From 5f9f6c660f8576cd79308caabcca45bf5eed9f6e Mon Sep 17 00:00:00 2001
From: Michael M Slusarz
Date: Tue, 10 Feb 2009 11:55:17 -0700
Subject: [PATCH] Bug #7926: Fix [un]escaping of URLs

---
 imp/docs/CHANGES | 2 ++
 imp/pgp.php | 17 +++++++++++++----
 imp/smime.php | 10 +++++++---
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/imp/docs/CHANGES b/imp/docs/CHANGES
index 0bf7a6cdc..65a93754f 100644
--- a/imp/docs/CHANGES
+++ b/imp/docs/CHANGES
@@ -51,6 +51,8 @@ v5.0-git
 v4.3.4-cvs
 ----------
+[mms] Fix [un]escaping of various URLs on message screen caused by security
+ fixes in v4.3.3 (Bug #7926).
 [mms] Add hook to allow hiding of IMAP folders (Request #7353, Gunnar Wrobel ).
 [jan] Fix rendering of subjects in RTL scripts when using LTR translations
diff --git a/imp/pgp.php b/imp/pgp.php
index 3076ea553..2bec464a9 100644
--- a/imp/pgp.php
+++ b/imp/pgp.php
@@ -25,7 +25,7 @@ function _importKeyDialog($target)
 $t->setOption('gettext', true);
 $t->set('selfurl', Horde::applicationUrl('pgp.php'));
 $t->set('broken_mp_form', $GLOBALS['browser']->hasQuirk('broken_multipart_form'));
- $t->set('reload', htmlspecialchars(html_entity_decode(Util::getFormData('reload'))));
+ $t->set('reload', htmlspecialchars(Util::getFormData('reload')));
 $t->set('target', $target);
 $t->set('forminput', Util::formInput());
 $t->set('import_public_key', $target == 'process_import_public_key');
@@ -56,6 +56,14 @@ function _textWindowOutput($filename, $msg)
 echo $msg;
 }
+function _reloadWindow()
+{
+ $cacheSess = &Horde_SessionObjects::singleton();
+ $reload = Util::getFormData('reload');
+ $cacheSess->setPruneFlag($reload, true);
+ Util::closeWindowJS('opener.focus();opener.location.href="' . $cacheSess->query($reload) . '";');
+}
+
 require_once dirname(__FILE__) . '/lib/base.php';
 $imp_pgp = &Horde_Crypt::singleton(array('imp', 'pgp'));
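Review bot: The new `_reloadWindow()` interpolates whatever `$cacheSess->query($reload)` returns straight into a JavaScript string literal, and `$reload` comes from form data but is never checked against the lookup result: an unknown or already pruned id presumably yields an empty value and emits `opener.location.href=""`, and a stored URL containing `"` or `\` would break out of the string. Resolve the id first, close the popup without navigating when nothing is found, and escape the value for the JS string context; the stored value is `$selfURL`, built outside this hunk, so whether it can actually contain such characters cannot be confirmed here. The same function is added verbatim to imp/smime.php in the `@@ -54,7 +54,10 @@` hunk and needs the same change. A short header comment saying that `reload` is a Horde_SessionObjects id rather than a URL would also save the next reader from re-adding the removed html_entity_decode().
```php
function _reloadWindow()
{
    $cacheSess = &Horde_SessionObjects::singleton();
    $reload = Util::getFormData('reload');
    $url = $cacheSess->query($reload);
    $cacheSess->setPruneFlag($reload, true);
    if (!$url) {
        // Unknown or pruned id: close the popup without navigating the opener.
        Util::closeWindowJS('opener.focus();');
        return;
    }
    Util::closeWindowJS('opener.focus();opener.location.href="' . addslashes($url) . '";');
}
```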
@@ -116,7 +124,7 @@ case 'process_import_public_key':
 foreach ($key_info['signature'] as $sig) {
 $notification->push(sprintf(_("PGP Public Key for \"%s (%s)\" was successfully added."), $sig['name'], $sig['email']), 'horde.success');
 }
- Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(html_entity_decode(Util::getFormData('reload'))) . '";');
+ _reloadWindow();
 }
 }
 exit;
@@ -166,7 +174,7 @@ case 'process_import_personal_private_key':
 * successfully - close the import popup window. */
 $imp_pgp->addPersonalPrivateKey($privateKey);
 $notification->push(_("PGP private key successfully added."), 'horde.success');
- Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(html_entity_decode(Util::getFormData('reload'))) . '";');
+ _reloadWindow();
 } else {
 /* Invalid private key imported - Redo private key import
 * screen. */
@@ -331,7 +339,8 @@ if ($prefs->getValue('use_pgp')) {
 if (!$t->get('no_file_upload')) {
 $t->set('no_source', !$GLOBALS['prefs']->getValue('add_source'));
 if (!$t->get('no_source')) {
- $t->set('public_import_url', Util::addParameter(Util::addParameter($selfURL, 'actionID', 'import_public_key'), 'reload', $selfURL));
+ $cacheSess = &Horde_SessionObjects::singleton();
+ $t->set('public_import_url', Util::addParameter(Util::addParameter($selfURL, 'actionID', 'import_public_key'), 'reload', $cacheSess->storeOid($selfURL, false)));
 $t->set('import_pubkey-help', Help::link('imp', 'pgp-import-pubkey'));
 }
 }
diff --git a/imp/smime.php b/imp/smime.php
index 07ca1083e..84940898a 100644
--- a/imp/smime.php
+++ b/imp/smime.php
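Review bot: In the `@@ -331,7 +339,8 @@` hunk `$cacheSess->storeOid($selfURL, false)` runs on every render of this page, so each visit stores a fresh session object whose prune flag is only set if the user later completes an import in `_reloadWindow()`; if that second argument is the prune flag, objects from abandoned import dialogs will accumulate in the session until something else cleans them up. The bare `false` also says nothing to the reader; a comment such as `// Keep the reload URL in the session and pass only its id in the link; _reloadWindow() marks it for pruning once used.` would document both the intent and the lifetime. The same pattern appears in imp/smime.php in the `@@ -265,7 +268,8 @@` hunk. The enclosing `if ($prefs->getValue('use_pgp'))` block starts and ends outside this hunk.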
@@ -20,7 +20,7 @@ function _importKeyDialog($target)
 $t->setOption('gettext', true);
 $t->set('selfurl', Horde::applicationUrl('smime.php'));
 $t->set('broken_mp_form', $GLOBALS['browser']->hasQuirk('broken_multipart_form'));
- $t->set('reload', htmlspecialchars(html_entity_decode(Util::getFormData('reload'))));
+ $t->set('reload', htmlspecialchars(Util::getFormData('reload')));
 $t->set('target', $target);
 $t->set('forminput', Util::formInput());
 $t->set('import_public_key', $target == 'process_import_public_key');
@@ -54,7 +54,10 @@ function _actionWindow()
 function _reloadWindow()
 {
- Util::closeWindowJS('opener.focus();opener.location.href="' . htmlspecialchars(html_entity_decode(Util::getFormData('reload'))) . '";');
+ $cacheSess = &Horde_SessionObjects::singleton();
+ $reload = Util::getFormData('reload');
+ $cacheSess->setPruneFlag($reload, true);
+ Util::closeWindowJS('opener.focus();opener.location.href="' . $cacheSess->query($reload) . '";');
 }
 function _textWindowOutput($filename, $msg, $html = false)
@@ -265,7 +268,8 @@ if (!is_a($openssl_check, 'PEAR_Error') && $prefs->getValue('use_smime')) {
 if (!$t->get('no_file_upload')) {
 $t->set('no_source', !$GLOBALS['prefs']->getValue('add_source'));
 if (!$t->get('no_source')) {
- $t->set('public_import_url', Util::addParameter(Util::addParameter($selfURL, 'actionID', 'import_public_key'), 'reload', $selfURL));
+ $cacheSess = &Horde_SessionObjects::singleton();
+ $t->set('public_import_url', Util::addParameter(Util::addParameter($selfURL, 'actionID', 'import_public_key'), 'reload', $cacheSess->storeOid($selfURL, false)));
 $t->set('import_pubkey-help', Help::link('imp', 'smime-import-pubkey'));
 }
 }
-- 
2.11.0