From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/js/list.js |   34 ++++++++++++++++++++++------------
 1 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/program/js/list.js b/program/js/list.js
index 874f8f7..f6380ad 100644
--- a/program/js/list.js
+++ b/program/js/list.js
@@ -36,7 +36,7 @@
   this.colcount = 0;
 
   this.subject_col = -1;
-  this.shiftkey = false;
+  this.modkey = 0;
   this.multiselect = false;
   this.multiexpand = false;
   this.multi_selecting = false;
@@ -182,8 +182,12 @@
  */
 remove_row: function(uid, sel_next)
 {
-  if (this.rows[uid].obj)
-    this.rows[uid].obj.style.display = 'none';
+  var obj = this.rows[uid] ? this.rows[uid].obj : null;
+
+  if (!obj)
+    return;
+
+  obj.style.display = 'none';
 
   if (sel_next)
     this.select_next();
@@ -648,7 +652,7 @@
       case CONTROL_KEY:
         if (!with_mouse)
           this.highlight_row(id, true);
-        break; 
+        break;
 
       case CONTROL_SHIFT_KEY:
         this.shift_select(id, true);
@@ -954,7 +958,8 @@
  */
 key_press: function(e)
 {
-  if (this.focused != true)
+  var target = e.target || {};
+  if (this.focused != true || target.nodeName == 'INPUT' || target.nodeName == 'TEXTAREA' || target.nodeName == 'SELECT')
     return true;
 
   var keyCode = rcube_event.get_keycode(e),
@@ -962,7 +967,7 @@
 
   switch (keyCode) {
     case 40:
-    case 38: 
+    case 38:
     case 63233: // "down", in safari keypress
     case 63232: // "up", in safari keypress
       // Stop propagation so that the browser doesn't scroll
@@ -976,7 +981,9 @@
       rcube_event.cancel(e);
       var ret = this.use_plusminus_key(keyCode, mod_key);
       this.key_pressed = keyCode;
+      this.modkey = mod_key;
       this.triggerEvent('keypress');
+      this.modkey = 0;
       return ret;
     case 36: // Home
       this.select_first(mod_key);
@@ -985,11 +992,10 @@
       this.select_last(mod_key);
       return rcube_event.cancel(e);
     default:
-      this.shiftkey = e.shiftKey;
       this.key_pressed = keyCode;
+      this.modkey = mod_key;
       this.triggerEvent('keypress');
-      // reset shiftkey flag, we need it only for registered events
-      this.shiftkey = false;
+      this.modkey = 0;
 
       if (this.key_pressed == this.BACKSPACE_KEY)
         return rcube_event.cancel(e);
@@ -1003,13 +1009,17 @@
  */
 key_down: function(e)
 {
+  var target = e.target || {};
+  if (this.focused != true || target.nodeName == 'INPUT' || target.nodeName == 'TEXTAREA' || target.nodeName == 'SELECT')
+    return true;
+  
   switch (rcube_event.get_keycode(e)) {
     case 27:
       if (this.drag_active)
-	    return this.drag_mouse_up(e);
+      return this.drag_mouse_up(e);
       if (this.col_drag_active) {
         this.selected_column = null;
-	    return this.column_drag_mouse_up(e);
+        return this.column_drag_mouse_up(e);
       }
 
     case 40:
@@ -1044,7 +1054,7 @@
     new_row = this.get_prev_row();
 
   if (new_row) {
-    this.select_row(new_row.uid, mod_key, true);
+    this.select_row(new_row.uid, mod_key, false);
     this.scrollto(new_row.uid);
   }
 

--
Gitblit v1.9.1