From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/steps/mail/search.inc | 50 ++++++++++++++++++++++++++++++--------------------
 1 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/program/steps/mail/search.inc b/program/steps/mail/search.inc
index e512e79..ab026d5 100644
--- a/program/steps/mail/search.inc
+++ b/program/steps/mail/search.inc
@@ -27,10 +27,12 @@ $imap_charset = RCMAIL_CHARSET;
 // get search string
-$str = get_input_value('_q', RCUBE_INPUT_GET);
-$filter = get_input_value('_filter', RCUBE_INPUT_GET);
-$mbox = get_input_value('_mbox', RCUBE_INPUT_GET);
+$str = get_input_value('_q', RCUBE_INPUT_GET, true);
+$mbox = get_input_value('_mbox', RCUBE_INPUT_GET, true);
+$filter = get_input_value('_filter', RCUBE_INPUT_GET);
 $headers = get_input_value('_headers', RCUBE_INPUT_GET);
+$subject = array();
+
 $search_request = md5($mbox.$filter.$str);
 // add list filter string
@@ -69,15 +71,20 @@
 list(,$srch) = explode(":", $str);
 $subject['text'] = "TEXT";
 }
-else if(trim($str))
+else if (strlen(trim($str)))
 {
 if ($headers) {
-    foreach(explode(',', $headers) as $header)
-    switch ($header) {
-    case 'text': $subject['text'] = 'TEXT'; break;
-    default: $subject[$header] = 'HEADER '.strtoupper($header);
+    foreach (explode(',', $headers) as $header) {
+    if ($header == 'text') {
+        // #1488208: get rid of other headers when searching by "TEXT"
+        $subject = array('text' => 'TEXT');
+        break;
 }
-
+    else {
+        $subject[$header] = 'HEADER '.strtoupper($header);
+    }
+    }
+
 // save search modifiers for the current folder to user prefs
 $search_mods = $RCMAIL->config->get('search_mods', $SEARCH_MODS_DEFAULT);
 $search_mods[$mbox] = array_fill_keys(array_keys($subject), 1);
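Review bot: The `true` passed as the third argument on the new `$str` and `$mbox` lines changes how those values are sanitized — if this is get_input_value's allow_html flag, as its Roundcube signature suggests, the raw client value is now kept instead of being tag-stripped, so every later use that reaches the browser must escape it; within this patch `$str` is stored in `$_SESSION['last_text_search']` and `$mbox` is sent back in the `set_rowcount` command of the last hunk. A comment on the `$str` line would make that contract explicit: `// raw value (HTML not stripped): only used for IMAP and md5() here, must be escaped if ever echoed to the client`. Note also that the patch subject refers to the `_session` argument of utils/save-prefs while the only file touched is program/steps/mail/search.inc; the description does not explain the relationship, so it is worth confirming the intended change was exported.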
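Review bot: The rewritten foreach still copies each client-supplied `$header` token unchecked into `$subject[$header] = 'HEADER '.strtoupper($header)`, and the values of `$subject` are later spliced verbatim into the IMAP SEARCH string by the sprintf in the @@ -88 hunk — only the search text itself travels as a length-prefixed literal, the header name does not. Anything other than a plain header name in that token therefore changes the command sent to the server, and the same unchecked names are persisted to the user's prefs through `$search_mods[$mbox]`. Restrict the branch to plausible header names, e.g. `else if (preg_match('/^[a-z0-9-]+$/i', $header)) {`, or better, validate against the set the UI offers (the `$SEARCH_MODS_DEFAULT` structure is not visible here). The enclosing `else if (strlen(trim($str)))` block continues past the end of the hunk.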
@@ -88,9 +95,9 @@
 }
 }
-$search = $srch ? trim($srch) : trim($str);
+$search = isset($srch) ? trim($srch) : trim($str);
-if ($subject) {
+if (!empty($subject)) {
 $search_str .= str_repeat(' OR', count($subject)-1);
 foreach ($subject as $sub) $search_str .= sprintf(" %s {%d}\r\n%s", $sub, strlen($search), $search);
@@ -100,10 +107,10 @@
 // execute IMAP search
 if ($search_str)
- $result = $IMAP->search($mbox, $search_str, $imap_charset, $_SESSION['sort_col']);
+ $IMAP->search($mbox, $search_str, $imap_charset, rcmail_sort_column());
 // Get the headers
-$result_h = $IMAP->list_headers($mbox, 1, $_SESSION['sort_col'], $_SESSION['sort_order']);
+$result_h = $IMAP->list_headers($mbox, 1, rcmail_sort_column(), rcmail_sort_order());
 $count = $IMAP->messagecount(NULL, $IMAP->threading ? 'THREADS' : 'ALL');
 // save search results in session
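Review bot: The byte-wise `strlen($search)` on the unchanged sprintf line is correct and deserves a comment, because the `{%d}` it fills is an IMAP literal length counted in octets and a later "use mb_strlen for text" cleanup would silently break non-ASCII searches: `// IMAP literal: length is in octets, so strlen() (not mb_strlen) is intentional`. The new `isset($srch)` test changes one edge case: when `$str` is only a prefix such as `body:`, the `list(,$srch) = explode(":", $str)` branch above (outside this hunk) leaves `$srch` set to an empty string, so the new code now sends a zero-length literal where the old truthiness test fell back to `trim($str)`; if that is not intended, `isset($srch) && strlen(trim($srch))` keeps the previous behaviour.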
@@ -111,27 +118,30 @@ $_SESSION['search'] = array();
 if ($search_str) {
- $_SESSION['search'][$search_request] = $IMAP->get_search_set();
+ $_SESSION['search'] = $IMAP->get_search_set();
 $_SESSION['last_text_search'] = $str;
 }
+$_SESSION['search_request'] = $search_request;
 // Make sure we got the headers
-if (!empty($result_h))
-{
+if (!empty($result_h)) {
 rcmail_js_message_list($result_h);
 if ($search_str) $OUTPUT->show_message('searchsuccessful', 'confirmation', array('nr' => $IMAP->messagecount(NULL, 'ALL')));
 }
-else
-{
+// handle IMAP errors (e.g. #1486905)
+else if ($err_code = $IMAP->get_error_code()) {
+ rcmail_display_server_error();
+}
+else {
 $OUTPUT->show_message('searchnomatch', 'notice');
 }
 // update message count display
-$OUTPUT->set_env('search_request', $search_str ? $search_request : -1);
+$OUTPUT->set_env('search_request', $search_str ? $search_request : '');
 $OUTPUT->set_env('messagecount', $count);
 $OUTPUT->set_env('pagecount', ceil($count/$IMAP->page_size));
-$OUTPUT->command('set_rowcount', rcmail_get_messagecount_text($count, 1));
+$OUTPUT->command('set_rowcount', rcmail_get_messagecount_text($count, 1), $mbox);
 $OUTPUT->send();
-- 
Gitblit v1.9.1
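Review bot: `$err_code` in the new `else if ($err_code = $IMAP->get_error_code())` is assigned but never read, which reads like a mistyped comparison and will be flagged by static analysers; either use it in the error display or drop the assignment: `else if ($IMAP->get_error_code()) {`. The session layout also changes here — the search set is now stored flat in `$_SESSION['search']` with its id in `$_SESSION['search_request']` rather than keyed by id — so any other step that still indexes `$_SESSION['search'][$search_request]` needs the matching update and should compare the client-supplied id against `$_SESSION['search_request']` before reusing the set; that cannot be verified from this diff. The "no active search" sentinel passed to `set_env('search_request', ...)` moves from `-1` to `''`, so the JavaScript that tests it must agree. Finally, `$mbox` now reaches the browser via `$OUTPUT->command('set_rowcount', ..., $mbox)` after being read with the un-stripped flag in the first hunk, which is only safe if command arguments are JSON-encoded on output — worth confirming.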