Changeset 719a257 in github

Timestamp:

Aug 10, 2007 4:27:40 AM (6 years ago)

Author:

thomascube <thomas@…>

Branches:

master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8

Children:

31d9efd

Parents:

4b9efbb

Message:

Some bugfixes, security issues + minor improvements

Files:

• CHANGELOG (modified) (2 diffs)
• index.php (modified) (3 diffs)
• program/include/main.inc (modified) (1 diff)
• program/include/rcmail_template.inc (modified) (1 diff)
• program/include/rcube_imap.inc (modified) (4 diffs)
• program/js/app.js (modified) (4 diffs)
• program/steps/mail/func.inc (modified) (5 diffs)
• program/steps/mail/get.inc (modified) (2 diffs)
• program/steps/mail/show.inc (modified) (1 diff)
• program/steps/settings/manage_folders.inc (modified) (2 diffs)

CHANGELOG

@@ -1 +1 @@
 CHANGELOG RoundCube Webmail
 ---------------------------
+
+2007/08/09 (thomasb)
+----------
+- Identify mailboxes case-sensitive
+- Sort mailbox list case-insensitive (closes #1484338)
+- Fix display of multipart messages from Apple Mail (closes #1484027)
+- Protect AJAX request from being fetched by a foreign site (XSS)
+- Make autocomplete for loginform configurable by the skin template
+
 
 2007/07/09 (richs)
@@ -13 +22 @@
 - Increased "mailboxcontrols" mail.css width from 160 to 170px to fix non-english languages 
 - Fixed empty-message sending with TinyMCE plain-text mode, or if it's not installed
+
 
 2007/07/03 (thomasb)

index.php

@@ -3 +3 @@
  +-----------------------------------------------------------------------+
  | RoundCube Webmail IMAP Client                                         |
- | Version 0.1-20070518                                                  |
+ | Version 0.1-20070809                                                  |
  |                                                                       |
  | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland                 |
@@ -42 +42 @@
 
 // application constants
-define('RCMAIL_VERSION', '0.1-20070517');
+define('RCMAIL_VERSION', '0.1-20070809');
 define('RCMAIL_CHARSET', 'UTF-8');
 define('JS_OBJECT_NAME', 'rcmail');
@@ -218 +218 @@
 }
 
+
+// check client X-header to verify request origin
+if ($OUTPUT->ajax_call)
+{
+  $hdrs = getallheaders();
+  if (empty($hdrs['X-RoundCube-Referer']) && empty($CONFIG['devel_mode']))
+  {
+    header('HTTP/1.1 404 Not Found');
+    die("Invalid Request");
+  }
+}
 
 

program/include/main.inc

@@ -235 +235 @@
   if (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < time())
     $valid = false;
+    
+  if (!$valid)
+    write_log('timeouts', $_SESSION + array('SESS_CLIENT_IP' => $SESS_CLIENT_IP, 'SESS_CHANGED' => $SESS_CHANGED, 'COOKIE' => $_COOKIE));
 
   return $valid;

program/include/rcmail_template.inc

@@ -746 +746 @@
   $labels['host'] = rcube_label('server');
   
-  $input_user = new textfield(array('name' => '_user', 'id' => 'rcmloginuser', 'size' => 30, 'autocomplete' => 'off'));
-  $input_pass = new passwordfield(array('name' => '_pass', 'id' => 'rcmloginpwd', 'size' => 30));
+  $input_user = new textfield(array('name' => '_user', 'id' => 'rcmloginuser', 'size' => 30) + $attrib);
+  $input_pass = new passwordfield(array('name' => '_pass', 'id' => 'rcmloginpwd', 'size' => 30) + $attrib);
   $input_action = new hiddenfield(array('name' => '_action', 'value' => 'login'));
     

program/include/rcube_imap.inc

@@ -1375 +1375 @@
     if (!in_array($to_mbox, $this->_list_mailboxes()))
       {
-      if (in_array(strtolower($to_mbox), $this->default_folders))
+      if (in_array($to_mbox, $this->default_folders))
         $this->create_mailbox($to_mbox, TRUE);
       else
@@ -1659 +1659 @@
     $a_mailbox_cache = $this->get_cache('mailboxes');
 
-    if (strlen($abs_name) && (!is_array($a_mailbox_cache) || !in_array_nocase($abs_name, $a_mailbox_cache)))
+    if (strlen($abs_name) && (!is_array($a_mailbox_cache) || !in_array($abs_name, $a_mailbox_cache)))
       $result = iil_C_CreateFolder($this->conn, $abs_name);
 
     // try to subscribe it
-    if ($subscribe)
+    if ($result && $subscribe)
       $this->subscribe($name);
 
@@ -1769 +1769 @@
       {
       $abs_name = $this->_mod_mailbox($folder);
-      if (!in_array_nocase($abs_name, $a_subscribed))
-        {
-        if (!in_array_nocase($abs_name, $a_folders))
-          $this->create_mailbox($folder, TRUE);
-        else
-          $this->subscribe($folder);
-        }
-      else if (!in_array_nocase($abs_name, $a_folders))
-        {
-        $this->create_mailbox($folder, FALSE);
-        }
+      if (!in_array_nocase($abs_name, $a_folders))
+        $this->create_mailbox($folder, TRUE);
+      else if (!in_array_nocase($abs_name, $a_subscribed))
+        $this->subscribe($folder);
       }
     }
@@ -2434 +2427 @@
       }
 
