Fixed some potential security risks + updatedd changelog

17 years ago · c579961899
parent 76b6bff70b
commit c579961899
9 changed files with 32 additions and 31 deletions
--- a/13
+++ b/13
@ -1,6 +1,19 @@
 CHANGELOG RoundCube Webmail
 ---------------------------

+2007/11/25 (thomasb)
+----------
+- Applied UID fetch patch by Glen Ogilvie
+- Applied patch for correct Postgres instructions from ticket #1484674
+- Fix overriding of session vars when register_globals is on (#1484670)
+- Fix wrong Postgres setup instructions in INSTALL (#1484674)
+- Fix bug with case-sensitive folder names (#1484245)
+- Don't create default folders by default
+- Added Georgian localization by Zaza Zviadadze
+- Updated Russian localization
+- Fixed some potential security risks (audited by Andris)
+
+
 2007/11/20 (tomekp)
 ----------
 - add Korean (kr) localization
--- a/program/include/main.inc
+++ b/program/include/main.inc
@ -1432,7 +1432,7 @@ function rcmail_get_edit_field($col, $value, $attrib, $type='text')

  // use value from post
  if (!empty($_POST[$fname]))
-    $value = $_POST[$fname];
+    $value = get_input_value($fname, RCUBE_INPUT_POST);

  $out = $input->show($value);
         
--- a/program/include/rcmail_template.inc
+++ b/program/include/rcmail_template.inc
@ -831,12 +831,12 @@ function rcmail_login_form($attrib)
        }
    }
      
-    $fields['host'] = isset($select_host) ? $select_host->show($_POST['_host']) : null;
+    $fields['host'] = isset($select_host) ? $select_host->show(get_input_value('_host', RCUBE_INPUT_POST)) : null;
    }
  else if (!strlen($CONFIG['default_host']))
    {
    $input_host = new textfield(array('name' => '_host', 'id' => 'rcmloginhost', 'size' => 30));
-    $fields['host'] = $input_host->show($_POST['_host']);
+    $fields['host'] = $input_host->show(get_input_value('_host', RCUBE_INPUT_POST));
    }

  $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
--- a/program/include/rcube_html.inc
+++ b/program/include/rcube_html.inc
@ -292,10 +292,6 @@ class rcube_form_element
      if ((strpos($key,'on')===0 && $value==''))
        continue;

-      // encode textarea content
-      if ($key=='value')
-        $value = Q($value, 'strict', FALSE);
-
      // attributes with no value
      if (in_array($key, array('checked', 'multiple', 'disabled', 'selected', 'nowrap')))
      {
@ -304,11 +300,11 @@ class rcube_form_element
      }
      // don't convert size of value attribute
      else if ($key=='value')
-        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $value);
+        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), Q($value, 'strict', false));
        
      // regular tag attributes
      else
-        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case($value, 'value'));
+        $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case(Q($value), 'value'));
    }

    return sizeof($attrib_arr) ? ' '.implode(' ', $attrib_arr) : '';
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@ -32,10 +32,7 @@ $CONTACTS->set_pagesize($CONFIG['pagesize']);

 // set list properties and session vars
 if (!empty($_GET['_page']))
-  {
-  $CONTACTS->set_page(intval($_GET['_page']));
-  $_SESSION['page'] = $_GET['_page'];
-  }
+  $CONTACTS->set_page(($_SESSION['page'] = intval($_GET['_page'])));
 else
  $CONTACTS->set_page(isset($_SESSION['page']) ?$_SESSION['page'] : 1);

--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@ -30,16 +30,10 @@ if (empty($_SESSION['mbox']))

 // set imap properties and session vars
 if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC))
-  {
-  $IMAP->set_mailbox($mbox);
-  $_SESSION['mbox'] = $mbox;
-  }
+  $IMAP->set_mailbox(($_SESSION['mbox'] = $mbox));

 if (!empty($_GET['_page']))
-  {
-  $IMAP->set_page((int)$_GET['_page']);
-  $_SESSION['page'] = (int)$_GET['_page'];
-  }
+  $IMAP->set_page(($_SESSION['page'] = intval($_GET['_page'])));

