From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/include/rcube_vcard.php | 68 +++++++++++++++++++++++----------
 1 files changed, 47 insertions(+), 21 deletions(-)
diff --git a/program/include/rcube_vcard.php b/program/include/rcube_vcard.php
index ec3ad9c..9929d0f 100644
--- a/program/include/rcube_vcard.php
+++ b/program/include/rcube_vcard.php
@@ -51,7 +51,7 @@
 'edit' => 'X-AB-EDIT', ); private $typemap = array('iPhone' => 'mobile', 'CELL' => 'mobile', 'WORK,FAX' => 'workfax');
- private $phonetypemap = array('HOME1' => 'HOME', 'BUSINESS1' => 'WORK', 'BUSINESS2' => 'WORK2', 'BUSINESSFAX' => 'WORK,FAX', 'WORKFAX' => 'WORK,FAX');
+ private $phonetypemap = array('HOME1' => 'HOME', 'BUSINESS1' => 'WORK', 'BUSINESS2' => 'WORK2', 'BUSINESSFAX' => 'WORK,FAX');
 private $addresstypemap = array('BUSINESS' => 'WORK'); private $immap = array('X-JABBER' => 'jabber', 'X-ICQ' => 'icq', 'X-MSN' => 'msn', 'X-AIM' => 'aim', 'X-YAHOO' => 'yahoo', 'X-SKYPE' => 'skype', 'X-SKYPE-USERNAME' => 'skype');
@@ -252,7 +252,7 @@
 public function set($field, $value, $type = 'HOME') { $field = strtolower($field);
- $type = strtoupper($type);
+ $type_uc = strtoupper($type);
 $typemap = array_flip($this->typemap); switch ($field) {
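Review bot: After `$type_uc = strtoupper($type);` in set(), `$type` itself is no longer normalised, and nothing in the hunk says which spelling the later code is meant to see. A one-line comment such as `// $type_uc is only for the upper-case lookup maps; $type keeps the caller's spelling` would make the intent explicit, since the rest of set() lies outside this hunk and callers may pass either case. Separately, none of the hunks in this file touch utils/save-prefs or a `_session` argument, so the subject line does not describe them; anyone tracking the fix for #1489382 should confirm which change actually carries it.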
@@ -292,16 +292,15 @@
 case 'photo': if (strpos($value, 'http:') === 0) { // TODO: fetch file from URL and save it locally?
- $this->raw['PHOTO'][0] = array(0 => $value, 'URL' => true);
+ $this->raw['PHOTO'][0] = array(0 => $value, 'url' => true);
 } else {
- $encoded = !preg_match('![^a-z0-9/=+-]!i', $value);
- $this->raw['PHOTO'][0] = array(0 => $encoded ? $value : base64_encode($value), 'BASE64' => true);
+ $this->raw['PHOTO'][0] = array(0 => $value, 'base64' => (bool) preg_match('![^a-z0-9/=+-]!i', $value));
 } break; case 'email':
- $this->raw['EMAIL'][] = array(0 => $value, 'type' => array_filter(array('INTERNET', $type)));
+ $this->raw['EMAIL'][] = array(0 => $value, 'type' => array_filter(array('INTERNET', $type_uc)));
 $this->email[] = $value; break;
@@ -318,8 +317,8 @@
 break; case 'address':
- if ($this->addresstypemap[$type])
- $type = $this->addresstypemap[$type];
+ if ($this->addresstypemap[$type_uc])
+ $type = $this->addresstypemap[$type_uc];
 $value = $value[0] ? $value : array('', '', $value['street'], $value['locality'], $value['region'], $value['zipcode'], $value['country']);
@@ -328,8 +327,8 @@
 break; default:
- if ($field == 'phone' && $this->phonetypemap[$type])
- $type = $this->phonetypemap[$type];
+ if ($field == 'phone' && $this->phonetypemap[$type_uc])
+ $type = $this->phonetypemap[$type_uc];
 if (($tag = self::$fieldmap[$field]) && (is_array($value) || strlen($value))) { $index = count($this->raw[$tag]);
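Review bot: In the `case 'photo'` branch the new `'base64'` flag is true only when the value contains a character outside `[a-z0-9/=+-]`, so a photo that arrives already base64-encoded is stored with `'base64' => false`. Judging by the serializer hunk at the end of this patch, a false flag means the value is neither encoded nor tagged on export, so the PHOTO line would carry base64 text with no encoding parameter, whereas the removed code always set the flag. Sniffing the content is also ambiguous for short binary values that happen to consist only of those characters. If the stored value is meant to be raw bytes, decoding the already-encoded case up front would keep the flag consistent, e.g. `$this->raw['PHOTO'][0] = array(0 => $encoded ? base64_decode($value) : $value, 'base64' => true);` with `$encoded` computed as in the removed line.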
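Review bot: `$this->addresstypemap[$type_uc]` in the `case 'address'` branch, and `$this->phonetypemap[$type_uc]` in the `default:` branch of the following hunk, index the map with a key derived from the caller-supplied `$type` without checking that the key exists. Any type that is not in the map raises an undefined-index notice (a warning on PHP 8) on each call. `if (!empty($this->addresstypemap[$type_uc]))` and `if ($field == 'phone' && !empty($this->phonetypemap[$type_uc]))` keep the same truthiness test without the notice. Both branches continue outside the hunks shown.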
@@ -549,26 +548,45 @@
 if (preg_match_all('/([^\\;]+);?/', $line[1], $regs2)) { $entry = array(); $field = strtoupper($regs2[1][0]);
+ $enc = null;
 foreach($regs2[1] as $attrid => $attr) { if ((list($key, $value) = explode('=', $attr)) && $value) { $value = trim($value); if ($key == 'ENCODING') { // add next line(s) to value string if QP line end detected
- while ($value == 'QUOTED-PRINTABLE' && preg_match('/=$/', $lines[$i]))
+ if ($value == 'QUOTED-PRINTABLE') {
+ while (preg_match('/=$/', $lines[$i]))
 $line[2] .= "\n" . $lines[++$i];
-
- $line[2] = self::decode_value($line[2], $value);
+ }
+ $enc = $value;
 }
- else
- $entry[strtolower($key)] = array_merge((array)$entry[strtolower($key)], (array)self::vcard_unquote($value, ','));
+ else {
+ $lc_key = strtolower($key);
+ $entry[$lc_key] = array_merge((array)$entry[$lc_key], (array)self::vcard_unquote($value, ','));
+ }
 } else if ($attrid > 0) {
- $entry[$key] = true; // true means attr without =value
+ $entry[strtolower($key)] = true; // true means attr without =value
 } }
- $entry = array_merge($entry, (array)self::vcard_unquote($line[2]));
+ // decode value
+ if ($enc || !empty($entry['base64'])) {
+ // save encoding type (#1488432)
+ if ($enc == 'B') {
+ $entry['encoding'] = 'B';
+ // should we use vCard 3.0 instead?
+ // $entry['base64'] = true;
+ }
+ $line[2] = self::decode_value($line[2], $enc ? $enc : 'base64');
+ }
+
+ if ($enc != 'B' && empty($entry['base64'])) {
+ $line[2] = self::vcard_unquote($line[2]);
+ }
+
+ $entry = array_merge($entry, (array) $line[2]);
 $data[$field][] = $entry; } }
@@ -593,6 +611,7 @@
 return quoted_printable_decode($value); case 'base64':
+ case 'b':
 self::$values_decoded = true; return base64_decode($value);
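Review bot: Both new decode conditions compare `$enc` with the literal `'B'` only, although `$enc` is the raw parameter value taken from the imported card. A property written with `ENCODING=BASE64` or `ENCODING=b` would still be decoded (assuming decode_value() lower-cases the encoding name, as its lower-case `case 'base64':` and `case 'b':` labels suggest), but because `$enc != 'B'` still holds, the decoded bytes are then run through `self::vcard_unquote()` and no `encoding` marker is kept for export. Normalising once, e.g. `$is_b64 = !empty($entry['base64']) || in_array(strtoupper((string) $enc), array('B', 'BASE64'), true);`, and using `$is_b64` for both the marker and the unquote guard would treat all spellings alike. The continuation loop `while (preg_match('/=$/', $lines[$i]))` also advances `$i` with no bound check, so a card whose last line ends in `=` reads one element past the end of `$lines`.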
@@ -624,13 +643,20 @@
 if (is_array($entry)) { $value = array(); foreach($entry as $attrname => $attrvalues) {
- if (is_int($attrname))
+ if (is_int($attrname)) {
+ if (!empty($entry['base64']) || $entry['encoding'] == 'B') {
+ $attrvalues = base64_encode($attrvalues);
+ }
 $value[] = $attrvalues;
- elseif ($attrvalues === true)
- $attr .= ";$attrname"; // true means just tag, not tag=value, as in PHOTO;BASE64:...
+ }
+ else if (is_bool($attrvalues)) {
+ if ($attrvalues) {
+ $attr .= strtoupper(";$attrname"); // true means just tag, not tag=value, as in PHOTO;BASE64:...
+ }
+ }
 else { foreach((array)$attrvalues as $attrvalue)
- $attr .= ";$attrname=" . self::vcard_quote($attrvalue, ',');
+ $attr .= strtoupper(";$attrname=") . self::vcard_quote($attrvalue, ',');
 } } }
-- Gitblit v1.9.1
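Review bot: `$entry['encoding'] == 'B'` is a loose comparison on a key that most entries will not have. It raises an undefined-index notice for every entry without an `encoding` attribute, and because the parser hunk stores `true` for a parameter written without `=value`, a bare `ENCODING` parameter makes `true == 'B'` succeed, so the value is base64-encoded on export even though no base64 encoding was declared. `if (!empty($entry['base64']) || (isset($entry['encoding']) && $entry['encoding'] === 'B'))` avoids both. The enclosing function starts and ends outside this hunk.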