From e1d9b4824c1e5750dfbf51dc1c8b2d54cf0895c3 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Wed, 27 Mar 2013 16:32:51 +0100 Subject: Whitelist configuration options (user preferences) that can be changed using save-pref command Conflicts: program/lib/Roundcube/rcube_plugin.php program/lib/Roundcube/rcube_plugin_api.php --- program/steps/utils/save_pref.inc | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) (limited to 'program/steps/utils') diff --git a/program/steps/utils/save_pref.inc b/program/steps/utils/save_pref.inc index 2c60f6d4e..3c3cfa0ff 100644 --- a/program/steps/utils/save_pref.inc +++ b/program/steps/utils/save_pref.inc @@ -5,7 +5,7 @@ | program/steps/utils/save_pref.inc | | | | This file is part of the Roundcube Webmail client | - | Copyright (C) 2005-2010, The Roundcube Dev Team | + | Copyright (C) 2005-2013, The Roundcube Dev Team | | | | Licensed under the GNU General Public License version 3 or | | any later version with exceptions for skins & plugins. | @@ -17,13 +17,26 @@ +-----------------------------------------------------------------------+ | Author: Aleksander Machniak | +-----------------------------------------------------------------------+ - - $Id$ - */ $name = get_input_value('_name', RCUBE_INPUT_POST); $value = get_input_value('_value', RCUBE_INPUT_POST); +$whitelist = array( + 'preview_pane', + 'list_cols', + 'collapsed_folders', + 'collapsed_abooks', +); + +if (!in_array($name, array_merge($whitelist, $RCMAIL->plugins->allowed_prefs))) { + raise_error(array('code' => 500, 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => sprintf("Hack attempt detected (user: %s)", $_SESSION['username'])), + true, false); + + $OUTPUT->reset(); + $OUTPUT->send(); +} // save preference value $RCMAIL->user->save_prefs(array($name => $value)); @@ -45,4 +58,3 @@ if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) { $OUTPUT->reset(); $OUTPUT->send(); - -- cgit v1.2.3