 // set mailbox to INBOX if not set
 if (empty($_SESSION['mbox']))
@ -862,7 +856,7 @@ function rcmail_message_body($attrib)
  if (!$attrib['id'])
    $attrib['id'] = 'rcmailMsgBody';

-  $safe_mode = (bool)$_GET['_safe'];
+  $safe_mode = intval($_GET['_safe']);
  $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
  $out = '<div '. $attrib_str . ">\n";
  
@ -1197,10 +1191,11 @@ function rcmail_message_part_controls()
  {
  global $CONFIG, $IMAP, $MESSAGE;
  
-  if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$_GET['_part']])
+  $part = get_input_value('_part', RCUBE_INPUT_GPC);
+  if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$part])
    return '';
    
-  $part = &$MESSAGE['parts'][$_GET['_part']];
+  $part = &$MESSAGE['parts'][$part];
  
  $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'cellspacing', 'cellpadding', 'border', 'summary'));
  $out = '<table '. $attrib_str . ">\n";
@ -1230,7 +1225,7 @@ function rcmail_message_part_frame($attrib)
  {
  global $MESSAGE;
  
-  $part = $MESSAGE['parts'][$_GET['_part']];
+  $part = $MESSAGE['parts'][get_input_value('_part', RCUBE_INPUT_GPC)];
  $ctype_primary = strtolower($part->ctype_primary);

  $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']));
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@ -88,7 +88,7 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET))
      // we have to analyze the whole structure again to find inline objects
      list($new_parts, $new_attachments) =
        rcmail_parse_message($MESSAGE['structure'],
-                             array('safe' => (bool)$_GET['_safe'],
+                             array('safe' => intval($_GET['_safe']),
                                   'prefer_html' => TRUE,
                                   'get_url' => $GET_URL.'&_part=%s'));

@ -102,7 +102,7 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET))
        $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part);

      $OUTPUT = new rcube_html_page();
-      $OUTPUT->write(rcmail_print_body($part, (bool)$_GET['_safe']));
+      $OUTPUT->write(rcmail_print_body($part, intval($_GET['_safe'])));
      }
    else
      {
@ -130,7 +130,7 @@ else

  $cont = ''; 
  list($MESSAGE['parts']) = rcmail_parse_message($MESSAGE['structure'],
-                                                 array('safe' => (bool)$_GET['_safe'],
+                                                 array('safe' => intval($_GET['_safe']),
                                                 'get_url' => $GET_URL.'&_part=%s'));

  $cont = "<html>\n<head><title></title>\n</head>\n<body>";
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@ -199,7 +199,7 @@ if (!empty($_SESSION['compose']['references']))

 if (!empty($_POST['_priority']))
  {
-  $priority = (int)$_POST['_priority'];
+  $priority = intval($_POST['_priority']);
  $a_priorities = array(1=>'highest', 2=>'high', 4=>'low', 5=>'lowest');
  if ($str_priority = $a_priorities[$priority])
    $headers['X-Priority'] = sprintf("%d (%s)", $priority, ucfirst($str_priority));
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@ -57,7 +57,7 @@ if ($_GET['_uid'])
  if ($MESSAGE['structure'] = $IMAP->get_structure($MESSAGE['UID']))
    list($MESSAGE['parts'], $MESSAGE['attachments']) = rcmail_parse_message(
      $MESSAGE['structure'],
-      array('safe' => (bool)$_GET['_safe'],
+      array('safe' => intval($_GET['_safe']),
            'prefer_html' => $CONFIG['prefer_html'],
            'get_url' => $GET_URL.'&_part=%s')
      );
@ -71,7 +71,7 @@ if ($_GET['_uid'])

  // give message uid to the client
  $OUTPUT->set_env('uid', $MESSAGE['UID']);
-  $OUTPUT->set_env('safemode', (bool)$_GET['_safe']);
+  $OUTPUT->set_env('safemode', intval($_GET['_safe']));

  $next = $prev = -1;
  // get previous, first, next and last message UID