From e48f8945b32ab5b67f1cdeb53a37d3d196e31e4d Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 20 May 2016 05:19:01 -0400
Subject: [PATCH] Fix bug where message list columns could be in wrong order after column drag-n-drop and list sorting
---
program/include/rcmail.php | 174 +++++++++++++++++++++++++++++++++++++++++----------------
1 files changed, 124 insertions(+), 50 deletions(-)
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index f0c3631..a6a61a3 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -174,9 +174,11 @@
// set localization
setlocale(LC_ALL, $lang . '.utf8', $lang . '.UTF-8', 'en_US.utf8', 'en_US.UTF-8');
- // workaround for http://bugs.php.net/bug.php?id=18556
- if (PHP_VERSION_ID < 50500 && in_array($lang, array('tr_TR', 'ku', 'az_AZ'))) {
- setlocale(LC_CTYPE, 'en_US.utf8', 'en_US.UTF-8');
+ // Workaround for http://bugs.php.net/bug.php?id=18556
+ // Also strtoupper/strtolower and other methods are locale-aware
+ // for these locales it is problematic (#1490519)
+ if (in_array($lang, array('tr_TR', 'ku', 'az_AZ'))) {
+ setlocale(LC_CTYPE, 'en_US.utf8', 'en_US.UTF-8', 'C');
}
}
@@ -590,6 +592,8 @@
// try to log in
if (!$storage->connect($host, $username, $pass, $port, $ssl)) {
+ // Wait a second to slow down brute-force attacks (#1490549)
+ sleep(1);
return false;
}
@@ -760,49 +764,16 @@
}
/**
- * Generate a unique token to be used in a form request
- *
- * @return string The request token
- */
- public function get_request_token()
- {
- $sess_id = $_COOKIE[ini_get('session.name')];
-
- if (!$sess_id) {
- $sess_id = session_id();
- }
-
- $plugin = $this->plugins->exec_hook('request_token', array(
- 'value' => md5('RT' . $this->get_user_id() . $this->config->get('des_key') . $sess_id)));
-
- return $plugin['value'];
- }
-
- /**
- * Check if the current request contains a valid token
- *
- * @param int Request method
- *
- * @return boolean True if request token is valid false if not
- */
- public function check_request($mode = rcube_utils::INPUT_POST)
- {
- $token = rcube_utils::get_input_value('_token', $mode);
- $sess_id = $_COOKIE[ini_get('session.name')];
-
- return !empty($sess_id) && $token == $this->get_request_token();
- }
-
- /**
* Build a valid URL to this instance of Roundcube
*
* @param mixed Either a string with the action or url parameters as key-value pairs
* @param boolean Build an URL absolute to document root
* @param boolean Create fully qualified URL including http(s):// and hostname
+ * @param bool Return absolute URL in secure location
*
* @return string Valid application URL
*/
- public function url($p, $absolute = false, $full = false)
+ public function url($p, $absolute = false, $full = false, $secure = false)
{
if (!is_array($p)) {
if (strpos($p, 'http') === 0) {
@@ -828,9 +799,25 @@
}
}
+ $base_path = strval($_SERVER['REDIRECT_SCRIPT_URL'] ?: $_SERVER['SCRIPT_NAME']);
+ $base_path = preg_replace('![^/]+$!', '', $base_path);
+
+ if ($secure && ($token = $this->get_secure_url_token(true))) {
+ // add token to the url
+ $url = $token . '/' . $url;
+
+ // remove old token from the path
+ $base_path = rtrim($base_path, '/');
+ $base_path = preg_replace('/\/[a-f0-9]{' . strlen($token) . '}$/', '', $base_path);
+
+ // this need to be full url to make redirects work
+ $absolute = true;
+ }
+ else if ($secure && ($token = $this->get_request_token()))
+ $url .= $delm . '_token=' . urlencode($token);
+
if ($absolute || $full) {
// add base path to this Roundcube installation
- $base_path = preg_replace('![^/]+$!', '', strval($_SERVER['SCRIPT_NAME']));
if ($base_path == '') $base_path = '/';
$prefix = $base_path;
@@ -876,6 +863,28 @@
self::print_timer(RCMAIL_START, $log);
else
self::console($log);
+ }
+ }
+
+ /**
+ * CSRF attack prevention code
+ *
+ * @param int Request mode
+ */
+ public function request_security_check($mode = rcube_utils::INPUT_POST)
+ {
+ // check request token
+ if (!$this->check_request($mode)) {
+ self::raise_error(array(
+ 'code' => 403, 'type' => 'php',
+ 'message' => "Request security check failed"), false, true);
+ }
+
+ // check referer if configured
+ if ($this->config->get('referer_check') && !rcube_utils::check_referer()) {
+ self::raise_error(array(
+ 'code' => 403, 'type' => 'php',
+ 'message' => "Referer check failed"), true, true);
}
}
@@ -1581,7 +1590,7 @@
// skip folders in which it isn't possible to create subfolders
if (!empty($opts['skip_noinferiors'])) {
$attrs = $this->storage->folder_attributes($folder['id']);
- if ($attrs && in_array('\\Noinferiors', $attrs)) {
+ if ($attrs && in_array_nocase('\\Noinferiors', $attrs)) {
