From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sun, 06 Mar 2016 08:31:07 -0500
Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642); send X-Frame-Options headers with every HTTP response

---
 program/steps/addressbook/export.inc |  109 ++++++++++++++++++++++++++++++++----------------------
 1 files changed, 65 insertions(+), 44 deletions(-)

diff --git a/program/steps/addressbook/export.inc b/program/steps/addressbook/export.inc
index c112f08..b056a3e 100644
--- a/program/steps/addressbook/export.inc
+++ b/program/steps/addressbook/export.inc
@@ -1,12 +1,12 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/addressbook/export.inc                                  |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2008-2013, The Roundcube Dev Team                       |
- | Copyright (C) 2011, Kolab Systems AG                                  |
+ | Copyright (C) 2011-2013, Kolab Systems AG                             |
  |                                                                       |
  | Licensed under the GNU General Public License version 3 or            |
  | any later version with exceptions for skins & plugins.                |
@@ -21,49 +21,10 @@
  +-----------------------------------------------------------------------+
 */
 
-
-/**
- * Copy contact record properties into a vcard object
- */
-function prepare_for_export(&$record, $source = null)
-{
-    $groups = $source && $source->groups && $source->export_groups ? $source->get_record_groups($record['ID']) : null;
-
-    if (empty($record['vcard'])) {
-        $vcard = new rcube_vcard();
-        if ($source) {
-            $vcard->extend_fieldmap($source->vcard_map);
-        }
-        $vcard->load($record['vcard']);
-        $vcard->reset();
-
-        foreach ($record as $key => $values) {
-            list($field, $section) = explode(':', $key);
-            foreach ((array)$values as $value) {
-                if (is_array($value) || @strlen($value)) {
-                    $vcard->set($field, $value, strtoupper($section));
-                }
-            }
-        }
-
-        // append group names
-        if ($groups) {
-            $vcard->set('groups', join(',', $groups), null);
-        }
-
-        $record['vcard'] = $vcard->export(true);
-    }
-    // patch categories to alread existing vcard block
-    else if ($record['vcard'] && !empty($groups) && !strpos($record['vcard'], 'CATEGORIES:')) {
-        $vgroups = 'CATEGORIES:' . rcube_vcard::vcard_quote(join(',', $groups));
-        $record['vcard'] = str_replace('END:VCARD', $vgroups . rcube_vcard::$eol . 'END:VCARD', $record['vcard']);
-    }
-}
-
+$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
 
 // Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']]))
-{
+if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
     $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
     $search  = (array)$_SESSION['search'][$_REQUEST['_search']];
     $records = array();
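Review bot: The new `request_security_check(rcube_utils::INPUT_GET)` only validates the token carried on the GET side, yet the `_search` identifier on the very next lines is still taken from `$_REQUEST`, which merges GET, POST and cookie values, so the parameter that selects the session search result is not bound to the same channel the token check covers. If this export endpoint is meant to be GET-only, read the key through the same source, e.g. `$search_id = rcube_utils::get_input_value('_search', rcube_utils::INPUT_GET);` and index `$_SESSION['search']` with that, assuming that helper is available in this version. What `request_security_check` actually verifies (token presence, referrer, or both) is not visible in this hunk, so the exact coverage should be confirmed against its definition. The `if` body that starts here continues outside the hunk.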
@@ -139,12 +100,22 @@
     $result = $CONTACTS->list_records(null, 0, true);
 }
 
+// Give plugins a possibility to implement other output formats or modify the result
+$plugin = $RCMAIL->plugins->exec_hook('addressbook_export', array('result' => $result));
+$result = $plugin['result'];
+
+if ($plugin['abort']) {
+    exit;
+}
+
 // send downlaod headers
 header('Content-Type: text/x-vcard; charset='.RCUBE_CHARSET);
 header('Content-Disposition: attachment; filename="contacts.vcf"');
 
 while ($result && ($row = $result->next())) {
-    prepare_for_export($row, $CONTACTS);
+    if ($CONTACTS) {
+        prepare_for_export($row, $CONTACTS);
+    }
 
     // fix folding and end-of-line chars
     $row['vcard'] = preg_replace('/\r|\n\s+/', '', $row['vcard']);
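Review bot: `if ($plugin['abort'])` reads an array key the hook result may never set, which will emit an undefined-index notice on every export whenever no plugin populates it; use `if (!empty($plugin['abort']))` so the absent key is treated as "do not abort" without noise. The hook is given the raw `$result` object and its return value replaces it unconditionally, so a plugin returning something that is not iterable would make the `while ($result && ($row = $result->next()))` loop fatal; a short comment above the hook call stating that plugins must return an object exposing `next()` (or set `abort`) would document the contract. The download headers are sent only after the hook, which is the right order since an aborting plugin may want to emit its own.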
@@ -153,3 +124,53 @@
 }
 
 exit;
+
+
+/**
+ * Copy contact record properties into a vcard object
+ */
+function prepare_for_export(&$record, $source = null)
+{
+    $groups   = $source && $source->groups && $source->export_groups ? $source->get_record_groups($record['ID']) : null;
+    $fieldmap = $source ? $source->vcard_map : null;
+
+    if (empty($record['vcard'])) {
+        $vcard = new rcube_vcard($record['vcard'], RCUBE_CHARSET, false, $fieldmap);
+        $vcard->reset();
+
+        foreach ($record as $key => $values) {
+            list($field, $section) = explode(':', $key);
+            // avoid unwanted casting of DateTime objects to an array
+            // (same as in rcube_contacts::convert_save_data())
+            if (is_object($values) && is_a($values, 'DateTime')) {
+                $values = array($values);
+            }
+
+            foreach ((array) $values as $value) {
+                if (is_array($value) || is_a($value, 'DateTime') || @strlen($value)) {
+                    $vcard->set($field, $value, strtoupper($section));
+                }
+            }
+        }
+
+        // append group names
+        if ($groups) {
+            $vcard->set('groups', join(',', $groups), null);
+        }
+
+        $record['vcard'] = $vcard->export();
+    }
+    // patch categories to alread existing vcard block
+    else if ($record['vcard']) {
+        $vcard = new rcube_vcard($record['vcard'], RCUBE_CHARSET, false, $fieldmap);
+
+        // unset CATEGORIES entry, it might be not up-to-date (#1490277)
+        $vcard->set('groups', null);
+        $record['vcard'] = $vcard->export();
+
+        if (!empty($groups)) {
+            $vgroups = 'CATEGORIES:' . rcube_vcard::vcard_quote($groups, ',');
+            $record['vcard'] = str_replace('END:VCARD', $vgroups . rcube_vcard::$eol . 'END:VCARD', $record['vcard']);
+        }
+    }
+}
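Review bot: The docblock on `prepare_for_export` still says only "Copy contact record properties into a vcard object", but the function now mutates `$record['vcard']` in place through the reference and, in the existing-vcard branch, first clears CATEGORIES and then re-appends the current group list; the docblock should state both, e.g. `@param array $record Contact record; $record['vcard'] is rewritten in place` and `@param rcube_addressbook|null $source Source addressbook, used for the field map and (when export_groups is enabled) the record's groups`. The two branches also build the CATEGORIES line differently: the first sets it via `$vcard->set('groups', join(',', $groups), null)` on the object, while the second splices `CATEGORIES:` into the exported string with `str_replace('END:VCARD', ...)`, which rewrites every `END:VCARD` occurrence in the text; if setting groups on the freshly constructed `$vcard` before `export()` is viable here (the #1490277 reference suggests there may be a reason it is not), it would keep both paths consistent and avoid the raw string patch. Finally, `@strlen($value)` hides the warning for non-string values; `is_scalar($value) && strlen((string) $value)` expresses the intent without suppression.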

--
Gitblit v1.9.1