Changeset b46e5b74 in github

Timestamp:

Feb 9, 2011 5:51:50 AM (2 years ago)

Author:

thomascube <thomas@…>

Children:

dcc7900

Parents:

98cb0f1

Message:

Apply more bugfixes from trunk for 0.5.1

Files:

• CHANGELOG (modified) (1 diff)
• config/main.inc.php.dist (modified) (1 diff)
• index.php (modified) (7 diffs)
• program/include/main.inc (modified) (2 diffs)
• program/include/rcmail.php (modified) (1 diff)
• program/include/rcube_config.php (modified) (1 diff)
• program/include/rcube_imap_generic.php (modified) (3 diffs)
• program/include/rcube_ldap.php (modified) (1 diff)
• program/include/rcube_message.php (modified) (1 diff)
• program/include/rcube_session.php (modified) (1 diff)
• program/include/rcube_shared.inc (modified) (1 diff)
• program/include/rcube_smtp.php (modified) (2 diffs)
• program/include/rcube_template.php (modified) (1 diff)
• program/js/common.js (modified) (1 diff)
• program/lib/washtml.php (modified) (2 diffs)
• program/localization/de_DE/labels.inc (modified) (2 diffs)
• program/steps/addressbook/import.inc (modified) (1 diff)
• program/steps/addressbook/save.inc (modified) (1 diff)
• program/steps/mail/addcontact.inc (modified) (1 diff)
• program/steps/mail/compose.inc (modified) (4 diffs)
• program/steps/mail/func.inc (modified) (4 diffs)
• program/steps/mail/sendmail.inc (modified) (2 diffs)
• program/steps/settings/edit_identity.inc (modified) (1 diff)
• program/steps/settings/func.inc (modified) (1 diff)
• program/steps/settings/save_identity.inc (modified) (3 diffs)
• program/steps/utils/error.inc (modified) (1 diff)
• program/steps/utils/modcss.inc (modified) (3 diffs)
• skins/default/common.css (modified) (2 diffs)
• skins/default/functions.js (modified) (1 diff)
• skins/default/mail.css (modified) (1 diff)

CHANGELOG

@@ -4 +4 @@
 RELEASE 0.5.1
 -------------
+- Security: add optional referer check to prevent CSRF in GET requests
+- Fix email_dns_check setting not used for identities/contacts (#1487740)
+- Fix ICANN example addresses doesn't validate (#1487742)
+- Security: protect login form submission from CSRF
+- Security: prevent from relaying malicious requests through modcss.inc
+- Fix handling of non-image attachments in multipart/related messages (#1487750)
+- Fix IDNA support when IDN/INTL modules are in use (#1487742)
+- Fix handling of invalid HTML comments in messages (#1487759)
+- Fix parsing FETCH response for very long headers (#1487753)
+- Fix add/remove columns in message list when message_sort_order isn't set (#1487751)
 - Fix settings UI on IE 6 (#1487724)
 - Remove double borders in folder listing (#1487713)

config/main.inc.php.dist

@@ -213 +213 @@
 // There have been problems reported with this feature.
 $rcmail_config['double_auth'] = false;
+
+// check referer of incoming requests
+$rcmail_config['referer_check'] = false;
 
 // this key is used to encrypt the users imap password which is stored

index.php

@@ -76 +76 @@
 // try to log in
 if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
+  $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login');
+
   // purge the session in case of new login when a session already exists 
   $RCMAIL->kill_session();
@@ -85 +87 @@
        $RCMAIL->config->get('password_charset', 'ISO-8859-1')),
     'cookiecheck' => true,
+    'valid' => $request_valid,
   ));
 
@@ -91 +94 @@
     $OUTPUT->show_message("cookiesdisabled", 'warning');
   }
-  else if ($_SESSION['temp'] && !$auth['abort'] &&
+  else if ($auth['valid'] && !$auth['abort'] &&
         !empty($auth['host']) && !empty($auth['user']) &&
         $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
@@ -124 +127 @@
     $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1;
 
