From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/include/rcube_shared.inc | 186 +++++++++++++++++----------------------
 1 files changed, 71 insertions(+), 115 deletions(-)
diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc
index b79ab36..c7461ed 100644
--- a/program/include/rcube_shared.inc
+++ b/program/include/rcube_shared.inc
@@ -5,7 +5,7 @@
 | rcube_shared.inc |
 | |
 | This file is part of the Roundcube PHP suite |
- | Copyright (C) 2005-2007, Roundcube Dev. - Switzerland |
+ | Copyright (C) 2005-2007, The Roundcube Dev Team |
 | Licensed under the GNU GPL |
 | |
 | CONTENTS: |
@@ -22,7 +22,7 @@
 /**
 * Roundcube shared functions
- *
+ *
 * @package Core
 */
@@ -70,50 +70,6 @@
 /**
- * Check request for If-Modified-Since and send an according response.
- * This will terminate the current script if headers match the given values
- *
- * @param int Modified date as unix timestamp
- * @param string Etag value for caching
- */
-function send_modified_header($mdate, $etag=null, $skip_check=false)
-{
- if (headers_sent())
- return;
- $iscached = false;
- $etag = $etag ? "\"$etag\"" : null;
- if (!$skip_check)
- {
- if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] && strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) >= $mdate)
- $iscached = true;
- if ($etag)
- $iscached = ($_SERVER['HTTP_IF_NONE_MATCH'] == $etag);
- }
- if ($iscached)
- header("HTTP/1.x 304 Not Modified");
- else
- header("Last-Modified: ".gmdate("D, d M Y H:i:s", $mdate)." GMT");
- header("Cache-Control: private, must-revalidate, max-age=0");
- header("Expires: ");
- header("Pragma: ");
- if ($etag)
- header("Etag: $etag");
- if ($iscached)
- {
- ob_end_clean();
- exit;
- }
-}
-
-
-/**
 * Similar function as in_array() but case-insensitive
 *
 * @param mixed Needle value
@@ -126,7 +82,7 @@
 foreach ($haystack as $value)
 if ($needle===mb_strtolower($value))
 return true;
-
+
 return false;
 }
@@ -140,7 +96,7 @@
 function get_boolean($str)
 {
 $str = strtolower($str);
- if (in_array($str, array('false', '0', 'no', 'nein', ''), TRUE))
+ if (in_array($str, array('false', '0', 'no', 'off', 'nein', ''), TRUE))
 return FALSE;
 else
 return TRUE;
@@ -180,7 +136,7 @@
 return floatval($bytes);
 }
-
+
 /**
 * Create a human readable string for a number of bytes
 *
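Review bot: get_boolean() still returns TRUE for any input that is not one of the listed false tokens, and because strtolower() yields NULL for an array argument, an array value falls through to TRUE as well (in_array(NULL, ..., TRUE) never matches); adding 'off' does not change that. If any caller feeds request parameters into this function, a client can force the TRUE branch by submitting `param[]=x`. A guard such as `if (!is_scalar($str)) return FALSE;` before the strtolower() call would make non-scalar input fail closed; whether callers rely on the current behaviour is not visible here. The closing brace of get_boolean lies outside the hunk.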
@@ -189,69 +145,22 @@
 */
 function show_bytes($bytes)
 {
- if ($bytes > 1073741824)
+ if ($bytes >= 1073741824)
 {
 $gb = $bytes/1073741824;
 $str = sprintf($gb>=10 ? "%d " : "%.1f ", $gb) . rcube_label('GB');
 }
- else if ($bytes > 1048576)
+ else if ($bytes >= 1048576)
 {
 $mb = $bytes/1048576;
 $str = sprintf($mb>=10 ? "%d " : "%.1f ", $mb) . rcube_label('MB');
 }
- else if ($bytes > 1024)
+ else if ($bytes >= 1024)
 $str = sprintf("%d ", round($bytes/1024)) . rcube_label('KB');
 else
 $str = sprintf('%d ', $bytes) . rcube_label('B');
 return $str;
-}
-
-
-/**
- * Convert paths like ../xxx to an absolute path using a base url
- *
- * @param string Relative path
- * @param string Base URL
- * @return string Absolute URL
- */
-function make_absolute_url($path, $base_url)
-{
- $host_url = $base_url;
- $abs_path = $path;
-
- // check if path is an absolute URL
- if (preg_match('/^[fhtps]+:\/\//', $path))
- return $path;
-
- // cut base_url to the last directory
- if (strrpos($base_url, '/')>7)
- {
- $host_url = substr($base_url, 0, strpos($base_url, '/', 7));
- $base_url = substr($base_url, 0, strrpos($base_url, '/'));
- }
-
- // $path is absolute
- if ($path{0}=='/')
- $abs_path = $host_url.$path;
- else
- {
- // strip './' because its the same as ''
- $path = preg_replace('/^\.\//', '', $path);
-
- if (preg_match_all('/\.\.\//', $path, $matches, PREG_SET_ORDER))
- foreach ($matches as $a_match)
- {
- if (strrpos($base_url, '/'))
- $base_url = substr($base_url, 0, strrpos($base_url, '/'));
-
- $path = substr($path, 3);
- }
-
- $abs_path = $base_url.'/'.$path;
- }
-
- return $abs_path;
 }
 /**
@@ -326,7 +235,7 @@
 }
 return $hdrs[$key];
- }
+}
 /**
@@ -345,7 +254,7 @@
 {
 return preg_replace('/\/$/', '', $str);
 }
-
+
 /**
 * Delete all files within a folder
@@ -375,7 +284,7 @@
 * @return int Unix timestamp
 */
 function get_offset_time($offset_str, $factor=1)
- {
+{
 if (preg_match('/^([0-9]+)\s*([smhdw])/i', $offset_str, $regs))
 {
 $amount = (int)$regs[1];
@@ -386,7 +295,7 @@
 $amount = (int)$offset_str;
 $unit = 's';
 }
-
+
 $ts = mktime();
 switch ($unit)
 {
@@ -419,7 +328,7 @@
 function abbreviate_string($str, $maxlength, $place_holder='...', $ending=false)
 {
 $length = mb_strlen($str);
-
+
 if ($length > $maxlength)
 {
 if ($ending)
@@ -433,6 +342,7 @@
 return $str;
 }
+
 /**
 * A method to guess the mime_type of an attachment.
@@ -452,12 +362,14 @@
 $mime_type = null;
 $mime_magic = rcmail::get_instance()->config->get('mime_magic');
 $mime_ext = @include(RCMAIL_CONFIG_DIR . '/mimetypes.php');
- $suffix = $name ? substr($name, strrpos($name, '.')+1) : '*'; // use file name suffix with hard-coded mime-type map
- if (is_array($mime_ext)) {
- $mime_type = $mime_ext[$suffix];
+ if (is_array($mime_ext) && $name) {
+ if ($suffix = substr($name, strrpos($name, '.')+1)) {
+ $mime_type = $mime_ext[strtolower($suffix)];
+ }
 }
+
 // try fileinfo extension if available
 if (!$mime_type && function_exists('finfo_open')) {
 if ($finfo = finfo_open(FILEINFO_MIME, $mime_magic)) {
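Review bot: The new suffix lookup in rc_mime_content_type() still computes `strrpos($name, '.')+1` without checking for a missing dot: strrpos() returns false, false+1 is 1, so a name like `README` yields the suffix `EADME` and a lookup of an undefined key (a PHP notice, then NULL). Something like `if (($pos = strrpos($name, '.')) !== false && ($suffix = substr($name, $pos + 1)) != '') { $mime_type = isset($mime_ext[strtolower($suffix)]) ? $mime_ext[strtolower($suffix)] : null; }` handles both the dotless and the trailing-dot case. Note also that the extension map is consulted before fileinfo, so for uploaded attachments the caller-supplied name decides the type ahead of content sniffing; a comment stating this precedence would help whoever reviews the callers. The function's signature and its $is_stream/$failover parameters are outside the hunk, and none of this file's hunks touch the utils/save-prefs _session handling named in the subject, so the advertised fix presumably lives in a file not shown here.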
@@ -468,22 +380,43 @@
 finfo_close($finfo);
 }
 }
+
 // try PHP's mime_content_type
 if (!$mime_type && !$is_stream && function_exists('mime_content_type')) {
 $mime_type = @mime_content_type($path);
 }
+
 // fall back to user-submitted string
 if (!$mime_type) {
 $mime_type = $failover;
 }
 else {
- // sometimes content-type contains charset definition,
- // remove useless "charset=binary", should we remove any charset def. here?
- $mime_type = preg_replace('/; charset=binary;*/i', '', $mime_type);
+ // Sometimes (PHP-5.3?) content-type contains charset definition,
+ // Remove it (#1487122) also "charset=binary" is useless
+ $mime_type = array_shift(preg_split('/[; ]/', $mime_type));
 }
 return $mime_type;
 }
+
+
+/**
+ * Detect image type of the given binary data by checking magic numbers
+ *
+ * @param string Binary file content
+ * @return string Detected mime-type or jpeg as fallback
+ */
+function rc_image_content_type($data)
+{
+ $type = 'jpeg';
+ if (preg_match('/^\x89\x50\x4E\x47/', $data)) $type = 'png';
+ else if (preg_match('/^\x47\x49\x46\x38/', $data)) $type = 'gif';
+ else if (preg_match('/^\x00\x00\x01\x00/', $data)) $type = 'ico';
+// else if (preg_match('/^\xFF\xD8\xFF\xE0/', $data)) $type = 'jpeg';
+
+ return 'image/' . $type;
+}
+
 /**
 * A method to guess encoding of a string.
@@ -529,7 +462,7 @@
 $input[$idx] = rc_utf8_clean($val);
 return $input;
 }
-
+
 if (!is_string($input) || $input == '')
 return $input;
@@ -551,7 +484,7 @@
 '|[\xF1-\xF3][\x80-\xBF][\x80-\xBF][\x80-\xBF]'.// UTF8-4
 '|\xF4[\x80-\x8F][\x80-\xBF][\x80-\xBF]'. // UTF8-4
 ')$/';
-
+
 $seq = '';
 $out = '';
@@ -622,7 +555,7 @@
 $p = $i + 1;
 }
 }
-
+
 $result[] = substr($string, $p);
 return $result;
 }
@@ -637,7 +570,7 @@
 function array_keys_recursive($array)
 {
 $keys = array();
-
+
 if (!empty($array))
 foreach ($array as $key => $child) {
 $keys[] = $key;
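Review bot: rc_image_content_type() labels every input it does not recognise as image/jpeg, including non-image data, so a caller cannot use its result to decide whether the bytes are an image at all, and the only JPEG check is the commented-out line. Testing the SOI marker with `else if (preg_match('/^\xFF\xD8\xFF/', $data)) $type = 'jpeg';` (the `\xE0` in the commented line matches only JFIF, not the `\xE1` APP1 segment of EXIF files) would let the fallback be reached only by unknown data, and the docblock should say plainly that unknown data is still reported as image/jpeg rather than rejected. Separately, `array_shift(preg_split(...))` in rc_mime_content_type() passes a temporary by reference, which PHP 5 reports as E_STRICT "Only variables should be passed by reference"; `list($mime_type) = preg_split('/[; ]/', $mime_type);` gives the same first element without the notice. rc_mime_content_type() begins outside this hunk.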
@@ -645,6 +578,29 @@
 $keys[] = $val;
 }
 return $keys;
+}
+
+
+/**
+ * Format e-mail address
+ *
+ * @param string $email E-mail address
+ *
+ * @return string Formatted e-mail address
+ */
+function format_email($email)
+{
+ $email = trim($email);
+ $parts = explode('@', $email);
+ $count = count($parts);
+
+ if ($count > 1) {
+ $parts[$count-1] = mb_strtolower($parts[$count-1]);
+
+ $email = implode('@', $parts);
+ }
+
+ return $email;
 }
@@ -700,7 +656,7 @@
 $loaded = true;
 }
- if ($idn && $domain && preg_match('/(^|@|\.)xn--/i', $domain)) {
+ if ($idn && $domain && preg_match('/(^|\.)xn--/i', $domain)) {
 try {
 $domain = $idn->decode($domain);
 }
-- Gitblit v1.9.1
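Review bot: format_email()'s docblock says only "Format e-mail address", which does not tell a caller what is actually normalised: the code trims surrounding whitespace and lower-cases the text after the last '@' (so a quoted local part containing '@' is left alone), while the local part keeps its case. I would replace the one-line summary with `Normalise an e-mail address: trim surrounding whitespace and lower-case the domain part (everything after the last '@'); the local part is left untouched because it may be case-sensitive.` Note that mb_strtolower() is called without an encoding argument, so the result depends on the mbstring internal encoding configured elsewhere — presumably set during application start-up, but not visible here.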