From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/steps/mail/headers.inc | 47 +++++++++++++++++++++++++----------------------
 1 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/program/steps/mail/headers.inc b/program/steps/mail/headers.inc
index 946a688..7d166f9 100644
--- a/program/steps/mail/headers.inc
+++ b/program/steps/mail/headers.inc
@@ -3,8 +3,8 @@
 +-----------------------------------------------------------------------+
 | program/steps/mail/headers.inc |
 | |
- | This file is part of the RoundCube Webmail client |
- | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland |
+ | This file is part of the Roundcube Webmail client |
+ | Copyright (C) 2005-2007, The Roundcube Dev Team |
 | Licensed under the GNU GPL |
 | |
 | PURPOSE: |
@@ -20,28 +20,31 @@
 if ($uid = get_input_value('_uid', RCUBE_INPUT_POST))
 {
-  $source = $IMAP->get_raw_headers($uid);
+    $source = $IMAP->get_raw_headers($uid);
 
-  if ($source)
-  {
-    $source = htmlspecialchars(trim($source));
-    $source = preg_replace(
-      array(
-        '/\n[\t\s]+/',
-        '/^([a-z0-9_:-]+)/im',
-        '/\r?\n/'
-      ),
-      array(
-        "\n ",
-        '<font class="bold">\1</font>',
-        '<br />'
-      ), $source);
-
-    $OUTPUT->command('set_headers', $source);
-    $OUTPUT->send();
+    if ($source !== false) {
+        $source = htmlspecialchars(trim($source));
+        $source = preg_replace(
+            array(
+                '/\n[\t\s]+/',
+                '/^([a-z0-9_:-]+)/im',
+                '/\r?\n/'
+            ),
+            array(
+                "\n ",
+                '<font class="bold">\1</font>',
+                '<br />'
+            ), $source);
+
+        $OUTPUT->command('set_headers', $source);
     }
+    else {
+        $RCMAIL->output->show_message('messageopenerror', 'error');
+    }
+
+    $OUTPUT->send();
 }
-
+
 exit;
-?>
+
-- 
Gitblit v1.9.1
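Review bot: `htmlspecialchars(trim($source))` in the new `if ($source !== false)` branch escapes raw message headers — content controlled by whoever sent the mail — with PHP's default flags and charset, so on the PHP versions of this era single quotes pass through unescaped and, depending on the version's default charset, invalid byte sequences are either passed through untouched or turn the whole result into an empty string; make both explicit, `$source = htmlspecialchars(trim($source), ENT_QUOTES, 'UTF-8');` (with the charset matching what the output actually uses). The following `preg_replace` wrapping `\1` in `<font class="bold">` stays safe only because the capture group is limited to `[a-z0-9_:-]`, which can never contain the entities just produced; a comment such as `// capture is restricted to safe chars: widening this class would reintroduce markup injection` would stop a later edit of the pattern from reopening that. The error branch calls `$RCMAIL->output->show_message(...)` while the success branch calls `$OUTPUT->command(...)`; if these are the same object, `$OUTPUT->show_message('messageopenerror', 'error');` would be consistent. The commit subject refers to the `_session` argument of utils/save-prefs, which this diff does not touch, so the patch looks mis-titled or incomplete.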