-    $OUTPUT->show_message($error_code < -1 ? 'imaperror' : 'loginfailed', 'warning');
+    $OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning');
     $RCMAIL->plugins->exec_hook('login_failed', array(
       'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
@@ -131 +134 @@
 }
 
-// end session
-else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
+// end session (after optional referer check)
+else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) && (!$RCMAIL->config->get('referer_check') || rcube_check_referer())) {
   $userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
   $OUTPUT->show_message('loggedout');
@@ -168 +171 @@
   }
 
-  $OUTPUT->set_env('task', 'login');
+  $RCMAIL->set_task('login');
   $OUTPUT->send('login');
 }
@@ -187 +190 @@
     $OUTPUT->show_message('invalidrequest', 'error');
     $OUTPUT->send($RCMAIL->task);
+  }
+
+  // check referer if configured
+  if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
+    raise_error(array(
+      'code' => 403,
+      'type' => 'php',
+      'message' => "Referer check failed"), true, true);
   }
 }

program/include/main.inc

@@ -1225 +1225 @@
 
 /**
+ * Check whether the HTTP referer matches the current request
+ *
+ * @return boolean True if referer is the same host+path, false if not
+ */
+function rcube_check_referer()
+{
+  $uri = parse_url($_SERVER['REQUEST_URI']);
+  $referer = parse_url(rc_request_header('Referer'));
+  return $referer['host'] == rc_request_header('Host') && $referer['path'] == $uri['path'];
+}
+
+
+/**
  * @access private
  * @return mixed
@@ -1864 +1877 @@
 }
 
+/*
+ * Idn_to_ascii wrapper.
+ * Intl/Idn modules version of this function doesn't work with e-mail address
+ */
+function rcube_idn_to_ascii($str)
+{
+  return rcube_idn_convert($str, true);
+}
+
+/*
+ * Idn_to_ascii wrapper.
+ * Intl/Idn modules version of this function doesn't work with e-mail address
+ */
+function rcube_idn_to_utf8($str)
+{
+  return rcube_idn_convert($str, false);
+}
+
+function rcube_idn_convert($input, $is_utf=false)
+{
+  if ($at = strpos($input, '@')) {
+    $user   = substr($input, 0, $at);
+    $domain = substr($input, $at+1);
+  }
+  else {
+    $domain = $input;
+  }
+
+  $domain = $is_utf ? idn_to_ascii($domain) : idn_to_utf8($domain);
+
+  return $at ? $user . '@' . $domain : $domain;
+}
+
 
 /**

program/include/rcmail.php

@@ -692 +692 @@
     // Here we need IDNA ASCII
     // Only rcube_contacts class is using domain names in Unicode
-    $host = idn_to_ascii($host);
+    $host = rcube_idn_to_ascii($host);
     if (strpos($username, '@')) {
       // lowercase domain name
       list($local, $domain) = explode('@', $username);
       $username = $local . '@' . mb_strtolower($domain);
-      $username = idn_to_ascii($username);
+      $username = rcube_idn_to_ascii($username);
     }
 

program/include/rcube_config.php

@@ -288 +288 @@
 
         if ($encode)
-            $domain = idn_to_ascii($domain);
+            $domain = rcube_idn_to_ascii($domain);
 
         return $domain;

program/include/rcube_imap_generic.php

@@ -1495 +1495 @@
                 // BODY[HEADER.FIELDS ...
 
