From 77de23fa939338546a3e049459ffd29edd9058c2 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 11 Nov 2012 10:32:05 +0100 Subject: Added cross-task 'refresh' request for system state updates --- program/steps/mail/check_recent.inc | 10 +++++++--- program/steps/mail/func.inc | 1 + 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'program/steps/mail') diff --git a/program/steps/mail/check_recent.inc b/program/steps/mail/check_recent.inc index 1a1b08c60..90d17c15b 100644 --- a/program/steps/mail/check_recent.inc +++ b/program/steps/mail/check_recent.inc @@ -19,8 +19,14 @@ +-----------------------------------------------------------------------+ */ +// If there's no folder or messages list, there's nothing to update +// This can happen on 'refresh' request +if (empty($_REQUEST['_folderlist']) && empty($_REQUEST['_list'])) { + return; +} + $current = $RCMAIL->storage->get_folder(); -$check_all = !empty($_GET['_refresh']) || (bool)$RCMAIL->config->get('check_all_folders'); +$check_all = $RCMAIL->action != 'refresh' || (bool)$RCMAIL->config->get('check_all_folders'); // list of folders to check if ($check_all) { @@ -102,6 +108,4 @@ foreach ($a_mailboxes as $mbox_name) { } } -$RCMAIL->plugins->exec_hook('keep_alive', array()); - $OUTPUT->send(); diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index f128a3834..374ab7571 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -1810,6 +1810,7 @@ $OUTPUT->add_handlers(array( // register action aliases $RCMAIL->register_action_map(array( + 'refresh' => 'check_recent.inc', 'preview' => 'show.inc', 'print' => 'show.inc', 'moveto' => 'move_del.inc', -- cgit v1.2.3 From d15163ab6ecabde9d12e8674bee37cbe562bd850 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 14 Nov 2012 13:29:58 +0100 Subject: Fix XSS vulnerability in handling of text/enriched messages (#1488806) --- CHANGELOG | 1 + program/steps/mail/func.inc | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'program/steps/mail') diff --git a/CHANGELOG b/CHANGELOG index dc2d182cf..6ce469cd5 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix XSS vulnerability in handling of text/enriched messages (#1488806) - Fix handling of 'media' attribute on linked css (#1488789) - Fix excessive LFs at the end of composed message with top_posting=true (#1488797) - Option to display attached images as thumbnails below message body diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 5e24a4311..3668cd7b2 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -753,7 +753,9 @@ function rcmail_print_body($part, $p = array()) else if ($data['type'] == 'enriched') { $part->ctype_secondary = 'html'; require_once(INSTALL_PATH . 'program/lib/enriched.inc'); - $body = Q(enriched_to_html($data['body']), 'show'); + $body = enriched_to_html($data['body']); + $body = rcmail_wash_html($body, $data, $part->replaces); + $part->ctype_secondary = 'html'; } else { // assert plaintext -- cgit v1.2.3 From 398238abf23ed74568c77d355c55a405fde730fe Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 14 Nov 2012 13:37:27 +0100 Subject: Remove redundant code --- program/steps/mail/func.inc | 1 - 1 file changed, 1 deletion(-) (limited to 'program/steps/mail') diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 3668cd7b2..961a604a2 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -751,7 +751,6 @@ function rcmail_print_body($part, $p = array()) } // text/enriched else if ($data['type'] == 'enriched') { - $part->ctype_secondary = 'html'; require_once(INSTALL_PATH . 