From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Oct 2013 08:17:26 -0400 Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) --- program/include/rcmail.php | 161 ++++++++++++++++++++++++++++++++--------------------- 1 files changed, 96 insertions(+), 65 deletions(-) diff --git a/program/include/rcmail.php b/program/include/rcmail.php index 04b87e4..01f7d1c 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php @@ -56,8 +56,6 @@ private $action_map = array(); - const JS_OBJECT_NAME = 'rcmail'; - const ERROR_STORAGE = -2; const ERROR_INVALID_REQUEST = 1; const ERROR_INVALID_HOST = 2; @@ -100,7 +98,10 @@ // reset some session parameters when changing task if ($this->task != 'utils') { - if ($this->session && $_SESSION['task'] != $this->task) + // we reset list page when switching to another task + // but only to the main task interface - empty action (#1489076) + // this will prevent from unintentional page reset on cross-task requests + if ($this->session && $_SESSION['task'] != $this->task && empty($this->action)) $this->session->remove('page'); // set current task to session $_SESSION['task'] = $this->task; 
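Review bot: The rewritten condition in the @@ -100 hunk still reads `$_SESSION['task']` without an existence check and compares it loosely, so a session that has no task key yet raises an undefined-index notice before the new `empty($this->action)` guard is reached; `isset($_SESSION['task']) && $_SESSION['task'] !== $this->task && empty($this->action)` states the intent explicitly, and since a session without a task presumably has no stored page either, skipping the remove in that case should be behaviour-neutral. With the condition now spanning three clauses, the brace-less `$this->session->remove('page');` on the next line deserves braces for readability. The enclosing initialisation code starts and ends outside this hunk. Separately, the patch subject refers to the `_session` argument of utils/save-prefs, but none of the hunks on this page touch that handler, so this appears to be a squashed range and the advertised fix itself cannot be reviewed from what is shown.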
@@ -207,18 +208,31 @@ } } + // when user requested default writeable addressbook + // we need to check if default is writeable, if not we + // will return first writeable book (if any exist) + if ($contacts && $default && $contacts->readonly && $writeable) { + $contacts = null; + } + // Get first addressbook from the list if configured default doesn't exist // This can happen when user deleted the addressbook (e.g. Kolab folder) if (!$contacts && (!$id || $default)) { - $source = reset($this->get_address_sources($writeable)); + $source = reset($this->get_address_sources($writeable, !$default)); if (!empty($source)) { $contacts = $this->get_address_book($source['id']); - if ($contacts) + if ($contacts) { $id = $source['id']; + } } } if (!$contacts) { + // there's no default, just return + if ($default) { + return null; + } + self::raise_error(array( 'code' => 700, 'type' => 'php', 'file' => __FILE__, 'line' => __LINE__, @@ -226,18 +240,36 @@ true, true); } + // add to the 'books' array for shutdown function + $this->address_books[$id] = $contacts; + if ($writeable && $contacts->readonly) { return null; } // set configured sort order - if ($sort_col = $this->config->get('addressbook_sort_col')) + if ($sort_col = $this->config->get('addressbook_sort_col')) { $contacts->set_sort_order($sort_col); - - // add to the 'books' array for shutdown function - $this->address_books[$id] = $contacts; + } return $contacts; + } + + + /** + * Return identifier of the address book object + * + * @param rcube_addressbook Addressbook source object + * + * @return string Source identifier + */ + public function get_address_book_id($object) + { + foreach ($this->address_books as $index => $book) { + if ($book === $object) { + return $index; + } + } } 
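Review bot: `$source = reset($this->get_address_sources($writeable, !$default));` passes a function's return value to a by-reference parameter, which PHP reports as a strict-standards notice; assigning first avoids it: `$sources = $this->get_address_sources($writeable, !$default);` then `$source = reset($sources);`. The new early `return null;` for the default-book case is a new outcome of `get_address_book()`, whose docblock sits above this hunk and presumably still promises an object; it should say that `null` is returned when no (writeable) default exists. `get_address_book()` begins before this hunk.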
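Review bot: The new `get_address_book_id()` falls off the end of the `foreach` when the object is not registered, returning `null` implicitly while the docblock declares `@return string`; add an explicit `return null;` after the loop and change the tag to `@return string|null Source identifier, null if the object is not registered`. Because PHP coerces numeric-string array keys to integers, the returned `$index` may also be an `int` for such ids — worth a word in the docblock if callers compare it strictly. Moving `$this->address_books[$id] = $contacts;` above the `$writeable && $contacts->readonly` check means a read-only book is now registered for the shutdown function even when this call returns `null`; that looks intentional, but the moved comment could say so.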
@@ -245,10 +277,11 @@ * Return address books list * * @param boolean True if the address book needs to be writeable + * @param boolean True if the address book needs to be not hidden * * @return array Address books array */ - public function get_address_sources($writeable = false) + public function get_address_sources($writeable = false, $skip_hidden = false) { $abook_type = strtolower($this->config->get('address_book_type')); $ldap_config = $this->config->get('ldap_public'); @@ -279,7 +312,7 @@ $list[$id] = array( 'id' => $id, 'name' => html::quote($prop['name']), - 'groups' => is_array($prop['groups']), + 'groups' => !empty($prop['groups']) || !empty($prop['group_filters']), 'readonly' => !$prop['writable'], 'hidden' => $prop['hidden'], 'autocomplete' => in_array($id, $autocomplete) @@ -292,11 +325,17 @@ foreach ($list as $idx => $item) { // register source for shutdown function - if (!is_object($this->address_books[$item['id']])) + if (!is_object($this->address_books[$item['id']])) { $this->address_books[$item['id']] = $item; + } // remove from list if not writeable as requested - if ($writeable && $item['readonly']) + if ($writeable && $item['readonly']) { unset($list[$idx]); + } + // remove from list if hidden as requested + else if ($skip_hidden && $item['hidden']) { + unset($list[$idx]); + } } return $list; 
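Review bot: The new parameter's docblock line, `@param boolean True if the address book needs to be not hidden`, reads awkwardly and does not name the parameter; `@param boolean $skip_hidden True to exclude address books flagged as hidden from the list` says what the @@ -292 hunk actually does with it. Both callers shown on this page pass it positionally, so the name only matters for readers, but the docblock is the only place the semantics are recorded.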
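Review bot: In the @@ -292 hunk the `if` and the new `else if` branches have identical bodies, so the filter is clearer as one condition: `if (($writeable && $item['readonly']) || ($skip_hidden && $item['hidden'])) { unset($list[$idx]); }`. The registration line just above it, `is_object($this->address_books[$item['id']])`, reads a key that is absent on the first pass and so raises an undefined-index notice; `!isset($this->address_books[$item['id']]) || !is_object($this->address_books[$item['id']])` is equivalent and notice-free. Note that sources are registered before they are filtered out, so hidden and read-only books still reach the shutdown list, which appears intended; `get_address_sources()` closes after the hunk.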
@@ -305,20 +344,20 @@ /** * Init output object for GUI and add common scripts. - * This will instantiate a rcube_output_html object and set + * This will instantiate a rcmail_output_html object and set * environment vars according to the current session and configuration * * @param boolean True if this request is loaded in a (i)frame - * @return rcube_output_html Reference to HTML output object + * @return rcube_output Reference to HTML output object */ public function load_gui($framed = false) { // init output page - if (!($this->output instanceof rcube_output_html)) - $this->output = new rcube_output_html($this->task, $framed); + if (!($this->output instanceof rcmail_output_html)) + $this->output = new rcmail_output_html($this->task, $framed); - // set keep-alive interval - $this->output->set_env('keep_alive', $this->config->get('keep_alive', 0)); + // set refresh interval + $this->output->set_env('refresh_interval', $this->config->get('refresh_interval', 0)); $this->output->set_env('session_lifetime', $this->config->get('session_lifetime', 0) * 60); if ($framed) { @@ -329,7 +368,7 @@ $this->output->set_env('task', $this->task); $this->output->set_env('action', $this->action); $this->output->set_env('comm_path', $this->comm_path); - $this->output->set_charset(RCMAIL_CHARSET); + $this->output->set_charset(RCUBE_CHARSET); // add some basic labels to client $this->output->add_label('loading', 'servererror', 'requesttimedout', 'refreshing'); @@ -341,12 +380,12 @@ /** * Create an output object for JSON responses * - * @return rcube_output_json Reference to JSON output object + * @return rcube_output Reference to JSON output object */ public function json_init() { - if (!($this->output instanceof rcube_output_json)) - $this->output = new rcube_output_json($this->task); + if (!($this->output instanceof rcmail_output_json)) + $this->output = new rcmail_output_json($this->task); return $this->output; } 
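Review bot: `load_gui()` now reads the config key `refresh_interval` with a default of 0 where it previously read `keep_alive`; unless `rcube_config` maps the legacy key (not visible on this page), an existing installation that still sets `keep_alive` silently ends up with refreshing disabled rather than an error. If no such mapping exists, a transitional fallback such as `$this->config->get('refresh_interval', $this->config->get('keep_alive', 0))` keeps old configurations working. The `@return rcube_output` tags in this and the @@ -341 hunk are accurate only as the common parent type; naming the concrete class (`rcmail_output_html` / `rcmail_output_json`) would be more useful to callers. `load_gui()` continues past the hunk.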
@@ -920,15 +959,30 @@ * @param object $message Reference to Mail_MIME object * @param string $from Sender address string * @param array $mailto Array of recipient address strings - * @param array $smtp_error SMTP error array (reference) + * @param array $error SMTP error array (reference) * @param string $body_file Location of file with saved message body (reference), * used when delay_file_io is enabled - * @param array $smtp_opts SMTP options (e.g. DSN request) + * @param array $options SMTP options (e.g. DSN request) * * @return boolean Send status. */ - public function deliver_message(&$message, $from, $mailto, &$smtp_error, &$body_file = null, $smtp_opts = null) + public function deliver_message(&$message, $from, $mailto, &$error, &$body_file = null, $options = null) { + $plugin = $this->plugins->exec_hook('message_before_send', array( + 'message' => $message, + 'from' => $from, + 'mailto' => $mailto, + 'options' => $options, + )); + + if ($plugin['abort']) { + return isset($plugin['result']) ? $plugin['result'] : false; + } + + $from = $plugin['from']; + $mailto = $plugin['mailto']; + $options = $plugin['options']; + $message = $plugin['message']; $headers = $message->headers(); // send thru SMTP server using custom SMTP library @@ -971,15 +1025,15 @@ $this->smtp_init(true); } - $sent = $this->smtp->send_mail($from, $a_recipients, $smtp_headers, $msg_body, $smtp_opts); - $smtp_response = $this->smtp->get_response(); - $smtp_error = $this->smtp->get_error(); + $sent = $this->smtp->send_mail($from, $a_recipients, $smtp_headers, $msg_body, $options); + $response = $this->smtp->get_response(); + $error = $this->smtp->get_error(); // log error if (!$sent) { self::raise_error(array('code' => 800, 'type' => 'smtp', 'line' => __LINE__, 'file' => __FILE__, - 'message' => "SMTP error: ".join("\n", $smtp_response)), TRUE, FALSE); + 'message' => "SMTP error: ".join("\n", $response)), TRUE, FALSE); } } // send mail using PHP's mail() function 
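Review bot: When the `message_before_send` hook aborts, `deliver_message()` returns before anything is written to the by-reference `$error` parameter, so a caller that reads `$error` after a `false` result sees whatever the variable held before the call; either reset it on that path (`$error = null;` before the `return`) or document in the docblock that `$error` is only populated for SMTP delivery attempts. `$message = $plugin['message'];` assigns through the by-reference `&$message` parameter, so a plugin that substitutes a message object also replaces the caller's variable — presumably intended, but worth a sentence in the `@param object $message` description. Whether `$plugin['abort']` is always initialised by `exec_hook()` cannot be checked from this page. The function body continues beyond the hunk.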
@@ -1021,7 +1075,7 @@ $subject = str_replace("\r\n", $delim, $subject); } - if (ini_get('safe_mode')) + if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN)) $sent = mail($to, $subject, $msg_body, $header_str); else $sent = mail($to, $subject, $msg_body, $header_str, "-f$from"); @@ -1047,7 +1101,7 @@ $this->user->get_username(), $_SERVER['REMOTE_ADDR'], $mailto, - !empty($smtp_response) ? join('; ', $smtp_response) : '')); + !empty($response) ? join('; ', $response) : '')); } } @@ -1381,6 +1435,7 @@ $js_mailboxlist = array(); $out = html::tag('ul', $attrib, $rcmail->render_folder_tree_html($a_mailboxes, $mbox_name, $js_mailboxlist, $attrib), html::$common_attrib); + $rcmail->output->include_script('treelist.js'); $rcmail->output->add_gui_object('mailboxlist', $attrib['id']); $rcmail->output->set_env('mailboxes', $js_mailboxlist); $rcmail->output->set_env('unreadwrap', $attrib['unreadwrap']); @@ -1550,7 +1605,7 @@ $html_name = $this->Q($foldername) . ($unread ? html::span('unreadcount', sprintf($attrib['unreadwrap'], $unread)) : ''); $link_attrib = $folder['virtual'] ? array() : array( 'href' => $this->url(array('_mbox' => $folder['id'])), - 'onclick' => sprintf("return %s.command('list','%s',this)", rcmail::JS_OBJECT_NAME, $js_name), + 'onclick' => sprintf("return %s.command('list','%s',this)", rcmail_output::JS_OBJECT_NAME, $js_name), 'rel' => $folder['id'], 'title' => $title, ); 
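Review bot: The `filter_var(..., FILTER_VALIDATE_BOOLEAN)` wrapper is the right fix for `ini_get()` returning strings such as "off", and on PHP 5.4+ where `safe_mode` no longer exists it simply yields `false`, so the `else` branch is what runs in practice. That branch (context here) appends `-f$from` unquoted to `mail()`'s additional parameters; PHP escapes shell metacharacters in that argument but not whitespace, so correctness depends on `$from` having been validated as a single bare address upstream, which is not visible on this page — a comment stating that precondition, or an assertion before the call, would make the dependency explicit. The surrounding code continues outside the hunk.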
@@ -1559,14 +1614,13 @@ 'id' => "rcmli".$folder_id, 'class' => join(' ', $classes), 'noclose' => true), - html::a($link_attrib, $html_name) . - (!empty($folder['folders']) ? html::div(array( - 'class' => ($is_collapsed ? 'collapsed' : 'expanded'), - 'style' => "position:absolute", - 'onclick' => sprintf("%s.command('collapse-folder', '%s')", rcmail::JS_OBJECT_NAME, $js_name) - ), ' ') : '')); + html::a($link_attrib, $html_name)); - $jslist[$folder_id] = array( + if (!empty($folder['folders'])) { + $out .= html::div('treetoggle ' . ($is_collapsed ? 'collapsed' : 'expanded'), ' '); + } + + $jslist[$folder['id']] = array( 'id' => $folder['id'], 'name' => $foldername, 'virtual' => $folder['virtual'] @@ -1901,7 +1955,8 @@ public function upload_init() { // Enable upload progress bar - if (($seconds = $this->config->get('upload_progress')) && ini_get('apc.rfc1867')) { + $rfc1867 = filter_var(ini_get('apc.rfc1867'), FILTER_VALIDATE_BOOLEAN); + if ($rfc1867 && ($seconds = $this->config->get('upload_progress'))) { if ($field_name = ini_get('apc.rfc1867_name')) { $this->output->set_env('upload_progress_name', $field_name); $this->output->set_env('upload_progress_time', (int) $seconds); @@ -2009,30 +2064,6 @@ } return $str; - } - - - /** - * Quote a given string. - * Shortcut function for rcube_utils::rep_specialchars_output() - * - * @return string HTML-quoted string - */ - public static function Q($str, $mode = 'strict', $newlines = true) - { - return rcube_utils::rep_specialchars_output($str, 'html', $mode, $newlines); - } - - - /** - * Quote a given string for javascript output. - * Shortcut function for rcube_utils::rep_specialchars_output() - * - * @return string JS-quoted string - */ - public static function JQ($str) - { - return rcube_utils::rep_specialchars_output($str, 'js'); } -- Gitblit v1.9.1
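Review bot: The `$jslist` entry is now keyed by `$folder['id']` while the `<li>` element two lines earlier is still identified as `"rcmli".$folder_id`; if the client-side list resolves entries by the element id, the two must agree, and the change of key deserves a comment explaining which id the client expects (the rendering code starts before this hunk). The `$html_name` passed to `html::a()` here is built with `$this->Q($foldername)` in the preceding hunk, yet the final hunk (@@ -2009) removes the static `Q()` and `JQ()` methods from this class; unless `Q()` is inherited or defined elsewhere in the file, that call now fails. The new toggle element uses `html::div('treetoggle ' . ($is_collapsed ? 'collapsed' : 'expanded'), ' ')`; if the single space is meant to keep the element non-empty for layout, a short comment would save the next reader from "fixing" it.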