-                if (preg_match('/^\* [0-9]+ FETCH \((.*) BODY/s', $line, $matches)) {
+                if (preg_match('/^\* [0-9]+ FETCH \((.*) BODY/sU', $line, $matches)) {
                     $str = $matches[1];
 
@@ -1532 +1532 @@
                     // BODYSTRUCTURE
                     if ($bodystr) {
-                        while (!preg_match('/ BODYSTRUCTURE (.*) BODY\[HEADER.FIELDS/s', $line, $m)) {
+                        while (!preg_match('/ BODYSTRUCTURE (.*) BODY\[HEADER.FIELDS/sU', $line, $m)) {
                             $line2 = $this->readLine(1024);
                             $line .= $this->multLine($line2, true);
@@ -1632 +1632 @@
                         case 'content-type':
                             $ctype_parts = preg_split('/[; ]/', $string);
-                            $result[$id]->ctype = array_shift($ctype_parts);
+                            $result[$id]->ctype = strtolower(array_shift($ctype_parts));
                             if (preg_match('/charset\s*=\s*"?([a-z0-9\-\.\_]+)"?/i', $string, $regs)) {
                                 $result[$id]->charset = $regs[1];

program/include/rcube_ldap.php

@@ -100 +100 @@
     foreach ($this->prop['hosts'] as $host)
     {
-      $host = idn_to_ascii(rcube_parse_host($host));
+      $host = rcube_idn_to_ascii(rcube_parse_host($host));
       $this->_debug("C: Connect [$host".($this->prop['port'] ? ':'.$this->prop['port'] : '')."]");
 

program/include/rcube_message.php

@@ -507 +507 @@
                         $this->attachments[] = $inline_object;
                     }
+                    // MS Outlook sometimes also adds non-image attachments as related
+                    // We'll add all such attachments to the attachments list
+                    // Warning: some browsers support pdf in <img/>
+                    // @TODO: we should fetch HTML body and find attachment's content-id
+                    // to handle also image attachments without reference in the body
+                    if (!empty($inline_object->filename)
+                        && !preg_match('/^image\/(gif|jpe?g|png|tiff|bmp|svg)/', $inline_object->mimetype)
+                    ) {
+                        $this->attachments[] = $inline_object;
+                    }
                 }
 

program/include/rcube_session.php

@@ -155 +155 @@
       $key);
 
+    if ($key == $this->key)
+        $this->vars = false;
     return true;
   }

program/include/rcube_shared.inc

@@ -701 +701 @@
         }
 
-        if ($idn && $domain && preg_match('/(^|@|\.)xn--/i', $domain)) {
+        if ($idn && $domain && preg_match('/(^|\.)xn--/i', $domain)) {
             try {
                 $domain = $idn->decode($domain);

program/include/rcube_smtp.php

@@ -102 +102 @@
 
     // IDNA Support
-    $smtp_host = idn_to_ascii($smtp_host);
+    $smtp_host = rcube_idn_to_ascii($smtp_host);
 
     $this->conn = new Net_SMTP($smtp_host, $smtp_port, $helo_host);
@@ -133 +133 @@
     {
       // IDNA Support
-      if (strpos($smtp_user, '@'))
-        $smtp_user = idn_to_ascii($smtp_user);
+      if (strpos($smtp_user, '@')) {
+        $smtp_user = rcube_idn_to_ascii($smtp_user);
+      }
 
       $result = $this->conn->auth($smtp_user, $smtp_pass, $smtp_auth_type, $use_tls, $smtp_authz);

program/include/rcube_template.php

@@ -1032 +1032 @@
         }
 
-        return idn_to_utf8($username);
+        return rcube_idn_to_utf8($username);
     }
 

