From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/steps/settings/folders.inc | 94 ++++++++++++++++++++++++++++++++++++++++-------
 1 files changed, 80 insertions(+), 14 deletions(-)
diff --git a/program/steps/settings/folders.inc b/program/steps/settings/folders.inc
index a906809..72c1976 100644
--- a/program/steps/settings/folders.inc
+++ b/program/steps/settings/folders.inc
@@ -76,8 +76,16 @@
 $mbox_utf8 = get_input_value('_mbox', RCUBE_INPUT_POST, true);
 $mbox = rcube_charset_convert($mbox_utf8, RCMAIL_CHARSET, 'UTF7-IMAP');
- if (strlen($mbox))
- $deleted = $IMAP->delete_mailbox($mbox);
+ if (strlen($mbox)) {
+ $plugin = $RCMAIL->plugins->exec_hook('folder_delete', array('name' => $mbox));
+
+ if (!$plugin['abort']) {
+ $deleted = $IMAP->delete_mailbox($plugin['name']);
+ }
+ else {
+ $deleted = $plugin['result'];
+ }
+ }
 if ($OUTPUT->ajax_call && $deleted) {
 // Remove folder and subfolders rows
@@ -179,7 +187,7 @@
 list($form_start, $form_end) = get_form_tags($attrib, 'folders');
 unset($attrib['form']);
-
+
 if (!$attrib['id'])
 $attrib['id'] = 'rcmSubscriptionlist';
@@ -192,11 +200,12 @@
 }
 // get folders from server
- $IMAP->clear_cache('/^mailboxes.*/', true);
+ $IMAP->clear_cache('mailboxes', true);
 $a_unsubscribed = $IMAP->list_unsubscribed();
- $a_subscribed = $IMAP->list_mailboxes();
+ $a_subscribed = $IMAP->list_mailboxes('', '*', null, null, true); // unsorted
 $delimiter = $IMAP->get_hierarchy_delimiter();
+ $namespace = $IMAP->get_namespace();
 $a_js_folders = array();
 $seen = array();
 $list_folders = array();
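Review bot: When a `folder_delete` plugin aborts, the new else branch assigns `$deleted = $plugin['result'];` but nothing guarantees the aborting plugin set `result`, so a missing key yields null (with a notice) and the later `if ($OUTPUT->ajax_call && $deleted)` silently treats the abort as a failed delete; `$deleted = !empty($plugin['result']);` makes the intent explicit. The delete target is `$plugin['name']`, i.e. whatever the hook returns, so a plugin can redirect the delete to another mailbox — that is the hook's contract as written, but it deserves a comment such as `// the hook may rewrite 'name'; the rewritten value is what gets deleted`. The enclosing action block starts before this hunk. Separately, the Subject describes a `_session` argument to utils/save-prefs, yet no hunk in this patch touches save-prefs or `_session`, so the fix the title names appears to live in a different file or commit.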
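Review bot: The trailing `true` in `$a_subscribed = $IMAP->list_mailboxes('', '*', null, null, true); // unsorted` is an opaque positional flag behind two positional nulls, and the comment does not say which parameter it is. Since the method signature is not visible here, the comment should at least name the flag, e.g. `// last argument: skip sorting — the list is only searched, never displayed`, so a reader does not have to open the IMAP class to understand why the result order no longer matters.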
@@ -242,6 +251,13 @@
 unset($seen);
+ // add drop-target representing 'root'
+ $table->add_row(array('id' => 'mailboxroot', 'class' => 'virtual root'));
+ $table->add('name', ' ');
+ $table->add(null, ' ');
+
+ $a_js_folders['mailboxroot'] = array('', '', true);
+
 $checkbox_subscribe = new html_checkbox(array(
 'name' => '_subscribed[]',
 'title' => rcube_label('changesubscription'),
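Review bot: `$a_js_folders['mailboxroot'] = array('', '', true);` stores three bare positional values whose meaning the reader has to recover from the JavaScript consumer; a comment naming them would help, e.g. `// [name, display name, virtual] — same layout as the per-folder entries; confirm against the JS side`. The two `' '` cells in `$table->add('name', ' ')` and `$table->add(null, ' ')` read as placeholder content (possibly a non-breaking space whose entity was lost in rendering), and a short `// empty placeholder cells so the root row keeps the table layout` would make that explicit. The enclosing function continues on both sides of this hunk.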
@@ -251,28 +267,69 @@
 // create list of available folders
 foreach ($list_folders as $i => $folder) {
 $idx = $i + 1;
- $subscribed = in_array($folder['id'], $a_subscribed);
+ $sub_key = array_search($folder['id'], $a_subscribed);
+ $subscribed = $sub_key !== false;
 $protected = ($CONFIG['protect_default_folders'] == true && in_array($folder['id'], $CONFIG['default_imap_folders']));
+ $noselect = false;
 $classes = array($i%2 ? 'even' : 'odd');
 $folder_js = Q($folder['id']);
 $folder_utf8 = rcube_charset_convert($folder['id'], 'UTF7-IMAP');
 $display_folder = str_repeat(' ', $folder['level']) . Q($protected ? rcmail_localize_foldername($folder['id']) : $folder['name']);
-
+
 if ($folder['virtual']) {
 $classes[] = 'virtual';
 }
 if (!$protected) {
- $opts = $IMAP->mailbox_options($folder['id']);
- $noselect = in_array('\\Noselect', $opts);
+ $attrs = $IMAP->mailbox_attributes($folder['id']);
+ $noselect = in_array('\\Noselect', $attrs);
 }
 $disabled = (($protected && $subscribed) || $noselect);
- $table->add_row(array('id' => 'rcmrow'.$idx, 'class' => join(' ', $classes)));
-
+ // check if the folder is a namespace prefix, then disable subscription option on it
+ if (!$disabled && $folder['virtual'] && $folder['level'] == 0 && !empty($namespace)) {
+ $fname = $folder['id'] . $delimiter;
+ foreach ($namespace as $ns) {
+ if (is_array($ns)) {
+ foreach ($ns as $item) {
+ if ($item[0] === $fname) {
+ $disabled = true;
+ break 2;
+ }
+ }
+ }
+ }
+ }
+ // check if the folder is an other users virtual-root folder, then disable subscription option on it
+ if (!$disabled && $folder['virtual'] && $folder['level'] == 1
+ && !empty($namespace) && !empty($namespace['other'])
+ ) {
+ $parts = explode($delimiter, $folder['id']);
+ $fname = $parts[0] . 
$delimiter;
+ foreach ($namespace['other'] as $item) {
+ if ($item[0] === $fname) {
+ $disabled = true;
+ break;
+ }
+ }
+ }
+ // check if the folder is shared, then disable subscription option on it (if not subscribed already)
+ if (!$disabled && !$subscribed && $folder['virtual'] && !empty($namespace)) {
+ $tmp_ns = array_merge((array)$namespace['other'], (array)$namespace['shared']);
+ foreach ($tmp_ns as $item) {
+ if (strpos($folder['id'], $item[0]) === 0) {
+ $disabled = true;
+ break;
+ }
+ }
+ }
+
+ $table->add_row(array('id' => 'rcmrow'.$idx, 'class' => join(' ', $classes),
+ 'foldername' => $folder['id']));
+
 $table->add('name', $display_folder);
 $table->add('subscribed', $checkbox_subscribe->show(($subscribed ? $folder_utf8 : ''), array('value' => $folder_utf8, 'disabled' => $disabled ? 'disabled' : '')));
@@ -297,7 +354,7 @@
 if (!$attrib['id'])
 $attrib['id'] = 'rcmfolderframe';
-
+
 $attrib['name'] = $attrib['id'];
 $OUTPUT->set_env('contentframe', $attrib['name']);
@@ -311,10 +368,19 @@
 global $RCMAIL;
 $delimiter = $RCMAIL->imap->get_hierarchy_delimiter();
- $rename = $RCMAIL->imap->rename_mailbox($oldname, $newname);
+
+ $plugin = $RCMAIL->plugins->exec_hook('folder_rename', array(
+ 'oldname' => $oldname, 'newname' => $newname));
+
+ if (!$plugin['abort']) {
+ $renamed = $RCMAIL->imap->rename_mailbox($oldname, $newname);
+ }
+ else {
+ $renamed = $plugin['result'];
+ }
 // update per-folder options for modified folder and its subfolders
- if ($rename !== false) {
+ if ($renamed) {
 $a_threaded = (array) $RCMAIL->config->get('message_threading', array());
 $oldprefix = '/^' . preg_quote($oldname . $delimiter, '/') . '/';
-- Gitblit v1.9.1
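Review bot: The new `'foldername' => $folder['id']` attribute in `$table->add_row(array('id' => 'rcmrow'.$idx, 'class' => join(' ', $classes), 'foldername' => $folder['id']))` puts the raw IMAP folder name into an HTML attribute, whereas everywhere else in this loop the name goes through `Q()` (`$folder_js`, `$display_folder`); unless `add_row` escapes attribute values itself, a shared or other-user folder whose name contains `"` or `<` lands in the page unescaped, so either confirm the escaping in the html_table class or pass `Q($folder['id'])`. In the shared-namespace check, `strpos($folder['id'], $item[0]) === 0` assumes every prefix is non-empty — on PHP versions before 8 an empty needle makes `strpos` warn and return false — so guarding with `if ($item[0] !== '' && strpos($folder['id'], $item[0]) === 0)` is cheaper than relying on the namespace shape. `array_search($folder['id'], $a_subscribed)` is a loose comparison and should pass `true` as its third argument so numeric-looking folder names are not coerced. The foreach body and its enclosing function extend past both edges of this hunk.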
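Review bot: The `folder_rename` hook is handed `oldname`/`newname`, but the non-abort branch still calls `$RCMAIL->imap->rename_mailbox($oldname, $newname)` with the original values, so a plugin that rewrites either name in the hook result is silently ignored — inconsistent with the `folder_delete` hook in this same patch, which honours `$plugin['name']`; either use `$plugin['oldname']`/`$plugin['newname']` here or add `// rewriting oldname/newname in the hook is not supported` so plugin authors are not misled. As in the delete hook, `$renamed = $plugin['result'];` assumes the aborting plugin set `result`; `!empty($plugin['result'])` avoids a notice and an ambiguous null reaching `if ($renamed)`. The per-folder option update that follows keys on `$oldname`, which is a further reason the two values must stay in sync if rewriting is ever allowed. The enclosing function's signature and the rest of its body are outside this hunk.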