From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/js/app.js | 143 ++++++++++++++++++++++++++++-------------------
1 files changed, 85 insertions(+), 58 deletions(-)
diff --git a/program/js/app.js b/program/js/app.js
index 6c0d2cd..8ec2095 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -171,7 +171,7 @@
}
// enable general commands
- this.enable_command('logout', 'mail', 'addressbook', 'settings', 'save-pref', 'compose', 'undo', true);
+ this.enable_command('logout', 'mail', 'addressbook', 'settings', 'save-pref', 'compose', 'undo', 'switch-task', true);
if (this.env.permaurl)
this.enable_command('permaurl', true);
@@ -228,7 +228,8 @@
this.enable_command('reply-list', this.env.list_post);
if (this.env.action == 'show') {
- this.http_request('pagenav', '_uid='+this.env.uid+'&_mbox='+urlencode(this.env.mailbox),
+ this.http_request('pagenav', '_uid='+this.env.uid+'&_mbox='+urlencode(this.env.mailbox)
+ + (this.env.search_request ? '&_search='+this.env.search_request : ''),
this.display_message('', 'loading'));
}
@@ -268,7 +269,7 @@
// show printing dialog
else if (this.env.action == 'print' && this.env.uid)
if (bw.safari)
- window.setTimeout('window.print()', 10);
+ setTimeout('window.print()', 10);
else
window.print();
@@ -745,7 +746,7 @@
case 'always-load':
if (this.env.uid && this.env.sender) {
this.add_contact(urlencode(this.env.sender));
- window.setTimeout(function(){ ref.command('load-images'); }, 300);
+ setTimeout(function(){ ref.command('load-images'); }, 300);
break;
}
@@ -763,7 +764,7 @@
qstring += '&_safe=1';
this.attachment_win = window.open(this.env.comm_path+'&_action=get&'+qstring+'&_frame=1', 'rcubemailattachment');
if (this.attachment_win) {
- window.setTimeout(function(){ ref.attachment_win.focus(); }, 10);
+ setTimeout(function(){ ref.attachment_win.focus(); }, 10);
break;
}
}
@@ -878,19 +879,25 @@
break;
case 'savedraft':
+ var form = this.gui_objects.messageform, msgid;
+
// Reset the auto-save timer
- self.clearTimeout(this.save_timer);
+ clearTimeout(this.save_timer);
- if (!this.gui_objects.messageform)
+ // saving Drafts is disabled
+ if (!form)
break;
- // if saving Drafts is disabled in main.inc.php
- // or if compose form did not change
- if (!this.env.drafts_mailbox || this.cmp_hash == this.compose_field_hash())
+ // compose form did not change
+ if (this.cmp_hash == this.compose_field_hash()) {
+ this.auto_save_start();
break;
+ }
- var form = this.gui_objects.messageform,
- msgid = this.set_busy(true, 'savingmessage');
+ // re-set keep-alive timeout
+ this.start_keepalive();
+
+ msgid = this.set_busy(true, 'savingmessage');
form.target = "savetarget";
form._draft.value = '1';
@@ -902,11 +909,11 @@
if (!this.gui_objects.messageform)
break;
- if (!this.check_compose_input())
+ if (!props.nocheck && !this.check_compose_input(command))
break;
// Reset the auto-save timer
- self.clearTimeout(this.save_timer);
+ clearTimeout(this.save_timer);
// all checks passed, send message
var lang = this.spellcheck_lang(),
@@ -925,7 +932,7 @@
case 'send-attachment':
// Reset the auto-save timer
- self.clearTimeout(this.save_timer);
+ clearTimeout(this.save_timer);
this.upload_file(props)
break;
@@ -963,7 +970,7 @@
if (uid = this.get_single_uid()) {
ref.printwin = window.open(this.env.comm_path+'&_action=print&_uid='+uid+'&_mbox='+urlencode(this.env.mailbox)+(this.env.safemode ? '&_safe=1' : ''));
if (this.printwin) {
- window.setTimeout(function(){ ref.printwin.focus(); }, 20);