program/js/common.js

@@ -494 +494 @@
       //domain_literal = '\\x5b('+dtext+'|'+quoted_pair+')*\\x5d',
       //sub_domain = '('+atom+'|'+domain_literal+')',
-      domain = '([^@\\x2e]+\\x2e)+[a-z]{2,}',
+      // allow punycode in last domain part for ICANN test domains
+      domain = '([^@\\x2e]+\\x2e)+([a-z]{2,}|xn--[a-z0-9]{2,})',
+      // ICANN e-mail test (http://idn.icann.org/E-mail_test)
+      icann_domains = [
+        '\\u0645\\u062b\\u0627\\u0644\\x2e\\u0625\\u062e\\u062a\\u0628\\u0627\\u0631',
+        '\\u4f8b\\u5b50\\x2e\\u6d4b\\u8bd5',
+        '\\u4f8b\\u5b50\\x2e\\u6e2c\\u8a66',
+        '\\u03c0\\u03b1\\u03c1\\u03ac\\u03b4\\u03b5\\u03b9\\u03b3\\u03bc\\u03b1\\x2e\\u03b4\\u03bf\\u03ba\\u03b9\\u03bc\\u03ae',
+        '\\u0909\\u0926\\u093e\\u0939\\u0930\\u0923\\x2e\\u092a\\u0930\\u0940\\u0915\\u094d\\u0937\\u093e',
+        '\\u4f8b\\u3048\\x2e\\u30c6\\u30b9\\u30c8',
+        '\\uc2e4\\ub840\\x2e\\ud14c\\uc2a4\\ud2b8',
+        '\\u0645\\u062b\\u0627\\u0644\\x2e\\u0622\\u0632\\u0645\\u0627\\u06cc\\u0634\u06cc',
+        '\\u043f\\u0440\\u0438\\u043c\\u0435\\u0440\\x2e\\u0438\\u0441\\u043f\\u044b\\u0442\\u0430\\u043d\\u0438\\u0435',
+        '\\u0b89\\u0ba4\\u0bbe\\u0bb0\\u0ba3\\u0bae\\u0bcd\\x2e\\u0baa\\u0bb0\\u0bbf\\u0b9f\\u0bcd\\u0b9a\\u0bc8',
+        '\\u05d1\\u05f2\\u05b7\\u05e9\\u05e4\\u05bc\\u05d9\\u05dc\\x2e\\u05d8\\u05e2\\u05e1\\u05d8'
+      ],
+      icann_addr = 'mailtest\\x40('+icann_domains.join('|')+')',
       word = '('+atom+'|'+quoted_string+')',
       delim = '[,;\s\n]',
       local_part = word+'(\\x2e'+word+')*',
-      addr_spec = local_part+'\\x40'+domain,
+      addr_spec = '(('+local_part+'\\x40'+domain+')|('+icann_addr+'))',
       reg1 = inline ? new RegExp('(^|<|'+delim+')'+addr_spec+'($|>|'+delim+')', 'i') : new RegExp('^'+addr_spec+'$', 'i');
 

program/lib/washtml.php

@@ -76 +76 @@
  * - added RFC2397 support
  * - base URL support
+ * - invalid HTML comments removal before parsing
  */
 
@@ -272 +273 @@
       $this->config['base_url'] = '';
 
+    // Remove invalid HTML comments (#1487759)
+    $html = preg_replace('/<![^>]*>/', '', $html);
+
     @$node->loadHTML($html);
     return $this->dumpHtml($node);

program/localization/de_DE/labels.inc

@@ -198 +198 @@
 $labels['addreplyto'] = 'Antwortadresse hinzufÃŒgen';
 $labels['addfollowupto'] = 'Followup-To hinzufÃŒgen';
-$labels['mdnrequest'] = 'Der Sender dieser Nachricht möchte gerne eine LesebestÀtigung. Wollen Sie dieses bestÀtigen?';
+$labels['mdnrequest'] = 'Der Sender dieser Nachricht möchte gerne eine EmpfangsbestÀtigung. Wollen Sie dieses bestÀtigen?';
 $labels['receiptread'] = 'EmpfangsbestÀtigung (gelesen)';
 $labels['yourmessage'] = 'Dies ist eine EmpfangsbestÀtigung fÌr Ihre Nachricht';
@@ -298 +298 @@
 $labels['mdnrequests'] = 'EmpfangsbestÀtigung senden';
 $labels['askuser'] = 'immer fragen';
-$labels['autosend'] = 'LesebestÀtigung automatisch senden';
-$labels['autosendknown'] = 'LesebestÀtigung nur an meine Kontakte senden';
+$labels['autosend'] = 'automatisch senden';
+$labels['autosendknown'] = 'nur an meine Kontakte senden';
 $labels['autosendknownignore'] = 'fÃŒr bekannte Absender, sonst ignorieren';
 $labels['ignore'] = 'ignorieren';