'program/lib/enriched.inc'); $body = enriched_to_html($data['body']); $body = rcmail_wash_html($body, $data, $part->replaces); -- cgit v1.2.3 From 52d0d949104e6b43d8daa39dad64b20cc003440c Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 14 Nov 2012 13:58:15 +0100 Subject: Fix handling of text/enriched content on message reply/forward/edit --- CHANGELOG | 1 + program/include/rcube_message.php | 5 +++-- program/steps/mail/compose.inc | 20 +++++++++++++++++--- 3 files changed, 21 insertions(+), 5 deletions(-) (limited to 'program/steps/mail') diff --git a/CHANGELOG b/CHANGELOG index 6ce469cd5..9f8464c5f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix handling of text/enriched content on message reply/forward/edit - Fix XSS vulnerability in handling of text/enriched messages (#1488806) - Fix handling of 'media' attribute on linked css (#1488789) - Fix excessive LFs at the end of composed message with top_posting=true (#1488797) diff --git a/program/include/rcube_message.php b/program/include/rcube_message.php index 9b8484c15..74bf4574f 100644 --- a/program/include/rcube_message.php +++ b/program/include/rcube_message.php @@ -198,14 +198,15 @@ class rcube_message * Determine if the message contains a HTML part * * @param bool $recursive Enables checking in all levels of the structure + * @param bool $enriched Enables checking for text/enriched parts too * * @return bool True if a HTML is available, False if not */ - function has_html_part($recursive = true) + function has_html_part($recursive = true, $enriched = false) { // check all message parts foreach ($this->parts as $part) { - if ($part->mimetype == 'text/html') { + if ($part->mimetype == 'text/html' || ($enriched && $part->mimetype == 'text/enriched')) { // Level check, we'll skip e.g. HTML attachments if (!$recursive) { $level = explode('.', $part->mime_id); diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 87a06e10d..ffc1c7518 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -611,13 +611,13 @@ function rcmail_compose_editor_mode() $useHtml = !empty($_POST['_is_html']); } else if ($compose_mode == RCUBE_COMPOSE_DRAFT || $compose_mode == RCUBE_COMPOSE_EDIT) { - $useHtml = $MESSAGE->has_html_part(false); + $useHtml = $MESSAGE->has_html_part(false, true); } else if ($compose_mode == RCUBE_COMPOSE_REPLY) { - $useHtml = ($html_editor == 1 || ($html_editor >= 2 && $MESSAGE->has_html_part(false))); + $useHtml = ($html_editor == 1 || ($html_editor >= 2 && $MESSAGE->has_html_part(false, true))); } else if ($compose_mode == RCUBE_COMPOSE_FORWARD) { - $useHtml = ($html_editor == 1 || ($html_editor == 3 && $MESSAGE->has_html_part(false))); + $useHtml = ($html_editor == 1 || ($html_editor == 3 && $MESSAGE->has_html_part(false, true))); } else { $useHtml = ($html_editor == 1); @@ -730,6 +730,10 @@ function rcmail_compose_part_body($part, $isHtml = false) if ($isHtml) { if ($part->ctype_secondary == 'html') { } + else if ($part->ctype_secondary == 'enriched') { + require_once(INSTALL_PATH . 'program/lib/enriched.inc'); + $body = enriched_to_html($body); + } else { // try to remove the signature if ($RCMAIL->config->get('strip_existing_sig', true)) { @@ -743,6 +747,12 @@ function rcmail_compose_part_body($part, $isHtml = false) } } else { + if ($part->ctype_secondary == 'enriched') { + require_once(INSTALL_PATH . 'program/lib/enriched.inc'); + $body = enriched_to_html($body); + $part->ctype_secondary = 'html'; + } + if ($part->ctype_secondary == 'html') { // use html part if it has been used for message (pre)viewing // decrease line length for quoting @@ -750,6 +760,10 @@ function rcmail_compose_part_body($part, $isHtml = false) $txt = new html2text($body, false, true, $len); $body = $txt->get_text(); } + else if ($part->ctype_secondary == 'enriched') { + require_once(INSTALL_PATH . 'program/lib/enriched.inc'); + $body = enriched_to_html($body); + } else { if ($part->ctype_secondary == 'plain' && $part->ctype_parameters['format'] == 'flowed') { $body = rcube_mime::unfold_flowed($body); -- cgit v1.2.3