From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/app.js |   85 +++++++++++++++++++++++-------------------
 1 files changed, 47 insertions(+), 38 deletions(-)

diff --git a/program/js/app.js b/program/js/app.js
index e01b72a..8ec2095 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -171,7 +171,7 @@
     }
 
     // enable general commands
-    this.enable_command('logout', 'mail', 'addressbook', 'settings', 'save-pref', 'compose', 'undo', true);
+    this.enable_command('logout', 'mail', 'addressbook', 'settings', 'save-pref', 'compose', 'undo', 'switch-task', true);
 
     if (this.env.permaurl)
       this.enable_command('permaurl', true);
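Review bot: `'switch-task'` is enabled unconditionally on the new line 19, but no `case 'switch-task':` handler appears anywhere in this diff, so as far as the visible patch shows the command is advertised to the UI before anything implements it; if the handler lives in an unchanged part of `command()` a short comment naming it would help, e.g. `// 'switch-task' is handled by the task-switch branch in command()`. Separately, the subject line describes a fix for the `_session` argument of utils/save-prefs, yet every hunk here is in program/js/app.js and none touches that request path, so either the server-side change is in another commit or the message is attached to the wrong diff; worth confirming before this is cited as the vulnerability fix. The enclosing init function starts outside the hunk.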
@@ -269,7 +269,7 @@
         // show printing dialog
         else if (this.env.action == 'print' && this.env.uid)
           if (bw.safari)
-            window.setTimeout('window.print()', 10);
+            setTimeout('window.print()', 10);
           else
             window.print();
 
@@ -746,7 +746,7 @@
       case 'always-load':
         if (this.env.uid && this.env.sender) {
           this.add_contact(urlencode(this.env.sender));
-          window.setTimeout(function(){ ref.command('load-images'); }, 300);
+          setTimeout(function(){ ref.command('load-images'); }, 300);
           break;
         }
 
@@ -764,7 +764,7 @@
             qstring += '&_safe=1';
           this.attachment_win = window.open(this.env.comm_path+'&_action=get&'+qstring+'&_frame=1', 'rcubemailattachment');
           if (this.attachment_win) {
-            window.setTimeout(function(){ ref.attachment_win.focus(); }, 10);
+            setTimeout(function(){ ref.attachment_win.focus(); }, 10);
             break;
           }
         }
@@ -879,19 +879,25 @@
         break;
 
       case 'savedraft':
+        var form = this.gui_objects.messageform, msgid;
+
         // Reset the auto-save timer
-        self.clearTimeout(this.save_timer);
+        clearTimeout(this.save_timer);
 
-        if (!this.gui_objects.messageform)
+        // saving Drafts is disabled
+        if (!form)
           break;
 
-        // if saving Drafts is disabled in main.inc.php
-        // or if compose form did not change
-        if (!this.env.drafts_mailbox || this.cmp_hash == this.compose_field_hash())
+        // compose form did not change
+        if (this.cmp_hash == this.compose_field_hash()) {
+          this.auto_save_start();
           break;
+        }
 
-        var form = this.gui_objects.messageform,
-          msgid = this.set_busy(true, 'savingmessage');
+        // re-set keep-alive timeout
+        this.start_keepalive();
+
+        msgid = this.set_busy(true, 'savingmessage');
 
         form.target = "savetarget";
         form._draft.value = '1';
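Review bot: The `!this.env.drafts_mailbox` guard on old line 67 is dropped, and the new comment `// saving Drafts is disabled` is attached to `if (!form)` on line 62; that is only equivalent if the message form is never rendered when drafts are disabled, which this hunk cannot show, so if `drafts_mailbox` can be empty while the form exists the draft is now submitted with `_draft=1` and no target folder. If the server guarantees the form is absent in that case, say so in the comment, e.g. `// messageform is not rendered when drafts are disabled server-side`; otherwise restore the check as `if (!form || !this.env.drafts_mailbox) break;`. Line 69 still uses loose equality (`==`) for the hash comparison; `!==`/`===` would match the rest of the new code's intent and avoid coercion surprises if either side is undefined. The enclosing `switch` in `command()` starts and ends outside the hunk.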
@@ -907,7 +913,7 @@
           break;
 
         // Reset the auto-save timer
-        self.clearTimeout(this.save_timer);
+        clearTimeout(this.save_timer);
 
         // all checks passed, send message
         var lang = this.spellcheck_lang(),
@@ -926,7 +932,7 @@
 
       case 'send-attachment':
         // Reset the auto-save timer
-        self.clearTimeout(this.save_timer);
+        clearTimeout(this.save_timer);
 
         this.upload_file(props)
         break;
@@ -964,7 +970,7 @@
         if (uid = this.get_single_uid()) {
           ref.printwin = window.open(this.env.comm_path+'&_action=print&_uid='+uid+'&_mbox='+urlencode(this.env.mailbox)+(this.env.safemode ? '&_safe=1' : ''));
           if (this.printwin) {
-            window.setTimeout(function(){ ref.printwin.focus(); }, 20);
+            setTimeout(function(){ ref.printwin.focus(); }, 20);
             if (this.env.action != 'show')
               this.mark_message('read', uid);
           }
@@ -975,7 +981,7 @@
         if (uid = this.get_single_uid()) {
           ref.sourcewin = window.open(this.env.comm_path+'&_action=viewsource&_uid='+uid+'&_mbox='+urlencode(this.env.mailbox));
           if (this.sourcewin)
-            window.setTimeout(function(){ ref.sourcewin.focus(); }, 20);
+            setTimeout(function(){ ref.sourcewin.focus(); }, 20);
           }
         break;
 
@@ -1120,7 +1126,7 @@
 
     // set timer for requests
     if (a && this.env.request_timeout)
-      this.request_timer = window.setTimeout(function(){ ref.request_timed_out(); }, this.env.request_timeout * 1000);
+      this.request_timer = setTimeout(function(){ ref.request_timed_out(); }, this.env.request_timeout * 1000);
 
     return id;
   };
@@ -1172,7 +1178,7 @@
     if (this.is_framed())
       parent.rcmail.reload(delay);
     else if (delay)
-      window.setTimeout(function(){ rcmail.reload(); }, delay);
+      setTimeout(function(){ rcmail.reload(); }, delay);
     else if (window.location)
       location.href = this.env.comm_path + (this.env.action ? '&_action='+this.env.action : '');
   };
@@ -1305,7 +1311,7 @@
     this.env.last_folder_target = null;
 
     if (this.folder_auto_timer) {
-      window.clearTimeout(this.folder_auto_timer);
+      clearTimeout(this.folder_auto_timer);
       this.folder_auto_timer = null;
       this.folder_auto_expand = null;
     }
@@ -1358,15 +1364,15 @@
             // if the folder is collapsed, expand it after 1sec and restart the drag & drop process.
             if (div.hasClass('collapsed')) {
               if (this.folder_auto_timer)
-                window.clearTimeout(this.folder_auto_timer);
+                clearTimeout(this.folder_auto_timer);
 
               this.folder_auto_expand = this.env.mailboxes[k].id;
-              this.folder_auto_timer = window.setTimeout(function() {
+              this.folder_auto_timer = setTimeout(function() {
                 rcmail.command('collapse-folder', rcmail.folder_auto_expand);
                 rcmail.drag_start(null);
               }, 1000);
             } else if (this.folder_auto_timer) {
-              window.clearTimeout(this.folder_auto_timer);
+              clearTimeout(this.folder_auto_timer);
               this.folder_auto_timer = null;
               this.folder_auto_expand = null;
             }
@@ -1518,7 +1524,7 @@
 
     // start timer for message preview (wait for double click)
     if (selected && this.env.contentframe && !list.multi_selecting && !this.dummy_select)
-      this.preview_timer = window.setTimeout(function(){ ref.msglist_get_preview(); }, 200);
+      this.preview_timer = setTimeout(function(){ ref.msglist_get_preview(); }, 200);
     else if (this.env.contentframe)
       this.show_contentframe(false);
   };
@@ -1535,7 +1541,7 @@
           clearTimeout(this.preview_timer);
         if (this.preview_read_timer)
           clearTimeout(this.preview_read_timer);
-        this.preview_timer = window.setTimeout(function(){ ref.msglist_get_preview(); }, 200);
+        this.preview_timer = setTimeout(function(){ ref.msglist_get_preview(); }, 200);
       }
     }
   };
@@ -1594,7 +1600,7 @@
     for (i=0; i<cols.length; i++)
       if (cols[i].id && cols[i].id.match(/^rcm/)) {
         name = cols[i].id.replace(/^rcm/, '');
-        this.env.coltypes.push(name == 'to' ? 'from' : name);
+        this.env.coltypes.push(name);
       }
 
     if ((found = $.inArray('flag', this.env.coltypes)) >= 0)
@@ -1804,8 +1810,11 @@
       else if (c == 'threads')
         html = expando;
       else if (c == 'subject') {
-        if (bw.ie)
+        if (bw.ie) {
           col.onmouseover = function() { rcube_webmail.long_subject_title_ie(this, message.depth+1); };
+          if (bw.ie8)
+            tree = '<span></span>' + tree; // #1487821
+        }
         html = tree + cols[c];
       }
       else if (c == 'priority') {
@@ -1866,7 +1875,7 @@
       // make sure new columns are added at the end of the list
       var i, idx, name, newcols = [], oldcols = this.env.coltypes;
       for (i=0; i<oldcols.length; i++) {
-        name = oldcols[i] == 'to' ? 'from' : oldcols[i];
+        name = oldcols[i];
         idx = $.inArray(name, cols);
         if (idx != -1) {
           newcols.push(name);
@@ -1916,7 +1925,7 @@
 
       // mark as read and change mbox unread counter
       if (action == 'preview' && this.message_list && this.message_list.rows[id] && this.message_list.rows[id].unread && this.env.preview_pane_mark_read >= 0) {
-        this.preview_read_timer = window.setTimeout(function() {
+        this.preview_read_timer = setTimeout(function() {
           ref.set_message(id, 'unread', false);
           ref.update_thread_root(id, 'read');
           if (ref.env.unread_counts[ref.env.mailbox]) {
@@ -3131,7 +3140,7 @@
   this.auto_save_start = function()
   {
     if (this.env.draft_autosave)
-      this.save_timer = self.setTimeout(function(){ ref.command("savedraft"); }, this.env.draft_autosave * 1000);
+      this.save_timer = setTimeout(function(){ ref.command("savedraft"); }, this.env.draft_autosave * 1000);
 
     // Unlock interface now that saving is complete
     this.busy = false;
@@ -3415,7 +3424,7 @@
 
   this.upload_progress_start = function(action, name)
   {
-    window.setTimeout(function() { rcmail.http_request(action, {_progress: name}); },
+    setTimeout(function() { rcmail.http_request(action, {_progress: name}); },
       this.env.upload_progress_time * 1000);
   };
 
@@ -3515,7 +3524,7 @@
   {
     this.display_message(msg, type);
     // before redirect we need to wait some time for Chrome (#1486177)
-    window.setTimeout(function(){ ref.list_mailbox(); }, 500);
+    setTimeout(function(){ ref.list_mailbox(); }, 500);
   };
 
 
@@ -3573,11 +3582,11 @@
       case 37:  // left
       case 39:  // right
         if (mod != SHIFT_KEY)
-	      return;
+          return;
     }
 
     // start timer
-    this.ksearch_timer = window.setTimeout(function(){ ref.ksearch_get_results(props); }, 200);
+    this.ksearch_timer = setTimeout(function(){ ref.ksearch_get_results(props); }, 200);
     this.ksearch_input = obj;
 
     return true;
@@ -3885,7 +3894,7 @@
       source = this.env.source ? this.env.address_sources[this.env.source] : null;
 
     if (id = list.get_single_selection())
-      this.preview_timer = window.setTimeout(function(){ ref.load_contact(id, 'show'); }, 200);
+      this.preview_timer = setTimeout(function(){ ref.load_contact(id, 'show'); }, 200);
     else if (this.env.contentframe)
       this.show_contentframe(false);
 
@@ -5374,7 +5383,7 @@
       }
       // add element and set timeout
       this.messages[key].elements.push(id);
-      window.setTimeout(function() { ref.hide_message(id, type == 'loading'); }, timeout);
+      setTimeout(function() { ref.hide_message(id, type == 'loading'); }, timeout);
       return id;
     }
 
@@ -5392,7 +5401,7 @@
     }
 
     if (timeout > 0)
-      window.setTimeout(function() { ref.hide_message(id, type == 'loading'); }, timeout);
+      setTimeout(function() { ref.hide_message(id, type == 'loading'); }, timeout);
     return id;
   };
 
@@ -5475,7 +5484,7 @@
 
   // for reordering column array (Konqueror workaround)
   // and for setting some message list global variables
-  this.set_message_coltypes = function(coltypes, repl)
+  this.set_message_coltypes = function(coltypes, repl, smart_col)
   {
     var list = this.message_list,
       thead = list ? list.list.tHead : null,
@@ -5503,7 +5512,7 @@
 
       for (n=0, len=this.env.coltypes.length; n<len; n++) {
         col = this.env.coltypes[n];
-        if ((cell = thead.rows[0].cells[n]) && (col=='from' || col=='to')) {
+        if ((cell = thead.rows[0].cells[n]) && (col == 'from' || col == 'to' || col == 'fromto')) {
           cell.id = 'rcm'+col;
           // if we have links for sorting, it's a bit more complicated...
           if (cell.firstChild && cell.firstChild.tagName.toLowerCase()=='a') {
@@ -5511,7 +5520,7 @@
             cell.onclick = function(){ return rcmail.command('sort', this.__col, this); };
             cell.__col = col;
           }
-          cell.innerHTML = this.get_label(col);
+          cell.innerHTML = this.get_label(col == 'fromto' ? smart_col : col);
         }
       }
     }
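Review bot: `smart_col` on the new line 314 is passed straight to `get_label` with no fallback, and the new third parameter is added to the signature in the hunk at line 296 without a default; any caller still passing two arguments reaches `get_label(undefined)` for a `'fromto'` column, so the header label depends on how `get_label` handles an undefined key. A guard such as `cell.innerHTML = this.get_label(col == 'fromto' && smart_col ? smart_col : col);` keeps old callers rendering a sensible header; which column name is the right fallback cannot be told from this hunk. The result is still written with `innerHTML`; if labels are plain text rather than markup, `$(cell).text(...)` would be the safer sink, but that is pre-existing behavior on the replaced line. `set_message_coltypes` continues outside the hunk.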

--
Gitblit v1.9.1