program/steps/addressbook/import.inc

@@ -137 +137 @@
 
       // We're using UTF8 internally
-      $email = idn_to_utf8($email);
+      $email = rcube_idn_to_utf8($email);
       
       if (!$replace) {

program/steps/addressbook/save.inc

@@ -50 +50 @@
 
 // Validity checks
-$_email = idn_to_ascii($a_record['email']);
-if (!check_email($_email, false)) {
+$_email = rcube_idn_to_ascii($a_record['email']);
+if (!check_email($_email)) {
   $OUTPUT->show_message('emailformaterror', 'warning', array('email' => $_email));
   rcmail_overwrite_action($return_action);

program/steps/mail/addcontact.inc

@@ -47 +47 @@
     }
 
-    $contact['email'] = idn_to_utf8($contact['email']);
+    $contact['email'] = rcube_idn_to_utf8($contact['email']);
 
     // use email address part for name

program/steps/mail/compose.inc

@@ -322 +322 @@
           continue;
 
-        $mailto = idn_to_utf8($addr_part['mailto']);
+        $mailto = rcube_idn_to_utf8($addr_part['mailto']);
 
         if (!in_array($mailto, $sa_recipients)
@@ -361 +361 @@
         continue;
 
-      $mailto = idn_to_utf8($addr_part['mailto']);
+      $mailto = rcube_idn_to_utf8($addr_part['mailto']);
 
       if ($addr_part['name'] && $addr_part['mailto'] != $addr_part['name'])
@@ -438 +438 @@
     foreach ($user_identities as $sql_arr)
     {
-      $email = mb_strtolower(idn_to_utf8($sql_arr['email']));
+      $email = mb_strtolower(rcube_idn_to_utf8($sql_arr['email']));
       $identity_id = $sql_arr['identity_id'];
       $select_from->add(format_email_recipient($email, $sql_arr['name']), $identity_id);
@@ -733 +733 @@
 
   // build reply prefix
-  $from = array_pop($RCMAIL->imap->decode_address_list($MESSAGE->get_header('from')));
+  $from = array_pop($RCMAIL->imap->decode_address_list($MESSAGE->get_header('from'), 1, false));
   $prefix = sprintf("On %s, %s wrote:",
-    $MESSAGE->headers->date, $from['name'] ? $from['name'] : idn_to_utf8($from['mailto']));
+    $MESSAGE->headers->date, $from['name'] ? $from['name'] : rcube_idn_to_utf8($from['mailto']));
 
   if (!$bodyIsHtml) {

program/steps/mail/func.inc

@@ -57 +57 @@
 // set default sort col/order to session
 if (!isset($_SESSION['sort_col']))
-  $_SESSION['sort_col'] = $CONFIG['message_sort_col'];
+  $_SESSION['sort_col'] = !empty($CONFIG['message_sort_col']) ? $CONFIG['message_sort_col'] : '';
 if (!isset($_SESSION['sort_order']))
-  $_SESSION['sort_order'] = $CONFIG['message_sort_order'];
+  $_SESSION['sort_order'] = strtoupper($CONFIG['message_sort_order']) == 'ASC' ? 'ASC' : 'DESC';
 
 // set threads mode
@@ -1195 +1195 @@
 function rcmail_alter_html_link($matches)
 {
-  global $EMAIL_ADDRESS_PATTERN;
+  global $RCMAIL, $EMAIL_ADDRESS_PATTERN;
 
