banananetwork
/
roundcubemail
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix check_request() bypass in plugins using get_uids() (#6238)

Browse Source 
[CVE-2018-9846]
pull/6833/head
Thomas Bruederli 7 years ago
parent 498ff0a283
commit aaafe8f917
4 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File

1
CHANGELOG
Unescape Escape View File

@ -3,6 +3,7 @@ CHANGELOG Roundcube Webmail
- Don't ignore (global) userlogins/sendmail logs in per_user_logging mode - Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
- Fix security issue in remote content blocking on HTML image and style tags (#6178) - Fix security issue in remote content blocking on HTML image and style tags (#6178)
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
- Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229) - Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
RELEASE 1.1.10 RELEASE 1.1.10

6
plugins/archive/archive.php
Unescape Escape View File

@ -122,8 +122,10 @@ class archive extends rcube_plugin
$index = $storage->index(null, rcmail_sort_column(), rcmail_sort_order()); $index = $storage->index(null, rcmail_sort_column(), rcmail_sort_order());
$messageset = array($current_mbox => $index->get()); $messageset = array($current_mbox => $index->get());
} }
else { else if (!empty($uids)) {
$messageset = rcmail::get_uids(); $messageset = rcmail::get_uids($uids, $current_mbox);
} else {
$messageset = array();
} }
foreach ($messageset as $mbox => $uids) { foreach ($messageset as $mbox => $uids) {

2
plugins/managesieve/managesieve.php
Unescape Escape View File

@ -191,7 +191,7 @@ class managesieve extends rcube_plugin
{ {
// handle fetching email headers for the new filter form // handle fetching email headers for the new filter form
if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) { if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
$uids = rcmail::get_uids(); $uids = rcmail::get_uids($uid);
$mailbox = key($uids); $mailbox = key($uids);
$message = new rcube_message($uids[$mailbox][0], $mailbox); $message = new rcube_message($uids[$mailbox][0], $mailbox);
$headers = $this->parse_headers($message->headers); $headers = $this->parse_headers($message->headers);

5
plugins/markasjunk/markasjunk.php
Unescape Escape View File

@ -58,11 +58,14 @@ class markasjunk extends rcube_plugin
$rcmail = rcmail::get_instance(); $rcmail = rcmail::get_instance();
$storage = $rcmail->get_storage(); $storage = $rcmail->get_storage();
$uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
foreach (rcmail::get_uids() as $mbox => $uids) { if (!empty($uids)) {
foreach (rcmail::get_uids($uids) as $mbox => $uids) {
$storage->unset_flag($uids, 'NONJUNK', $mbox); $storage->unset_flag($uids, 'NONJUNK', $mbox);
$storage->set_flag($uids, 'JUNK', $mbox); $storage->set_flag($uids, 'JUNK', $mbox);
} }
}
if (($junk_mbox = $rcmail->config->get('junk_mbox'))) { if (($junk_mbox = $rcmail->config->get('junk_mbox'))) {
$rcmail->output->command('move_messages', $junk_mbox); $rcmail->output->command('move_messages', $junk_mbox);

Write Preview
Loading…
Cancel
Save