From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/lib/Roundcube/rcube_utils.php |   45 +++++++++++++++++++++++++++++++--------------
 1 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 4b68711..81b6a9b 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -156,7 +156,7 @@
     {
         // IPv6, but there's no build-in IPv6 support
         if (strpos($ip, ':') !== false && !defined('AF_INET6')) {
-            $parts = explode(':', $domain_part);
+            $parts = explode(':', $ip);
             $count = count($parts);
 
             if ($count > 8 || $count < 2) {
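Review bot: The corrected split now reads `$ip`, but the visible fallback only checks how many colon-separated segments there are, so a string such as `a:b` satisfies the count test while containing no hex groups at all. If the lines following the hunk do not validate each element of `$parts` (for example with `ctype_xdigit` on each non-empty segment, allowing a single empty run for `::`), the non-AF_INET6 path accepts inputs that are not IPv6 addresses; that remainder, and the function signature, are outside the hunk, so this is worth confirming rather than assumed.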
@@ -360,12 +360,8 @@
             return $value;
         }
 
-        // strip single quotes if magic_quotes_sybase is enabled
-        if (ini_get('magic_quotes_sybase')) {
-            $value = str_replace("''", "'", $value);
-        }
         // strip slashes if magic_quotes enabled
-        else if (get_magic_quotes_gpc() || get_magic_quotes_runtime()) {
+        if (get_magic_quotes_gpc() || get_magic_quotes_runtime()) {
             $value = stripslashes($value);
         }
 
@@ -721,16 +717,37 @@
      */
     public static function strtotime($date)
     {
+        $date = trim($date);
+
         // check for MS Outlook vCard date format YYYYMMDD
-        if (preg_match('/^([12][90]\d\d)([01]\d)(\d\d)$/', trim($date), $matches)) {
-            return mktime(0,0,0, intval($matches[2]), intval($matches[3]), intval($matches[1]));
-        }
-        else if (is_numeric($date)) {
-            return $date;
+        if (preg_match('/^([12][90]\d\d)([01]\d)([0123]\d)$/', $date, $m)) {
+            return mktime(0,0,0, intval($m[2]), intval($m[3]), intval($m[1]));
         }
 
-        // support non-standard "GMTXXXX" literal
-        $date = preg_replace('/GMT\s*([+-][0-9]+)/', '\\1', $date);
+        // common little-endian formats, e.g. dd/mm/yyyy (not all are supported by strtotime)
+        if (preg_match('/^(\d{1,2})[.\/-](\d{1,2})[.\/-](\d{4})$/', $date, $m)
+            && $m[1] > 0 && $m[1] <= 31 && $m[2] > 0 && $m[2] <= 12 && $m[3] >= 1970
+        ) {
+            return mktime(0,0,0, intval($m[2]), intval($m[1]), intval($m[3]));
+        }
+
+        // unix timestamp
+        if (is_numeric($date)) {
+            return (int) $date;
+        }
+
+        // Clean malformed data
+        $date = preg_replace(
+            array(
+                '/GMT\s*([+-][0-9]+)/',                   // support non-standard "GMTXXXX" literal
+                '/[^a-z0-9\x20\x09:+-]/i',                // remove any invalid characters
+                '/\s*(Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s*/i', // remove weekday names
+            ),
+            array(
+                '\\1',
+                '',
+                '',
+            ), $date);
 
         // if date parsing fails, we have a date in non-rfc format.
         // remove token from the end and try again
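Review bot: The little-endian branch validates day and month only by range, so an impossible date such as `31/02/2013` passes the guard and `mktime()` silently rolls it into March rather than rejecting it; the same applies to the vCard pattern, whose `([0123]\d)` group admits day `00` and `32`–`39`. Replacing the range checks with `checkdate()` makes both branches refuse such input: `&& checkdate(intval($m[2]), intval($m[1]), intval($m[3])) && $m[3] >= 1970` for the dd/mm/yyyy case, and an equivalent `checkdate(intval($m[2]), intval($m[3]), intval($m[1]))` guard before the first `mktime()`. Separately, the weekday-stripping pattern matches only the three-letter prefix, so `Monday` or `Saturday` leaves `day`/`urday` behind for `strtotime()` to trip over; anchoring it as `'/\s*\b(Mon|Tue|Wed|Thu|Fri|Sat|Sun)[a-z]*\b\s*/i'` removes the full name. The token-stripping loop that follows, and the function's end, are outside the hunk.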
@@ -743,7 +760,7 @@
             $date = implode(' ', $d);
         }
 
-        return $ts;
+        return (int) $ts;
     }
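Review bot: Casting the result to int on the changed `return` line turns a failed parse into `0`, because PHP's `strtotime()` yields `false` when every retry in the loop above fails, and `(int) false` is `0`; a caller that previously tested `=== false` now receives a valid-looking epoch timestamp instead of a failure signal. If `$ts` can still be `false` at this point (the loop that assigns it starts before the hunk), consider `return $ts === false ? false : (int) $ts;` or documenting in the method's docblock that `0` now denotes an unparsable date so callers can check for it.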
 
 

--
Gitblit v1.9.1