   $tag = $matches[1];
@@ -1202 +1202 @@
 
   if ($tag == 'link' && preg_match('/^https?:\/\//i', $attrib['href'])) {
-    $attrib['href'] = "?_task=utils&_action=modcss&u=" . urlencode($attrib['href'])
-        . "&c=" . urlencode($GLOBALS['rcmail_html_container_id']);
+    $tempurl = 'tmp-' . md5($attrib['href']) . '.css';
+    $_SESSION['modcssurls'][$tempurl] = $attrib['href'];
+    $attrib['href'] = $RCMAIL->url(array('task' => 'utils', 'action' => 'modcss', 'u' => $tempurl, 'c' => $GLOBALS['rcmail_html_container_id']));
     $end = ' />';
   }
@@ -1251 +1252 @@
     // IDNA ASCII to Unicode
     if ($name == $mailto)
-      $name = idn_to_utf8($name);
+      $name = rcube_idn_to_utf8($name);
     if ($string == $mailto)
-      $string = idn_to_utf8($string);
-    $mailto = idn_to_utf8($mailto);
+      $string = rcube_idn_to_utf8($string);
+    $mailto = rcube_idn_to_utf8($mailto);
 
     if ($PRINT_MODE) {

program/steps/mail/sendmail.inc

@@ -154 +154 @@
     // address in brackets without name (do nothing)
     if (preg_match('/^<\S+@\S+>$/', $item)) {
-      $item = idn_to_ascii($item);
+      $item = rcube_idn_to_ascii($item);
       $result[] = $item;
     // address without brackets and without name (add brackets)
     } else if (preg_match('/^\S+@\S+$/', $item)) {
-      $item = idn_to_ascii($item);
+      $item = rcube_idn_to_ascii($item);
       $result[] = '<'.$item.'>';
     // address with name (handle name)
@@ -169 +169 @@
             $name = '"'.addcslashes($name, '"').'"';
       }
-      $address = idn_to_ascii($address);
+      $address = rcube_idn_to_ascii($address);
       if (!preg_match('/^<\S+@\S+>$/', $address))
         $address = '<'.$address.'>';

program/steps/settings/edit_identity.inc

@@ -95 +95 @@
   }
 
-  $IDENTITY_RECORD['email']    = idn_to_utf8($IDENTITY_RECORD['email']);
-  $IDENTITY_RECORD['reply-to'] = idn_to_utf8($IDENTITY_RECORD['reply-to']);
-  $IDENTITY_RECORD['bcc']      = idn_to_utf8($IDENTITY_RECORD['bcc']);
+  $IDENTITY_RECORD['email']    = rcube_idn_to_utf8($IDENTITY_RECORD['email']);
+  $IDENTITY_RECORD['reply-to'] = rcube_idn_to_utf8($IDENTITY_RECORD['reply-to']);
+  $IDENTITY_RECORD['bcc']      = rcube_idn_to_utf8($IDENTITY_RECORD['bcc']);
 
   // Allow plugins to modify identity form content

program/steps/settings/func.inc

@@ -73 +73 @@
   $list = $USER->list_identities();
   foreach ($list as $idx => $row)
-    $list[$idx]['mail'] = trim($row['name'] . ' <' . idn_to_utf8($row['email']) .'>');
+    $list[$idx]['mail'] = trim($row['name'] . ' <' . rcube_idn_to_utf8($row['email']) .'>');
 
   // get all identites from DB and define list of cols to be displayed

program/steps/settings/save_identity.inc

@@ -60 +60 @@
 foreach (array('email', 'reply-to', 'bcc') as $item) {
   if ($email = $save_data[$item]) {
-    $ascii_email = idn_to_ascii($email);
-    if (!check_email($ascii_email, false)) {
+    $ascii_email = rcube_idn_to_ascii($email);
+    if (!check_email($ascii_email)) {
       // show error message
       $OUTPUT->show_message('emailformaterror', 'error', array('email' => $email), false);
@@ -78 +78 @@
 
