From 395b74051ce974ced8a5abe378f66e9bcf0c8e34 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 27 Mar 2013 16:32:51 +0100 Subject: Whitelist configuration options (user preferences) that can be changed using save-pref command Conflicts: program/lib/Roundcube/rcube_plugin.php program/lib/Roundcube/rcube_plugin_api.php Conflicts: CHANGELOG program/steps/utils/save_pref.inc --- CHANGELOG | 1 + program/include/rcube_plugin.php | 8 ++++++++ program/include/rcube_plugin_api.php | 4 ++++ program/steps/utils/save_pref.inc | 22 +++++++++++++++++----- 4 files changed, 30 insertions(+), 5 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 754576e42..87dd6ae75 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix security issue in save-pref command - Fix XSS vulnerability in handling of text/enriched messages (#1488806) - Fix compatybility with MDB2 2.5.0b4 (#1488779) - Fix lower-casing email address on replies (#1488598) diff --git a/program/include/rcube_plugin.php b/program/include/rcube_plugin.php index 49bec043c..550c8420b 100644 --- a/program/include/rcube_plugin.php +++ b/program/include/rcube_plugin.php @@ -61,6 +61,14 @@ abstract class rcube_plugin */ public $noframe = false; + /** + * A list of config option names that can be modified + * by the user via user interface (with save-pref command) + * + * @var array + */ + public $allowed_prefs; + protected $home; protected $urlbase; private $mytask; diff --git a/program/include/rcube_plugin_api.php b/program/include/rcube_plugin_api.php index 4846cd91b..f9e067fdf 100644 --- a/program/include/rcube_plugin_api.php +++ b/program/include/rcube_plugin_api.php @@ -32,6 +32,7 @@ class rcube_plugin_api public $url = 'plugins/'; public $output; public $config; + public $allowed_prefs = array(); public $handlers = array(); private $plugins = array(); @@ -182,6 +183,9 @@ class rcube_plugin_api $plugin->init(); $this->plugins[$plugin_name] = $plugin; } + if (!empty($plugin->allowed_prefs)) { + $this->allowed_prefs = array_merge($this->allowed_prefs, $plugin->allowed_prefs); + } return true; } } diff --git a/program/steps/utils/save_pref.inc b/program/steps/utils/save_pref.inc index 616d13bc1..0bc731abf 100644 --- a/program/steps/utils/save_pref.inc +++ b/program/steps/utils/save_pref.inc @@ -5,7 +5,7 @@ | program/steps/utils/save_pref.inc | | | | This file is part of the Roundcube Webmail client | - | Copyright (C) 2005-2010, The Roundcube Dev Team | + | Copyright (C) 2005-2013, The Roundcube Dev Team | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -14,13 +14,26 @@ +-----------------------------------------------------------------------+ | Author: Aleksander Machniak | +-----------------------------------------------------------------------+ - - $Id$ - */ $name = get_input_value('_name', RCUBE_INPUT_POST); $value = get_input_value('_value', RCUBE_INPUT_POST); +$whitelist = array( + 'preview_pane', + 'list_cols', + 'collapsed_folders', + 'collapsed_abooks', +); + +if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) { + raise_error(array('code' => 500, 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])), + true, false); + + $OUTPUT->reset(); + $OUTPUT->send(); +} // save preference value $RCMAIL->user->save_prefs(array($name => $value)); @@ -42,4 +55,3 @@ if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) { $OUTPUT->reset(); $OUTPUT->send(); - -- cgit v1.2.3