From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/lib/Roundcube/rcube_utils.php |  101 +++++++++++++++-----------------------------------
 1 files changed, 31 insertions(+), 70 deletions(-)

diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index df77dfe..81b6a9b 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -2,8 +2,6 @@
 
 /*
  +-----------------------------------------------------------------------+
- | program/include/rcube_utils.php                                       |
- |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2008-2012, The Roundcube Dev Team                       |
  | Copyright (C) 2011-2012, Kolab Systems AG                             |
@@ -19,7 +17,6 @@
  | Author: Aleksander Machniak <alec@alec.pl>                            |
  +-----------------------------------------------------------------------+
 */
-
 
 /**
  * Utility class providing common functions
@@ -159,7 +156,7 @@
     {
         // IPv6, but there's no build-in IPv6 support
         if (strpos($ip, ':') !== false && !defined('AF_INET6')) {
-            $parts = explode(':', $domain_part);
+            $parts = explode(':', $ip);
             $count = count($parts);
 
             if ($count > 8 || $count < 2) {
@@ -363,12 +360,8 @@
             return $value;
         }
 
-        // strip single quotes if magic_quotes_sybase is enabled
-        if (ini_get('magic_quotes_sybase')) {
-            $value = str_replace("''", "'", $value);
-        }
         // strip slashes if magic_quotes enabled
-        else if (get_magic_quotes_gpc() || get_magic_quotes_runtime()) {
+        if (get_magic_quotes_gpc() || get_magic_quotes_runtime()) {
             $value = stripslashes($value);
         }
 
@@ -430,59 +423,6 @@
         else {
             return asciiwords($str, true, '_');
         }
-    }
-
-
-    /**
-     * Create an edit field for inclusion on a form
-     *
-     * @param string col field name
-     * @param string value field value
-     * @param array attrib HTML element attributes for field
-     * @param string type HTML element type (default 'text')
-     *
-     * @return string HTML field definition
-     */
-    public static function get_edit_field($col, $value, $attrib, $type = 'text')
-    {
-        static $colcounts = array();
-
-        $fname = '_'.$col;
-        $attrib['name']  = $fname . ($attrib['array'] ? '[]' : '');
-        $attrib['class'] = trim($attrib['class'] . ' ff_' . $col);
-
-        if ($type == 'checkbox') {
-            $attrib['value'] = '1';
-            $input = new html_checkbox($attrib);
-        }
-        else if ($type == 'textarea') {
-            $attrib['cols'] = $attrib['size'];
-            $input = new html_textarea($attrib);
-        }
-        else if ($type == 'select') {
-            $input = new html_select($attrib);
-            $input->add('---', '');
-            $input->add(array_values($attrib['options']), array_keys($attrib['options']));
-        }
-        else if ($attrib['type'] == 'password') {
-            $input = new html_passwordfield($attrib);
-        }
-        else {
-            if ($attrib['type'] != 'text' && $attrib['type'] != 'hidden') {
-                $attrib['type'] = 'text';
-            }
-            $input = new html_inputfield($attrib);
-        }
-
-        // use value from post
-        if (isset($_POST[$fname])) {
-            $postvalue = self::get_input_value($fname, self::INPUT_POST, true);
-            $value = $attrib['array'] ? $postvalue[intval($colcounts[$col]++)] : $postvalue;
-        }
-
-        $out = $input->show($value);
-
-        return $out;
     }
 
 
@@ -777,16 +717,37 @@
      */
     public static function strtotime($date)
     {
+        $date = trim($date);
+
         // check for MS Outlook vCard date format YYYYMMDD
-        if (preg_match('/^([12][90]\d\d)([01]\d)(\d\d)$/', trim($date), $matches)) {
-            return mktime(0,0,0, intval($matches[2]), intval($matches[3]), intval($matches[1]));
-        }
-        else if (is_numeric($date)) {
-            return $date;
+        if (preg_match('/^([12][90]\d\d)([01]\d)([0123]\d)$/', $date, $m)) {
+            return mktime(0,0,0, intval($m[2]), intval($m[3]), intval($m[1]));
         }
 
-        // support non-standard "GMTXXXX" literal
-        $date = preg_replace('/GMT\s*([+-][0-9]+)/', '\\1', $date);
+        // common little-endian formats, e.g. dd/mm/yyyy (not all are supported by strtotime)
+        if (preg_match('/^(\d{1,2})[.\/-](\d{1,2})[.\/-](\d{4})$/', $date, $m)
+            && $m[1] > 0 && $m[1] <= 31 && $m[2] > 0 && $m[2] <= 12 && $m[3] >= 1970
+        ) {
+            return mktime(0,0,0, intval($m[2]), intval($m[1]), intval($m[3]));
+        }
+
+        // unix timestamp
+        if (is_numeric($date)) {
+            return (int) $date;
+        }
+
+        // Clean malformed data
+        $date = preg_replace(
+            array(
+                '/GMT\s*([+-][0-9]+)/',                   // support non-standard "GMTXXXX" literal
+                '/[^a-z0-9\x20\x09:+-]/i',                // remove any invalid characters
+                '/\s*(Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s*/i', // remove weekday names
+            ),
+            array(
+                '\\1',
+                '',
+                '',
+            ), $date);
 
         // if date parsing fails, we have a date in non-rfc format.
         // remove token from the end and try again
@@ -799,7 +760,7 @@
             $date = implode(' ', $d);
         }
 
-        return $ts;
+        return (int) $ts;
     }
 
 

--
Gitblit v1.9.1