From 9ff7b78c7e1f2b02d87a67c193dafe97408341ca Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Thu, 4 May 2017 11:40:42 +0200
Subject: [PATCH] Fix conflict with _gid cookie of Google Analytics (#5748)

TODO: Review the whole code base and don't use INPUT_GPC when it's not really needed, in most cases we should not read $_COOKIE.
---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_utils.php | 37 +++++++++++----------------
 program/steps/addressbook/delete.inc | 4 +--
 program/steps/addressbook/func.inc | 3 +--
 program/steps/addressbook/mailto.inc | 6 ++---
 program/steps/mail/autocomplete.inc | 2 +-
 program/steps/mail/list_contacts.inc | 2 +-
 7 files changed, 24 insertions(+), 31 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 210eb6cdf..c8c64d5b6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
 ===========================
 
 - Fix bug where invalid recipients could be silently discarded (#5739)
+- Fix conflict with _gid cookie of Google Analytics (#5748)
 
 RELEASE 1.3-rc
 --------------
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index ea2ef2906..4bb83b120 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -27,9 +27,12 @@ class rcube_utils
 {
 // define constants for input reading
- const INPUT_GET = 0x0101;
- const INPUT_POST = 0x0102;
- const INPUT_GPC = 0x0103;
+ const INPUT_GET = 1;
+ const INPUT_POST = 2;
+ const INPUT_COOKIE = 4;
+ const INPUT_GP = 3; // GET + POST
+ const INPUT_GPC = 7; // GET + POST + COOKIE
+
 
 /**
 * Helper method to set a cookie with the current path and host settings
@@ -254,7 +257,7 @@ class rcube_utils
 * Performs stripslashes() and charset conversion if necessary
 *
 * @param string Field name to read
- @param int Source to get value from (GPC)
+ @param int Source to get value from (see self::INPUT_*)
 * @param boolean Allow HTML tags in field value
 * @param string Charset to convert into
 *
@@ -264,26 +267,16 @@ class rcube_utils
 {
 $value = null;
 
- if ($source == self::INPUT_GET) {
- if (isset($_GET[$fname])) {
- $value = $_GET[$fname];
- }
+ if (($source & self::INPUT_GET) && isset($_GET[$fname])) {
+ $value = $_GET[$fname];
 }
- else if ($source == self::INPUT_POST) {
- if (isset($_POST[$fname])) {
- $value = $_POST[$fname];
- }
+
+ if (($source & self::INPUT_POST) && isset($_POST[$fname])) {
+ $value = $_POST[$fname];
 }
- else if ($source == self::INPUT_GPC) {
- if (isset($_POST[$fname])) {
- $value = $_POST[$fname];
- }
- else if (isset($_GET[$fname])) {
- $value = $_GET[$fname];
- }
- else if (isset($_COOKIE[$fname])) {
- $value = $_COOKIE[$fname];
- }
+
+ if (($source & self::INPUT_COOKIE) && isset($_COOKIE[$fname])) {
+ $value = $_COOKIE[$fname];
 }
 
 return self::parse_input_value($value, $allow_html, $charset);
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc
index fb860df95..d600c4a88 100644
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@@ -61,8 +61,8 @@ foreach ($cids as $source => $cid) {
 $error = 'contactdelerror';
 }
 
- $source = rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC);
- $group = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GPC);
+ $source = rcube_utils::get_input_value('_source', rcube_utils::INPUT_GP);
+ $group = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GP);
 
 $OUTPUT->show_message($error, 'error');
 $OUTPUT->command('list_contacts', $source, $group);
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index e2f9e4542..0b30363bd 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
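Review bot: The three independent `if` blocks in this hunk silently reverse the precedence of combined sources: each later block overwrites `$value`, so for INPUT_GPC a cookie now wins over POST and GET, whereas the removed branch consulted POST first, then GET, and the cookie only as a last resort. Every caller still on INPUT_GPC (the commit's own TODO says there are more, and autocomplete.inc still reads `_source` that way) is therefore more exposed to a colliding cookie than before, and a cookie is the one of the three sources that unrelated scripts on the same host, such as the analytics script this commit works around, set without the user's intent. Chaining the checks with `else if` in POST, GET, COOKIE order keeps the bitmask selection while restoring the previous precedence; get_input_value's signature lies above the hunk.
```php
    // Precedence is POST, then GET, then COOKIE (as before);
    // the bitmask only selects which sources are consulted.
    if (($source & self::INPUT_POST) && isset($_POST[$fname])) {
        $value = $_POST[$fname];
    }
    else if (($source & self::INPUT_GET) && isset($_GET[$fname])) {
        $value = $_GET[$fname];
    }
    else if (($source & self::INPUT_COOKIE) && isset($_COOKIE[$fname])) {
        $value = $_COOKIE[$fname];
    }
    // … unchanged: parse_input_value() call …
```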
@@ -152,8 +152,7 @@ function rcmail_contact_source($source=null, $init_env=false, $writable=false)
 else
 $CONTACTS->set_page(isset($_SESSION['page']) ? $_SESSION['page'] : 1);
 
- if (!empty($_REQUEST['_gid'])) {
- $group = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GPC);
+ if ($group = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GP)) {
 $CONTACTS->set_group($group);
 }
 
diff --git a/program/steps/addressbook/mailto.inc b/program/steps/addressbook/mailto.inc
index 4258b7c6a..3cde674aa 100644
--- a/program/steps/addressbook/mailto.inc
+++ b/program/steps/addressbook/mailto.inc
@@ -34,10 +34,10 @@ foreach ($cids as $source => $cid) {
 }
 
 if (!empty($_REQUEST['_gid']) && isset($_REQUEST['_source'])) {
- $source = rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC);
- $CONTACTS = $RCMAIL->get_address_book($source);
+ $source = rcube_utils::get_input_value('_source', rcube_utils::INPUT_GP);
+ $group_id = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GP);
 
- $group_id = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GPC);
+ $CONTACTS = $RCMAIL->get_address_book($source);
 $group_data = $CONTACTS->get_group($group_id);
 
 // group has an email address assigned: use that
diff --git a/program/steps/mail/autocomplete.inc b/program/steps/mail/autocomplete.inc
index 2b3e714dc..8bee48552 100644
--- a/program/steps/mail/autocomplete.inc
+++ b/program/steps/mail/autocomplete.inc
@@ -22,7 +22,7 @@ if ($RCMAIL->action == 'group-expand') {
 $abook = $RCMAIL->get_address_book(rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC));
- if ($gid = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GPC)) {
+ if ($gid = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GET)) {
 $abook->set_group($gid);
 $abook->set_pagesize(9999); // TODO: limit number of group members by config?
diff --git a/program/steps/mail/list_contacts.inc b/program/steps/mail/list_contacts.inc
index 50cf387c3..45e0acc67 100644
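Review bot: In mailto.inc the guard directly above the changed lines still tests `!empty($_REQUEST['_gid'])` while `$group_id` is now read with INPUT_GP; whether `$_REQUEST` contains cookies depends on PHP's `request_order`/`variables_order` settings, so on an installation where it does, the colliding `_gid` cookie this commit is about can still satisfy the condition and the branch then reaches `get_group($group_id)` with no group from the request. Reading the values first and testing those keeps the check and the value consistent: `$source = rcube_utils::get_input_value('_source', rcube_utils::INPUT_GP);` `$group_id = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GP);` `if (!empty($group_id) && isset($source)) {`. The enclosing foreach and the rest of the branch lie outside the hunk.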
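Review bot: In autocomplete.inc `_source` on the line above the change is still read with INPUT_GPC while `_gid` moves to INPUT_GET, so within the same request the address book can still be selected by a cookie value even though the group cannot; this is the kind of leftover the commit message's TODO describes. Both values come from the same client request, and the change to INPUT_GET for `_gid` suggests the author treats this action as GET-only, so reading them from the same source is the consistent choice: `$abook = $RCMAIL->get_address_book(rcube_utils::get_input_value('_source', rcube_utils::INPUT_GET));`. The enclosing `if ($RCMAIL->action == 'group-expand')` block continues past the hunk.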
--- a/program/steps/mail/list_contacts.inc
+++ b/program/steps/mail/list_contacts.inc
@@ -80,7 +80,7 @@ else {
 $CONTACTS->set_pagesize($page_size);
 $CONTACTS->set_page($list_page);
 
- if ($group_id = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GPC)) {
+ if ($group_id = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GET)) {
 $CONTACTS->set_group($group_id);
 }
 // list groups of this source (on page one)