From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/include/rcube_smtp.php |   26 +++++++++++++++-----------
 1 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/program/include/rcube_smtp.php b/program/include/rcube_smtp.php
index 654c7ef..56b6012 100644
--- a/program/include/rcube_smtp.php
+++ b/program/include/rcube_smtp.php
@@ -105,7 +105,7 @@
 
     $this->conn = new Net_SMTP($smtp_host, $smtp_port, $helo_host);
 
-    if($RCMAIL->config->get('smtp_debug'))
+    if ($RCMAIL->config->get('smtp_debug'))
       $this->conn->setDebug(true, array($this, 'debug_handler'));
 
     // try to connect to server and exit on failure
@@ -116,6 +116,13 @@
       $this->error = array('label' => 'smtpconnerror', 'vars' => array('code' => $this->conn->_code));
       $this->conn = null;
       return false;
+    }
+
+    // workaround for timeout bug in Net_SMTP 1.5.[0-1] (#1487843)
+    if (method_exists($this->conn, 'setTimeout')
+      && ($timeout = ini_get('default_socket_timeout'))
+    ) {
+      $this->conn->setTimeout($timeout);
     }
 
     $smtp_user = str_replace('%u', $_SESSION['username'], $CONFIG['smtp_user']);
@@ -207,14 +214,10 @@
     if ($opts['dsn']) {
       $exts = $this->conn->getServiceExtensions();
 
-      if (!isset($exts['DSN'])) {
-        $this->error = array('label' => 'smtpdsnerror');
-        $this->response[] = "DSN not supported";
-        return false;
+      if (isset($exts['DSN'])) {
+        $from_params      = 'RET=HDRS';
+        $recipient_params = 'NOTIFY=SUCCESS,FAILURE';
       }
-
-      $from_params      = 'RET=HDRS';
-      $recipient_params = 'NOTIFY=SUCCESS,FAILURE';
     }
 
     // RFC2298.3: remove envelope sender address
@@ -378,7 +381,7 @@
           $from = $addresses[0];
 
         // Reject envelope From: addresses with spaces.
-        if (strstr($from, ' '))
+        if (strpos($from, ' ') !== false)
           return false;
 
         $lines[] = $key . ': ' . $value;
@@ -432,14 +435,14 @@
     // if we're passed an array, assume addresses are valid and implode them before parsing.
     if (is_array($recipients))
       $recipients = implode(', ', $recipients);
-    
+
     $addresses = array();
     $recipients = rcube_explode_quoted_string(',', $recipients);
 
     reset($recipients);
     while (list($k, $recipient) = each($recipients))
     {
-      $a = explode(" ", $recipient);
+      $a = rcube_explode_quoted_string(' ', $recipient);
       while (list($k2, $word) = each($a))
       {
         if (strpos($word, "@") > 0 && $word[strlen($word)-1] != '"')
@@ -450,6 +453,7 @@
         }
       }
     }
+
     return $addresses;
   }
 

--
Gitblit v1.9.1