From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/js/googiespell.js | 40 +++++++++++++++++++++++-----------------
 1 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/program/js/googiespell.js b/program/js/googiespell.js
index 96d612c..478858b 100644
--- a/program/js/googiespell.js
+++ b/program/js/googiespell.js
@@ -1,16 +1,22 @@
 /*
- SpellCheck - jQuery'fied spell checker based on GoogieSpell 4.0
- (which was published under GPL "version 2 or any later version")
-
- Copyright (C) 2006 Amir Salihefendic
- Copyright (C) 2009 Aleksander Machniak
- Copyright (C) 2011 Kolab Systems AG
- LICENSE
- GPL
- AUTHORS
- 4mir Salihefendic (http://amix.dk) - amix@amix.dk
- Aleksander Machniak - alec [at] alec.pl
+ +-----------------------------------------------------------------------+
+ | Roundcube SpellCheck script |
+ | jQuery'fied spell checker based on GoogieSpell 4.0 |
+ | (which was published under GPL "version 2 or any later version") |
+ | |
+ | This file is part of the Roundcube Webmail client |
+ | Copyright (C) 2006 Amir Salihefendic |
+ | Copyright (C) 2009 The Roundcube Dev Team |
+ | Copyright (C) 2011 Kolab Systems AG |
+ | |
+ | Licensed under the GNU General Public License version 3 or |
+ | any later version with exceptions for skins & plugins. |
+ | See the README file for a full license statement. |
+ | |
+ +-----------------------------------------------------------------------+
+ | Authors: 4mir Salihefendic <amix@amix.dk> |
+ | Aleksander Machniak - <alec [at] alec.pl> |
+ +-----------------------------------------------------------------------+
 */
 var GOOGIE_CUR_LANG,
@@ -19,7 +25,7 @@
 function GoogieSpell(img_dir, server_url, has_dict)
 {
 var ref = this,
- cookie_value = getCookie('language');
+ cookie_value = rcmail.get_cookie('language');
 GOOGIE_CUR_LANG = cookie_value != null ? cookie_value : GOOGIE_DEFAULT_LANG;
@@ -34,9 +40,9 @@
 this.org_lang_to_word = {
 "da": "Dansk", "de": "Deutsch", "en": "English",
- "es": "Español", "fr": "Français", "it": "Italiano",
- "nl": "Nederlands", "pl": "Polski", "pt": "Português",
- "fi": "Suomi", "sv": "Svenska"
+ "es": "Español", "fr": "Français", "it": "Italiano",
+ "nl": "Nederlands", "pl": "Polski", "pt": "Português",
+ "ru": "Русский", "fi": "Suomi", "sv": "Svenska"
 };
 this.lang_to_word = this.org_lang_to_word;
 this.langlist_codes = this.array_keys(this.lang_to_word);
@@ -144,7 +150,7 @@
 //Set cookie
 var now = new Date();
 now.setTime(now.getTime() + 365 * 24 * 60 * 60 * 1000);
- setCookie('language', lan_code, now);
+ rcmail.set_cookie('language', lan_code, now);
 };
 this.setForceWidthHeight = function(width, height)
-- Gitblit v1.9.1
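Review bot: In the `GoogieSpell` constructor the value of `rcmail.get_cookie('language')` is assigned to `GOOGIE_CUR_LANG` after only a null check, although a cookie is client-controlled and nothing here confirms it is one of the codes in `org_lang_to_word`. Where the value is consumed lies outside these hunks, so this is hedged, but I would fall back to the default for anything that does not look like a language code, for example `GOOGIE_CUR_LANG = /^[A-Za-z_-]{2,10}$/.test(cookie_value || '') ? cookie_value : GOOGIE_DEFAULT_LANG;`, and apply the same check to `lan_code` before `rcmail.set_cookie('language', lan_code, now)` in the last hunk. Both call sites also make this file depend on a global `rcmail` being defined before the constructor runs, which deserves a comment such as `// requires the global rcmail app object for cookie helpers`. The constructor and the function around the `set_cookie` call both continue outside the hunks.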