strlen($str); - + if ($length > $maxlength) { if ($ending) @@ -432,6 +342,7 @@ return $str; } + /** * A method to guess the mime_type of an attachment. 
@@ -451,12 +362,14 @@ $mime_type = null; $mime_magic = rcmail::get_instance()->config->get('mime_magic'); $mime_ext = @include(RCMAIL_CONFIG_DIR . '/mimetypes.php'); - $suffix = $name ? substr($name, strrpos($name, '.')+1) : '*'; // use file name suffix with hard-coded mime-type map - if (is_array($mime_ext)) { - $mime_type = $mime_ext[$suffix]; + if (is_array($mime_ext) && $name) { + if ($suffix = substr($name, strrpos($name, '.')+1)) { + $mime_type = $mime_ext[strtolower($suffix)]; + } } + // try fileinfo extension if available if (!$mime_type && function_exists('finfo_open')) { if ($finfo = finfo_open(FILEINFO_MIME, $mime_magic)) { @@ -467,10 +380,12 @@ finfo_close($finfo); } } + // try PHP's mime_content_type if (!$mime_type && !$is_stream && function_exists('mime_content_type')) { $mime_type = @mime_content_type($path); } + // fall back to user-submitted string if (!$mime_type) { $mime_type = $failover; @@ -547,7 +462,7 @@ $input[$idx] = rc_utf8_clean($val); return $input; } - + if (!is_string($input) || $input == '') return $input; @@ -569,7 +484,7 @@ '|[\xF1-\xF3][\x80-\xBF][\x80-\xBF][\x80-\xBF]'.// UTF8-4 '|\xF4[\x80-\x8F][\x80-\xBF][\x80-\xBF]'. // UTF8-4 ')$/'; - + $seq = ''; $out = ''; @@ -640,7 +555,7 @@ $p = $i + 1; } } - + $result[] = substr($string, $p); return $result; } @@ -655,7 +570,7 @@ function array_keys_recursive($array) { $keys = array(); - + if (!empty($array)) foreach ($array as $key => $child) { $keys[] = $key; @@ -667,6 +582,29 @@ /** + * Format e-mail address + * + * @param string $email E-mail address + * + * @return string Formatted e-mail address + */ +function format_email($email) +{ + $email = trim($email); + $parts = explode('@', $email); + $count = count($parts); + + if ($count > 1) { + $parts[$count-1] = mb_strtolower($parts[$count-1]); + + $email = implode('@', $parts); + } + + return $email; +} + + +/** * mbstring replacement functions */ -- Gitblit v1.9.1
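Review bot: In the rewritten suffix lookup of the `@@ -451,12 +362,14 @@` hunk, a file name without a dot is not handled: `strrpos($name, '.')` returns false, `false+1` evaluates to 1, and `substr($name, 1)` then treats the name minus its first character as the suffix, so a constructed name such as `xpdf` would be looked up as `pdf`. The lookup also reads `$mime_ext[strtolower($suffix)]` without checking that the key exists. I would guard both: `if (is_array($mime_ext) && $name && ($pos = strrpos($name, '.')) !== false) {`, `$suffix = strtolower(substr($name, $pos + 1));`, `if (isset($mime_ext[$suffix])) $mime_type = $mime_ext[$suffix];`. Because the name-based result is tried before the finfo check below it, a wrong match here decides the reported type. The function's signature and end lie outside the hunk.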
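Review bot: The docblock of the new `format_email()` in the `@@ -667,6 +582,29 @@` hunk says only "Format e-mail address", which hides what callers need to know: the function trims the input and lowercases the text after the last `@`, leaves the local part untouched and validates nothing. I would state that in the description, e.g. `* Trims the address and lowercases its domain part (after the last '@'); the local part is kept as is and the address is not validated.` Callers that compare addresses or make access decisions on the result should not read "formatted" as "checked".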