From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/steps/mail/show.inc | 85 +++++++++++++++++++++++++++++++++++-------
1 files changed, 70 insertions(+), 15 deletions(-)
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index 1d7a326..eeafabd 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -30,8 +30,6 @@
rcmail_message_error($uid);
}
- send_nocacheing_headers();
-
$mbox_name = $IMAP->get_mailbox_name();
// show images?
@@ -51,6 +49,13 @@
$OUTPUT->set_env('permaurl', rcmail_url('show', array('_uid' => $MESSAGE->uid, '_mbox' => $mbox_name)));
$OUTPUT->set_env('delimiter', $IMAP->get_hierarchy_delimiter());
$OUTPUT->set_env('mailbox', $mbox_name);
+ if ($CONFIG['drafts_mbox']) {
+ $OUTPUT->set_env('drafts_mailbox', $CONFIG['drafts_mbox']);
+ }
+
+ // mimetypes supported by the browser (default settings)
+ $mimetypes = $RCMAIL->config->get('client_mimetypes', 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/x-javascript,application/pdf,application/x-shockwave-flash');
+ $OUTPUT->set_env('mimetypes', is_string($mimetypes) ? explode(',', $mimetypes) : (array)$mimetypes);
if ($CONFIG['trash_mbox'])
$OUTPUT->set_env('trash_mailbox', $CONFIG['trash_mbox']);
@@ -64,18 +69,21 @@
$OUTPUT->set_env('display_next', true);
if ($MESSAGE->headers->others['list-post'])
$OUTPUT->set_env('list_post', true);
+ if ($CONFIG['forward_attachment'])
+ $OUTPUT->set_env('forward_attachment', true);
if (!$OUTPUT->ajax_call)
$OUTPUT->add_label('checkingmail', 'deletemessage', 'movemessagetotrash',
'movingmessage', 'deletingmessage');
// check for unset disposition notification
- if ($MESSAGE->headers->mdn_to &&
- !$MESSAGE->headers->mdn_sent && !$MESSAGE->headers->seen &&
- ($IMAP->check_permflag('MDNSENT') || $IMAP->check_permflag('*')) &&
- $mbox_name != $CONFIG['drafts_mbox'] &&
- $mbox_name != $CONFIG['sent_mbox'])
- {
+ if ($MESSAGE->headers->mdn_to
+ && empty($MESSAGE->headers->flags['MDNSENT'])
+ && empty($MESSAGE->headers->flags['SEEN'])
+ && ($IMAP->check_permflag('MDNSENT') || $IMAP->check_permflag('*'))
+ && $mbox_name != $CONFIG['drafts_mbox']
+ && $mbox_name != $CONFIG['sent_mbox']
+ ) {
$mdn_cfg = intval($CONFIG['mdn_requests']);
if ($mdn_cfg == 1 || (($mdn_cfg == 3 || $mdn_cfg == 4) && rcmail_contact_exists($MESSAGE->sender['mailto']))) {
@@ -94,9 +102,12 @@
}
}
- if (!$MESSAGE->headers->seen && ($RCMAIL->action == 'show' || ($RCMAIL->action == 'preview' && intval($CONFIG['preview_pane_mark_read']) == 0)))
+ if (empty($MESSAGE->headers->flags['SEEN'])
+ && ($RCMAIL->action == 'show' || ($RCMAIL->action == 'preview' && intval($CONFIG['preview_pane_mark_read']) == 0))
+ ) {
$RCMAIL->plugins->exec_hook('message_read', array('uid' => $MESSAGE->uid,
'mailbox' => $mbox_name, 'message' => $MESSAGE));
+ }
}
@@ -124,7 +135,7 @@
$ol .= html::tag('li', null,
html::a(array(
- 'href' => $MESSAGE->get_part_url($attach_prop->mime_id),
+ 'href' => $MESSAGE->get_part_url($attach_prop->mime_id, false),
'onclick' => sprintf(
'return %s.command(\'load-attachment\',{part:\'%s\', mimetype:\'%s\'},this)',
JS_OBJECT_NAME,
@@ -142,12 +153,13 @@
return $out;
}
-function rcmail_remote_objects_msg($attrib)
+function rcmail_remote_objects_msg()
{
global $MESSAGE, $RCMAIL;
- if (!$attrib['id'])
- $attrib['id'] = 'rcmremoteobjmsg';
+ $attrib['id'] = 'remote-objects-message';
+ $attrib['class'] = 'notice';
+ $attrib['style'] = 'display: none';
$msg = Q(rcube_label('blockedimages')) . ' ';
$msg .= html::a(array('href' => "#loadimages", 'onclick' => JS_OBJECT_NAME.".command('load-images')"), Q(rcube_label('showimages')));
@@ -160,6 +172,48 @@
$RCMAIL->output->add_gui_object('remoteobjectsmsg', $attrib['id']);
return html::div($attrib, $msg);
+}
+
+function rcmail_message_buttons()
+{
+ global $MESSAGE, $RCMAIL, $CONFIG;
+
+ $mbox = $RCMAIL->imap->get_mailbox_name();
+ $delim = $RCMAIL->imap->get_hierarchy_delimiter();
+ $dbox = $CONFIG['drafts_mbox'];
+
+ // the message is not a draft
+ if ($mbox != $dbox && strpos($mbox, $dbox.$delim) !== 0) {
+ return '';
+ }
+
+ $attrib['id'] = 'message-buttons';
+ $attrib['class'] = 'notice';
+
+ $msg = Q(rcube_label('isdraft')) . ' ';
+ $msg .= html::a(array('href' => "#edit", 'onclick' => JS_OBJECT_NAME.".command('edit')"), Q(rcube_label('edit')));
+
+ return html::div($attrib, $msg);
+}
+
+function rcmail_message_objects($attrib)
+{
+ global $RCMAIL, $MESSAGE;
+
+ if (!$attrib['id'])
+ $attrib['id'] = 'message-objects';
+
+ $content = array(
+ rcmail_message_buttons(),
+ rcmail_remote_objects_msg(),
+ );
+
+ $plugin = $RCMAIL->plugins->exec_hook('message_objects',
+ array('content' => $content, 'message' => $MESSAGE));
+
+ $content = implode("\n", $plugin['content']);
+
+ return html::div($attrib, $content);
}
function rcmail_contact_exists($email)
@@ -181,7 +235,8 @@
$OUTPUT->add_handlers(array(
'messageattachments' => 'rcmail_message_attachments',
'mailboxname' => 'rcmail_mailbox_name_display',
- 'blockedobjects' => 'rcmail_remote_objects_msg'));
+ 'messageobjects' => 'rcmail_message_objects',
+));
if ($RCMAIL->action=='print' && $OUTPUT->template_exists('messageprint'))
@@ -193,7 +248,7 @@
// mark message as read
-if ($MESSAGE && $MESSAGE->headers && !$MESSAGE->headers->seen &&
+if ($MESSAGE && $MESSAGE->headers && empty($MESSAGE->headers->flags['SEEN']) &&
($RCMAIL->action == 'show' || ($RCMAIL->action == 'preview' && intval($CONFIG['preview_pane_mark_read']) == 0)))
{
if ($IMAP->set_flag($MESSAGE->uid, 'SEEN')) {
--
Gitblit v1.9.1