From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/lib/Roundcube/html.php |   39 ++++++++++++++++++++++++++-------------
 1 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php
index 8ff685a..1a4c3be 100644
--- a/program/lib/Roundcube/html.php
+++ b/program/lib/Roundcube/html.php
@@ -2,8 +2,6 @@
 
 /*
  +-----------------------------------------------------------------------+
- | program/include/html.php                                              |
- |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2005-2011, The Roundcube Dev Team                       |
  |                                                                       |
@@ -13,7 +11,6 @@
  |                                                                       |
  | PURPOSE:                                                              |
  |   Helper class to create valid XHTML code                             |
- |                                                                       |
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
@@ -37,6 +34,7 @@
     public static $lc_tags = true;
     public static $common_attrib = array('id','class','style','title','align');
     public static $containers = array('iframe','div','span','p','h1','h2','h3','form','textarea','table','thead','tbody','tr','th','td','style','script');
+
 
     /**
      * Constructor
@@ -172,7 +170,7 @@
             $attr = array('href' => $attr);
         }
         return self::tag('a', $attr, $cont, array_merge(self::$common_attrib,
-        array('href','target','name','rel','onclick','onmouseover','onmouseout','onmousedown','onmouseup')));
+            array('href','target','name','rel','onclick','onmouseover','onmouseout','onmousedown','onmouseup')));
     }
 
     /**
@@ -335,7 +333,16 @@
      */
     public static function quote($str)
     {
-        return @htmlspecialchars($str, ENT_COMPAT, RCMAIL_CHARSET);
+        static $flags;
+
+        if (!$flags) {
+            $flags = ENT_COMPAT;
+            if (defined('ENT_SUBSTITUTE')) {
+                $flags |= ENT_SUBSTITUTE;
+            }
+        }
+
+        return @htmlspecialchars($str, $flags, RCUBE_CHARSET);
     }
 }
 
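Review bot: The flag set in `quote()` still starts from `ENT_COMPAT`, so single quotes pass through unescaped, and any caller that places the result inside a single-quoted attribute or script string is not protected by this change. If no caller depends on literal apostrophes in the output, `$flags = ENT_QUOTES;` is the safer base; callers are not visible here, so this needs confirming. The `@` on `htmlspecialchars()` is kept, so a bad charset or (where `ENT_SUBSTITUTE` is undefined) an invalid byte sequence still fails silently. A one-line comment such as `// without ENT_SUBSTITUTE invalid sequences yield an empty string` would record that. The docblock for `quote()` begins outside the hunk.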
@@ -678,7 +685,7 @@
         }
 
         $cell = new stdClass;
-        $cell->attrib = $attr;
+        $cell->attrib  = $attr;
         $cell->content = $cont;
 
         $this->rows[$this->rowindex]->cells[$this->colindex] = $cell;
@@ -702,16 +709,16 @@
         }
 
         $cell = new stdClass;
-        $cell->attrib = $attr;
-        $cell->content = $cont;
+        $cell->attrib   = $attr;
+        $cell->content  = $cont;
         $this->header[] = $cell;
     }
 
-     /**
+    /**
      * Remove a column from a table
      * Useful for plugins making alterations
-     * 
-     * @param string $class 
+     *
+     * @param string $class
      */
     public function remove_column($class)
     {
@@ -764,6 +771,11 @@
             $index = $this->rowindex;
         }
 
+        // make sure row object exists (#1489094)
+        if (!$this->rows[$index]) {
+            $this->rows[$index] = new stdClass;
+        }
+
         $this->rows[$index]->attrib = $attr;
     }
 
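Review bot: The new guard `if (!$this->rows[$index])` reads an index that may not exist, which raises an undefined-index notice on exactly the path the check is meant to handle. Since rows hold objects, `if (!isset($this->rows[$index])) {` tests the same condition without the notice. The placeholder `stdClass` also has no `cells` property, while an earlier hunk shows cells being written as `$this->rows[...]->cells[...]`. If the rendering code iterates `cells` on every row, it may need `$this->rows[$index]->cells = array();` here; that code is outside the hunk, so this should be confirmed. The enclosing method starts above the hunk.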
@@ -791,8 +803,9 @@
      */
     public function show($attrib = null)
     {
-        if (is_array($attrib))
+        if (is_array($attrib)) {
             $this->attrib = array_merge($this->attrib, $attrib);
+        }
 
         $thead = $tbody = "";
 
@@ -834,7 +847,7 @@
      */
     public function size()
     {
-      return count($this->rows);
+        return count($this->rows);
     }
 
     /**

--
Gitblit v1.9.1