From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/check_recent.inc | 61 +++++++++++++++++++-----------
 1 files changed, 38 insertions(+), 23 deletions(-)

diff --git a/program/steps/mail/check_recent.inc b/program/steps/mail/check_recent.inc
index 76546ac..4ec27c0 100644
--- a/program/steps/mail/check_recent.inc
+++ b/program/steps/mail/check_recent.inc
@@ -4,8 +4,8 @@
  +-----------------------------------------------------------------------+
  | program/steps/mail/check_recent.inc |
  | |
- | This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2010, RoundCube Dev. - Switzerland |
+ | This file is part of the Roundcube Webmail client |
+ | Copyright (C) 2005-2010, The Roundcube Dev Team |
  | Licensed under the GNU GPL |
  | |
  | PURPOSE: |
@@ -21,18 +21,43 @@
 $current = $IMAP->get_mailbox_name();
 $check_all = !empty($_GET['_refresh']) || (bool)$RCMAIL->config->get('check_all_folders');
-$a_mailboxes = $check_all ? $IMAP->list_mailboxes() : (array)$current;
-// check recent/unseen counts for all mailboxes
+// list of folders to check
+if ($check_all) {
+ $a_mailboxes = $IMAP->list_mailboxes('', '*', 'mail');
+}
+else {
+ $a_mailboxes = (array) $current;
+ if ($a_mailboxes[0] != 'INBOX')
+ $a_mailboxes[] = 'INBOX';
+}
+
+// check recent/unseen counts
 foreach ($a_mailboxes as $mbox_name) {
- if ($mbox_name == $current && ($status = $IMAP->mailbox_status($mbox_name))) {
+ $is_current = $mbox_name == $current;
+ if ($is_current) {
+ // Synchronize mailbox cache, handle flag changes
+ $IMAP->mailbox_sync($mbox_name);
+ }
- rcmail_send_unread_count($mbox_name, true);
+ // Get mailbox status
+ $status = $IMAP->mailbox_status($mbox_name);
+ if ($status & 1) {
+ // trigger plugin hook
+ $RCMAIL->plugins->exec_hook('new_messages',
+ array('mailbox' => $mbox_name, 'is_current' => $is_current));
+ }
+
+ rcmail_send_unread_count($mbox_name, true);
+
+ if ($status && $is_current) {
 // refresh saved search set
 $search_request = get_input_value('_search', RCUBE_INPUT_GPC);
- if ($search_request && isset($_SESSION['search'][$search_request])) {
- $_SESSION['search'][$search_request] = $IMAP->refresh_search();
+ if ($search_request && isset($_SESSION['search'])
+ && $_SESSION['search_request'] == $search_request
+ ) {
+ $_SESSION['search'] = $IMAP->refresh_search();
 }
 if (!empty($_GET['_quota']))
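Review bot: The refreshed-search guard at the end of the hunk compares the request value from `get_input_value('_search', RCUBE_INPUT_GPC)` against the session with `==`, and it reads `$_SESSION['search_request']` while only `$_SESSION['search']` is covered by the `isset`; a strict string comparison with both keys checked keeps a crafted `_search` value from matching through PHP's loose-comparison rules and avoids an undefined-index notice: `if ($search_request && isset($_SESSION['search'], $_SESSION['search_request'])` / `&& (string) $_SESSION['search_request'] === (string) $search_request` / `) {`. In the else branch near the top, `$a_mailboxes[0] != 'INBOX'` raises an undefined-offset notice if `get_mailbox_name()` can return null (`(array) null` is an empty array); `!in_array('INBOX', $a_mailboxes, true)` is safe either way, though whether that case can occur is not visible here. The `$status & 1` test is undocumented at its new location; the bit presumably flags newly arrived messages, since it gates the `new_messages` hook, so a comment such as `// bit 1 of $IMAP->mailbox_status(): new messages arrived — confirm against that method` would help the next reader. Note also that the commit subject refers to the `_session` argument of utils/save-prefs, while this patch only touches check_recent.inc, so the subject and the diff appear to belong to different changes. The foreach body this hunk opens continues in the next hunk.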
@@ -56,32 +81,22 @@
 $OUTPUT->set_env('messagecount', $all_count);
 $OUTPUT->set_env('pagecount', ceil($all_count/$IMAP->page_size));
- $OUTPUT->command('set_rowcount', rcmail_get_messagecount_text($all_count));
+ $OUTPUT->command('set_rowcount', rcmail_get_messagecount_text($all_count), $mbox_name);
 $OUTPUT->set_env('current_page', $all_count ? $IMAP->list_page : 1);
-
- if ($status & 1) {
- if ($RCMAIL->config->get('focus_on_new_message', true))
- $OUTPUT->command('new_message_focus');
- // trigger plugin hook
- $RCMAIL->plugins->exec_hook('new_messages', array('mailbox' => $mbox_name));
- }
 // remove old rows (and clear selection if new list is empty)
 $OUTPUT->command('message_list.clear', $all_count ? false : true);
 if ($all_count) {
- $a_headers = $IMAP->list_headers($mbox_name, null, $_SESSION['sort_col'], $_SESSION['sort_order']);
+ $a_headers = $IMAP->list_headers($mbox_name, null, rcmail_sort_column(), rcmail_sort_order());
 // add message rows
- rcmail_js_message_list($a_headers, false, false);
+ rcmail_js_message_list($a_headers, false);
 // remove messages that don't exists from list selection array
 $OUTPUT->command('update_selection');
 }
 }
- else {
- rcmail_send_unread_count($mbox_name, true);
- }
 }
-$OUTPUT->send();
+$RCMAIL->plugins->exec_hook('keep_alive', array());
-?>
+$OUTPUT->send();
-- 
Gitblit v1.9.1
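Review bot: The removed block in the middle of the hunk also drops the `focus_on_new_message` config check and the `new_message_focus` client command, and nothing on the new side of this patch re-issues them (only the `new_messages` hook was moved into the loop in the previous hunk); unless the client or a plugin now handles focusing, the `focus_on_new_message` option becomes dead, which the commit message does not mention. If that is intended, a comment at the point where the hook now fires, e.g. `// focus handling no longer done here; focus_on_new_message is not read in this step`, would keep the next reader from looking for it. The `keep_alive` hook added before `$OUTPUT->send()` is called with an empty argument array and its return value is discarded, so any data a plugin returns through it is lost at this call site. The foreach this hunk closes begins in the previous hunk.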