From c5799618997716288169b6fbcd1251f76788cd49 Mon Sep 17 00:00:00 2001
From: thomascube
Date: Sun, 25 Nov 2007 17:34:19 +0000
Subject: Fixed some potential security risks + updatedd changelog
---
 CHANGELOG | 13 +++++++++++++
 program/include/main.inc | 2 +-
 program/include/rcmail_template.inc | 4 ++--
 program/include/rcube_html.inc | 8 ++------
 program/steps/addressbook/func.inc | 5 +----
 program/steps/mail/func.inc | 19 +++++++------------
 program/steps/mail/get.inc | 6 +++---
 program/steps/mail/sendmail.inc | 2 +-
 program/steps/mail/show.inc | 4 ++--
 9 files changed, 32 insertions(+), 31 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 33a7a11e7..f646061a2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,19 @@
 CHANGELOG RoundCube Webmail
 ---------------------------
 
+2007/11/25 (thomasb)
+----------
+- Applied UID fetch patch by Glen Ogilvie
+- Applied patch for correct Postgres instructions from ticket #1484674
+- Fix overriding of session vars when register_globals is on (#1484670)
+- Fix wrong Postgres setup instructions in INSTALL (#1484674)
+- Fix bug with case-sensitive folder names (#1484245)
+- Don't create default folders by default
+- Added Georgian localization by Zaza Zviadadze
+- Updated Russian localization
+- Fixed some potential security risks (audited by Andris)
+
+
 2007/11/20 (tomekp)
 ----------
 - add Korean (kr) localization
diff --git a/program/include/main.inc b/program/include/main.inc
index 49dd2aaff..f0c603090 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -1432,7 +1432,7 @@ function rcmail_get_edit_field($col, $value, $attrib, $type='text')
 // use value from post
 if (!empty($_POST[$fname]))
- $value = $_POST[$fname];
+ $value = get_input_value($fname, RCUBE_INPUT_POST);
 $out = $input->show($value);
diff --git a/program/include/rcmail_template.inc b/program/include/rcmail_template.inc
index 15752f8bc..558bd4bf6 100644
--- a/program/include/rcmail_template.inc
+++ b/program/include/rcmail_template.inc
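Review bot: The `if (!empty($_POST[$fname]))` guard still inspects the raw POST value while the `+` line assigns the result of `get_input_value()`; if that helper filters its input (not visible here), a raw value that passes the guard can come back empty and `$value` is then overwritten with nothing instead of keeping the caller's default. Reading the helper once and testing its result keeps both in step: `$post = get_input_value($fname, RCUBE_INPUT_POST);` / `if (!empty($post))` / `$value = $post;`. rcmail_get_edit_field begins and ends outside the hunk.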
@@ -831,12 +831,12 @@ function rcmail_login_form($attrib)
 }
 }
- $fields['host'] = isset($select_host) ? $select_host->show($_POST['_host']) : null;
+ $fields['host'] = isset($select_host) ? $select_host->show(get_input_value('_host', RCUBE_INPUT_POST)) : null;
 }
 else if (!strlen($CONFIG['default_host']))
 {
 $input_host = new textfield(array('name' => '_host', 'id' => 'rcmloginhost', 'size' => 30));
- $fields['host'] = $input_host->show($_POST['_host']);
+ $fields['host'] = $input_host->show(get_input_value('_host', RCUBE_INPUT_POST));
 }
 $form_name = strlen($attrib['form']) ? $attrib['form'] : 'form';
diff --git a/program/include/rcube_html.inc b/program/include/rcube_html.inc
index a31594a56..18983a15a 100644
--- a/program/include/rcube_html.inc
+++ b/program/include/rcube_html.inc
@@ -292,10 +292,6 @@ class rcube_form_element
 if ((strpos($key,'on')===0 && $value==''))
 continue;
- // encode textarea content
- if ($key=='value')
- $value = Q($value, 'strict', FALSE);
-
 // attributes with no value
 if (in_array($key, array('checked', 'multiple', 'disabled', 'selected', 'nowrap')))
 {
@@ -304,11 +300,11 @@ class rcube_form_element
 }
 // don't convert size of value attribute
 else if ($key=='value') $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $value);
+ $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), Q($value, 'strict', false));
 // regular tag attributes
 else
- $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case($value, 'value'));
+ $attrib_arr[] = sprintf('%s="%s"', $this->_conv_case($key, 'attrib'), $this->_conv_case(Q($value), 'value'));
 }
 return sizeof($attrib_arr) ? ' '.implode(' ', $attrib_arr) : '';
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 574ef874e..b916ad796 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
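Review bot: `get_input_value('_host', RCUBE_INPUT_POST)` is now repeated on the two `+` lines, one per branch of the host field; a single read above the `if`, `$post_host = get_input_value('_host', RCUBE_INPUT_POST);`, used by both `show()` calls removes the duplication. It also gives one place to restrict the echoed host to the configured `default_host` entries, should that check not already happen before the form is rendered — it is not visible in this hunk. rcmail_login_form begins and ends outside the hunk.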
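Review bot: The two `+` lines of the second hunk encode attribute values with different arguments: `Q($value, 'strict', false)` for the `value` attribute but plain `Q($value)` for every other attribute, so whatever the third argument switches off (the removed line passed it as `FALSE` for textarea content, presumably newline handling) stays on for the regular attributes. Using the same call in both branches, `$this->_conv_case(Q($value, 'strict', false), 'value')`, keeps the two paths consistent. The second `+` line also runs `_conv_case()` over the already-encoded string, so if that conversion can upper-case a value it will rewrite the entity names Q produced; encoding after the conversion, `Q($this->_conv_case($value, 'value'), 'strict', false)`, avoids that. The attribute loop's enclosing method begins before the first hunk and ends after the second.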
@@ -32,10 +32,7 @@ $CONTACTS->set_pagesize($CONFIG['pagesize']);
 // set list properties and session vars
 if (!empty($_GET['_page']))
- {
- $CONTACTS->set_page(intval($_GET['_page']));
- $_SESSION['page'] = $_GET['_page'];
- }
+ $CONTACTS->set_page(($_SESSION['page'] = intval($_GET['_page'])));
 else
 $CONTACTS->set_page(isset($_SESSION['page']) ?$_SESSION['page'] : 1);
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index c072c9118..95deaa4b9 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -30,16 +30,10 @@ if (empty($_SESSION['mbox']))
 // set imap properties and session vars
 if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC))
- {
- $IMAP->set_mailbox($mbox);
- $_SESSION['mbox'] = $mbox;
- }
+ $IMAP->set_mailbox(($_SESSION['mbox'] = $mbox));
 if (!empty($_GET['_page']))
- {
- $IMAP->set_page((int)$_GET['_page']);
- $_SESSION['page'] = (int)$_GET['_page'];
- }
+ $IMAP->set_page(($_SESSION['page'] = intval($_GET['_page'])));
 // set mailbox to INBOX if not set
 if (empty($_SESSION['mbox']))
@@ -862,7 +856,7 @@ function rcmail_message_body($attrib)
 if (!$attrib['id'])
 $attrib['id'] = 'rcmailMsgBody';
- $safe_mode = (bool)$_GET['_safe'];
+ $safe_mode = intval($_GET['_safe']);
 $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id'));
 $out = '
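Review bot: `intval($_GET['_page'])` on the `+` line yields 0 for a non-numeric `_page` and a negative number for a negative one, both of which pass the `!empty()` guard, and that value is now stored in `$_SESSION['page']` where every later request without `_page` picks it up through the `else` branch. Clamping before the store, `$CONTACTS->set_page(($_SESSION['page'] = max(1, intval($_GET['_page']))));`, keeps the session value in range, assuming pages are 1-based as the `: 1` fallback below suggests. The `_page` assignment in the first program/steps/mail/func.inc hunk has the same issue.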
\n";
@@ -1197,10 +1191,11 @@ function rcmail_message_part_controls()
 {
 global $CONFIG, $IMAP, $MESSAGE;
- if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$_GET['_part']])
+ $part = get_input_value('_part', RCUBE_INPUT_GPC);
+ if (!is_array($MESSAGE) || !is_array($MESSAGE['parts']) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE['parts'][$part])
 return '';
- $part = &$MESSAGE['parts'][$_GET['_part']];
+ $part = &$MESSAGE['parts'][$part];
 $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'cellspacing', 'cellpadding', 'border', 'summary'));
 $out = '\n";
@@ -1230,7 +1225,7 @@ function rcmail_message_part_frame($attrib)
 {
 global $MESSAGE;
- $part = $MESSAGE['parts'][$_GET['_part']];
+ $part = $MESSAGE['parts'][get_input_value('_part', RCUBE_INPUT_GPC)];
 $ctype_primary = strtolower($part->ctype_primary);
 $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']));
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index c9e40ac77..dad49d370 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -88,7 +88,7 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET))
 // we have to analyze the whole structure again to find inline objects
 list($new_parts, $new_attachments) = rcmail_parse_message($MESSAGE['structure'],
- array('safe' => (bool)$_GET['_safe'],
+ array('safe' => intval($_GET['_safe']),
 'prefer_html' => TRUE,
 'get_url' => $GET_URL.'&_part=%s'));
@@ -102,7 +102,7 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET))
 $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part);
 $OUTPUT = new rcube_html_page();
- $OUTPUT->write(rcmail_print_body($part, (bool)$_GET['_safe']));
+ $OUTPUT->write(rcmail_print_body($part, intval($_GET['_safe'])));
 }
 else
 {
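Review bot: `$_GET['_safe']` on the `+` line is read without an `isset()`, so a request that omits `_safe` raises an undefined-index notice before `intval()` runs, and the result is now an int although the removed `(bool)` cast and the name `$safe_mode` show it is used as a flag. Reading it through the helper the rest of this patch already uses, `$safe_mode = intval(get_input_value('_safe', RCUBE_INPUT_GET));`, avoids the notice, provided the helper returns an empty value for a missing key (its behaviour is not visible here). The same direct read appears in all three program/steps/mail/get.inc hunks and in both program/steps/mail/show.inc hunks. rcmail_message_body continues after the hunk.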
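Review bot: `$part` carries two meanings on the `+` lines: the request's part id on the first, then a reference to the part structure on the third, so the id is lost once the reference is taken and a reader has to track which is meant on the `if` line. A separate name, `$part_id = get_input_value('_part', RCUBE_INPUT_GPC);` and `$part = &$MESSAGE['parts'][$part_id];`, keeps the two apart. The guard also still tests `$_GET['_part']` while the lookup uses the GPC value; if the helper prefers POST or cookie data over GET (not visible here) the two can disagree, leaving `!$MESSAGE['parts'][$part]` as the only check on the reference target. rcmail_message_part_controls continues after the hunk.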
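Review bot: The `+` line indexes `$MESSAGE['parts']` with the request's `_part` without the existence check its sibling rcmail_message_part_controls performs, so an unknown id raises a notice and leaves `$part` null when `$part->ctype_primary` is read on the next line. Guarding first, `$part_id = get_input_value('_part', RCUBE_INPUT_GPC);` / `if (!isset($MESSAGE['parts'][$part_id])) return '';` / `$part = $MESSAGE['parts'][$part_id];`, mirrors the sibling, assuming an empty string is an acceptable return here, which the hunk does not show. rcmail_message_part_frame continues after the hunk.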
@@ -130,7 +130,7 @@ else
 $cont = '';
 list($MESSAGE['parts']) = rcmail_parse_message($MESSAGE['structure'],
- array('safe' => (bool)$_GET['_safe'],
+ array('safe' => intval($_GET['_safe']),
 'get_url' => $GET_URL.'&_part=%s'));
 $cont = "\n\n\n";
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index f1fd090d9..d118af53f 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -199,7 +199,7 @@ if (!empty($_SESSION['compose']['references']))
 if (!empty($_POST['_priority']))
 {
- $priority = (int)$_POST['_priority'];
+ $priority = intval($_POST['_priority']);
 $a_priorities = array(1=>'highest', 2=>'high', 4=>'low', 5=>'lowest');
 if ($str_priority = $a_priorities[$priority])
 $headers['X-Priority'] = sprintf("%d (%s)", $priority, ucfirst($str_priority));
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index e25da03a6..4dcdec362 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -57,7 +57,7 @@ if ($_GET['_uid'])
 if ($MESSAGE['structure'] = $IMAP->get_structure($MESSAGE['UID']))
 list($MESSAGE['parts'], $MESSAGE['attachments']) = rcmail_parse_message(
 $MESSAGE['structure'],
- array('safe' => (bool)$_GET['_safe'],
+ array('safe' => intval($_GET['_safe']),
 'prefer_html' => $CONFIG['prefer_html'],
 'get_url' => $GET_URL.'&_part=%s')
 );
@@ -71,7 +71,7 @@ if ($_GET['_uid'])
 // give message uid to the client
 $OUTPUT->set_env('uid', $MESSAGE['UID']);
- $OUTPUT->set_env('safemode', (bool)$_GET['_safe']);
+ $OUTPUT->set_env('safemode', intval($_GET['_safe']));
 $next = $prev = -1;
 // get previous, first, next and last message UID
-- cgit v1.2.3
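Review bot: `$a_priorities[$priority]` on the `if` line two below the `+` line is read without an existence check, so any `intval()` result other than 1, 2, 4 or 5 — `3`, or a non-numeric string that `!empty()` let through — raises an undefined-offset notice before the falsy test. `if (isset($a_priorities[$priority]) && ($str_priority = $a_priorities[$priority]))` keeps the assignment and avoids the notice. The enclosing `if (!empty($_POST['_priority']))` block closes outside the hunk.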