From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/check_recent.inc |  105 ++++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 80 insertions(+), 25 deletions(-)

diff --git a/program/steps/mail/check_recent.inc b/program/steps/mail/check_recent.inc
index 3d0ceb2..4ec27c0 100644
--- a/program/steps/mail/check_recent.inc
+++ b/program/steps/mail/check_recent.inc
@@ -4,12 +4,12 @@
  +-----------------------------------------------------------------------+
  | program/steps/mail/check_recent.inc                                   |
  |                                                                       |
- | This file is part of the RoundCube Webmail client                     |
- | Copyright (C) 2005, RoundCube Dev. - Switzerland                      |
+ | This file is part of the Roundcube Webmail client                     |
+ | Copyright (C) 2005-2010, The Roundcube Dev Team                       |
  | Licensed under the GNU GPL                                            |
  |                                                                       |
  | PURPOSE:                                                              |
- |   Check for recent messages                                           |
+ |   Check for recent messages, in all mailboxes                         |
  |                                                                       |
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
@@ -19,29 +19,84 @@
 
 */
 
-$REMOTE_REQUEST = TRUE;
-$mbox = $IMAP->get_mailbox_name();
+$current = $IMAP->get_mailbox_name();
+$check_all = !empty($_GET['_refresh']) || (bool)$RCMAIL->config->get('check_all_folders');
 
-if ($recent_count = $IMAP->messagecount(NULL, 'RECENT', TRUE))
-  {
-  $count = $IMAP->messagecount();
-  $unread_count = $IMAP->messagecount(NULL, 'UNSEEN', TRUE);
-    
-  $commands = sprintf("this.set_unread_count('%s', %d, true);\n", addslashes($mbox), $unread_count);
-  $commands .= sprintf("this.set_env('messagecount', %d);\n", $count);
-  $commands .= sprintf("this.set_rowcount('%s');\n", rcmail_get_messagecount_text());
-  
-  // add new message headers to list
-  $a_headers = array();
-  for ($i=$recent_count, $id=$count-$recent_count+1; $i>0; $i--, $id++)
-    $a_headers[] = $IMAP->get_headers($id, NULL, FALSE);
-    
-  $commands .= rcmail_js_message_list($a_headers, TRUE);
-  }
+// list of folders to check
+if ($check_all) {
+    $a_mailboxes = $IMAP->list_mailboxes('', '*', 'mail');
+}
+else {
+    $a_mailboxes = (array) $current;
+    if ($a_mailboxes[0] != 'INBOX')
+        $a_mailboxes[] = 'INBOX';
+}
 
-if (strtoupper($mbox)!='INBOX' && $IMAP->messagecount('INBOX', 'RECENT'))
-  $commands = sprintf("this.set_unread_count('INBOX', %d);\n", $IMAP->messagecount('INBOX', 'UNSEEN'));
+// check recent/unseen counts
+foreach ($a_mailboxes as $mbox_name) {
+    $is_current = $mbox_name == $current;
+    if ($is_current) {
+        // Synchronize mailbox cache, handle flag changes
+        $IMAP->mailbox_sync($mbox_name);
+    }
 
+    // Get mailbox status
+    $status = $IMAP->mailbox_status($mbox_name);
 
-rcube_remote_response($commands);
-?>
\ No newline at end of file
+    if ($status & 1) {
+        // trigger plugin hook
+        $RCMAIL->plugins->exec_hook('new_messages',
+            array('mailbox' => $mbox_name, 'is_current' => $is_current));
+    }
+
+    rcmail_send_unread_count($mbox_name, true);
+
+    if ($status && $is_current) {
+        // refresh saved search set
+        $search_request = get_input_value('_search', RCUBE_INPUT_GPC);
+        if ($search_request && isset($_SESSION['search'])
+            && $_SESSION['search_request'] == $search_request
+        ) {
+            $_SESSION['search'] = $IMAP->refresh_search();
+        }
+
+        if (!empty($_GET['_quota']))
+            $OUTPUT->command('set_quota', rcmail_quota_content());
+
+        // "No-list" mode, don't get messages
+        if (empty($_GET['_list']))
+            continue;
+
+        // get overall message count; allow caching because rcube_imap::mailbox_status() did a refresh
+        $all_count = $IMAP->messagecount(null, $IMAP->threading ? 'THREADS' : 'ALL');
+
+        // check current page if we're not on the first page
+        if ($all_count && $IMAP->list_page > 1) {
+            $remaining = $all_count - $IMAP->page_size * ($IMAP->list_page - 1);
+            if ($remaining <= 0) {
+                $IMAP->set_page($IMAP->list_page-1);
+                $_SESSION['page'] = $IMAP->list_page;
+            }
+        }
+
+        $OUTPUT->set_env('messagecount', $all_count);
+        $OUTPUT->set_env('pagecount', ceil($all_count/$IMAP->page_size));
+        $OUTPUT->command('set_rowcount', rcmail_get_messagecount_text($all_count), $mbox_name);
+        $OUTPUT->set_env('current_page', $all_count ? $IMAP->list_page : 1);
+
+        // remove old rows (and clear selection if new list is empty)
+        $OUTPUT->command('message_list.clear', $all_count ? false : true);
+
+        if ($all_count) {
+            $a_headers = $IMAP->list_headers($mbox_name, null, rcmail_sort_column(), rcmail_sort_order());
+            // add message rows
+            rcmail_js_message_list($a_headers, false);
+            // remove messages that don't exists from list selection array
+            $OUTPUT->command('update_selection');
+        }
+    }
+}
+
+$RCMAIL->plugins->exec_hook('keep_alive', array());
+
+$OUTPUT->send();
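Review bot: The saved-search check `$_SESSION['search_request'] == $search_request` compares a request-supplied `_search` value (read with RCUBE_INPUT_GPC) against session state using loose equality, and only `$_SESSION['search']` is guarded with isset(). PHP's `==` applies numeric juggling to numeric-looking strings, so two different identifiers can compare equal, and an unset `search_request` key raises a notice; assuming both values are strings, `&& isset($_SESSION['search_request']) && $_SESSION['search_request'] === $search_request` is the safer form. Separately, `$check_all` is switched on by any request carrying `_refresh`, which makes the per-folder `mailbox_status()` loop client-triggered; a comment saying this is intended (or a config gate) would help. Nothing in this hunk touches a `_session` argument or utils/save-prefs, so the subject line does not appear to describe this diff and should be confirmed against the referenced ticket.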

--
Gitblit v1.9.1