-    sort($a_out);
+    natcasesort($a_out);
     ksort($a_defaults);
     

program/js/app.js

@@ -464 +464 @@
 
       case 'logout':
-        this.goto_url('logout');
+        this.goto_url('logout', true);
         break;      
 
@@ -3196 +3196 @@
   this.redirect = function(url, lock)
     {
-    if (lock || lock == NULL)
+    if (lock || lock === null)
       this.set_busy(true);
 
@@ -3499 +3499 @@
       }
 
-    var ref = this;
+    var _ref = this;
     this.url = url;
     this.busy = true;
 
-    this.xmlhttp.onreadystatechange = function(){ ref.xmlhttp_onreadystatechange(); };
+    this.xmlhttp.onreadystatechange = function(){ _ref.xmlhttp_onreadystatechange(); };
     this.xmlhttp.open('GET', url);
+    this.xmlhttp.setRequestHeader('X-RoundCube-Referer', bw.get_cookie('sessid'));
     this.xmlhttp.send(null);
     };
@@ -3538 +3539 @@
     this.xmlhttp.open('POST', url, true);
     this.xmlhttp.setRequestHeader('Content-Type', contentType);
+    this.xmlhttp.setRequestHeader('X-RoundCube-Referer', bw.get_cookie('sessid'));
     this.xmlhttp.send(req_body);
     };

program/steps/mail/func.inc

@@ -647 +647 @@
     foreach ($structure->parts as $p => $sub_part)
       {
+      $rel_parts = $attachmnts = null;
       $sub_ctype_primary = strtolower($sub_part->ctype_primary);
       $sub_ctype_secondary = strtolower($sub_part->ctype_secondary);
@@ -657 +658 @@
       else if ($sub_ctype_primary=='text' && $sub_ctype_secondary=='enriched')
         $enriched_part = $p;
-      else if ($sub_ctype_primary=='multipart' && $sub_ctype_secondary=='related')
+      else if ($sub_ctype_primary=='multipart' && ($sub_ctype_secondary=='related' || $sub_ctype_secondary=='mixed'))
         $related_part = $p;
       }
-
+      
     // parse related part (alternative part could be in here)
-    if ($related_part!==NULL && $prefer_html)
-      {
-      list($parts, $attachmnts) = rcmail_parse_message($structure->parts[$related_part], $arg, TRUE);
-      $a_return_parts = array_merge($a_return_parts, $parts);
+    if ($related_part!==NULL)
+    {
+      list($rel_parts, $attachmnts) = rcmail_parse_message($structure->parts[$related_part], $arg, TRUE);
       $a_attachments = array_merge($a_attachments, $attachmnts);
-      }
-
-    // print html/plain part
+    }
+    
+    // merge related parts if any
+    if ($rel_parts && $prefer_html && !$html_part)
+      $a_return_parts = array_merge($a_return_parts, $rel_parts);
+
+    // choose html/plain part to print
     else if ($html_part!==NULL && $prefer_html)
       $print_part = &$structure->parts[$html_part];
@@ -684 +688 @@
       }
     // show plaintext warning
-    else if ($html_part!==NULL)
+    else if ($html_part!==NULL && empty($a_return_parts))
       {
       $c = new stdClass;
@@ -914 +918 @@
   
   // list images after mail body
-  if (get_boolean($attrib['showimages']) && $ctype_primary=='multipart' && $ctype_secondary=='mixed' &&
-      sizeof($MESSAGE['attachments']) && !strstr($message_body, '<html') && strlen($GET_URL))
+  if (get_boolean($attrib['showimages']) && $ctype_primary=='multipart' &&
+      !empty($MESSAGE['attachments']) && !strstr($message_body, '<html') && strlen($GET_URL))
     {
     foreach ($MESSAGE['attachments'] as $attach_prop)
@@ -1240 +1244 @@
   $ctype_primary = strtolower($part->ctype_primary);
 
-  $attrib['src'] = './?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']);
+  $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']));
 
   $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'src', 'width', 'height'));

program/steps/mail/get.inc

@@ -30 +30 @@
 
   print "<html>\n<head>\n" .
-        '<meta http-equiv="refresh" content="0; url='.htmlspecialchars($url).'">' .
+        '<meta http-equiv="refresh" content="0; url='.Q($url).'">' .
         "\n</head>\n<body>" .
         $message .
@@ -108 +108 @@
       {
       header(sprintf('Content-Disposition: %s; filename="%s";',
-                     $part->disposition ? $part->disposition : 'attachment',
+                     $_GET['_download'] ? 'attachment' : 'inline',
                      $part->filename ? $part->filename : "roundcube.$ctype_secondary"));
 

program/steps/mail/show.inc

@@ -49 +49 @@
   if ((bool)get_input_value('_safe', RCUBE_INPUT_GET))
     send_nocacheing_headers();
-  else
+  else if (empty($CONFIG['devel_mode']))
     send_modified_header($_SESSION['login_time'], $etag);
 

program/steps/settings/manage_folders.inc

@@ -28 +28 @@
   {
   if ($mboxes = get_input_value('_mboxes', RCUBE_INPUT_POST))
-    $IMAP->subscribe(array($mboxes));
+    $IMAP->subscribe($mboxes);
 
   if ($OUTPUT->ajax_call)
@@ -38 +38 @@
   {
   if ($mboxes = get_input_value('_mboxes', RCUBE_INPUT_POST))
-    $IMAP->unsubscribe(array($mboxes));
+    $IMAP->unsubscribe($mboxes);
 
   if ($OUTPUT->ajax_call)