From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/addressbook/export.inc |  132 +++++++++++++++++++++++++++++++++----------
 1 files changed, 101 insertions(+), 31 deletions(-)

diff --git a/program/steps/addressbook/export.inc b/program/steps/addressbook/export.inc
index 84a63ae..c1eaa7f 100644
--- a/program/steps/addressbook/export.inc
+++ b/program/steps/addressbook/export.inc
@@ -1,12 +1,12 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/addressbook/export.inc                                  |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2008-2011, The Roundcube Dev Team                       |
- | Copyright (C) 2011, Kolab Systems AG                                  |
+ | Copyright (C) 2008-2013, The Roundcube Dev Team                       |
+ | Copyright (C) 2011-2013, Kolab Systems AG                             |
  |                                                                       |
  | Licensed under the GNU General Public License version 3 or            |
  | any later version with exceptions for skins & plugins.                |
@@ -21,9 +21,10 @@
  +-----------------------------------------------------------------------+
 */
 
+$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
+
 // Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']]))
-{
+if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
     $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
     $search  = (array)$_SESSION['search'][$_REQUEST['_search']];
     $records = array();
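Review bot: The token is validated only from the GET source (`rcube_utils::INPUT_GET` on the added line), but the selection parameters are still read from `$_REQUEST` (`_search` here, `_cid` in the following hunk), which also accepts POST and cookie values. Reading the parameters from the same source the token is checked against keeps the check and the input consistent, e.g. `$search_id = rcube_utils::get_input_value('_search', rcube_utils::INPUT_GET);` (the helper exists in rcube_utils; confirm its availability in this version) and then `isset($_SESSION['search'][$search_id])`. The `if` block opened here continues into the next hunk.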
@@ -40,15 +41,48 @@
         // get records
         $result = $source->list_records();
 
-        while ($row = $result->next()) {
-            $row['sourceid'] = $s;
-            $key = rcmail_contact_key($row, $sort_col);
-            $records[$key] = $row;
+        while ($record = $result->next()) {
+            // because vcard_map is per-source we need to create vcard here
+            prepare_for_export($record, $source);
+
+            $record['sourceid'] = $s;
+            $key = rcube_addressbook::compose_contact_key($record, $sort_col);
+            $records[$key] = $record;
         }
+
         unset($result);
     }
 
     // sort the records
+    ksort($records, SORT_LOCALE_STRING);
+
+    // create resultset object
+    $count  = count($records);
+    $result = new rcube_result_set($count);
+    $result->records = array_values($records);
+}
+// selected contacts
+else if (!empty($_REQUEST['_cid'])) {
+    $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
+    $records  = array();
+
+    // Selected contact IDs (with multi-source support)
+    $cids = rcmail_get_cids();
+
+    foreach ($cids as $s => $ids) {
+        $source = $RCMAIL->get_address_book($s);
+        $result = $source->search('ID', $ids, 1, true, true);
+
+        while ($record = $result->next()) {
+            // because vcard_map is per-source we need to create vcard here
+            prepare_for_export($record, $source);
+
+            $record['sourceid'] = $s;
+            $key = rcube_addressbook::compose_contact_key($record, $sort_col);
+            $records[$key] = $record;
+        }
+    }
+
     ksort($records, SORT_LOCALE_STRING);
 
     // create resultset object
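Review bot: The record-collecting loop of the new `else if` branch (`while ($record = $result->next()) { … }` with prepare_for_export, sourceid and compose_contact_key) is a verbatim copy of the loop in the search branch above; extracting it into one helper would keep the two branches from drifting, since the `prepare_for_export` call was added to both and any later change must be mirrored. The `$source->search('ID', $ids, 1, true, true)` call also passes three positional magic values whose meaning a reader cannot see; a one-line comment naming them (mode, select, nocount, as the method defines them — confirm against rcube_addressbook) would help. I cannot tell from the hunk whether `get_address_book($s)` can return null for an unknown source id; if it can, the `$source->search(...)` call needs a guard. The `else if` branch continues past the end of this hunk.
```php
// … unchanged: search branch, replaced loop body calls the helper too …
    foreach ($cids as $s => $ids) {
        $source = $RCMAIL->get_address_book($s);
        $result = $source->search('ID', $ids, 1, true, true);
        collect_export_records($result, $source, $s, $sort_col, $records);
    }
// … unchanged: ksort and resultset creation …

/**
 * Append all records of a result set to $records, keyed by the sort key
 */
function collect_export_records($result, $source, $s, $sort_col, &$records)
{
    while ($record = $result->next()) {
        // because vcard_map is per-source we need to create vcard here
        prepare_for_export($record, $source);

        $record['sourceid'] = $s;
        $key = rcube_addressbook::compose_contact_key($record, $sort_col);
        $records[$key] = $record;
    }
}
```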
@@ -67,32 +101,68 @@
 }
 
 // send downlaod headers
-header('Content-Type: text/x-vcard; charset='.RCMAIL_CHARSET);
-header('Content-Disposition: attachment; filename="rcube_contacts.vcf"');
+header('Content-Type: text/x-vcard; charset='.RCUBE_CHARSET);
+header('Content-Disposition: attachment; filename="contacts.vcf"');
 
 while ($result && ($row = $result->next())) {
-    // we already have a vcard record
-    if ($row['vcard'] && $row['name']) {
-        $row['vcard'] = preg_replace('/\r?\n/', rcube_vcard::$eol, $row['vcard']);
-        echo rcube_vcard::rfc2425_fold($row['vcard']) . rcube_vcard::$eol;
+    if ($CONTACTS) {
+        prepare_for_export($row, $CONTACTS);
     }
-    // copy values into vcard object
-    else {
-        $vcard = new rcube_vcard();
-        $vcard->extend_fieldmap($CONTACTS->vcard_map);
-        $vcard->load($row['vcard']);
-        $vcard->reset();
 
-        foreach ($row as $key => $values) {
-            list($field, $section) = explode(':', $key);
-            foreach ((array)$values as $value) {
-                if (is_array($value) || strlen($value))
-                    $vcard->set($field, $value, strtoupper($section));
-            }
-        }
-
-        echo $vcard->export(true) . rcube_vcard::$eol;
-    }
+    // fix folding and end-of-line chars
+    $row['vcard'] = preg_replace('/\r|\n\s+/', '', $row['vcard']);
+    $row['vcard'] = preg_replace('/\n/', rcube_vcard::$eol, $row['vcard']);
+    echo rcube_vcard::rfc2425_fold($row['vcard']) . rcube_vcard::$eol;
 }
 
 exit;
+
+
+/**
+ * Copy contact record properties into a vcard object
+ */
+function prepare_for_export(&$record, $source = null)
+{
+    $groups   = $source && $source->groups && $source->export_groups ? $source->get_record_groups($record['ID']) : null;
+    $fieldmap = $source ? $source->vcard_map : null;
+
+    if (empty($record['vcard'])) {
+        $vcard = new rcube_vcard($record['vcard'], RCUBE_CHARSET, false, $fieldmap);
+        $vcard->reset();
+
+        foreach ($record as $key => $values) {
+            list($field, $section) = explode(':', $key);
+            // avoid unwanted casting of DateTime objects to an array
+            // (same as in rcube_contacts::convert_save_data())
+            if (is_object($values) && is_a($values, 'DateTime')) {
+                $values = array($values);
+            }
+
+            foreach ((array) $values as $value) {
+                if (is_array($value) || is_a($value, 'DateTime') || @strlen($value)) {
+                    $vcard->set($field, $value, strtoupper($section));
+                }
+            }
+        }
+
+        // append group names
+        if ($groups) {
+            $vcard->set('groups', join(',', $groups), null);
+        }
+
+        $record['vcard'] = $vcard->export();
+    }
+    // patch categories to alread existing vcard block
+    else if ($record['vcard']) {
+        $vcard = new rcube_vcard($record['vcard'], RCUBE_CHARSET, false, $fieldmap);
+
+        // unset CATEGORIES entry, it might be not up-to-date (#1490277)
+        $vcard->set('groups', null);
+        $record['vcard'] = $vcard->export();
+
+        if (!empty($groups)) {
+            $vgroups = 'CATEGORIES:' . rcube_vcard::vcard_quote($groups, ',');
+            $record['vcard'] = str_replace('END:VCARD', $vgroups . rcube_vcard::$eol . 'END:VCARD', $record['vcard']);
+        }
+    }
+}
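Review bot: The `@strlen($value)` in prepare_for_export silences the notice for non-string values instead of stating which values are accepted; an explicit type check keeps the same outcome without suppression, `if (is_array($value) || is_a($value, 'DateTime') || (is_scalar($value) && strlen((string) $value))) {`. The `else if ($record['vcard'])` branch is reached only when `empty($record['vcard'])` was false, so its condition is always true and a plain `else` says the same thing. The comment above it reads "alread existing" for "already existing".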

--
Gitblit v1.9.1