From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sun, 06 Mar 2016 08:31:07 -0500 Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response --- plugins/zipdownload/zipdownload.js | 40 +++++++++++++++++++--------------------- 1 files changed, 19 insertions(+), 21 deletions(-) diff --git a/plugins/zipdownload/zipdownload.js b/plugins/zipdownload/zipdownload.js index 39fb2d8..6f918d2 100644 --- a/plugins/zipdownload/zipdownload.js +++ b/plugins/zipdownload/zipdownload.js @@ -1,5 +1,18 @@ /** * ZipDownload plugin script + * + * @licstart The following is the entire license notice for the + * JavaScript code in this file. + * + * Copyright (c) 2013-2014, The Roundcube Dev Team + * + * The JavaScript code in this page is free software: you can redistribute it + * and/or modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation, either version 3 of + * the License, or (at your option) any later version. + * + * @licend The above is the entire license notice + * for the JavaScript code in this file. */ window.rcmail && rcmail.addEventListener('init', function(evt) { @@ -30,21 +43,10 @@ link.html('').append(span); } - span.addClass('folder-selector-link').text(rcmail.gettext('zipdownload.download')); - + span.text(rcmail.get_label('zipdownload.download')); rcmail.env.download_link = link; }); - - // hide menu on click out of menu element - var fn = function(e) { - var menu = $('#zipdownload-menu'); - if (e.target != menu.get(0)) - menu.hide(); - }; - $(document.body).on('mouseup', fn); - $('iframe').contents().on('mouseup', fn) - .load(function(e) { try { $(this).contents().on('mouseup', fn); } catch(e) {}; }); -}); + }); function rcmail_zipdownload(mode) 
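Review bot: Removing the document/iframe `mouseup` handler in the second hunk leaves nothing in this file that closes `#zipdownload-menu` on a click outside it, and the hunk gives no hint where that responsibility moved; presumably the core `menu-open` command that `rcmail_zipdownload_menu` now calls owns hide-on-click-outside, and a one-line comment next to the new `span.text(...)` line, `// menu show/hide is handled by rcmail's 'menu-open' command (see rcmail_zipdownload_menu)`, would stop the next reader from re-adding the handler. The new label line also drops the `folder-selector-link` class that the removed line set; if a stylesheet still targets it, the link silently loses its styling, so that is worth confirming. The enclosing 'init' listener starts in the first hunk, outside this one.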
@@ -52,7 +54,7 @@
 // default .eml download of single message
 if (mode == 'eml') {
 var uid = rcmail.get_single_uid();
- rcmail.goto_url('viewsource', {_uid: uid, _mbox: rcmail.get_message_mailbox(uid), _save: 1});
+ rcmail.goto_url('viewsource', rcmail.params_from_uid(uid, {_save: 1}), false, true);
 return;
 }
 
@@ -87,14 +89,10 @@
 }
 
 // display download options menu
-function rcmail_zipdownload_menu()
+function rcmail_zipdownload_menu(e)
 {
- // fix menu style and display menu
- var z_index = rcmail.env.download_link.parents('.popupmenu').css('z-index'), menu = $('#zipdownload-menu').css({'max-height': 'none', 'z-index': z_index + 1}).show();
-
- // position menu on the screen
- rcmail.element_position(menu, rcmail.env.download_link);
+ // show (sub)menu for download selection
+ rcmail.command('menu-open', 'zipdownload-menu', e && e.target ? e.target : rcmail.env.download_link, e);
 
 // abort download action
 return false;
-- 
Gitblit v1.9.1
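Review bot: The rewritten `goto_url` call passes two bare positional booleans, `false, true`, whose meaning is not visible on the line; given the commit subject, the trailing `true` presumably asks goto_url to append the per-request token that keeps the download URL from being forged cross-site, but nothing says so. A comment above the call, `// last arg: append the request token so this download URL cannot be triggered cross-site`, would make the CSRF intent auditable, and the same token requirement should be verified for the non-eml download modes later in rcmail_zipdownload, which lie outside this hunk. rcmail_zipdownload begins and ends outside the hunk.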
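Review bot: `rcmail_zipdownload_menu` gains an `e` parameter whose contract is documented only by the expression `e && e.target ? e.target : rcmail.env.download_link`; a caller passing no event silently falls back to `rcmail.env.download_link`, which is only set inside the 'init' listener in the earlier hunk, so the fallback may be undefined if the menu is opened before that listener ran. A JSDoc header, `/** @param {Event} [e] - click event used to anchor the menu; falls back to rcmail.env.download_link */`, would record that, and `var target = e && e.target || rcmail.env.download_link;` passed to the command reads more plainly than the inline ternary. The function's closing brace is outside the hunk.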