Changeset 930 in subversion

Timestamp:

Nov 25, 2007 12:34:19 PM (5 years ago)

Author:

thomasb

Message:

Fixed some potential security risks + updatedd changelog

Location:

trunk/roundcubemail

Files:

• CHANGELOG (modified) (1 diff)
• program/include/main.inc (modified) (1 diff)
• program/include/rcmail_template.inc (modified) (1 diff)
• program/include/rcube_html.inc (modified) (2 diffs)
• program/steps/addressbook/func.inc (modified) (1 diff)
• program/steps/mail/func.inc (modified) (4 diffs)
• program/steps/mail/get.inc (modified) (3 diffs)
• program/steps/mail/sendmail.inc (modified) (1 diff)
• program/steps/mail/show.inc (modified) (2 diffs)

trunk/roundcubemail/CHANGELOG

@@ -1 +1 @@
 CHANGELOG RoundCube Webmail
 ---------------------------
+
+2007/11/25 (thomasb)
+----------
+- Applied UID fetch patch by Glen Ogilvie
+- Applied patch for correct Postgres instructions from ticket #1484674
+- Fix overriding of session vars when register_globals is on (#1484670)
+- Fix wrong Postgres setup instructions in INSTALL (#1484674)
+- Fix bug with case-sensitive folder names (#1484245)
+- Don't create default folders by default
+- Added Georgian localization by Zaza Zviadadze
+- Updated Russian localization
+- Fixed some potential security risks (audited by Andris)
+
 
 2007/11/20 (tomekp)

trunk/roundcubemail/program/include/main.inc

@@ -1433 +1433 @@
   // use value from post
   if (!empty($_POST[$fname]))
-    $value = $_POST[$fname];
+    $value = get_input_value($fname, RCUBE_INPUT_POST);
 
   $out = $input->show($value);

trunk/roundcubemail/program/include/rcmail_template.inc

@@ -832 +832 @@
     }
       
-    $fields['host'] = isset($select_host) ? $select_host->show($_POST['_host']) : null;
+    $fields['host'] = isset($select_host) ? $select_host->show(get_input_value('_host', RCUBE_INPUT_POST)) : null;
     }
   else if (!strlen($CONFIG['default_host']))
     {
     $input_host = new textfield(array('name' => '_host', 'id' => 'rcmloginhost', 'size' => 30));
-    $fields['host'] = $input_host->show($_POST['_host']);
+    $fields['host'] = $input_host->show(get_input_value('_host', RCUBE_INPUT_POST));
     }
 

trunk/roundcubemail/program/include/rcube_html.inc

@@ -293 +293 @@
         continue;
 
-      // encode textarea content
-      if ($key=='value')
-        $value = Q($value, 'strict', FALSE);
-
       // attributes with no value
       if (in_array($key, array('checked', 'multiple', 'disabled', 'selected', 'nowrap')))
@@ -305 +301 @@
       // don't convert size of value attribute
       else if ($key=='value')
-        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $value);
+        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), Q($value, 'strict', false));
         
       // regular tag attributes
       else
-        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case($value, 'value'));
+        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case(Q($value), 'value'));
     }
 

trunk/roundcubemail/program/steps/addressbook/func.inc

@@ -33 +33 @@
 // set list properties and session vars
 if (!empty($_GET['_page']))
-  {
-  $CONTACTS->set_page(intval($_GET['_page']));
-  $_SESSION['page'] = $_GET['_page'];
-  }
+  $CONTACTS->set_page(($_SESSION['page'] = intval($_GET['_page'])));
 else
   $CONTACTS->set_page(isset($_SESSION['page']) ?$_SESSION['page'] : 1);

trunk/roundcubemail/program/steps/mail/func.inc

@@ -31 +31 @@
 // set imap properties and session vars
 if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC))
-  {
-  $IMAP->set_mailbox($mbox);
-  $_SESSION['mbox'] = $mbox;
-  }
+  $IMAP->set_mailbox(($_SESSION['mbox'] = $mbox));
 
 if (!empty($_GET['_page']))
-  {
-  $IMAP->set_page((int)$_GET['_page']);
-  $_SESSION['page'] = (int)$_GET['_page'];
-  }
+  $IMAP->set_page(($_SESSION['page'] = intval($_GET['_page'])));
 
 // set mailbox to INBOX if not set
@@ -863 +857 @@
     $attrib['id'] = 'rcmailMsgBody';
 
-  $safe_mode = (bool)$_GET['_safe'];
+  $safe_mode = intval($_GET['_safe']);
   $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
   $out = '<div '. $attrib_str . ">\n";
@@ -1198 +1192 @@
   global $CONFIG, $IMAP, $MESSAGE;
   
-  if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$_GET['_part']])
+  $part = get_input_value('_part', RCUBE_INPUT_GPC);
+  if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$part])
     return '';
     
-  $part = &$MESSAGE['parts'][$_GET['_part']];
+  $part = &$MESSAGE['parts'][$part];
   
   $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'cellspacing', 'cellpadding', 'border', 'summary'));
@@ -1231 +1226 @@
   global $MESSAGE;
   
-  $part = $MESSAGE['parts'][$_GET['_part']];
+  $part = $MESSAGE['parts'][get_input_value('_part', RCUBE_INPUT_GPC)];
   $ctype_primary = strtolower($part->ctype_primary);
 

trunk/roundcubemail/program/steps/mail/get.inc

@@ -89 +89 @@
       list($new_parts, $new_attachments) =
         rcmail_parse_message($MESSAGE['structure'],
-                             array('safe' => (bool)$_GET['_safe'],
+                             array('safe' => intval($_GET['_safe']),
                                    'prefer_html' => TRUE,
                                    'get_url' => $GET_URL.'&_part=%s'));
@@ -103 +103 @@
 
       $OUTPUT = new rcube_html_page();
-      $OUTPUT->write(rcmail_print_body($part, (bool)$_GET['_safe']));
+      $OUTPUT->write(rcmail_print_body($part, intval($_GET['_safe'])));
       }
     else
@@ -131 +131 @@
   $cont = ''; 
   list($MESSAGE['parts']) = rcmail_parse_message($MESSAGE['structure'],
-                                                 array('safe' => (bool)$_GET['_safe'],
+                                                 array('safe' => intval($_GET['_safe']),
                                                  'get_url' => $GET_URL.'&_part=%s'));
 

trunk/roundcubemail/program/steps/mail/sendmail.inc

@@ -200 +200 @@
 if (!empty($_POST['_priority']))
   {
-  $priority = (int)$_POST['_priority'];
+  $priority = intval($_POST['_priority']);
   $a_priorities = array(1=>'highest', 2=>'high', 4=>'low', 5=>'lowest');
   if ($str_priority = $a_priorities[$priority])

trunk/roundcubemail/program/steps/mail/show.inc

@@ -58 +58 @@
     list($MESSAGE['parts'], $MESSAGE['attachments']) = rcmail_parse_message(
       $MESSAGE['structure'],
-      array('safe' => (bool)$_GET['_safe'],
+      array('safe' => intval($_GET['_safe']),
             'prefer_html' => $CONFIG['prefer_html'],
             'get_url' => $GET_URL.'&_part=%s')
@@ -72 +72 @@
   // give message uid to the client
   $OUTPUT->set_env('uid', $MESSAGE['UID']);
-  $OUTPUT->set_env('safemode', (bool)$_GET['_safe']);
+  $OUTPUT->set_env('safemode', intval($_GET['_safe']));
 
   $next = $prev = -1;