continue;
}
}
@@ -1788,8 +1797,9 @@
* @param string $fallback Fallback message label
* @param array $fallback_args Fallback message label arguments
* @param string $suffix Message label suffix
+ * @param array $params Additional parameters (type, prefix)
*/
- public function display_server_error($fallback = null, $fallback_args = null, $suffix = '')
+ public function display_server_error($fallback = null, $fallback_args = null, $suffix = '', $params = array())
{
$err_code = $this->storage->get_error_code();
$res_code = $this->storage->get_response_code();
@@ -1810,13 +1820,13 @@
$error = 'errornoperm';
}
// try to detect full mailbox problem and display appropriate message
- // there can be e.g. "Quota exceeded" or "quotum would exceed"
- else if (stripos($err_str, 'quot') !== false && stripos($err_str, 'exceed') !== false) {
+ // there can be e.g. "Quota exceeded" / "quotum would exceed" / "Over quota"
+ else if (stripos($err_str, 'quot') !== false && preg_match('/exceed|over/i', $err_str)) {
$error = 'erroroverquota';
}
else {
$error = 'servererrormsg';
- $args = array('msg' => $err_str);
+ $args = array('msg' => rcube::Q($err_str));
}
}
else if ($err_code < 0) {
@@ -1825,13 +1835,21 @@
else if ($fallback) {
$error = $fallback;
$args = $fallback_args;
+ $params['prefix'] = false;
}
if ($error) {
if ($suffix && $this->text_exists($error . $suffix)) {
$error .= $suffix;
}
- $this->output->show_message($error, 'error', $args);
+
+ $msg = $this->gettext(array('name' => $error, 'vars' => $args));
+
+ if ($params['prefix'] && $fallback) {
+ $msg = $this->gettext(array('name' => $fallback, 'vars' => $fallback_args)) . ' ' . $msg;
+ }
+
+ $this->output->show_message($msg, $params['type'] ?: 'error');
}
}
@@ -1910,7 +1928,8 @@
foreach ($emoticons as $idx => $file) {
// <img title="Cry" src="http://.../program/js/tinymce/plugins/emoticons/img/smiley-cry.gif" border="0" alt="Cry" />
- $search[] = '/<img title="[a-z ]+" src="https?:\/\/[a-z0-9_.\/-]+\/tinymce\/plugins\/emoticons\/img\/'.$file.'.gif"[^>]+\/>/i';
+ $file = preg_quote('program/js/tinymce/plugins/emoticons/img/' . $file . '.gif', '/');
+ $search[] = '/<img (title="[a-z ]+" )?src="[^"]+' . $file . '"[^>]+\/>/i';
$replace[] = $idx;
}
@@ -2059,16 +2078,15 @@
if (!empty($_GET['_thumbnail'])) {
$temp_dir = $this->config->get('temp_dir');
$thumbnail_size = 80;
- list(,$ext) = explode('/', $file['mimetype']);
$mimetype = $file['mimetype'];
$file_ident = $file['id'] . ':' . $file['mimetype'] . ':' . $file['size'];
$cache_basename = $temp_dir . '/' . md5($file_ident . ':' . $this->user->ID . ':' . $thumbnail_size);
- $cache_file = $cache_basename . '.' . $ext;
+ $cache_file = $cache_basename . '.thumb';
// render thumbnail image if not done yet
if (!is_file($cache_file)) {
if (!$file['path']) {
- $orig_name = $filename = $cache_basename . '.orig.' . $ext;
+ $orig_name = $filename = $cache_basename . '.tmp';
file_put_contents($orig_name, $file['data']);
}
else {
@@ -2192,7 +2210,7 @@
}
else {
$unit = 'B';
- $str = sprintf('%d ', $bytes) . $this->gettext();
+ $str = sprintf('%d ', $bytes) . $this->gettext($unit);
}
return $str;
@@ -2281,6 +2299,62 @@
return $result;
}
+ /**
+ * Get resource file content (with assets_dir support)
+ *
+ * @param string $name File name
+ */
+ public function get_resource_content($name)
+ {
+ if (!strpos($name, '/')) {
+ $name = "program/resources/$name";
+ }
+
+ $assets_dir = $this->config->get('assets_dir');
+
+ if ($assets_dir) {
+ $path = slashify($assets_dir) . $name;
+ if (@file_exists($path)) {
+ $name = $path;
+ }
+ }
+
+ return file_get_contents($name, false);
+ }
+
+ /**
+ * Converts HTML content into plain text
+ *
+ * @param string $html HTML content
+ * @param array $options Conversion parameters (width, links, charset)
+ *
+ * @return string Plain text
+ */
+ public function html2text($html, $options = array())
+ {
+ $default_options = array(
+ 'links' => true,
+ 'width' => 75,
+ 'body' => $html,
+ 'charset' => RCUBE_CHARSET,
+ );
+
+ $options = array_merge($default_options, (array) $options);
+
+ // Plugins may want to modify HTML in another/additional way
+ $options = $this->plugins->exec_hook('html2text', $options);
+
+ // Convert to text
+ if (!$options['abort']) {
+ $converter = new rcube_html2text($options['body'],
+ false, $options['links'], $options['width'], $options['charset']);
+
+ $options['body'] = rtrim($converter->get_text());
+ }
+
+ return $options['body'];
+ }
+
/************************************************************************
********* Deprecated methods (to be removed) *********
--
Gitblit v1.9.1