From 7152d0fdefc0cb60b26c928342436604479dc610 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 5 Jul 2014 12:33:03 +0200
Subject: Fix security issue in delete-response action - allow only ajax
 request. Unify code for identities and responses deletion.

Conflicts:

	program/steps/settings/func.inc
---
 CHANGELOG                                  |  1 +
 program/js/app.js                          | 22 ++++++++----
 program/steps/settings/delete_identity.inc | 55 ------------------------------
 program/steps/settings/func.inc            |  1 +
 program/steps/settings/identities.inc      | 22 ++++++++++++
 program/steps/settings/responses.inc       |  8 ++---
 6 files changed, 42 insertions(+), 67 deletions(-)
 delete mode 100644 program/steps/settings/delete_identity.inc

diff --git a/CHANGELOG b/CHANGELOG
index 8085b85c9..c3f14e112 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -18,6 +18,7 @@ CHANGELOG Roundcube Webmail
 - Fix list reload after sending message in another window (#1489931)
 - Fix so address format errors are ignored when saving a draft (#1489954)
 - Fix incorrect label translation in return receipt (#1489963)
+- Fix security issue in delete-response action - allow only ajax request
 
 RELEASE 1.0.1
 -------------
diff --git a/program/js/app.js b/program/js/app.js
index c9b9050b8..6ca84c315 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -3555,10 +3555,7 @@ function rcube_webmail()
     // submit delete request
     if (key && confirm(this.get_label('deleteresponseconfirm'))) {
       this.http_post('settings/delete-response', { _key: key }, false);
-      return true;
     }
-
-    return false;
   };
 
   this.stop_spellchecking = function()
@@ -5612,10 +5609,8 @@ function rcube_webmail()
       id = this.env.iid ? this.env.iid : selection[0];
 
     // submit request with appended token
-    if (confirm(this.get_label('deleteidentityconfirm')))
-      this.goto_url('delete-identity', { _iid: id, _token: this.env.request_token }, true);
-
-    return true;
+    if (id && confirm(this.get_label('deleteidentityconfirm')))
+      this.http_post('settings/delete-identity', { _iid: id }, true);
   };
 
   this.update_identity_row = function(id, name, add)
@@ -5661,6 +5656,19 @@ function rcube_webmail()
     }
   };
 
+  this.remove_identity = function(id)
+  {
+    var frame, list = this.identity_list,
+      rid = this.html_identifier(id);
+
+    if (list && id) {
+      list.remove_row(rid);
+      if (this.env.contentframe && (frame = this.get_frame_window(this.env.contentframe))) {
+        frame.location.href = this.env.blankpage;
+      }
+    }
+  };
+
 
   /*********************************************************/
   /*********        folder manager methods         *********/
diff --git a/program/steps/settings/delete_identity.inc b/program/steps/settings/delete_identity.inc
deleted file mode 100644
index f77620438..000000000
--- a/program/steps/settings/delete_identity.inc
+++ /dev/null
@@ -1,55 +0,0 @@
-<?php
-
-/*
- +-----------------------------------------------------------------------+
- | program/steps/settings/delete_identity.inc                            |
- |                                                                       |
- | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2005-2013, The Roundcube Dev Team                       |
- |                                                                       |
- | Licensed under the GNU General Public License version 3 or            |
- | any later version with exceptions for skins & plugins.                |
- | See the README file for a full license statement.                     |
- |                                                                       |
- | PURPOSE:                                                              |
- |   Delete the submitted identities (IIDs) from the database            |
- |                                                                       |
- +-----------------------------------------------------------------------+
- | Author: Thomas Bruederli <roundcube@gmail.com>                        |
- +-----------------------------------------------------------------------+
-*/
-
-$iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_GPC);
-
-// check request token
-if (!$OUTPUT->ajax_call && !$RCMAIL->check_request(rcube_utils::INPUT_GPC)) {
-    $OUTPUT->show_message('invalidrequest', 'error');
-    $RCMAIL->overwrite_action('identities');
-    return;
-}
-
-if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) {
-    $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid));
-
-    $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result'];
-
-    if ($deleted > 0 && $deleted !== false) {
-        $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
-    }
-    else {
-        $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving');
-        $OUTPUT->show_message($msg, 'error', null, false);
-    }
-
-    // send response
-    if ($OUTPUT->ajax_call) {
-        $OUTPUT->send();
-    }
-}
-
-if ($OUTPUT->ajax_call) {
-    exit;
-}
-
-// go to identities page
-$RCMAIL->overwrite_action('identities');
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index 0aae19719..82ca5df93 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -44,6 +44,7 @@ $RCMAIL->register_action_map(array(
     'add-response'  => 'edit_response.inc',
     'save-response' => 'edit_response.inc',
     'delete-response' => 'responses.inc',
+    'delete-identity' => 'identities.inc',
 ));
 
 
diff --git a/program/steps/settings/identities.inc b/program/steps/settings/identities.inc
index e19c16c79..f43edc1f7 100644
--- a/program/steps/settings/identities.inc
+++ b/program/steps/settings/identities.inc
@@ -19,6 +19,28 @@
  +-----------------------------------------------------------------------+
 */
 
+if ($RCMAIL->action == 'delete-identity' && $OUTPUT->ajax_call) {
+    $iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_POST);
+
+    if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) {
+        $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid));
+
+        $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result'];
+
+        if ($deleted > 0 && $deleted !== false) {
+            $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
+            $OUTPUT->command('remove_identity', $iid);
+        }
+        else {
+            $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving');
+            $OUTPUT->show_message($msg, 'error', null, false);
+        }
+    }
+
+    $OUTPUT->send();
+}
+
+
 define('IDENTITIES_LEVEL', intval($RCMAIL->config->get('identities_level', 0)));
 
 $OUTPUT->set_pagetitle($RCMAIL->gettext('identities'));
diff --git a/program/steps/settings/responses.inc b/program/steps/settings/responses.inc
index 06093b3b8..4374595a7 100644
--- a/program/steps/settings/responses.inc
+++ b/program/steps/settings/responses.inc
@@ -51,8 +51,8 @@ if (!empty($_POST['_insert'])) {
     $RCMAIL->output->send();
 }
 
-if ($RCMAIL->action == 'delete-response') {
-    if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_GPC)) {
+if ($RCMAIL->action == 'delete-response' && $RCMAIL->output->ajax_call) {
+    if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_POST)) {
         $responses = $RCMAIL->get_compose_responses(false, true);
         foreach ($responses as $i => $response) {
             if (empty($response['key']))
@@ -70,9 +70,7 @@ if ($RCMAIL->action == 'delete-response') {
         $RCMAIL->output->command('remove_response', $key);
     }
 
-    if ($RCMAIL->output->ajax_call) {
-        $RCMAIL->output->send();
-    }
+    $RCMAIL->output->send();
 }
 
 
-- 
cgit v1.2.3