From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/compose.inc |   44 +++++++++++++++++++++++++-------------------
 1 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index d98452a..2e12b0f 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -124,7 +124,7 @@
 $OUTPUT->add_label('nosubject', 'nosenderwarning', 'norecipientwarning', 'nosubjectwarning', 'cancel',
     'nobodywarning', 'notsentwarning', 'notuploadedwarning', 'savingmessage', 'sendingmessage', 
     'messagesaved', 'converting', 'editorwarning', 'searching', 'uploading', 'uploadingmany',
-    'fileuploaderror');
+    'fileuploaderror', 'sendmessage');
 
 $OUTPUT->set_env('compose_id', $COMPOSE['id']);
 
@@ -138,6 +138,9 @@
 $OUTPUT->set_env('sig_above', $RCMAIL->config->get('sig_above', false));
 $OUTPUT->set_env('top_posting', $RCMAIL->config->get('top_posting', false));
 $OUTPUT->set_env('recipients_separator', trim($RCMAIL->config->get('recipients_separator', ',')));
+
+// use jquery UI for showing prompt() dialogs
+$RCMAIL->plugins->load_plugin('jqueryui');
 
 // get reference message and set compose mode
 if ($msg_uid = $COMPOSE['param']['draft_uid']) {
@@ -240,7 +243,8 @@
 if (count($MESSAGE->identities))
 {
   foreach ($MESSAGE->identities as $idx => $ident) {
-    $email = mb_strtolower(rcube_idn_to_utf8($ident['email']));
+    $ident['email'] = format_email($ident['email']);
+    $email = format_email(rcube_idn_to_utf8($ident['email']));
 
     $MESSAGE->identities[$idx]['email_ascii'] = $ident['email'];
     $MESSAGE->identities[$idx]['ident']       = format_email_recipient($ident['email'], $ident['name']);
@@ -265,7 +269,7 @@
     $a_to = $IMAP->decode_address_list($MESSAGE->headers->to);
     foreach ($a_to as $addr) {
       if (!empty($addr['mailto'])) {
-        $a_recipients[] = strtolower($addr['mailto']);
+        $a_recipients[] = format_email($addr['mailto']);
         $a_names[]      = $addr['name'];
       }
     }
@@ -274,7 +278,7 @@
       $a_cc = $IMAP->decode_address_list($MESSAGE->headers->cc);
       foreach ($a_cc as $addr) {
         if (!empty($addr['mailto'])) {
-          $a_recipients[] = strtolower($addr['mailto']);
+          $a_recipients[] = format_email($addr['mailto']);
           $a_names[]      = $addr['name'];
         }
       }
@@ -346,10 +350,14 @@
 
   // we have a set of recipients stored is session
   if ($header == 'to' && ($mailto_id = $COMPOSE['param']['mailto'])
-      && $COMPOSE[$mailto_id]
+      && $_SESSION['mailto'][$mailto_id]
   ) {
-    $fvalue = urldecode($COMPOSE[$mailto_id]);
+    $fvalue = urldecode($_SESSION['mailto'][$mailto_id]);
     $decode_header = false;
+
+    // make session to not grow up too much
+    unset($_SESSION['mailto'][$mailto_id]);
+    $COMPOSE['param']['to'] = $fvalue;
   }
   else if (!empty($_POST['_'.$header])) {
     $fvalue = get_input_value('_'.$header, RCUBE_INPUT_POST, TRUE);
@@ -417,7 +425,7 @@
       if (empty($addr_part['mailto']))
         continue;
 
-      $mailto = mb_strtolower(rcube_idn_to_utf8($addr_part['mailto']));
+      $mailto = format_email(rcube_idn_to_utf8($addr_part['mailto']));
 
       if (!in_array($mailto, $a_recipients)
         && ($header == 'to' || empty($MESSAGE->compose['from_email']) || $mailto != $MESSAGE->compose['from_email'])
@@ -708,7 +716,7 @@
   if ($isHtml) {
     $attrib['class'] = 'mce_editor';
     $textarea = new html_textarea($attrib);
-    $out .= $textarea->show($MESSAGE_BODY);
+    $out .= $textarea->show(htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET));
   }
   else {
     $textarea = new html_textarea($attrib);
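Review bot: The added `htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET)` only on the HTML-editor branch has no comment explaining why this branch encodes at the call site while the plain-text branch below it apparently does not; it looks like the textarea helper is being bypassed for the `mce_editor` class set two lines above (not visible here, so to be confirmed against `html_textarea::show`). A short why-comment would keep the next maintainer from "simplifying" it away, e.g. `// body is the raw HTML source of the message: encode it here so it cannot close the <textarea> and inject markup, because the editor textarea is not escaped by the helper`. ENT_NOQUOTES is sufficient for element content, since only `<` and `&` are significant inside a textarea body. The enclosing function continues outside the hunk.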
@@ -893,18 +901,18 @@
         "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
       rcube_label('subject'), Q($MESSAGE->subject),
       rcube_label('date'), Q($date),
-      rcube_label('from'), htmlspecialchars(Q($MESSAGE->get_header('from'), 'replace'), ENT_COMPAT, $charset),
-      rcube_label('to'), htmlspecialchars(Q($MESSAGE->get_header('to'), 'replace'), ENT_COMPAT, $charset));
+      rcube_label('from'), Q($MESSAGE->get_header('from'), 'replace'),
+      rcube_label('to'), Q($MESSAGE->get_header('to'), 'replace'));
 
     if ($MESSAGE->headers->cc)
       $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
         rcube_label('cc'),
-        htmlspecialchars(Q($MESSAGE->get_header('cc'), 'replace'), ENT_COMPAT, $charset));
+        Q($MESSAGE->get_header('cc'), 'replace'));
 
     if ($MESSAGE->headers->replyto && $MESSAGE->headers->replyto != $MESSAGE->headers->from)
       $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
         rcube_label('replyto'),
-        htmlspecialchars(Q($MESSAGE->get_header('replyto'), 'replace'), ENT_COMPAT, $charset));
+        Q($MESSAGE->get_header('replyto'), 'replace'));
 
     $prefix .= "</tbody></table><br>";
   }
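Review bot: Dropping the outer `htmlspecialchars(..., ENT_COMPAT, $charset)` around `Q($MESSAGE->get_header('from'), 'replace')` and the `to`/`cc`/`replyto` siblings leaves `Q()` as the sole HTML-escaping step for header values that originate in the incoming message, and nothing in the hunk records that `Q()` in `'replace'` mode escapes for HTML context. If that is the reason the wrapper was redundant (double-encoding of `&amp;` etc.), say so once at the first of these lines, e.g. `// Q() already HTML-escapes in 'replace' mode; a second htmlspecialchars() double-encoded entities`. With the wrapper gone, `$charset` may no longer be referenced in this function; its definition is outside the hunk, so check whether it can be removed. The enclosing function starts before this hunk.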
@@ -1231,7 +1239,7 @@
             'title' => rcube_label('delete'),
             'onclick' => sprintf("return %s.command('remove-attachment','rcmfile%s', this)", JS_OBJECT_NAME, $id)),
           $button) . Q($a_prop['name']));
-        
+
         $jslist['rcmfile'.$id] = array('name' => $a_prop['name'], 'complete' => true, 'mimetype' => $a_prop['mimetype']);
     }
   }
@@ -1245,14 +1253,14 @@
 
   $OUTPUT->set_env('attachments', $jslist);
   $OUTPUT->add_gui_object('attachmentlist', $attrib['id']);
-    
+
   return html::tag('ul', $attrib, $out, html::$common_attrib);
 }
 
 
 function rcmail_compose_attachment_form($attrib)
 {
-  global $RCMAIL, $OUTPUT;
+  global $OUTPUT;
 
   // add ID if not given
   if (!$attrib['id'])
@@ -1293,7 +1301,7 @@
 function rcmail_priority_selector($attrib)
 {
   global $MESSAGE;
-  
+
   list($form_start, $form_end) = get_form_tags($attrib);
   unset($attrib['form']);
 
@@ -1330,7 +1338,7 @@
   unset($attrib['form']);
 
   if (!isset($attrib['id']))
-    $attrib['id'] = 'receipt';  
+    $attrib['id'] = 'receipt';
 
   $attrib['name'] = '_receipt';
   $attrib['value'] = '1';
@@ -1373,8 +1381,6 @@
 
 function rcmail_editor_selector($attrib)
 {
-  global $CONFIG, $MESSAGE, $compose_mode;
-
   // determine whether HTML or plain text should be checked
   $useHtml = rcmail_compose_editor_mode();
 