   if ($save_data['email'])
-    $save_data['email'] = idn_to_ascii($save_data['email']);
+    $save_data['email'] = rcube_idn_to_ascii($save_data['email']);
   if ($save_data['bcc'])
-    $save_data['bcc'] = idn_to_ascii($save_data['bcc']);
+    $save_data['bcc'] = rcube_idn_to_ascii($save_data['bcc']);
   if ($save_data['reply-to'])
-    $save_data['reply-to'] = idn_to_ascii($save_data['reply-to']);
+    $save_data['reply-to'] = rcube_idn_to_ascii($save_data['reply-to']);
 
   if (!$plugin['abort'])
@@ -117 +117 @@
   $save_data = $plugin['record'];
 
-  $save_data['email']    = idn_to_ascii($save_data['email']);
-  $save_data['bcc']      = idn_to_ascii($save_data['bcc']);
-  $save_data['reply-to'] = idn_to_ascii($save_data['reply-to']);
+  $save_data['email']    = rcube_idn_to_ascii($save_data['email']);
+  $save_data['bcc']      = rcube_idn_to_ascii($save_data['bcc']);
+  $save_data['reply-to'] = rcube_idn_to_ascii($save_data['reply-to']);
 
   if (!$plugin['abort'])

program/steps/utils/error.inc

@@ -45 +45 @@
   $__error_title = "AUTHORIZATION FAILED";
   $__error_text  = "Could not verify that you are authorized to access this service!<br />\n".
+                   "Please contact your server-administrator.";
+}
+
+// forbidden due to request check
+else if ($ERROR_CODE==403) {
+  $__error_title = "REQUEST CHECK FAILED";
+  $__error_text  = "Access to this service was denied due to failing security checks!<br />\n".
                    "Please contact your server-administrator.";
 }

program/steps/utils/modcss.inc

@@ -6 +6 @@
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2007-2010, Roundcube Dev. - Switzerland                 |
+ | Copyright (C) 2007-2011, Roundcube Dev. - Switzerland                 |
  | Licensed under the GNU GPL                                            |
  |                                                                       |
@@ -22 +22 @@
 $source = '';
 
-$url = preg_replace('![^a-z0-9:./\-_?$&=%]!i', '', $_GET['u']);
-if ($url === null) {
+$url = preg_replace('![^a-z0-9.-]!i', '', $_GET['_u']);
+if ($url === null || !($realurl = $_SESSION['modcssurls'][$url])) {
     header('HTTP/1.1 403 Forbidden');
-    echo $error;
+    echo "Unauthorized request";
     exit;
 }
 
-$a_uri = parse_url($url);
+$a_uri = parse_url($realurl);
 $port  = $a_uri['port'] ? $a_uri['port'] : 80;
 $host  = $a_uri['host'];
@@ -86 +86 @@
 if (!empty($source) && in_array($mimetype, array('text/css','text/plain'))) {
     header('Content-Type: text/css');
-    echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']));
+    echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['_c']));
     exit;
 }

skins/default/common.css

@@ -10 +10 @@
 body.iframe
 {
-  margin: 0px;
+  margin: 20px 0 0 0;
   background-color: #FFF;
 }
@@ -253 +253 @@
 {
   float: right;
+}
+
+body.iframe .boxtitle
+{
+  position: fixed;
+  top: 0;
+  left: 0;
+  width: 100%;
 }
 

skins/default/functions.js

@@ -50 +50 @@
     a   = $('<a>').text(legend.text()).attr('href', '#');
     tab = $('<span>').attr({'id': 'tab'+idx, 'class': 'tablink'})
-        .click(function() { return rcube_show_tab(id, idx); })
+        .click(function() { rcube_show_tab(id, idx); return false })
 
     // remove legend

skins/default/mail.css

@@ -1003 +1003 @@
 div.messageheaderbox
 {
-  margin: 6px 8px 0px 8px;
+  margin: -14px 8px 0px 8px;
   border: 1px solid #ccc;
 }