From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 06 May 2016 02:32:01 -0400 Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
plugins/new_user_dialog/new_user_dialog.php | 94 ++++++++++++++++++++++++++++++---------------- 1 files changed, 61 insertions(+), 33 deletions(-)
diff --git a/plugins/new_user_dialog/new_user_dialog.php b/plugins/new_user_dialog/new_user_dialog.php
index 9c9dcce..4203f93 100644
--- a/plugins/new_user_dialog/new_user_dialog.php
+++ b/plugins/new_user_dialog/new_user_dialog.php
@@ -10,10 +10,12 @@ * @version @package_version@ * @license GNU GPLv3+ * @author Thomas Bruederli + * @author Aleksander Machniak */ class new_user_dialog extends rcube_plugin { public $task = 'login|mail'; + public $noframe = true; function init() {
@@ -32,8 +34,9 @@ function create_identity($p) { // set session flag when a new user was created and the default identity seems to be incomplete - if ($p['login'] && !$p['complete']) + if ($p['login'] && !$p['complete']) { $_SESSION['plugin.newuserdialog'] = true; + } } /** 
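Review bot: `public $noframe = true;` is a new plugin flag with no comment saying why this plugin must opt out of framed mode; presumably it keeps the dialog and its `docready` script out of the framed views, but that is not visible here, so a one-line comment such as `// keep the dialog out of framed views; it belongs to the main window only (see rcube_plugin::$noframe)` would save the next reader a lookup. The class body continues outside the hunk. Separately, the patch subject refers to an XSS fix in an `area` `href` attribute, which nothing in this file touches; the subject appears to belong to a different change, so it is worth checking the export before relying on it for triage.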
@@ -56,22 +59,24 @@ $table->add(null, html::tag('input', array( 'type' => 'text', 'name' => '_name', - 'value' => $identity['name'] + 'value' => $identity['name'], + 'disabled' => $identities_level == 4 ))); $table->add('title', $this->gettext('email')); $table->add(null, html::tag('input', array( 'type' => 'text', 'name' => '_email', - 'value' => rcube_idn_to_utf8($identity['email']), - 'disabled' => ($identities_level == 1 || $identities_level == 3) + 'value' => rcube_utils::idn_to_utf8($identity['email']), + 'disabled' => in_array($identities_level, array(1, 3, 4)) ))); $table->add('title', $this->gettext('organization')); $table->add(null, html::tag('input', array( 'type' => 'text', 'name' => '_organization', - 'value' => $identity['organization'] + 'value' => $identity['organization'], + 'disabled' => $identities_level == 4 ))); $table->add('title', $this->gettext('signature')); 
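Review bot: The identities_level to locked-field mapping now lives in two places that must agree, the three `'disabled' =>` expressions here and the `$disabled` array in save_data() (hunk @@ -107,39); if they drift, a field rendered editable is silently replaced with the stored value on save, or an uneditable one is accepted. A private helper returning the locked field names, called from both sites, removes the duplication, and `in_array(..., true)` avoids the loose comparison in `in_array($identities_level, array(1, 3, 4))` (harmless if `$identities_level` is intval()'d where it is read, which is outside this hunk). The enclosing method starts and ends outside the hunk; the helper below would sit next to save_data().
```php
// … unchanged: identity / identities_level setup …
$locked = $this->locked_fields($identities_level);
// … unchanged: 'name' input …
    'disabled' => in_array('name', $locked, true)
// … unchanged: 'email' input …
    'disabled' => in_array('email', $locked, true)
// … unchanged: 'organization' input …
    'disabled' => in_array('organization', $locked, true)

/**
 * Identity fields the user may not edit at the given identities_level.
 * save_data() uses the same list to restore them from the stored identity.
 */
private function locked_fields($level)
{
    if ($level == 4) {
        return array('name', 'email', 'organization');
    }
    if ($level == 1 || $level == 3) {
        return array('email');
    }
    return array();
}
```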
@@ -86,20 +91,30 @@ 'id' => 'newuserdialog', 'action' => $rcmail->url('plugin.newusersave'), 'method' => 'post'), - html::tag('h3', null, Q($this->gettext('identitydialogtitle'))) . - html::p('hint', Q($this->gettext('identitydialoghint'))) . + html::p('hint', rcube::Q($this->gettext('identitydialoghint'))) . $table->show() . html::p(array('class' => 'formbuttons'), html::tag('input', array('type' => 'submit', 'class' => 'button mainaction', 'value' => $this->gettext('save')))) )); + $title = rcube::JQ($this->gettext('identitydialogtitle')); + // disable keyboard events for messages list (#1486726) - $rcmail->output->add_script( - "rcmail.message_list.key_press = function(){}; - rcmail.message_list.key_down = function(){}; - $('#newuserdialog').show().dialog({ modal:true, resizable:false, closeOnEscape:false, width:420 }); - $('input[name=_name]').focus(); + $rcmail->output->add_script(" + $('#newuserdialog').show() + .dialog({modal:true, resizable:false, closeOnEscape:false, width:450, title:'$title'}) + .submit(function() { + var i, request = {}, form = $(this).serializeArray(); + + for (i in form) + request[form[i].name] = form[i].value; + + rcmail.http_post('plugin.newusersave', request, true); + return false; + }); + $('input[name=_name]').focus(); + rcube_webmail.prototype.new_user_dialog_close = function() { $('#newuserdialog').dialog('close'); } ", 'docready'); $this->include_stylesheet('newuserdialog.css'); 
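Review bot: `for (i in form)` iterates the array returned by `serializeArray()` with for-in, which also visits any enumerable property added to `Array.prototype` and does not guarantee index order; a counted loop is the safe form here, `for (i = 0; i < form.length; i++)`. The title is placed inside a single-quoted JS string literal (`title:'$title'`), so `rcube::JQ()` is the right escaper for that position, and a later switch to `rcube::Q()` would be wrong for this context; a short comment on the `$title` line, `// JQ(): value lands inside a JS string literal, not in HTML`, would record that. The enclosing method starts and ends outside this hunk.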
@@ -107,39 +122,52 @@ } /** - * Handler for submitted form + * Handler for submitted form (ajax request) * * Check fields and save to default identity if valid. * Afterwards the session flag is removed and we're done. */ function save_data() { - $rcmail = rcmail::get_instance(); - $identity = $rcmail->user->get_identity(); - $identities_level = intval($rcmail->config->get('identities_level', 0)); + $rcmail = rcmail::get_instance(); + $identity = $rcmail->user->get_identity(); + $ident_level = intval($rcmail->config->get('identities_level', 0)); + $disabled = array(); $save_data = array( - 'name' => get_input_value('_name', RCUBE_INPUT_POST), - 'email' => get_input_value('_email', RCUBE_INPUT_POST), - 'organization' => get_input_value('_organization', RCUBE_INPUT_POST), - 'signature' => get_input_value('_signature', RCUBE_INPUT_POST), + 'name' => rcube_utils::get_input_value('_name', rcube_utils::INPUT_POST), + 'email' => rcube_utils::get_input_value('_email', rcube_utils::INPUT_POST), + 'organization' => rcube_utils::get_input_value('_organization', rcube_utils::INPUT_POST), + 'signature' => rcube_utils::get_input_value('_signature', rcube_utils::INPUT_POST), ); - // don't let the user alter the e-mail address if disabled by config - if ($identities_level == 1 || $identities_level == 3) - $save_data['email'] = $identity['email']; - else - $save_data['email'] = rcube_idn_to_ascii($save_data['email']); - - // save data if not empty - if (!empty($save_data['name']) && !empty($save_data['email'])) { - $rcmail->user->update_identity($identity['identity_id'], $save_data); - $rcmail->session->remove('plugin.newuserdialog'); + if ($ident_level == 4) { + $disabled = array('name', 'email', 'organization'); + } + else if (in_array($ident_level, array(1, 3))) { + $disabled = array('email'); } - $rcmail->output->redirect(''); + foreach ($disabled as $key) { + $save_data[$key] = $identity[$key]; + } + + if (empty($save_data['name']) || empty($save_data['email'])) { + 
$rcmail->output->show_message('formincomplete', 'error'); + } + else if (!rcube_utils::check_email($save_data['email'] = rcube_utils::idn_to_ascii($save_data['email']))) { + $rcmail->output->show_message('emailformaterror', 'error', array('email' => $save_data['email'])); + } + else { + // save data + $rcmail->user->update_identity($identity['identity_id'], $save_data); + $rcmail->session->remove('plugin.newuserdialog'); + // hide dialog + $rcmail->output->command('new_user_dialog_close'); + $rcmail->output->show_message('successfullysaved', 'confirmation'); + } + + $rcmail->output->send(); } } - -?> -- Gitblit v1.9.1
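Review bot: The `emailformaterror` branch feeds the user-submitted (punycode-converted) address back into a notice via `show_message(..., array('email' => ...))`; that is safe only if `show_message()` HTML-escapes its `$vars` before the client renders the text, which is not visible in this file and is worth confirming given the purpose of this patch. The assignment hidden inside the condition, `check_email($save_data['email'] = rcube_utils::idn_to_ascii(...))`, is easy to misread; `$save_data['email'] = rcube_utils::idn_to_ascii($save_data['email']);` on its own line followed by `else if (!rcube_utils::check_email($save_data['email']))` says the same thing plainly. Note also that `empty()` treats the string `'0'` as missing, so a name of `0` is reported as `formincomplete`; `$save_data['name'] === ''` would be the precise test if that matters.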