From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/include/rcube_vcard.php |  193 +++++++++++++++++++++++++++++++++++++-----------
 1 files changed, 149 insertions(+), 44 deletions(-)

diff --git a/program/include/rcube_vcard.php b/program/include/rcube_vcard.php
index 0cb0b20..9929d0f 100644
--- a/program/include/rcube_vcard.php
+++ b/program/include/rcube_vcard.php
@@ -33,7 +33,7 @@
     'FN' => array(),
     'N' => array(array('','','','','')),
   );
-  private $fieldmap = array(
+  private static $fieldmap = array(
     'phone'    => 'TEL',
     'birthday' => 'BDAY',
     'website'  => 'URL',
@@ -41,15 +41,17 @@
     'email'    => 'EMAIL',
     'address'  => 'ADR',
     'jobtitle' => 'TITLE',
+    'department'  => 'X-DEPARTMENT',
     'gender'      => 'X-GENDER',
     'maidenname'  => 'X-MAIDENNAME',
     'anniversary' => 'X-ANNIVERSARY',
     'assistant'   => 'X-ASSISTANT',
     'manager'     => 'X-MANAGER',
     'spouse'      => 'X-SPOUSE',
+    'edit'        => 'X-AB-EDIT',
   );
-  private $typemap = array('iPhone' => 'mobile', 'CELL' => 'mobile');
-  private $phonetypemap = array('HOME1' => 'HOME', 'BUSINESS1' => 'WORK', 'BUSINESS2' => 'WORK2', 'WORKFAX' => 'BUSINESSFAX');
+  private $typemap = array('iPhone' => 'mobile', 'CELL' => 'mobile', 'WORK,FAX' => 'workfax');
+  private $phonetypemap = array('HOME1' => 'HOME', 'BUSINESS1' => 'WORK', 'BUSINESS2' => 'WORK2', 'BUSINESSFAX' => 'WORK,FAX');
   private $addresstypemap = array('BUSINESS' => 'WORK');
   private $immap = array('X-JABBER' => 'jabber', 'X-ICQ' => 'icq', 'X-MSN' => 'msn', 'X-AIM' => 'aim', 'X-YAHOO' => 'yahoo', 'X-SKYPE' => 'skype', 'X-SKYPE-USERNAME' => 'skype');
 
@@ -63,12 +65,16 @@
   public $notes;
   public $email = array();
 
+  public static $eol = "\r\n";
 
   /**
    * Constructor
    */
-  public function __construct($vcard = null, $charset = RCMAIL_CHARSET, $detect = false)
+  public function __construct($vcard = null, $charset = RCMAIL_CHARSET, $detect = false, $fieldmap = array())
   {
+    if (!empty($fielmap))
+      $this->extend_fieldmap($fieldmap);
+
     if (!empty($vcard))
       $this->load($vcard, $charset, $detect);
   }
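Review bot: The guard added at the top of the constructor tests `$fielmap`, a misspelling of the new `$fieldmap` parameter, so `empty()` is always true and `extend_fieldmap()` is never reached from here. Any mapping passed as the fourth argument is silently ignored. The line should read `if (!empty($fieldmap))`.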
@@ -95,6 +101,10 @@
       ($detected_charset = self::detect_encoding(self::vcard_encode($this->raw))) && $detected_charset != RCMAIL_CHARSET) {
         $this->raw = self::charset_convert($this->raw, $detected_charset);
     }
+    
+    // consider FN empty if the same as the primary e-mail address
+    if ($this->raw['FN'][0][0] == $this->raw['EMAIL'][0][0])
+      $this->raw['FN'][0][0] = '';
 
     // find well-known address fields
     $this->displayname = $this->raw['FN'][0][0];
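Review bot: The new FN/EMAIL comparison uses loose `==` on indexes that may not exist. For a card with neither FN nor EMAIL both sides are null, the test passes, and an empty `FN` entry is written into `$this->raw`, with undefined-index notices on the way. Because this data comes from imported vCards, the check is better guarded and strict, e.g. `if (isset($this->raw['FN'][0][0], $this->raw['EMAIL'][0][0]) && $this->raw['FN'][0][0] === $this->raw['EMAIL'][0][0])`. The enclosing method starts and ends outside this hunk.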
@@ -114,13 +124,6 @@
       $tmp = $this->email[0];
       $this->email[0] = $this->email[$pref_index];
       $this->email[$pref_index] = $tmp;
-    }
-
-    // make sure displayname is not empty (required by RFC2426)
-    if (!strlen($this->displayname)) {
-      // the same method is used in steps/mail/addcontact.inc
-      $this->displayname = ucfirst(preg_replace('/[\.\-]/', ' ',
-        substr($this->email[0], 0, strpos($this->email[0], '@'))));
     }
   }
 
@@ -147,15 +150,19 @@
       $out['suffix'] = $this->raw['N'][0][4];
 
     // convert from raw vcard data into associative data for Roundcube
-    foreach (array_flip($this->fieldmap) as $tag => $col) {
+    foreach (array_flip(self::$fieldmap) as $tag => $col) {
       foreach ((array)$this->raw[$tag] as $i => $raw) {
         if (is_array($raw)) {
           $k = -1;
           $key = $col;
+          $subtype = '';
 
-          $subtype = $typemap[$raw['type'][++$k]] ? $typemap[$raw['type'][$k]] : strtolower($raw['type'][$k]);
-          while ($k < count($raw['type']) && ($subtype == 'internet' || $subtype == 'pref'))
-            $subtype = $typemap[$raw['type'][++$k]] ? $typemap[$raw['type'][$k]] : strtolower($raw['type'][$k]);
+          if (!empty($raw['type'])) {
+            $combined = join(',', self::array_filter((array)$raw['type'], 'internet,pref', true));
+            $subtype = $typemap[$combined] ? $typemap[$combined] : ($typemap[$raw['type'][++$k]] ? $typemap[$raw['type'][$k]] : strtolower($raw['type'][$k]));
+            while ($k < count($raw['type']) && ($subtype == 'internet' || $subtype == 'pref'))
+              $subtype = $typemap[$raw['type'][++$k]] ? $typemap[$raw['type'][$k]] : strtolower($raw['type'][$k]);
+          }
 
           // read vcard 2.1 subtype
           if (!$subtype) {
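Review bot: The combined-type lookup is case- and order-sensitive. `self::array_filter()` compares lowercased values but returns the originals, so `$combined` keeps the casing and order found in the card, while the only combined key added to the type map is `'WORK,FAX'`. A card carrying `TYPE=work,fax` or `TYPE=FAX,WORK` would therefore miss the mapping and fall back to the first type; this is inferred, since the assignment of the local `$typemap` lies outside the hunk. Wrapping the join as `$combined = strtoupper(join(',', ...))` would cover the casing, and the nested ternary on the following line would read better split into two statements.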
@@ -168,7 +175,7 @@
           }
 
           // force subtype if none set
-          if (preg_match('/^(email|phone|address|website)/', $key) && !$subtype)
+          if (!$subtype && preg_match('/^(email|phone|address|website)/', $key))
             $subtype = 'other';
 
           if ($subtype)
@@ -221,7 +228,7 @@
   public function reset($fields = null)
   {
     if (!$fields)
-      $fields = array_merge(array_values($this->fieldmap), array_keys($this->immap), array('FN','N','ORG','NICKNAME','EMAIL','ADR','BDAY'));
+      $fields = array_merge(array_values(self::$fieldmap), array_keys($this->immap), array('FN','N','ORG','NICKNAME','EMAIL','ADR','BDAY'));
 
     foreach ($fields as $f)
       unset($this->raw[$f]);
@@ -245,7 +252,7 @@
   public function set($field, $value, $type = 'HOME')
   {
     $field = strtolower($field);
-    $type = strtoupper($type);
+    $type_uc = strtoupper($type);
     $typemap = array_flip($this->typemap);
 
     switch ($field) {
@@ -285,16 +292,15 @@
       case 'photo':
         if (strpos($value, 'http:') === 0) {
             // TODO: fetch file from URL and save it locally?
-            $this->raw['PHOTO'][0] = array(0 => $value, 'URL' => true);
+            $this->raw['PHOTO'][0] = array(0 => $value, 'url' => true);
         }
         else {
-            $encoded = !preg_match('![^a-z0-9/=+-]!i', $value);
-            $this->raw['PHOTO'][0] = array(0 => $encoded ? $value : base64_encode($value), 'BASE64' => true);
+            $this->raw['PHOTO'][0] = array(0 => $value, 'base64' => (bool) preg_match('![^a-z0-9/=+-]!i', $value));
         }
         break;
 
       case 'email':
-        $this->raw['EMAIL'][] = array(0 => $value, 'type' => array_filter(array('INTERNET', $type)));
+        $this->raw['EMAIL'][] = array(0 => $value, 'type' => array_filter(array('INTERNET', $type_uc)));
         $this->email[] = $value;
         break;
 
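Review bot: In the `photo` case the `base64` flag is now set by a content heuristic, and a value that already looks base64-encoded is stored with `'base64' => false`. Judging by the export hunk later in this patch, a false boolean attribute is not emitted, so such a PHOTO would be written as base64 text with no encoding marker; that is inferred from the visible lines and worth confirming with a round-trip test. At minimum a comment above the assignment, such as `// base64 => true means $value is raw binary and must be encoded on export`, would make the inverted sense of the regex clear. `set()` begins and ends outside this hunk.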
@@ -311,8 +317,8 @@
         break;
 
       case 'address':
-        if ($this->addresstypemap[$type])
-          $type = $this->addresstypemap[$type];
+        if ($this->addresstypemap[$type_uc])
+          $type = $this->addresstypemap[$type_uc];
 
         $value = $value[0] ? $value : array('', '', $value['street'], $value['locality'], $value['region'], $value['zipcode'], $value['country']);
 
@@ -321,17 +327,30 @@
           break;
 
       default:
-        if ($field == 'phone' && $this->phonetypemap[$type])
-          $type = $this->phonetypemap[$type];
+        if ($field == 'phone' && $this->phonetypemap[$type_uc])
+          $type = $this->phonetypemap[$type_uc];
 
-        if (($tag = $this->fieldmap[$field]) && (is_array($value) || strlen($value))) {
+        if (($tag = self::$fieldmap[$field]) && (is_array($value) || strlen($value))) {
           $index = count($this->raw[$tag]);
           $this->raw[$tag][$index] = (array)$value;
           if ($type)
-            $this->raw[$tag][$index]['type'] = array(($typemap[$type] ? $typemap[$type] : $type));
+            $this->raw[$tag][$index]['type'] = explode(',', ($typemap[$type] ? $typemap[$type] : $type));
         }
         break;
     }
+  }
+
+  /**
+   * Setter for individual vcard properties
+   *
+   * @param string VCard tag name
+   * @param array Value-set of this vcard property
+   * @param boolean Set to true if the value-set should be appended instead of replacing any existing value-set
+   */
+  public function set_raw($tag, $value, $append = false)
+  {
+    $index = $append ? count($this->raw[$tag]) : 0;
+    $this->raw[$tag][$index] = (array)$value;
   }
 
 
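Review bot: `set_raw()` stores under `$tag` exactly as given, while the parser upper-cases tag names (`strtoupper($regs2[1][0])` in the decode hunk), so `set_raw('photo', ...)` would create a second key beside `PHOTO`. It also calls `count($this->raw[$tag])` on a key that may not exist yet. Suggest `$tag = strtoupper($tag);` as the first line and `$index = ($append && isset($this->raw[$tag])) ? count($this->raw[$tag]) : 0;`. The `@param` lines should also carry their variable names (`$tag`, `$value`, `$append`).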
@@ -378,6 +397,16 @@
 
 
   /**
+   * Extends fieldmap definition
+   */
+  public function extend_fieldmap($map)
+  {
+    if (is_array($map))
+      self::$fieldmap = array_merge($map, self::$fieldmap);
+  }
+
+
+  /**
    * Factory method to import a vcard file
    *
    * @param string vCard file content
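Review bot: `extend_fieldmap()` is an instance method but writes to the static `self::$fieldmap`, so a map supplied for one card changes the mapping for every `rcube_vcard` object in the request. With `array_merge($map, self::$fieldmap)` the existing entries win on key collisions, so the method can add columns but not override built-in ones. Both properties belong in the docblock, e.g. `@param array $map Column => vCard tag pairs; existing keys are kept and the change applies to all instances`.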
@@ -408,8 +437,8 @@
 
       if (preg_match('/^END:VCARD$/i', $line)) {
         // parse vcard
-        $obj = new rcube_vcard(self::cleanup($vcard_block), $charset, true);
-        if (!empty($obj->displayname))
+        $obj = new rcube_vcard(self::cleanup($vcard_block), $charset, true, self::$fieldmap);
+        if (!empty($obj->displayname) || !empty($obj->email))
           $out[] = $obj;
 
         $in_vcard_block = false;
@@ -519,26 +548,45 @@
       if (preg_match_all('/([^\\;]+);?/', $line[1], $regs2)) {
         $entry = array();
         $field = strtoupper($regs2[1][0]);
+        $enc   = null;
 
         foreach($regs2[1] as $attrid => $attr) {
           if ((list($key, $value) = explode('=', $attr)) && $value) {
             $value = trim($value);
             if ($key == 'ENCODING') {
               // add next line(s) to value string if QP line end detected
-              while ($value == 'QUOTED-PRINTABLE' && preg_match('/=$/', $lines[$i]))
+              if ($value == 'QUOTED-PRINTABLE') {
+                while (preg_match('/=$/', $lines[$i]))
                   $line[2] .= "\n" . $lines[++$i];
-
-              $line[2] = self::decode_value($line[2], $value);
+              }
+              $enc = $value;
             }
-            else
-              $entry[strtolower($key)] = array_merge((array)$entry[strtolower($key)], (array)self::vcard_unquote($value, ','));
+            else {
+              $lc_key = strtolower($key);
+              $entry[$lc_key] = array_merge((array)$entry[$lc_key], (array)self::vcard_unquote($value, ','));
+            }
           }
           else if ($attrid > 0) {
-            $entry[$key] = true;  // true means attr without =value
+            $entry[strtolower($key)] = true;  // true means attr without =value
           }
         }
 
-        $entry = array_merge($entry, (array)self::vcard_unquote($line[2]));
+        // decode value
+        if ($enc || !empty($entry['base64'])) {
+          // save encoding type (#1488432)
+          if ($enc == 'B') {
+            $entry['encoding'] = 'B';
+            // should we use vCard 3.0 instead?
+            // $entry['base64'] = true;
+          }
+          $line[2] = self::decode_value($line[2], $enc ? $enc : 'base64');
+        }
+
+        if ($enc != 'B' && empty($entry['base64'])) {
+          $line[2] = self::vcard_unquote($line[2]);
+        }
+
+        $entry = array_merge($entry, (array) $line[2]);
         $data[$field][] = $entry;
       }
     }
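Review bot: The decision to skip `vcard_unquote()` compares `$enc` with the literal `'B'` only, so a value declared `ENCODING=BASE64` or `ENCODING=b` is base64-decoded and then still run through the unquoting step, which rewrites `\r`, `\n` and `;` sequences inside what is now binary data. `decode_value()` appears to match encodings case-insensitively (its case labels are lowercase), so these inputs do reach the decoder; this is inferred because that function body is outside the hunk. Normalising once with `$enc = strtoupper($value);` and testing `if (!in_array($enc, array('B', 'BASE64')) && empty($entry['base64']))` before unquoting would keep decoded binary intact. The same normalised check would also let the `$entry['encoding'] = 'B'` marker be saved for lowercase input. The enclosing function starts and ends outside this hunk.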
@@ -563,6 +611,7 @@
         return quoted_printable_decode($value);
 
       case 'base64':
+      case 'b':
         self::$values_decoded = true;
         return base64_decode($value);
 
@@ -585,18 +634,29 @@
       while ($type == "N" && is_array($entries[0]) && count($entries[0]) < 5)
         $entries[0][] = "";
 
+      // make sure FN is not empty (required by RFC2426)
+      if ($type == "FN" && empty($entries))
+        $entries[0] = $data['EMAIL'][0][0];
+
       foreach((array)$entries as $entry) {
         $attr = '';
         if (is_array($entry)) {
           $value = array();
           foreach($entry as $attrname => $attrvalues) {
-            if (is_int($attrname))
+            if (is_int($attrname)) {
+              if (!empty($entry['base64']) || $entry['encoding'] == 'B') {
+                $attrvalues = base64_encode($attrvalues);
+              }
               $value[] = $attrvalues;
-            elseif ($attrvalues === true)
-              $attr .= ";$attrname";    // true means just tag, not tag=value, as in PHOTO;BASE64:...
+            }
+            else if (is_bool($attrvalues)) {
+              if ($attrvalues) {
+                $attr .= strtoupper(";$attrname");    // true means just tag, not tag=value, as in PHOTO;BASE64:...
+              }
+            }
             else {
               foreach((array)$attrvalues as $attrvalue)
-                $attr .= ";$attrname=" . self::vcard_quote($attrvalue, ',');
+                $attr .= strtoupper(";$attrname=") . self::vcard_quote($attrvalue, ',');
             }
           }
         }
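Review bot: The FN fallback fires only when `$entries` is empty, but the `load()` change earlier in this patch blanks FN by assigning `''` to `['FN'][0][0]`, which leaves `$entries` non-empty. In that case FN would be dropped by the skip-empty check in the next hunk instead of being replaced by the e-mail address, so the exported card would lack the FN the comment says RFC2426 requires; this is inferred, as the enclosing loop header is outside the hunk. Consider `if ($type == "FN" && (empty($entries) || self::is_empty($entries[0])))`. Separately, `$entry['encoding'] == 'B'` reads a key most entries will not have; `isset($entry['encoding']) && $entry['encoding'] == 'B'` avoids the notice.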
@@ -604,11 +664,15 @@
           $value = $entry;
         }
 
-        $vcard .= self::vcard_quote($type) . $attr . ':' . self::vcard_quote($value) . "\n";
+        // skip empty entries
+        if (self::is_empty($value))
+          continue;
+
+        $vcard .= self::vcard_quote($type) . $attr . ':' . self::vcard_quote($value) . self::$eol;
       }
     }
 
-    return "BEGIN:VCARD\nVERSION:3.0\n{$vcard}END:VCARD";
+    return 'BEGIN:VCARD' . self::$eol . 'VERSION:3.0' . self::$eol . $vcard . 'END:VCARD';
   }
 
 
@@ -650,12 +714,53 @@
       return $result;
     }
     else {
-      return strtr($s, array("\r" => '', '\\\\' => '\\', '\n' => "\n", '\N' => "\n", '\,' => ',', '\;' => ';'));
+      return strtr($s, array("\r" => '', '\\\\' => '\\', '\n' => "\n", '\N' => "\n", '\,' => ',', '\;' => ';', '\:' => ':'));
     }
   }
 
 
   /**
+   * Check if vCard entry is empty: empty string or an array with
+   * all entries empty.
+   *
+   * @param mixed $value Attribute value (string or array)
+   *
+   * @return bool True if the value is empty, False otherwise
+   */
+  private static function is_empty($value)
+  {
+    foreach ((array)$value as $v) {
+      if (((string)$v) !== '') {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  /**
+   * Extract array values by a filter
+   *
+   * @param array Array to filter
+   * @param keys Array or comma separated list of values to keep
+   * @param boolean Invert key selection: remove the listed values
+   * @return array The filtered array
+   */
+  private static function array_filter($arr, $values, $inverse = false)
+  {
+    if (!is_array($values))
+      $values = explode(',', $values);
+
+    $result = array();
+    $keep = array_flip((array)$values);
+    foreach ($arr as $key => $val)
+      if ($inverse != isset($keep[strtolower($val)]))
+        $result[$key] = $val;
+
+    return $result;
+  }
+
+  /**
    * Returns UNICODE type based on BOM (Byte Order Mark)
    *
    * @param string Input string to test
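Review bot: The new private helper is named `array_filter`, the same as the PHP built-in that `set()` calls unqualified in its `email` case, which makes call sites easy to misread; a name such as `filter_values` would avoid the clash. The helper lowercases `$val` before the lookup but not the entries of `$values`, so callers must pass lowercase filters, and the docblock should say so; its `@param keys` line also lacks a type and variable name. In `is_empty()`, the `(string)$v` cast would treat a nested array element as non-empty, so a comment stating that only strings or flat arrays are expected would help.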
