Diffstat (limited to 'program/lib/Roundcube')
-rw-r--r--program/lib/Roundcube/html.php23
-rw-r--r--program/lib/Roundcube/rcube_imap.php53
-rw-r--r--program/lib/Roundcube/rcube_imap_generic.php40
-rw-r--r--program/lib/Roundcube/rcube_ldap_generic.php10
-rw-r--r--program/lib/Roundcube/rcube_output.php36
-rw-r--r--program/lib/Roundcube/rcube_session.php18
-rw-r--r--program/lib/Roundcube/rcube_spellchecker.php13
-rw-r--r--program/lib/Roundcube/rcube_washtml.php6
8 files changed, 114 insertions, 85 deletions
diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php
index a88570d75..3aae7cfe7 100644
--- a/program/lib/Roundcube/html.php
+++ b/program/lib/Roundcube/html.php
@@ -32,7 +32,7 @@ class html
public static $doctype = 'xhtml';
public static $lc_tags = true;
- public static $common_attrib = array('id','class','style','title','align','unselectable');
+ public static $common_attrib = array('id','class','style','title','align','unselectable','tabindex','role');
public static $containers = array('iframe','div','span','p','h1','h2','h3','ul','form','textarea','table','thead','tbody','tr','th','td','style','script');
@@ -283,9 +283,11 @@ class html
continue;
}
- // ignore not allowed attributes, except data-*
+ // ignore not allowed attributes, except aria-* and data-*
if (!empty($allowed)) {
- if (!isset($allowed_f[$key]) && @substr_compare($key, 'data-', 0, 5) !== 0) {
+ $is_data_attr = @substr_compare($key, 'data-', 0, 5) === 0;
+ $is_aria_attr = @substr_compare($key, 'aria-', 0, 5) === 0;
+ if (!$is_aria_attr && !$is_data_attr && !isset($allowed_f[$key])) {
continue;
}
}
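Review bot: The prefix test accepts any key that merely starts with `aria-` or `data-`, so the remainder of the attribute name passes the `$allowed` list without any check. Whether keys can come from outside the application is not visible in this hunk; if they can, matching the whole name is safer, e.g. `if (!isset($allowed_f[$key]) && !preg_match('/^(aria|data)-[a-z0-9_-]+$/', $key)) { continue; }`. That form also drops the two `@substr_compare` calls and their error suppression. The enclosing function starts and ends outside the hunk.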
@@ -835,7 +837,7 @@ class html_table extends html
if (!empty($this->header)) {
$rowcontent = '';
foreach ($this->header as $c => $col) {
- $rowcontent .= self::tag($this->_col_tagname(), $col->attrib, $col->content);
+ $rowcontent .= self::tag($this->_head_tagname(), $col->attrib, $col->content);
}
$thead = $this->tagname == 'table' ? self::tag('thead', null, self::tag('tr', null, $rowcontent, parent::$common_attrib)) :
self::tag($this->_row_tagname(), array('class' => 'thead'), $rowcontent, parent::$common_attrib);
@@ -888,7 +890,16 @@ class html_table extends html
private function _row_tagname()
{
static $row_tagnames = array('table' => 'tr', 'ul' => 'li', '*' => 'div');
- return $row_tagnames[$this->tagname] ? $row_tagnames[$this->tagname] : $row_tagnames['*'];
+ return $row_tagnames[$this->tagname] ?: $row_tagnames['*'];
+ }
+
+ /**
+ * Getter for the corresponding tag name for table row elements
+ */
+ private function _head_tagname()
+ {
+ static $head_tagnames = array('table' => 'th', '*' => 'span');
+ return $head_tagnames[$this->tagname] ?: $head_tagnames['*'];
}
/**
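Review bot: The docblock on the new `_head_tagname()` was copied from `_row_tagname()` and still says "table row elements"; it should read `Getter for the corresponding tag name for table header cell elements`. Separately, `$head_tagnames[$this->tagname] ?: $head_tagnames['*']` indexes the static map before testing it, so a tagname that is not a key (for example `ul`) raises an undefined-index notice before the fallback is used. The same applies to the rewritten `_row_tagname()` in this hunk and `_col_tagname()` in the next one; `isset($head_tagnames[$this->tagname]) ? $head_tagnames[$this->tagname] : $head_tagnames['*']` avoids it.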
@@ -897,7 +908,7 @@ class html_table extends html
private function _col_tagname()
{
static $col_tagnames = array('table' => 'td', '*' => 'span');
- return $col_tagnames[$this->tagname] ? $col_tagnames[$this->tagname] : $col_tagnames['*'];
+ return $col_tagnames[$this->tagname] ?: $col_tagnames['*'];
}
}
diff --git a/program/lib/Roundcube/rcube_imap.php b/program/lib/Roundcube/rcube_imap.php
index e4b77a0a3..e29bfc46b 100644
--- a/program/lib/Roundcube/rcube_imap.php
+++ b/program/lib/Roundcube/rcube_imap.php
@@ -2990,7 +2990,7 @@ class rcube_imap extends rcube_storage
* @param array $result Reference to folders list
* @param string $type Listing type (ext-subscribed, subscribed or all)
*/
- private function list_folders_update(&$result, $type = null)
+ protected function list_folders_update(&$result, $type = null)
{
$namespace = $this->get_namespace();
$search = array();
@@ -4142,19 +4142,15 @@ class rcube_imap extends rcube_storage
*/
public function sort_folder_list($a_folders, $skip_default = false)
{
- $delimiter = $this->get_hierarchy_delimiter();
$specials = array_merge(array('INBOX'), array_values($this->get_special_folders()));
- $folders = array_flip($a_folders);
+ $folders = array();
// convert names to UTF-8 and skip folders starting with '.'
foreach ($a_folders as $folder) {
if ($folder[0] != '.') {
// for better performance skip encoding conversion
// if the string does not look like UTF7-IMAP
- $folders[$folder] = strpos($folder, '+') === false ? $folder : rcube_charset::convert($folder, 'UTF7-IMAP');
- }
- else {
- unset($folders[$idx]);
+ $folders[$folder] = strpos($folder, '&') === false ? $folder : rcube_charset::convert($folder, 'UTF7-IMAP');
}
}
@@ -4170,39 +4166,46 @@ class rcube_imap extends rcube_storage
// force the type of folder name variable (#1485527)
$folders = array_map('strval', $folders);
+ $out = array();
+
+ // finally we must put special folders on top and rebuild the list
+ // to move their subfolders where they belong...
$specials = array_unique(array_intersect($specials, $folders));
- $head = array();
+ $folders = array_merge($specials, array_diff($folders, $specials));
- // place default folders on top
- foreach ($specials as $special) {
- $prefix = $special . $delimiter;
+ $this->sort_folder_specials(null, $folders, $specials, $out);
- foreach ($folders as $idx => $folder) {
- if ($folder === $special) {
- $head[] = $special;
- unset($folders[$idx]);
- }
- // put subfolders of default folders on their place...
- else if (strpos($folder, $prefix) === 0) {
- $head[] = $folder;
- unset($folders[$idx]);
+ return $out;
+ }
+
+ /**
+ * Recursive function to put subfolders of special folders in place
+ */
+ protected function sort_folder_specials($folder, &$list, &$specials, &$out)
+ {
+ while (list($key, $name) = each($list)) {
+ if ($folder === null || strpos($name, $folder.$this->delimiter) === 0) {
+ $out[] = $name;
+ unset($list[$key]);
+
+ if (!empty($specials) && ($found = array_search($name, $specials)) !== false) {
+ unset($specials[$found]);
+ $this->sort_folder_specials($name, $list, $specials, $out);
}
}
}
- return array_merge($head, $folders);
+ reset($list);
}
-
/**
* Callback for uasort() that implements correct
* locale-aware case-sensitive sorting
*/
protected function sort_folder_comparator($str1, $str2)
{
- $delimiter = $this->get_hierarchy_delimiter();
- $path1 = explode($delimiter, $str1);
- $path2 = explode($delimiter, $str2);
+ $path1 = explode($this->delimiter, $str1);
+ $path2 = explode($this->delimiter, $str2);
foreach ($path1 as $idx => $folder1) {
$folder2 = $path2[$idx];
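Review bot: In `sort_folder_specials()` the lookup `array_search($name, $specials)` compares loosely, so two numeric-looking folder names such as `10` and `1e1` count as equal and an ordinary folder can be handled as a special one; assuming the special folder names are strings, pass the strict flag: `($found = array_search($name, $specials, true)) !== false`. The method iterates with `each()` while unsetting entries of the by-reference `$list` and recursing, which depends on the array's internal pointer and deserves a short why-comment next to the closing `reset($list)`. The new docblock documents none of the four parameters, three of which are modified by reference. `sort_folder_comparator()` continues outside the hunk.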
diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php
index 3b5be15db..e4c9b7eb8 100644
--- a/program/lib/Roundcube/rcube_imap_generic.php
+++ b/program/lib/Roundcube/rcube_imap_generic.php
@@ -50,17 +50,17 @@ class rcube_imap_generic
public static $mupdate;
- private $fp;
- private $host;
- private $logged = false;
- private $capability = array();
- private $capability_readed = false;
- private $prefs;
- private $cmd_tag;
- private $cmd_num = 0;
- private $resourceid;
- private $_debug = false;
- private $_debug_handler = false;
+ protected $fp;
+ protected $host;
+ protected $logged = false;
+ protected $capability = array();
+ protected $capability_readed = false;
+ protected $prefs;
+ protected $cmd_tag;
+ protected $cmd_num = 0;
+ protected $resourceid;
+ protected $_debug = false;
+ protected $_debug_handler = false;
const ERROR_OK = 0;
const ERROR_NO = -1;
@@ -352,7 +352,7 @@ class rcube_imap_generic
*
* @return bool True if connection is closed
*/
- private function eof()
+ protected function eof()
{
if (!is_resource($this->fp)) {
return true;
@@ -375,7 +375,7 @@ class rcube_imap_generic
/**
* Closes connection stream.
*/
- private function closeSocket()
+ protected function closeSocket()
{
@fclose($this->fp);
$this->fp = null;
@@ -421,7 +421,7 @@ class rcube_imap_generic
return false;
}
- private function hasCapability($name)
+ protected function hasCapability($name)
{
if (empty($this->capability) || $name == '') {
return false;
@@ -1310,7 +1310,7 @@ class rcube_imap_generic
* @return array List of mailboxes or hash of options if $status_ops argument
* is non-empty.
*/
- private function _listMailboxes($ref, $mailbox, $subscribed=false,
+ protected function _listMailboxes($ref, $mailbox, $subscribed=false,
$status_opts=array(), $select_opts=array())
{
if (!strlen($mailbox)) {
@@ -1985,7 +1985,7 @@ class rcube_imap_generic
*
* @return bool True on success, False on failure
*/
- private function modFlag($mailbox, $messages, $flag, $mod = '+')
+ protected function modFlag($mailbox, $messages, $flag, $mod = '+')
{
if ($mod != '+' && $mod != '-') {
$mod = '+';
@@ -3681,7 +3681,7 @@ class rcube_imap_generic
return $result;
}
- private function _xor($string, $string2)
+ protected function _xor($string, $string2)
{
$result = '';
$size = strlen($string);
@@ -3700,7 +3700,7 @@ class rcube_imap_generic
*
* @return string Space-separated list of flags
*/
- private function flagsToStr($flags)
+ protected function flagsToStr($flags)
{
foreach ((array)$flags as $idx => $flag) {
if ($flag = $this->flags[strtoupper($flag)]) {
@@ -3752,7 +3752,7 @@ class rcube_imap_generic
/**
* CAPABILITY response parser
*/
- private function parseCapability($str, $trusted=false)
+ protected function parseCapability($str, $trusted=false)
{
$str = preg_replace('/^\* CAPABILITY /i', '', $str);
@@ -3829,7 +3829,7 @@ class rcube_imap_generic
*
* @since 0.5-stable
*/
- private function debug($message)
+ protected function debug($message)
{
if (($len = strlen($message)) > self::DEBUG_LINE_LENGTH) {
$diff = $len - self::DEBUG_LINE_LENGTH;
diff --git a/program/lib/Roundcube/rcube_ldap_generic.php b/program/lib/Roundcube/rcube_ldap_generic.php
index 252eafabe..25fe2e5d2 100644
--- a/program/lib/Roundcube/rcube_ldap_generic.php
+++ b/program/lib/Roundcube/rcube_ldap_generic.php
@@ -175,9 +175,11 @@ class rcube_ldap_generic
$this->_debug("C: Connect to $hostname [{$this->config['name']}]");
if ($lc = @ldap_connect($host, $this->config['port'])) {
- if ($this->config['use_tls'] === true)
- if (!ldap_start_tls($lc))
- continue;
+ if ($this->config['use_tls'] === true) {
+ if (!ldap_start_tls($lc)) {
+ return false;
+ }
+ }
$this->_debug("S: OK");
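Review bot: The new `return false` after a failed `ldap_start_tls()` leaves no trace: nothing is logged and the handle in `$lc` is not released. Adding `$this->_debug("S: NOT OK (StartTLS failed: " . ldap_error($lc) . ")");` before the return lets an operator tell a TLS negotiation failure from an unreachable host. Judging by the removed `continue`, this code sits inside a loop over hosts that is outside the hunk, so returning here also stops the remaining hosts from being tried; if that is intended, it deserves a comment.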
@@ -186,7 +188,7 @@ class rcube_ldap_generic
$this->conn = $lc;
if (!empty($this->config['network_timeout']))
- ldap_set_option($lc, LDAP_OPT_NETWORK_TIMEOUT, $this->config['network_timeout']);
+ ldap_set_option($lc, LDAP_OPT_NETWORK_TIMEOUT, $this->config['network_timeout']);
if (isset($this->config['referrals']))
ldap_set_option($lc, LDAP_OPT_REFERRALS, $this->config['referrals']);
diff --git a/program/lib/Roundcube/rcube_output.php b/program/lib/Roundcube/rcube_output.php
index 1907645b0..55a38b240 100644
--- a/program/lib/Roundcube/rcube_output.php
+++ b/program/lib/Roundcube/rcube_output.php
@@ -44,7 +44,6 @@ abstract class rcube_output
$this->browser = new rcube_browser();
}
-
/**
* Magic getter
*/
@@ -60,7 +59,6 @@ abstract class rcube_output
return null;
}
-
/**
* Setter for output charset.
* To be specified in a meta tag and sent as http-header
@@ -72,7 +70,6 @@ abstract class rcube_output
$this->charset = $charset;
}
-
/**
* Getter for output charset
*
@@ -83,7 +80,6 @@ abstract class rcube_output
return $this->charset;
}
-
/**
* Set environment variable
*
@@ -95,7 +91,6 @@ abstract class rcube_output
$this->env[$name] = $value;
}
-
/**
* Environment variable getter.
*
@@ -108,7 +103,6 @@ abstract class rcube_output
return $this->env[$name];
}
-
/**
* Delete all stored env variables and commands
*/
@@ -117,7 +111,6 @@ abstract class rcube_output
$this->env = array();
}
-
/**
* Invoke display_message command
*
@@ -129,7 +122,6 @@ abstract class rcube_output
*/
abstract function show_message($message, $type = 'notice', $vars = null, $override = true, $timeout = 0);
-
/**
* Redirect to a certain url.
*
@@ -138,13 +130,11 @@ abstract class rcube_output
*/
abstract function redirect($p = array(), $delay = 1);
-
/**
* Send output to the client.
*/
abstract function send();
-
/**
* Send HTTP headers to prevent caching a page
*/
@@ -157,9 +147,6 @@ abstract class rcube_output
header("Expires: ".gmdate("D, d M Y H:i:s")." GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
- // Request browser to disable DNS prefetching (CVE-2010-0464)
- header("X-DNS-Prefetch-Control: off");
-
// We need to set the following headers to make downloads work using IE in HTTPS mode.
if ($this->browser->ie && rcube_utils::https_check()) {
header('Pragma: private');
@@ -178,14 +165,32 @@ abstract class rcube_output
*/
public function future_expire_header($offset = 2600000)
{
- if (headers_sent())
+ if (headers_sent()) {
return;
+ }
header("Expires: " . gmdate("D, d M Y H:i:s", time()+$offset) . " GMT");
header("Cache-Control: max-age=$offset");
header("Pragma: ");
}
+ /**
+ * Send browser compatibility/security/etc. headers
+ */
+ public function common_headers()
+ {
+ if (headers_sent()) {
+ return;
+ }
+
+ // Unlock IE compatibility mode
+ if ($this->browser->ie) {
+ header('X-UA-Compatible: IE=edge');
+ }
+
+ // Request browser to disable DNS prefetching (CVE-2010-0464)
+ header("X-DNS-Prefetch-Control: off");
+ }
/**
* Show error page and terminate script execution
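Review bot: `common_headers()` now carries the `X-DNS-Prefetch-Control: off` header that the previous hunk removes from the no-cache header method, so every response path that used to get it implicitly must now call `common_headers()` explicitly. No caller is part of this diff, so it is worth checking that none was missed. The docblock should state the contract, e.g. `Send browser compatibility and security headers; call once per response before any output is sent`. The method returns silently when `headers_sent()` is true, so a header dropped that way would go unnoticed.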
@@ -200,7 +205,6 @@ abstract class rcube_output
exit(-1);
}
-
/**
* Create an edit field for inclusion on a form
*
@@ -253,7 +257,6 @@ abstract class rcube_output
return $out;
}
-
/**
* Convert a variable into a javascript object notation
*
@@ -269,5 +272,4 @@ abstract class rcube_output
// that's why we have @ here
return @json_encode($input);
}
-
}
diff --git a/program/lib/Roundcube/rcube_session.php b/program/lib/Roundcube/rcube_session.php
index f04f47a21..26f78433a 100644
--- a/program/lib/Roundcube/rcube_session.php
+++ b/program/lib/Roundcube/rcube_session.php
@@ -44,10 +44,16 @@ class rcube_session
private $secret = '';
private $ip_check = false;
private $logging = false;
- private $nowrite = false;
private $storage;
private $memcache;
+ /**
+ * Blocks session data from being written to database.
+ * Can be used if write-race conditions are to be expected
+ * @var boolean
+ */
+ public $nowrite = false;
+
/**
* Default constructor
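Review bot: Making `$nowrite` a public property while the `@@ -730` hunk deletes the `nowrite()` method turns any remaining `$session->nowrite(...)` call into a fatal error; callers are outside this diff, so this cannot be checked here. PHP allows a method and a property of the same name, so a thin deprecated wrapper `function nowrite($block = true) { $this->nowrite = $block; }` could stay for one release. The docblock should also say that any code holding the session object can now switch off session writes by setting the flag directly.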
@@ -730,16 +736,6 @@ class rcube_session
/**
- * Blocks session data from being written to database.
- * Can be used if write-race conditions are to be expected
- */
- function nowrite($block = true)
- {
- $this->nowrite = $block;
- }
-
-
- /**
* Check session authentication cookie
*
* @return boolean True if valid, False if not
diff --git a/program/lib/Roundcube/rcube_spellchecker.php b/program/lib/Roundcube/rcube_spellchecker.php
index e9a36072d..43bab08c4 100644
--- a/program/lib/Roundcube/rcube_spellchecker.php
+++ b/program/lib/Roundcube/rcube_spellchecker.php
@@ -226,7 +226,18 @@ class rcube_spellchecker
else {
$word = mb_substr($this->content, $item[1], $item[2], RCUBE_CHARSET);
}
- $result[$word] = is_array($item[4]) ? implode("\t", $item[4]) : $item[4];
+
+ if (is_array($item[4])) {
+ $suggestions = $item[4];
+ }
+ else if (empty($item[4])) {
+ $suggestions = array();
+ }
+ else {
+ $suggestions = explode("\t", $item[4]);
+ }
+
+ $result[$word] = $suggestions;
}
return $result;
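Review bot: `empty($item[4])` also matches the string `'0'`, so a single suggestion of `0` would be turned into an empty list; `$item[4] === null || $item[4] === ''` states the intended test. Since `$result[$word]` now always holds an array instead of a tab-joined string, the method's `@return` documentation, which is outside this hunk, should describe the new shape so callers that split on tabs are updated.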
diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
index 984294376..b93d3b117 100644
--- a/program/lib/Roundcube/rcube_washtml.php
+++ b/program/lib/Roundcube/rcube_washtml.php
@@ -95,6 +95,7 @@ class rcube_washtml
'ins', 'label', 'legend', 'li', 'map', 'menu', 'nobr', 'ol', 'p', 'pre', 'q',
's', 'samp', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table',
'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', 'img',
+ 'video', 'source',
// form elements
'button', 'input', 'textarea', 'select', 'option', 'optgroup'
);
@@ -246,7 +247,10 @@ class rcube_washtml
$quot = strpos($style, '"') !== false ? "'" : '"';
$t .= ' style=' . $quot . $style . $quot;
}
- else if ($key == 'background' || ($key == 'src' && strtolower($node->tagName) == 'img')) { //check tagName anyway
+ else if ($key == 'background'
+ || ($key == 'src' && preg_match('/^(img|source)$/i', $node->tagName))
+ || ($key == 'poster' && strtolower($node->tagName) == 'video')
+ ) {
if (($src = $this->config['cid_map'][$value])
|| ($src = $this->config['cid_map'][$this->config['base_url'].$value])
) {
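Review bot: The condition sends `src` through the cid-map branch only for `img` and `source`, yet the first hunk of this file adds `video` to the allowed elements and `src` is a valid attribute on `video` itself. Unless another branch outside this hunk handles it, `<video src=…>` would not get the same treatment as `<source src=…>`. Extending the pattern closes that gap: `|| ($key == 'src' && preg_match('/^(img|source|video)$/i', $node->tagName))`. The rest of the branch, including what happens to URLs that are not in `cid_map`, is outside the hunk.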