From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/addcontact.inc |  104 +++++++++++++++++++++++++++++++++------------------
 1 files changed, 67 insertions(+), 37 deletions(-)

diff --git a/program/steps/mail/addcontact.inc b/program/steps/mail/addcontact.inc
index 722b0f2..ca8d66c 100644
--- a/program/steps/mail/addcontact.inc
+++ b/program/steps/mail/addcontact.inc
@@ -4,8 +4,8 @@
  +-----------------------------------------------------------------------+
  | program/steps/mail/addcontact.inc                                     |
  |                                                                       |
- | This file is part of the RoundCube Webmail client                     |
- | Copyright (C) 2005, RoundCube Dev. - Switzerland                      |
+ | This file is part of the Roundcube Webmail client                     |
+ | Copyright (C) 2005-2009, The Roundcube Dev Team                       |
  | Licensed under the GNU GPL                                            |
  |                                                                       |
  | PURPOSE:                                                              |
@@ -19,49 +19,79 @@
 
 */
 
-$REMOTE_REQUEST = TRUE;
+// only process ajax requests
+if (!$OUTPUT->ajax_call)
+  return;
 
-if (!empty($_GET['_address']))
-  {
-  $contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_GET));
-  if (sizeof($contact_arr))
-    {
-    $contact = $contact_arr[1];
+$abook = $RCMAIL->config->get('default_addressbook');
 
-    if ($contact['mailto'])
-      $sql_result = $DB->query("SELECT 1 FROM ".get_table_name('contacts')."
-                                WHERE  user_id=?
-                                AND    email=?
-                                AND    del<>1",
-                                $_SESSION['user_id'],$contact['mailto']);
+// Get configured addressbook
+$CONTACTS = $RCMAIL->get_address_book($abook, true);
 
-    // contact entry with this mail address exists
-    if ($sql_result && $DB->num_rows($sql_result))
-      $existing_contact = TRUE;
+// Get first writeable addressbook if the configured doesn't exist
+// This can happen when user deleted the addressbook (e.g. Kolab folder)
+if ($abook == null || !is_object($CONTACTS)) {
+  $source = reset($RCMAIL->get_address_sources(true));
+  $CONTACTS = $RCMAIL->get_address_book($source['id'], true);
+}
 
-    else if ($contact['mailto'])
-      {
-      $DB->query("INSERT INTO ".get_table_name('contacts')."
-                  (user_id, changed, del, name, email)
-                  VALUES (?, now(), 0, ?, ?)",
-                  $_SESSION['user_id'],
-                  $contact['name'],
-                  $contact['mailto']);
+if (!empty($_POST['_address']) && is_object($CONTACTS))
+{
+  $contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_POST, true), 1, false);
 
-      $added = $DB->insert_id(get_sequence_name('contacts'));
-      }
+  if (!empty($contact_arr[1]['mailto'])) {
+    $contact = array(
+      'email' => $contact_arr[1]['mailto'],
+      'name' => $contact_arr[1]['name']
+    );
+
+    // Validity checks
+    if (empty($contact['email'])) {
+      $OUTPUT->show_message('errorsavingcontact', 'error');
+      $OUTPUT->send();
     }
 
-  if ($added)
-    $commands = show_message('addedsuccessfully', 'confirmation');
-  else if ($existing_contact)
-    $commands = show_message('contactexists', 'warning');
+    $email = rcube_idn_to_ascii($contact['email']);
+    if (!check_email($email, false)) {
+      $OUTPUT->show_message('emailformaterror', 'error', array('email' => $contact['email']));
+      $OUTPUT->send();
+    }
+
+    $contact['email'] = rcube_idn_to_utf8($contact['email']);
+    $contact = $RCMAIL->plugins->exec_hook('contact_displayname', $contact);
+
+    if (empty($contact['firstname']) || empty($contact['surname']))
+      $contact['name'] = rcube_addressbook::compose_display_name($contact);
+
+    // validate contact record
+    if (!$CONTACTS->validate($contact, true)) {
+      $error = $CONTACTS->get_error();
+      // TODO: show dialog to complete record
+      // if ($error['type'] == rcube_addressbook::ERROR_VALIDATE) { }
+
+      $OUTPUT->show_message($error['message'] ? $error['message'] : 'errorsavingcontact', 'error');
+      $OUTPUT->send();
+    }
+
+    // check for existing contacts
+    $existing = $CONTACTS->search('email', $contact['email'], 1, false);
+
+    if ($done = $existing->count)
+      $OUTPUT->show_message('contactexists', 'warning');
+    else {
+      $plugin = $RCMAIL->plugins->exec_hook('contact_create', array('record' => $contact, 'source' => null));
+      $contact = $plugin['record'];
+
+      $done = !$plugin['abort'] ? $CONTACTS->insert($contact) : $plugin['result'];
+
+      if ($done)
+        $OUTPUT->show_message('addedsuccessfully', 'confirmation');
+    }
   }
+}
 
+if (!$done)
+  $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'errorsavingcontact', 'error');
 
-if (!$commands)
-  $commands = show_message('errorsavingcontact', 'warning');
+$OUTPUT->send();
 
-rcube_remote_response($commands);  
-exit;
-?>
\ No newline at end of file
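Review bot: `$done` and `$plugin` are never initialised before the `if (!empty($_POST['_address']) && is_object($CONTACTS))` block, so when the request carries no address, or no writeable addressbook was found, the trailing `if (!$done)` and the `$plugin['message']` read at the end of the hunk operate on undefined variables and emit notices before falling back to `errorsavingcontact`. Initialise both once before that block, `$done = false;` and `$plugin = array();`, so the final error path is explicit instead of relying on an unset variable being falsy. The `reset($RCMAIL->get_address_sources(true))` fallback also yields `false` when no writeable source exists, leaving `$source['id']` null, so guarding it with `if ($source)` would avoid asking `get_address_book()` for a null id. The third argument to `get_input_value()` on the `decode_address_list` line looks like the allow-html flag, in which case the stored `$contact['name']` may retain markup; confirm that every place rendering the contact name escapes it for HTML. Separately, the patch subject refers to the `_session` argument of utils/save-prefs while the diffstat and both hunks only touch program/steps/mail/addcontact.inc.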

--
Gitblit v1.9.1