From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/lib/Roundcube/rcube_config.php |   32 ++++++++++++++++++++++++++------
 1 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/program/lib/Roundcube/rcube_config.php b/program/lib/Roundcube/rcube_config.php
index 2190dc4..53d22e1 100644
--- a/program/lib/Roundcube/rcube_config.php
+++ b/program/lib/Roundcube/rcube_config.php
@@ -174,7 +174,7 @@
             ob_end_clean();
 
             if (is_array($rcmail_config)) {
-                $this->prop = array_merge($this->prop, $rcmail_config, $this->userprefs);
+                $this->merge($rcmail_config);
                 return true;
             }
         }
@@ -192,11 +192,8 @@
      */
     public function get($name, $def = null)
     {
-        if (isset($this->prop[$name])) {
+        if (array_key_exists($name, $this->prop)) {
             $result = $this->prop[$name];
-        }
-        else if (isset($this->legacy_props[$name])) {
-            return $this->get($this->legacy_props[$name], $def);
         }
         else {
             $result = $def;
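Review bot: Switching the lookup on the new line to array_key_exists changes what get() returns for an option that is present but set to null: isset skipped it and fell through to `$def`, whereas now null itself is returned. If callers rely on `$def` as the fallback for explicitly-null config values this is a behavioural change the commit does not call out; if it is intended, the docblock that closes just above the hunk should say so, e.g. `* Returns $def only when the option is absent; an option explicitly set to null is returned as null.` The removed legacy_props fallback also means a caller asking for an old option name now gets `$def` rather than the renamed option's value, which deserves a sentence in the same docblock. get()'s body continues past the end of the hunk.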
@@ -240,6 +237,7 @@
      */
     public function merge($prefs)
     {
+        $prefs = $this->fix_legacy_props($prefs);
         $this->prop = array_merge($this->prop, $prefs, $this->userprefs);
     }
 
@@ -252,6 +250,8 @@
      */
     public function set_user_prefs($prefs)
     {
+        $prefs = $this->fix_legacy_props($prefs);
+
         // Honor the dont_override setting for any existing user preferences
         $dont_override = $this->get('dont_override');
         if (is_array($dont_override) && !empty($dont_override)) {
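Review bot: The reason the legacy-name mapping on the added line has to run before the dont_override check is not stated, and it is the ordering that matters in this fix: if the conversion ran after the check, a preference supplied under an old option name would slip past a dont_override entry keyed by the current name. A short comment would pin that down, e.g. `// Normalise legacy option names first so dont_override (keyed by current names) also covers their old aliases`. The same call added to merge() in the previous hunk could carry a one-line version of the same comment. set_user_prefs continues beyond the hunk, and the contents of dont_override are not visible here, so I am inferring it is a list of current option names.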
@@ -285,7 +285,7 @@
     /**
      * Getter for all config options
      *
-     * @return array  Hash array containg all config properties
+     * @return array  Hash array containing all config properties
      */
     public function all()
     {
@@ -435,4 +435,24 @@
         return date_default_timezone_get();
     }
 
+    /**
+     * Convert legacy options into new ones
+     *
+     * @param array $props Hash array with config props
+     *
+     * @return array Converted config props
+     */
+    private function fix_legacy_props($props)
+    {
+        foreach ($this->legacy_props as $new => $old) {
+            if (isset($props[$old])) {
+                if (!isset($props[$new])) {
+                    $props[$new] = $props[$old];
+                }
+                unset($props[$old]);
+            }
+        }
+
+        return $props;
+    }
 }
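Review bot: fix_legacy_props tests both the old and the new key with isset, while get() in this same commit moved to array_key_exists; as a result a legacy key whose value is null is neither migrated nor removed and survives in the merged props under its old name, and an existing new key explicitly set to null is overwritten by the legacy value. Using `if (array_key_exists($old, $props)) {` and `if (!array_key_exists($new, $props)) {` keeps the two methods consistent and ensures no name listed in legacy_props reaches $this->prop. The parameter is documented as an array but not declared as one, so a non-array argument passes through unchanged without any signal; an `array` type hint or an is_array guard at the top would make that contract explicit, though whether every caller already guarantees an array is not visible from this hunk.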

--
Gitblit v1.9.1