From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/steps/mail/search.inc | 150 +++++++++++++++++++++++++++++++------------------
 1 files changed, 93 insertions(+), 57 deletions(-)
diff --git a/program/steps/mail/search.inc b/program/steps/mail/search.inc
index c4b843b..ab026d5 100644
--- a/program/steps/mail/search.inc
+++ b/program/steps/mail/search.inc
@@ -11,6 +11,8 @@ | Thomas Bruederli <roundcube@gmail.com> | +-----------------------------------------------------------------------+ + $Id$ + */ $REMOTE_REQUEST = TRUE;
@@ -21,91 +23,125 @@ $_SESSION['page'] = 1; // using encodeURI with javascript "should" give us -// a correctly UTF-8 encoded query string -$imap_charset = 'UTF-8'; +// a correctly encoded query string +$imap_charset = RCMAIL_CHARSET; // get search string -$str = get_input_value('_search', RCUBE_INPUT_GET); -$mbox = get_input_value('_mbox', RCUBE_INPUT_GET); -$search_request = md5($mbox.$str); +$str = get_input_value('_q', RCUBE_INPUT_GET, true); +$mbox = get_input_value('_mbox', RCUBE_INPUT_GET, true); +$filter = get_input_value('_filter', RCUBE_INPUT_GET); +$headers = get_input_value('_headers', RCUBE_INPUT_GET); +$subject = array(); +$search_request = md5($mbox.$filter.$str); + +// add list filter string +$search_str = $filter && $filter != 'ALL' ? $filter : ''; + +$_SESSION['search_filter'] = $filter; // Check the search string for type of search -if (preg_match("/^from:/i", $str)) +if (preg_match("/^from:.*/i", $str)) { list(,$srch) = explode(":", $str); - $subject = "HEADER FROM"; - $search = trim($srch); + $subject['from'] = "HEADER FROM"; } -else if (preg_match("/^to:/i", $str)) +else if (preg_match("/^to:.*/i", $str)) { list(,$srch) = explode(":", $str); - $subject = "HEADER TO"; - $search = trim($srch); + $subject['to'] = "HEADER TO"; } -else if (preg_match("/^cc:/i", $str)) +else if (preg_match("/^cc:.*/i", $str)) { list(,$srch) = explode(":", $str); - $subject = "HEADER CC"; - $search = trim($srch); + $subject['cc'] = "HEADER CC"; } -else if (preg_match("/^subject:/i", $str)) +else if (preg_match("/^bcc:.*/i", $str)) { list(,$srch) = explode(":", $str); - $subject = "HEADER SUBJECT"; - $search = trim($srch); + $subject['bcc'] = "HEADER BCC"; } -else if (preg_match("/^body:/i", $str)) +else if (preg_match("/^subject:.*/i", $str)) { list(,$srch) = explode(":", $str); - $subject = "TEXT"; - $search = trim($srch); + $subject['subject'] = "HEADER SUBJECT"; } -// search in subject and sender by default -else +else if (preg_match("/^body:.*/i", $str)) { - 
$subject = array("HEADER SUBJECT", "HEADER FROM"); - $search = trim($str); + list(,$srch) = explode(":", $str); + $subject['text'] = "TEXT"; +} +else if (strlen(trim($str))) +{ + if ($headers) { + foreach (explode(',', $headers) as $header) { + if ($header == 'text') { + // #1488208: get rid of other headers when searching by "TEXT" + $subject = array('text' => 'TEXT'); + break; + } + else { + $subject[$header] = 'HEADER '.strtoupper($header); + } + } + + // save search modifiers for the current folder to user prefs + $search_mods = $RCMAIL->config->get('search_mods', $SEARCH_MODS_DEFAULT); + $search_mods[$mbox] = array_fill_keys(array_keys($subject), 1); + $RCMAIL->user->save_prefs(array('search_mods' => $search_mods)); + } else { + // search in subject by default + $subject['subject'] = 'HEADER SUBJECT'; + } } +$search = isset($srch) ? trim($srch) : trim($str); + +if (!empty($subject)) { + $search_str .= str_repeat(' OR', count($subject)-1); + foreach ($subject as $sub) + $search_str .= sprintf(" %s {%d}\r\n%s", $sub, strlen($search), $search); +} + +$search_str = trim($search_str); // execute IMAP search -$result = $IMAP->search($mbox, $subject, $search, $imap_charset); +if ($search_str) + $IMAP->search($mbox, $search_str, $imap_charset, rcmail_sort_column()); -$commands = ''; -$count = 0; - -// Make sure our $result is legit.. -if (is_array($result) && $result[0] != '') - { - // Get the headers - $result_h = $IMAP->list_header_set($mbox, $result, 1, $_SESSION['sort_col'], $_SESSION['sort_order']); - $count = count($result); +// Get the headers +$result_h = $IMAP->list_headers($mbox, 1, rcmail_sort_column(), rcmail_sort_order()); +$count = $IMAP->messagecount(NULL, $IMAP->threading ? 
'THREADS' : 'ALL'); - // save search results in session - if (!is_array($_SESSION['search'])) - $_SESSION['search'] = array(); +// save search results in session +if (!is_array($_SESSION['search'])) + $_SESSION['search'] = array(); - // Make sure we got the headers - if ($result_h != NULL) - { - $_SESSION['search'][$search_request] = $IMAP->get_search_set(); - $commands = rcmail_js_message_list($result_h); - $commands .= show_message('searchsuccessful', 'confirmation', array('nr' => $count)); - } - } -else - { - $commands = show_message('searchnomatch', 'warning'); - $search_request = -1; - } +if ($search_str) { + $_SESSION['search'] = $IMAP->get_search_set(); + $_SESSION['last_text_search'] = $str; +} +$_SESSION['search_request'] = $search_request; + +// Make sure we got the headers +if (!empty($result_h)) { + rcmail_js_message_list($result_h); + if ($search_str) + $OUTPUT->show_message('searchsuccessful', 'confirmation', array('nr' => $IMAP->messagecount(NULL, 'ALL'))); +} +// handle IMAP errors (e.g. #1486905) +else if ($err_code = $IMAP->get_error_code()) { + rcmail_display_server_error(); +} +else { + $OUTPUT->show_message('searchnomatch', 'notice'); +} // update message count display -$pages = ceil($count/$IMAP->page_size); -$commands .= sprintf("\nthis.set_env('search_request', '%s')\n", $search_request); -$commands .= sprintf("this.set_env('messagecount', %d);\n", $count); -$commands .= sprintf("this.set_env('pagecount', %d);\n", $pages); -$commands .= sprintf("this.set_rowcount('%s');\n", rcmail_get_messagecount_text($count, 1)); -rcube_remote_response($commands); +$OUTPUT->set_env('search_request', $search_str ? $search_request : ''); +$OUTPUT->set_env('messagecount', $count); +$OUTPUT->set_env('pagecount', ceil($count/$IMAP->page_size)); +$OUTPUT->command('set_rowcount', rcmail_get_messagecount_text($count, 1), $mbox); +$OUTPUT->send(); -?> \ No newline at end of file + -- Gitblit v1.9.1
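Review bot: In the `_headers` branch the header name taken from the request is concatenated straight into the IMAP SEARCH criteria (`$subject[$header] = 'HEADER '.strtoupper($header);`, later formatted with `sprintf(" %s {%d}\r\n%s", $sub, strlen($search), $search)`) with no check that it names a real header, and `$filter` from `_filter` becomes the leading part of `$search_str` unchecked unless it equals `ALL`. Only the search text itself is sent as a counted literal, so a header name or filter containing spaces or parentheses can append extra SEARCH keys or break the command, unless `$IMAP->search()` sanitises its argument, which is not visible in this hunk. I would whitelist both before they reach the string, e.g. `else if (in_array($header, array('subject', 'from', 'to', 'cc', 'bcc'))) { $subject[$header] = 'HEADER '.strtoupper($header); }` and a matching check of `$filter` against the filter keywords the list UI actually sends; this also stops `$search_mods[$mbox]`, which is persisted via `save_prefs()`, from storing arbitrary user-supplied keys. Note also that the commit subject refers to the `_session` argument of utils/save-prefs, while the only file touched is search.inc, so the change the subject describes is not present in this diff.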