+ setTimeout(function(){ ref.printwin.focus(); }, 20);
if (this.env.action != 'show')
this.mark_message('read', uid);
}
@@ -974,7 +981,7 @@
if (uid = this.get_single_uid()) {
ref.sourcewin = window.open(this.env.comm_path+'&_action=viewsource&_uid='+uid+'&_mbox='+urlencode(this.env.mailbox));
if (this.sourcewin)
- window.setTimeout(function(){ ref.sourcewin.focus(); }, 20);
+ setTimeout(function(){ ref.sourcewin.focus(); }, 20);
}
break;
@@ -1119,7 +1126,7 @@
// set timer for requests
if (a && this.env.request_timeout)
- this.request_timer = window.setTimeout(function(){ ref.request_timed_out(); }, this.env.request_timeout * 1000);
+ this.request_timer = setTimeout(function(){ ref.request_timed_out(); }, this.env.request_timeout * 1000);
return id;
};
@@ -1171,7 +1178,7 @@
if (this.is_framed())
parent.rcmail.reload(delay);
else if (delay)
- window.setTimeout(function(){ rcmail.reload(); }, delay);
+ setTimeout(function(){ rcmail.reload(); }, delay);
else if (window.location)
location.href = this.env.comm_path + (this.env.action ? '&_action='+this.env.action : '');
};
@@ -1304,7 +1311,7 @@
this.env.last_folder_target = null;
if (this.folder_auto_timer) {
- window.clearTimeout(this.folder_auto_timer);
+ clearTimeout(this.folder_auto_timer);
this.folder_auto_timer = null;
this.folder_auto_expand = null;
}
@@ -1357,15 +1364,15 @@
// if the folder is collapsed, expand it after 1sec and restart the drag & drop process.
if (div.hasClass('collapsed')) {
if (this.folder_auto_timer)
- window.clearTimeout(this.folder_auto_timer);
+ clearTimeout(this.folder_auto_timer);
- this.folder_auto_expand = k;
- this.folder_auto_timer = window.setTimeout(function() {
+ this.folder_auto_expand = this.env.mailboxes[k].id;
+ this.folder_auto_timer = setTimeout(function() {
rcmail.command('collapse-folder', rcmail.folder_auto_expand);
rcmail.drag_start(null);
}, 1000);
} else if (this.folder_auto_timer) {
- window.clearTimeout(this.folder_auto_timer);
+ clearTimeout(this.folder_auto_timer);
this.folder_auto_timer = null;
this.folder_auto_expand = null;
}
@@ -1406,8 +1413,9 @@
div.removeClass('expanded').addClass('collapsed');
this.env.collapsed_folders = this.env.collapsed_folders+'&'+urlencode(name)+'&';
- // select parent folder if one of its childs is currently selected
- if (this.env.mailbox.indexOf(name + this.env.delimiter) == 0)
+ // select the folder if one of its childs is currently selected
+ // don't select if it's virtual (#1488346)
+ if (this.env.mailbox.indexOf(name + this.env.delimiter) == 0 && !$(li).hasClass('virtual'))
this.command('list', name);
}
else
@@ -1516,7 +1524,7 @@
// start timer for message preview (wait for double click)
if (selected && this.env.contentframe && !list.multi_selecting && !this.dummy_select)
- this.preview_timer = window.setTimeout(function(){ ref.msglist_get_preview(); }, 200);
+ this.preview_timer = setTimeout(function(){ ref.msglist_get_preview(); }, 200);
else if (this.env.contentframe)
this.show_contentframe(false);
};
@@ -1533,7 +1541,7 @@
clearTimeout(this.preview_timer);
if (this.preview_read_timer)
clearTimeout(this.preview_read_timer);
- this.preview_timer = window.setTimeout(function(){ ref.msglist_get_preview(); }, 200);
+ this.preview_timer = setTimeout(function(){ ref.msglist_get_preview(); }, 200);
}
}
};
@@ -1592,7 +1600,7 @@
for (i=0; i<cols.length; i++)
if (cols[i].id && cols[i].id.match(/^rcm/)) {
name = cols[i].id.replace(/^rcm/, '');
- this.env.coltypes.push(name == 'to' ? 'from' : name);
+ this.env.coltypes.push(name);
