From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/steps/settings/folders.inc | 61 ++++++++++++++++++++++++------
 1 files changed, 49 insertions(+), 12 deletions(-)
diff --git a/program/steps/settings/folders.inc b/program/steps/settings/folders.inc
index 239413f..72c1976 100644
--- a/program/steps/settings/folders.inc
+++ b/program/steps/settings/folders.inc
@@ -76,8 +76,16 @@
 $mbox_utf8 = get_input_value('_mbox', RCUBE_INPUT_POST, true);
 $mbox = rcube_charset_convert($mbox_utf8, RCMAIL_CHARSET, 'UTF7-IMAP');
- if (strlen($mbox))
- $deleted = $IMAP->delete_mailbox($mbox);
+ if (strlen($mbox)) {
+ $plugin = $RCMAIL->plugins->exec_hook('folder_delete', array('name' => $mbox));
+
+ if (!$plugin['abort']) {
+ $deleted = $IMAP->delete_mailbox($plugin['name']);
+ }
+ else {
+ $deleted = $plugin['result'];
+ }
+ }
 if ($OUTPUT->ajax_call && $deleted) {
 // Remove folder and subfolders rows
@@ -195,7 +203,7 @@
 $IMAP->clear_cache('mailboxes', true);
 $a_unsubscribed = $IMAP->list_unsubscribed();
- $a_subscribed = $IMAP->list_mailboxes();
+ $a_subscribed = $IMAP->list_mailboxes('', '*', null, null, true); // unsorted
 $delimiter = $IMAP->get_hierarchy_delimiter();
 $namespace = $IMAP->get_namespace();
 $a_js_folders = array();
@@ -243,6 +251,13 @@
 unset($seen);
+ // add drop-target representing 'root'
+ $table->add_row(array('id' => 'mailboxroot', 'class' => 'virtual root'));
+ $table->add('name', ' ');
+ $table->add(null, ' ');
+
+ $a_js_folders['mailboxroot'] = array('', '', true);
+
 $checkbox_subscribe = new html_checkbox(array(
 'name' => '_subscribed[]',
 'title' => rcube_label('changesubscription'),
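Review bot: `$deleted` is still never assigned on the new side when `_mbox` is empty (`strlen($mbox)` false), and `$plugin['result']` is read without a guard on the abort branch, so the `if ($OUTPUT->ajax_call && $deleted)` test that follows can hit an undefined variable or an undefined index; initialise before the block with `$deleted = false;` and take the hook's verdict defensively with `$deleted = !empty($plugin['result']);`. Deleting `$plugin['name']` instead of `$mbox` is the right call if hooks are meant to rewrite the target, but it means the name handed to `delete_mailbox()` is no longer the charset-converted POST value, which deserves a one-line comment such as `// hooks may substitute the folder name; the IMAP server's ACLs remain the authority`. Separately, the patch subject refers to the `_session` argument of utils/save-prefs, which none of the hunks in this diff touch, so subject and diff body appear mismatched and are worth reconciling before merge.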
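Review bot: The tuple `array('', '', true)` stored under `$a_js_folders['mailboxroot']` gives no hint what its three positions mean to the client-side folder list, unlike the named keys used for the table row two lines above. A comment along the lines of `// synthetic root entry: (name, delimiter, virtual) — confirm the positional shape against the script that reads $a_js_folders` would make it self-describing; the position meanings are an inference, not visible here. If, as the name suggests, the other entries in `$a_js_folders` are keyed by folder id, a real mailbox named `mailboxroot` would collide with this synthetic key, so either prefix the key or note why that cannot happen.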
@@ -252,7 +267,8 @@
 // create list of available folders
 foreach ($list_folders as $i => $folder) {
 $idx = $i + 1;
- $subscribed = in_array($folder['id'], $a_subscribed);
+ $sub_key = array_search($folder['id'], $a_subscribed);
+ $subscribed = $sub_key !== false;
 $protected = ($CONFIG['protect_default_folders'] == true && in_array($folder['id'], $CONFIG['default_imap_folders']));
 $noselect = false;
 $classes = array($i%2 ? 'even' : 'odd');
@@ -267,8 +283,8 @@
 }
 if (!$protected) {
- $opts = $IMAP->mailbox_options($folder['id']);
- $noselect = in_array('\\Noselect', $opts);
+ $attrs = $IMAP->mailbox_attributes($folder['id']);
+ $noselect = in_array('\\Noselect', $attrs);
 }
 $disabled = (($protected && $subscribed) || $noselect);
@@ -277,10 +293,12 @@
 if (!$disabled && $folder['virtual'] && $folder['level'] == 0 && !empty($namespace)) {
 $fname = $folder['id'] . $delimiter;
 foreach ($namespace as $ns) {
- foreach ($ns as $item) {
- if ($item[0] === $fname) {
- $disabled = true;
- break 2;
+ if (is_array($ns)) {
+ foreach ($ns as $item) {
+ if ($item[0] === $fname) {
+ $disabled = true;
+ break 2;
+ }
 }
 }
 }
@@ -293,6 +311,16 @@
 $fname = $parts[0] . $delimiter;
 foreach ($namespace['other'] as $item) {
 if ($item[0] === $fname) {
+ $disabled = true;
+ break;
+ }
+ }
+ }
+ // check if the folder is shared, then disable subscription option on it (if not subscribed already)
+ if (!$disabled && !$subscribed && $folder['virtual'] && !empty($namespace)) {
+ $tmp_ns = array_merge((array)$namespace['other'], (array)$namespace['shared']);
+ foreach ($tmp_ns as $item) {
+ if (strpos($folder['id'], $item[0]) === 0) {
 $disabled = true;
 break;
 }
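Review bot: `array_search($folder['id'], $a_subscribed)` compares loosely, so numeric-looking folder names match numerically (`'10'` and `'1e1'`, `'01'` and `'1'`) and a folder can be rendered as subscribed when a differently named one is; pass the strict flag, `$sub_key = array_search($folder['id'], $a_subscribed, true);`. Within this hunk `$sub_key` is consumed only by the `!== false` test; if it is not used further down the loop body, which continues past the hunk, a strict `in_array()` states the intent more directly. The enclosing `foreach ($list_folders …)` loop ends outside this hunk.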
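Review bot: `strpos($folder['id'], $item[0]) === 0` treats an empty namespace prefix as matching every folder on PHP 8 (`strpos($s, '')` returns 0 there, and returns `false` with a warning on older versions), so a server that advertises an unprefixed shared or other-users namespace would disable subscription for all virtual folders; guard the prefix first, `if ($item[0] !== '' && strpos($folder['id'], $item[0]) === 0) {`. Building `$tmp_ns` from `(array)$namespace['other']` and `(array)$namespace['shared']` also raises an undefined-index notice when either key is absent, so `isset()` checks on both keys would keep this path quiet on servers that do not report both namespaces. The loop this code sits in starts and ends outside the hunk.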
@@ -340,10 +368,19 @@
 global $RCMAIL;
 $delimiter = $RCMAIL->imap->get_hierarchy_delimiter();
- $rename = $RCMAIL->imap->rename_mailbox($oldname, $newname);
+
+ $plugin = $RCMAIL->plugins->exec_hook('folder_rename', array(
+ 'oldname' => $oldname, 'newname' => $newname));
+
+ if (!$plugin['abort']) {
+ $renamed = $RCMAIL->imap->rename_mailbox($oldname, $newname);
+ }
+ else {
+ $renamed = $plugin['result'];
+ }
 // update per-folder options for modified folder and its subfolders
- if ($rename !== false) {
+ if ($renamed) {
 $a_threaded = (array) $RCMAIL->config->get('message_threading', array());
 $oldprefix = '/^' . preg_quote($oldname . $delimiter, '/') . '/';
-- 
Gitblit v1.9.1
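Review bot: The `folder_rename` hook is handed `oldname`/`newname`, yet the non-abort branch still renames with the original `$oldname, $newname` rather than `$plugin['oldname'], $plugin['newname']`, which is inconsistent with the `folder_delete` path in this same patch that honours `$plugin['name']`; either use the hook's returned names (and carry them into the `$oldprefix` rebuild below) or state the contract with `// plugins may abort the rename but cannot rewrite the names`. As on the delete path, `$plugin['result']` is read unguarded when a plugin aborts, so `$renamed = !empty($plugin['result']);` avoids an undefined-index notice when the plugin sets no result. The enclosing function starts before and ends after this hunk.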