[Svn] r4509 - in branches/release-0.5: . config program/include program/js program/lib program/localization/de_DE program/steps/addressbook program/steps/mail program/steps/settings program/steps/utils skins/default

trac at roundcube.net trac at roundcube.net
Wed Feb 9 11:51:51 CET 2011


Author: thomasb
Date: 2011-02-09 04:51:50 -0600 (Wed, 09 Feb 2011)
New Revision: 4509

Modified:
   branches/release-0.5/CHANGELOG
   branches/release-0.5/config/main.inc.php.dist
   branches/release-0.5/index.php
   branches/release-0.5/program/include/main.inc
   branches/release-0.5/program/include/rcmail.php
   branches/release-0.5/program/include/rcube_config.php
   branches/release-0.5/program/include/rcube_imap_generic.php
   branches/release-0.5/program/include/rcube_ldap.php
   branches/release-0.5/program/include/rcube_message.php
   branches/release-0.5/program/include/rcube_session.php
   branches/release-0.5/program/include/rcube_shared.inc
   branches/release-0.5/program/include/rcube_smtp.php
   branches/release-0.5/program/include/rcube_template.php
   branches/release-0.5/program/js/common.js
   branches/release-0.5/program/lib/washtml.php
   branches/release-0.5/program/localization/de_DE/labels.inc
   branches/release-0.5/program/steps/addressbook/import.inc
   branches/release-0.5/program/steps/addressbook/save.inc
   branches/release-0.5/program/steps/mail/addcontact.inc
   branches/release-0.5/program/steps/mail/compose.inc
   branches/release-0.5/program/steps/mail/func.inc
   branches/release-0.5/program/steps/mail/sendmail.inc
   branches/release-0.5/program/steps/settings/edit_identity.inc
   branches/release-0.5/program/steps/settings/func.inc
   branches/release-0.5/program/steps/settings/save_identity.inc
   branches/release-0.5/program/steps/utils/error.inc
   branches/release-0.5/program/steps/utils/modcss.inc
   branches/release-0.5/skins/default/common.css
   branches/release-0.5/skins/default/functions.js
   branches/release-0.5/skins/default/mail.css
Log:
Apply more bugfixes from trunk for 0.5.1

Modified: branches/release-0.5/CHANGELOG
===================================================================
--- branches/release-0.5/CHANGELOG	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/CHANGELOG	2011-02-09 10:51:50 UTC (rev 4509)
@@ -3,6 +3,16 @@
 
 RELEASE 0.5.1
 -------------
+- Security: add optional referer check to prevent CSRF in GET requests
+- Fix email_dns_check setting not used for identities/contacts (#1487740)
+- Fix ICANN example addresses doesn't validate (#1487742)
+- Security: protect login form submission from CSRF
+- Security: prevent from relaying malicious requests through modcss.inc
+- Fix handling of non-image attachments in multipart/related messages (#1487750)
+- Fix IDNA support when IDN/INTL modules are in use (#1487742)
+- Fix handling of invalid HTML comments in messages (#1487759)
+- Fix parsing FETCH response for very long headers (#1487753)
+- Fix add/remove columns in message list when message_sort_order isn't set (#1487751)
 - Fix settings UI on IE 6 (#1487724)
 - Remove double borders in folder listing (#1487713)
 - Separate full message headers UI element from headers table (#1487715)

Modified: branches/release-0.5/config/main.inc.php.dist
===================================================================
--- branches/release-0.5/config/main.inc.php.dist	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/config/main.inc.php.dist	2011-02-09 10:51:50 UTC (rev 4509)
@@ -213,6 +213,9 @@
 // There have been problems reported with this feature.
 $rcmail_config['double_auth'] = false;
 
+// check referer of incoming requests
+$rcmail_config['referer_check'] = false;
+
 // this key is used to encrypt the users imap password which is stored
 // in the session record (and the client cookie if remember password is enabled).
 // please provide a string of exactly 24 chars.
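Review bot: The one-line comment on `referer_check` does not tell an administrator what the check compares or which clients it will lock out; elsewhere in this commit the check rejects any request whose Referer host and path differ from the current request, so browsers, privacy extensions or proxies that strip Referer would be refused once it is enabled. Suggest expanding the comment to `// reject requests whose HTTP Referer is not this host and path (defence in depth against CSRF on GET requests); clients that suppress the Referer header will be rejected`. Keeping the default at `false` is reasonable given that caveat, and the comment should say so.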

Modified: branches/release-0.5/index.php
===================================================================
--- branches/release-0.5/index.php	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/index.php	2011-02-09 10:51:50 UTC (rev 4509)
@@ -75,6 +75,8 @@
 
 // try to log in
 if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
+  $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login');
+
   // purge the session in case of new login when a session already exists 
   $RCMAIL->kill_session();
 
@@ -84,13 +86,14 @@
     'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true,
        $RCMAIL->config->get('password_charset', 'ISO-8859-1')),
     'cookiecheck' => true,
+    'valid' => $request_valid,
   ));
 
   // check if client supports cookies
   if ($auth['cookiecheck'] && empty($_COOKIE)) {
     $OUTPUT->show_message("cookiesdisabled", 'warning');
   }
-  else if ($_SESSION['temp'] && !$auth['abort'] &&
+  else if ($auth['valid'] && !$auth['abort'] &&
         !empty($auth['host']) && !empty($auth['user']) &&
         $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
     // create new session ID
@@ -123,15 +126,15 @@
   else {
     $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1;
 
-    $OUTPUT->show_message($error_code < -1 ? 'imaperror' : 'loginfailed', 'warning');
+    $OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning');
     $RCMAIL->plugins->exec_hook('login_failed', array(
       'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
     $RCMAIL->kill_session();
   }
 }
 
-// end session
-else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
+// end session (after optional referer check)
+else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) && (!$RCMAIL->config->get('referer_check') || rcube_check_referer())) {
   $userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
   $OUTPUT->show_message('loggedout');
   $RCMAIL->logout_actions();
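Review bot: With `referer_check` left at its default of false (see the config change in this commit), logout is still reachable by a cross-site GET to `?_task=logout`, so the new condition only hardens deployments that opt in; a request token on the logout link, checked the same way as `check_request()` on the login form, would close this by default. Note also that when the referer check fails this `else if` is simply skipped and the request falls through to the following branches instead of being rejected with an error, which is presumably the intended behaviour but is worth a comment such as `// a failed referer check falls through to the normal task handling below`. Separately, an invalid-token login now still fires the `login_failed` hook with the submitted user name, which may feed lockout counters in plugins for requests that were never real login attempts.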
@@ -167,7 +170,7 @@
     );
   }
 
-  $OUTPUT->set_env('task', 'login');
+  $RCMAIL->set_task('login');
   $OUTPUT->send('login');
 }
 // CSRF prevention
@@ -187,6 +190,14 @@
     $OUTPUT->show_message('invalidrequest', 'error');
     $OUTPUT->send($RCMAIL->task);
   }
+
+  // check referer if configured
+  if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
+    raise_error(array(
+      'code' => 403,
+      'type' => 'php',
+      'message' => "Referer check failed"), true, true);
+  }
 }
 
 // handle special actions
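Review bot: `!$request_check_whitelist[$RCMAIL->action]` reads an undefined array key for every non-whitelisted action and raises an E_NOTICE on each request; use `empty($request_check_whitelist[$RCMAIL->action])` instead (the whitelist itself is defined above this hunk, so I assume it is a plain action-name map). When the option is enabled, a legitimate request that simply carries no Referer header — privacy extensions, some proxies, HTTPS-to-HTTP navigations — gets a hard 403 via `raise_error()` here, whereas the token check just above it answers with the softer `invalidrequest` message; consider treating an absent Referer distinctly from a mismatching one, or at least documenting that enabling the option will reject such clients.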

Modified: branches/release-0.5/program/include/main.inc
===================================================================
--- branches/release-0.5/program/include/main.inc	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/program/include/main.inc	2011-02-09 10:51:50 UTC (rev 4509)
@@ -1224,6 +1224,19 @@
 
 
 /**
+ * Check whether the HTTP referer matches the current request
+ *
+ * @return boolean True if referer is the same host+path, false if not
+ */
+function rcube_check_referer()
+{
+  $uri = parse_url($_SERVER['REQUEST_URI']);
+  $referer = parse_url(rc_request_header('Referer'));
+  return $referer['host'] == rc_request_header('Host') && $referer['path'] == $uri['path'];
+}
+
+
+/**
  * @access private
  * @return mixed
  */
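Review bot: `rcube_check_referer()` compares `$referer['host']` from `parse_url()` with the raw `Host` header, but the Host header carries a port when the site is not on 80/443 (`example.org:8443`) while `parse_url()` puts the port in a separate key, so on a non-default port the check fails for every request and the feature is unusable; host names are also case-insensitive, and a missing Referer makes `$referer['host']` undefined and emits a notice. Suggest `$host = preg_replace('/:\d+$/', '', (string) rc_request_header('Host'));` followed by `return !empty($referer['host']) && strcasecmp($referer['host'], $host) === 0 && $referer['path'] == $uri['path'];`. Behind a reverse proxy the Host header may be rewritten to the backend name, which would also defeat the comparison — worth a caveat in the docblock.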
@@ -1863,7 +1876,40 @@
   return false;
 }
 
+/*
+ * Idn_to_ascii wrapper.
+ * Intl/Idn modules version of this function doesn't work with e-mail address
+ */
+function rcube_idn_to_ascii($str)
+{
+  return rcube_idn_convert($str, true);
+}
 
+/*
+ * Idn_to_ascii wrapper.
+ * Intl/Idn modules version of this function doesn't work with e-mail address
+ */
+function rcube_idn_to_utf8($str)
+{
+  return rcube_idn_convert($str, false);
+}
+
+function rcube_idn_convert($input, $is_utf=false)
+{
+  if ($at = strpos($input, '@')) {
+    $user   = substr($input, 0, $at);
+    $domain = substr($input, $at+1);
+  }
+  else {
+    $domain = $input;
+  }
+
+  $domain = $is_utf ? idn_to_ascii($domain) : idn_to_utf8($domain);
+
+  return $at ? $user . '@' . $domain : $domain;
+}
+
+
 /**
  * Helper class to turn relative urls into absolute ones
  * using a predefined base
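Review bot: In `rcube_idn_convert()` both `idn_to_ascii()` and `idn_to_utf8()` return `false` when the label cannot be converted, and that `false` is then concatenated so the function returns `"user@"` (or an empty string) instead of the input, silently truncating an address that is later used as a login name or recipient. Suggest `$converted = $is_utf ? idn_to_ascii($domain) : idn_to_utf8($domain);` and `$domain = $converted === false ? $domain : $converted;` so a failed conversion leaves the original text in place. Also `if ($at = strpos($input, '@'))` treats an `@` at offset 0 as "no local part" and the whole `@domain` string is handed to the IDN function, and the docblock on `rcube_idn_to_utf8()` still reads `Idn_to_ascii wrapper.` — it should say `Idn_to_utf8 wrapper.`.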

Modified: branches/release-0.5/program/include/rcmail.php
===================================================================
--- branches/release-0.5/program/include/rcmail.php	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/program/include/rcmail.php	2011-02-09 10:51:50 UTC (rev 4509)
@@ -691,12 +691,12 @@
 
     // Here we need IDNA ASCII
     // Only rcube_contacts class is using domain names in Unicode
-    $host = idn_to_ascii($host);
+    $host = rcube_idn_to_ascii($host);
     if (strpos($username, '@')) {
       // lowercase domain name
       list($local, $domain) = explode('@', $username);
       $username = $local . '@' . mb_strtolower($domain);
-      $username = idn_to_ascii($username);
+      $username = rcube_idn_to_ascii($username);
     }
 
     // user already registered -> overwrite username

Modified: branches/release-0.5/program/include/rcube_config.php
===================================================================
--- branches/release-0.5/program/include/rcube_config.php	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/program/include/rcube_config.php	2011-02-09 10:51:50 UTC (rev 4509)
@@ -287,7 +287,7 @@
             $domain = rcube_parse_host($this->prop['mail_domain']);
 
         if ($encode)
-            $domain = idn_to_ascii($domain);
+            $domain = rcube_idn_to_ascii($domain);
 
         return $domain;
     }

Modified: branches/release-0.5/program/include/rcube_imap_generic.php
===================================================================
--- branches/release-0.5/program/include/rcube_imap_generic.php	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/program/include/rcube_imap_generic.php	2011-02-09 10:51:50 UTC (rev 4509)
@@ -1494,7 +1494,7 @@
                 // INTERNALDATE "16-Nov-2008 21:08:46 +0100" BODYSTRUCTURE (...)
                 // BODY[HEADER.FIELDS ...
 
-                if (preg_match('/^\* [0-9]+ FETCH \((.*) BODY/s', $line, $matches)) {
+                if (preg_match('/^\* [0-9]+ FETCH \((.*) BODY/sU', $line, $matches)) {
                     $str = $matches[1];
 
                     // swap parents with quotes, then explode
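Review bot: The `U` modifier inverts greediness for every quantifier in the pattern, so `[0-9]+` becomes lazy as well as `(.*)`; that still matches here only because the literal ` FETCH` anchors the number, and a reader has to know the modifier's semantics to see that. Using a lazy group explicitly, `'/^\* [0-9]+ FETCH \((.*?) BODY/s'`, makes the intent local to the capture and keeps the rest of the pattern greedy.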
@@ -1531,7 +1531,7 @@
 
                     // BODYSTRUCTURE
                     if ($bodystr) {
-                        while (!preg_match('/ BODYSTRUCTURE (.*) BODY\[HEADER.FIELDS/s', $line, $m)) {
+                        while (!preg_match('/ BODYSTRUCTURE (.*) BODY\[HEADER.FIELDS/sU', $line, $m)) {
                             $line2 = $this->readLine(1024);
                             $line .= $this->multLine($line2, true);
                         }
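Review bot: The `while (!preg_match(...))` loop keeps calling `readLine()` until ` BODYSTRUCTURE (...) BODY[HEADER.FIELDS` appears, with no exit if the connection drops or the server response never contains that sequence; if `readLine()` returns `false` or an empty string at EOF, as its name suggests, the loop spins forever on a dead socket. A guard such as `if ($line2 === false) break;` after the read, or a cap on the number of continuation lines, would bound it — confirm against `readLine()`'s actual EOF behaviour, which is outside this hunk. The same `U` modifier remark as for the first regex applies to `(.*)` here.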
@@ -1631,7 +1631,7 @@
                         break;
                         case 'content-type':
                             $ctype_parts = preg_split('/[; ]/', $string);
-                            $result[$id]->ctype = array_shift($ctype_parts);
+                            $result[$id]->ctype = strtolower(array_shift($ctype_parts));
                             if (preg_match('/charset\s*=\s*"?([a-z0-9\-\.\_]+)"?/i', $string, $regs)) {
                                 $result[$id]->charset = $regs[1];
                             }

Modified: branches/release-0.5/program/include/rcube_ldap.php
===================================================================
--- branches/release-0.5/program/include/rcube_ldap.php	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/program/include/rcube_ldap.php	2011-02-09 10:51:50 UTC (rev 4509)
@@ -99,7 +99,7 @@
 
     foreach ($this->prop['hosts'] as $host)
     {
-      $host = idn_to_ascii(rcube_parse_host($host));
+      $host = rcube_idn_to_ascii(rcube_parse_host($host));
       $this->_debug("C: Connect [$host".($this->prop['port'] ? ':'.$this->prop['port'] : '')."]");
 
       if ($lc = @ldap_connect($host, $this->prop['port']))

Modified: branches/release-0.5/program/include/rcube_message.php
===================================================================
--- branches/release-0.5/program/include/rcube_message.php	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/program/include/rcube_message.php	2011-02-09 10:51:50 UTC (rev 4509)
@@ -506,6 +506,16 @@
                     ) {
                         $this->attachments[] = $inline_object;
                     }
+                    // MS Outlook sometimes also adds non-image attachments as related
+                    // We'll add all such attachments to the attachments list
+                    // Warning: some browsers support pdf in <img/>
+                    // @TODO: we should fetch HTML body and find attachment's content-id
+                    // to handle also image attachments without reference in the body
+                    if (!empty($inline_object->filename)
+                        && !preg_match('/^image\/(gif|jpe?g|png|tiff|bmp|svg)/', $inline_object->mimetype)
+                    ) {
+                        $this->attachments[] = $inline_object;
+                    }
                 }
 
                 // add replace array to each content part
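Review bot: The new mimetype test `preg_match('/^image\/(gif|jpe?g|png|tiff|bmp|svg)/', ...)` is case-sensitive, so a part declared as `image/PNG` or `Image/jpeg` is classified as non-image and listed as an attachment; add the `i` flag: `!preg_match('/^image\/(gif|jpe?g|png|tiff|bmp|svg)/i', $inline_object->mimetype)`. The `if` immediately above (its condition begins before this hunk) also appends `$inline_object` to `$this->attachments`, and if both conditions hold for the same part it is listed twice — an `else if` would avoid that, but I cannot see the full first condition to confirm the overlap.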

Modified: branches/release-0.5/program/include/rcube_session.php
===================================================================
--- branches/release-0.5/program/include/rcube_session.php	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/program/include/rcube_session.php	2011-02-09 10:51:50 UTC (rev 4509)
@@ -154,6 +154,8 @@
       sprintf("DELETE FROM %s WHERE sess_id = ?", get_table_name('session')),
       $key);
 
+    if ($key == $this->key)
+        $this->vars = false;
     return true;
   }
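Review bot: `if ($key == $this->key)` uses a loose comparison on what should be two session-id strings; `===` avoids PHP's numeric-string coercion (`"1e3" == "1000"`) and states the intent. A short comment would help too, e.g. `// destroying the current session: drop cached vars so they are not written back on shutdown` — that is my reading of why `$this->vars` is reset, so please confirm. The enclosing method starts above this hunk.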
 

Modified: branches/release-0.5/program/include/rcube_shared.inc
===================================================================
--- branches/release-0.5/program/include/rcube_shared.inc	2011-02-09 10:33:26 UTC (rev 4508)
+++ branches/release-0.5/program/include/rcube_shared.inc	2011-02-09 10:51:50 UTC (rev 4509)
@@ -700,7 +700,7 @@
             $loaded = true;
         }
 
-