}
if ((found = $.inArray('flag', this.env.coltypes)) >= 0)
@@ -1802,8 +1810,11 @@
else if (c == 'threads')
html = expando;
else if (c == 'subject') {
- if (bw.ie)
+ if (bw.ie) {
col.onmouseover = function() { rcube_webmail.long_subject_title_ie(this, message.depth+1); };
+ if (bw.ie8)
+ tree = '<span></span>' + tree; // #1487821
+ }
html = tree + cols[c];
}
else if (c == 'priority') {
@@ -1864,7 +1875,7 @@
// make sure new columns are added at the end of the list
var i, idx, name, newcols = [], oldcols = this.env.coltypes;
for (i=0; i<oldcols.length; i++) {
- name = oldcols[i] == 'to' ? 'from' : oldcols[i];
+ name = oldcols[i];
idx = $.inArray(name, cols);
if (idx != -1) {
newcols.push(name);
@@ -1914,7 +1925,7 @@
// mark as read and change mbox unread counter
if (action == 'preview' && this.message_list && this.message_list.rows[id] && this.message_list.rows[id].unread && this.env.preview_pane_mark_read >= 0) {
- this.preview_read_timer = window.setTimeout(function() {
+ this.preview_read_timer = setTimeout(function() {
ref.set_message(id, 'unread', false);
ref.update_thread_root(id, 'read');
if (ref.env.unread_counts[ref.env.mailbox]) {
@@ -2954,7 +2965,7 @@
};
// checks the input fields before sending a message
- this.check_compose_input = function()
+ this.check_compose_input = function(cmd)
{
// check input fields
var ed, input_to = $("[name='_to']"),
@@ -2989,15 +3000,28 @@
// display localized warning for missing subject
if (input_subject.val() == '') {
- var subject = prompt(this.get_label('nosubjectwarning'), this.get_label('nosubject'));
+ var myprompt = $('<div class="prompt">').html('<div class="message">' + this.get_label('nosubjectwarning') + '</div>').appendTo(document.body);
+ var prompt_value = $('<input>').attr('type', 'text').attr('size', 30).appendTo(myprompt).val(this.get_label('nosubject'));
- // user hit cancel, so don't send
- if (!subject && subject !== '') {
+ var buttons = {};
+ buttons[this.get_label('cancel')] = function(){
input_subject.focus();
- return false;
- }
- else
- input_subject.val((subject ? subject : this.get_label('nosubject')));
+ $(this).dialog('close');
+ };
+ buttons[this.get_label('sendmessage')] = function(){
+ input_subject.val(prompt_value.val());
+ $(this).dialog('close');
+ ref.command(cmd, { nocheck:true }); // repeat command which triggered this
+ };
+
+ myprompt.dialog({
+ modal: true,
+ resizable: false,
+ buttons: buttons,
+ close: function(event, ui) { $(this).remove() }
+ });
+ prompt_value.select();
+ return false;
}
// Apply spellcheck changes if spell checker is active
@@ -3068,7 +3092,7 @@
if (!vis)
this.stop_spellchecking();
- $(this.env.spellcheck.spell_container).css('visibility', vis ? 'visible' : 'hidden');
+ $(this.env.spellcheck.spell_container)[vis ? 'show' : 'hide']();
}
};
@@ -3116,7 +3140,7 @@
this.auto_save_start = function()
{
if (this.env.draft_autosave)
- this.save_timer = self.setTimeout(function(){ ref.command("savedraft"); }, this.env.draft_autosave * 1000);
+ this.save_timer = setTimeout(function(){ ref.command("savedraft"); }, this.env.draft_autosave * 1000);
// Unlock interface now that saving is complete
this.busy = false;
@@ -3400,7 +3424,7 @@
this.upload_progress_start = function(action, name)
{
- window.setTimeout(function() { rcmail.http_request(action, {_progress: name}); },
+ setTimeout(function() { rcmail.http_request(action, {_progress: name}); },
this.env.upload_progress_time * 1000);
};
@@ -3500,7 +3524,7 @@
{
