From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/steps/mail/compose.inc | 31 +++++++++++++++----------------
 1 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 7172960..2e12b0f 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -243,7 +243,8 @@
 if (count($MESSAGE->identities)) {
 foreach ($MESSAGE->identities as $idx => $ident) {
- $email = mb_strtolower(rcube_idn_to_utf8($ident['email']));
+ $ident['email'] = format_email($ident['email']);
+ $email = format_email(rcube_idn_to_utf8($ident['email']));
 $MESSAGE->identities[$idx]['email_ascii'] = $ident['email'];
 $MESSAGE->identities[$idx]['ident'] = format_email_recipient($ident['email'], $ident['name']);
@@ -268,7 +269,7 @@
 $a_to = $IMAP->decode_address_list($MESSAGE->headers->to);
 foreach ($a_to as $addr) {
 if (!empty($addr['mailto'])) {
- $a_recipients[] = strtolower($addr['mailto']);
+ $a_recipients[] = format_email($addr['mailto']);
 $a_names[] = $addr['name'];
 }
 }
@@ -277,7 +278,7 @@
 $a_cc = $IMAP->decode_address_list($MESSAGE->headers->cc);
 foreach ($a_cc as $addr) {
 if (!empty($addr['mailto'])) {
- $a_recipients[] = strtolower($addr['mailto']);
+ $a_recipients[] = format_email($addr['mailto']);
 $a_names[] = $addr['name'];
 }
 }
@@ -424,7 +425,7 @@
 if (empty($addr_part['mailto']))
 continue;
- $mailto = mb_strtolower(rcube_idn_to_utf8($addr_part['mailto']));
+ $mailto = format_email(rcube_idn_to_utf8($addr_part['mailto']));
 if (!in_array($mailto, $a_recipients)
 && ($header == 'to' || empty($MESSAGE->compose['from_email']) || $mailto != $MESSAGE->compose['from_email'])
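Review bot: The new `format_email()` normalization has to be identical on every side that is later compared: `$email` in this hunk, the `$a_recipients[]` entries at -268 and -277, and `$mailto` at -424, which feeds the non-strict `in_array($mailto, $a_recipients)` and `$mailto != $MESSAGE->compose['from_email']` tests. If `format_email()` (not shown in this diff) lowercases less than the `strtolower`/`mb_strtolower` it replaces, the duplicate-recipient and own-address checks become case-sensitive where they were not, so the intent deserves a comment at the first call, e.g. `// format_email() is the single normalization applied to identity, recipient and from_email before they are compared`. Note that `$ident` is the by-value foreach copy, so `$ident['email'] = format_email(...)` only reaches the `email_ascii`/`ident` lines below it; whatever assigns `$MESSAGE->identities[$idx]['email']` lies outside the hunk and should use the same normalized value. The commit subject (`_session` argument of utils/save-prefs) does not describe this diff, which touches only compose.inc; the message should say what changed here.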
@@ -715,7 +716,7 @@
 if ($isHtml) {
 $attrib['class'] = 'mce_editor';
 $textarea = new html_textarea($attrib);
- $out .= $textarea->show($MESSAGE_BODY);
+ $out .= $textarea->show(htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET));
 }
 else {
 $textarea = new html_textarea($attrib);
@@ -900,18 +901,18 @@
 "<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
 rcube_label('subject'), Q($MESSAGE->subject),
 rcube_label('date'), Q($date),
- rcube_label('from'), htmlspecialchars(Q($MESSAGE->get_header('from'), 'replace'), ENT_COMPAT, $charset),
- rcube_label('to'), htmlspecialchars(Q($MESSAGE->get_header('to'), 'replace'), ENT_COMPAT, $charset));
+ rcube_label('from'), Q($MESSAGE->get_header('from'), 'replace'),
+ rcube_label('to'), Q($MESSAGE->get_header('to'), 'replace'));
 if ($MESSAGE->headers->cc)
 $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
 rcube_label('cc'),
- htmlspecialchars(Q($MESSAGE->get_header('cc'), 'replace'), ENT_COMPAT, $charset));
+ Q($MESSAGE->get_header('cc'), 'replace'));
 if ($MESSAGE->headers->replyto && $MESSAGE->headers->replyto != $MESSAGE->headers->from)
 $prefix .= sprintf("<tr><th align=\"right\" nowrap=\"nowrap\" valign=\"baseline\">%s: </th><td>%s</td></tr>",
 rcube_label('replyto'),
- htmlspecialchars(Q($MESSAGE->get_header('replyto'), 'replace'), ENT_COMPAT, $charset));
+ Q($MESSAGE->get_header('replyto'), 'replace'));
 $prefix .= "</tbody></table><br>";
 }
@@ -1238,7 +1239,7 @@
 'title' => rcube_label('delete'),
 'onclick' => sprintf("return %s.command('remove-attachment','rcmfile%s', this)", JS_OBJECT_NAME, $id)),
 $button) . Q($a_prop['name']));
-
+
 $jslist['rcmfile'.$id] = array('name' => $a_prop['name'], 'complete' => true, 'mimetype' => $a_prop['mimetype']);
 }
 }
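Review bot: `htmlentities($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET)` on the HTML-editor branch is only right if `html_textarea::show()` does not escape the value a second time; whether it does is not visible in this diff (the plain-text branch's `show()` call and the class itself are outside the hunk), and the answer decides between correct output and a body full of literal `&lt;` in the editor, so state it on the new line, e.g. `// body is escaped here; html_textarea::show() must not escape it again`. `htmlentities()` also rewrites every character that has a named entity, not only `<`, `>` and `&`, which alters the body the editor receives unless it is expected to decode them; `htmlspecialchars($MESSAGE_BODY, ENT_NOQUOTES, RCMAIL_CHARSET)` is the minimal escape for textarea element content. `ENT_NOQUOTES` is acceptable because the value lands in element content rather than an attribute, and that reasoning is worth a comment too.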
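Review bot: Dropping the `htmlspecialchars(..., ENT_COMPAT, $charset)` wrappers around `Q(..., 'replace')` at -900 removes a double-encoding of the from/to/cc/replyto cells, but it may leave `$charset` unused in this block if those calls were its only consumers; its assignment is above the hunk and should be removed together with them. `Q()` is now the sole HTML escape for values interpolated into `<td>%s</td>`, so a comment would keep the next reader from re-adding the wrapper: `// Q() already HTML-escapes; wrapping it in htmlspecialchars() double-encodes entities`. The enclosing sprintf() starts above the hunk.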
@@ -1252,14 +1253,14 @@
 $OUTPUT->set_env('attachments', $jslist);
 $OUTPUT->add_gui_object('attachmentlist', $attrib['id']);
-
+
 return html::tag('ul', $attrib, $out, html::$common_attrib);
 }
 function rcmail_compose_attachment_form($attrib)
 {
- global $RCMAIL, $OUTPUT;
+ global $OUTPUT;
 // add ID if not given
 if (!$attrib['id'])
@@ -1300,7 +1301,7 @@
 function rcmail_priority_selector($attrib)
 {
 global $MESSAGE;
-
+
 list($form_start, $form_end) = get_form_tags($attrib);
 unset($attrib['form']);
@@ -1337,7 +1338,7 @@
 unset($attrib['form']);
 if (!isset($attrib['id']))
- $attrib['id'] = 'receipt';
+ $attrib['id'] = 'receipt';
 $attrib['name'] = '_receipt';
 $attrib['value'] = '1';
@@ -1380,8 +1381,6 @@
 function rcmail_editor_selector($attrib)
 {
- global $CONFIG, $MESSAGE, $compose_mode;
-
 // determine whether HTML or plain text should be checked
 $useHtml = rcmail_compose_editor_mode();
-- 
Gitblit v1.9.1
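Review bot: Removing `$RCMAIL` from the `global` line of `rcmail_compose_attachment_form()` at -1252, and `$CONFIG`, `$MESSAGE`, `$compose_mode` from `rcmail_editor_selector()` at -1380, is safe only if neither body references those names further down; both bodies continue past their hunks, so the diff cannot confirm it. A dropped `global` does not fail loudly in PHP: a later `$MESSAGE->...` silently becomes an access on an undefined local, so the two bodies should be checked for remaining uses before this is merged. The remaining hunks at -1300 and -1337 are whitespace only.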