From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)

---
 plugins/virtuser_query/virtuser_query.php |   26 +++++++++++++++++++++++---
 1 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/plugins/virtuser_query/virtuser_query.php b/plugins/virtuser_query/virtuser_query.php
index 88001d4..a0b7482 100644
--- a/plugins/virtuser_query/virtuser_query.php
+++ b/plugins/virtuser_query/virtuser_query.php
@@ -12,17 +12,19 @@
  * The email query could optionally select identity data columns in specified order:
  *    name, organization, reply-to, bcc, signature, html_signature
  *
- * $rcmail_config['virtuser_query'] = array('email' => '', 'user' => '', 'host' => '');
+ * $config['virtuser_query'] = array('email' => '', 'user' => '', 'host' => '', 'alias' => '');
  *
  * The email query can return more than one record to create more identities.
  * This requires identities_level option to be set to value less than 2.
  *
  * By default Roundcube database is used. To use different database (or host)
- * you can specify DSN string in $rcmail_config['virtuser_query_dsn'] option.
+ * you can specify DSN string in $config['virtuser_query_dsn'] option.
  *
  * @version @package_version@
  * @author Aleksander Machniak <alec@alec.pl>
  * @author Steffen Vogel
+ * @author Tim Gerundt
+ * @license GNU GPLv3+
  */
 class virtuser_query extends rcube_plugin
 {
@@ -48,6 +50,9 @@
             }
             if ($this->config['host']) {
                 $this->add_hook('authenticate', array($this, 'user2host'));
+            }
+            if ($this->config['alias']) {
+                $this->add_hook('authenticate', array($this, 'alias2user'));
             }
         }
     }
@@ -122,6 +127,22 @@
     }
 
     /**
+     * Alias > User
+     */
+    function alias2user($p)
+    {
+        $dbh = $this->get_dbh();
+
+        $sql_result = $dbh->query(preg_replace('/%u/', $dbh->escape($p['user']), $this->config['alias']));
+
+        if ($sql_arr = $dbh->fetch_array($sql_result)) {
+            $p['user'] = $sql_arr[0];
+        }
+
+        return $p;
+    }
+
+    /**
      * Initialize database handler
      */
     function get_dbh()
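Review bot: In alias2user the substitution `preg_replace('/%u/', $dbh->escape($p['user']), ...)` passes the escaped login name as a regex replacement string, where `$0`, `${1}` or `\1` sequences are interpreted as backreferences, so a login containing such a sequence is not inserted verbatim into the query even after escape(); use a plain substitution instead, `$sql_result = $dbh->query(str_replace('%u', $dbh->escape($p['user']), $this->config['alias']));`. The query is still assembled by string replacement, so correctness also depends on the configured `alias` template enclosing `%u` in quotes, which the header comment above should state for this new option. If `$dbh->query()` can return false on an invalid template (it appears to elsewhere in rcube_db), `fetch_array($sql_result)` should be guarded with `if ($sql_result && ...)`; this mirrors the pattern in the neighbouring user2host method, which lies outside the hunk.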
@@ -142,4 +163,3 @@
     }
 
 }
-

--
Gitblit v1.9.1