this.display_message(msg, type);
// before redirect we need to wait some time for Chrome (#1486177)
- window.setTimeout(function(){ ref.list_mailbox(); }, 500);
+ setTimeout(function(){ ref.list_mailbox(); }, 500);
};
@@ -3519,9 +3543,9 @@
mod = rcube_event.get_modifier(e);
switch (key) {
- case 38: // key up
- case 40: // key down
- if (!this.ksearch_pane)
+ case 38: // arrow up
+ case 40: // arrow down
+ if (!this.ksearch_visible())
break;
var dir = key==38 ? 1 : 0;
@@ -3558,11 +3582,11 @@
case 37: // left
case 39: // right
if (mod != SHIFT_KEY)
- return;
+ return;
}
// start timer
- this.ksearch_timer = window.setTimeout(function(){ ref.ksearch_get_results(props); }, 200);
+ this.ksearch_timer = setTimeout(function(){ ref.ksearch_get_results(props); }, 200);
this.ksearch_input = obj;
return true;
@@ -3870,7 +3894,7 @@
source = this.env.source ? this.env.address_sources[this.env.source] : null;
if (id = list.get_single_selection())
- this.preview_timer = window.setTimeout(function(){ ref.load_contact(id, 'show'); }, 200);
+ this.preview_timer = setTimeout(function(){ ref.load_contact(id, 'show'); }, 200);
else if (this.env.contentframe)
this.show_contentframe(false);
@@ -4051,7 +4075,7 @@
this.delete_contacts = function()
{
var selection = this.contact_list.get_selection(),
- undelete = this.env.address_sources[this.env.source].undelete;
+ undelete = this.env.source && this.env.address_sources[this.env.source].undelete;
// exit if no mailbox specified or if selection is empty
if (!(selection.length || this.env.cid) || (!undelete && !confirm(this.get_label('deletecontactconfirm'))))
@@ -5359,7 +5383,7 @@
}
// add element and set timeout
this.messages[key].elements.push(id);
- window.setTimeout(function() { ref.hide_message(id, type == 'loading'); }, timeout);
+ setTimeout(function() { ref.hide_message(id, type == 'loading'); }, timeout);
return id;
}
@@ -5377,7 +5401,7 @@
}
if (timeout > 0)
- window.setTimeout(function() { ref.hide_message(id, type == 'loading'); }, timeout);
+ setTimeout(function() { ref.hide_message(id, type == 'loading'); }, timeout);
return id;
};
@@ -5460,7 +5484,7 @@
// for reordering column array (Konqueror workaround)
// and for setting some message list global variables
- this.set_message_coltypes = function(coltypes, repl)
+ this.set_message_coltypes = function(coltypes, repl, smart_col)
{
var list = this.message_list,
thead = list ? list.list.tHead : null,
@@ -5488,7 +5512,7 @@
for (n=0, len=this.env.coltypes.length; n<len; n++) {
col = this.env.coltypes[n];
- if ((cell = thead.rows[0].cells[n]) && (col=='from' || col=='to')) {
+ if ((cell = thead.rows[0].cells[n]) && (col == 'from' || col == 'to' || col == 'fromto')) {
cell.id = 'rcm'+col;
// if we have links for sorting, it's a bit more complicated...
if (cell.firstChild && cell.firstChild.tagName.toLowerCase()=='a') {
@@ -5496,7 +5520,7 @@
cell.onclick = function(){ return rcmail.command('sort', this.__col, this); };
cell.__col = col;
}
- cell.innerHTML = this.get_label(col);
+ cell.innerHTML = this.get_label(col == 'fromto' ? smart_col : col);
}
}
}
@@ -5743,10 +5767,13 @@
});
};
- this.plain2html = function(plainText, id)
+ this.plain2html = function(plain, id)
{
var lock = this.set_busy(true, 'converting');
- $('#'+id).val(plainText ? '<pre>'+plainText+'</pre>' : '');
+
+ plain = plain.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>');
+ $('#'+id).val(plain ? '<pre>'+plain+'</pre>' : '');
+
this.set_busy(false, null, lock);
};
--
Gitblit v1.9.1