From c6efcf5e6d11a0f236daff3aa3bd6532c77726d3 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 12 Jan 2015 05:44:28 -0500
Subject: [PATCH] Fix blocked.gif image usage with assets_dir set

---
 program/include/rcmail.php |  102 ++++++++++++++++++++++++++++++++-------------------
 1 files changed, 64 insertions(+), 38 deletions(-)

diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 527b74e..2327109 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -439,7 +439,7 @@
 
         // add some basic labels to client
         $this->output->add_label('loading', 'servererror', 'connerror', 'requesttimedout',
-            'refreshing', 'windowopenerror');
+            'refreshing', 'windowopenerror', 'uploadingmany');
 
         return $this->output;
     }
@@ -760,49 +760,16 @@
     }
 
     /**
-     * Generate a unique token to be used in a form request
-     *
-     * @return string The request token
-     */
-    public function get_request_token()
-    {
-        $sess_id = $_COOKIE[ini_get('session.name')];
-
-        if (!$sess_id) {
-            $sess_id = session_id();
-        }
-
-        $plugin = $this->plugins->exec_hook('request_token', array(
-            'value' => md5('RT' . $this->get_user_id() . $this->config->get('des_key') . $sess_id)));
-
-        return $plugin['value'];
-    }
-
-    /**
-     * Check if the current request contains a valid token
-     *
-     * @param int Request method
-     *
-     * @return boolean True if request token is valid false if not
-     */
-    public function check_request($mode = rcube_utils::INPUT_POST)
-    {
-        $token   = rcube_utils::get_input_value('_token', $mode);
-        $sess_id = $_COOKIE[ini_get('session.name')];
-
-        return !empty($sess_id) && $token == $this->get_request_token();
-    }
-
-    /**
      * Build a valid URL to this instance of Roundcube
      *
      * @param mixed   Either a string with the action or url parameters as key-value pairs
      * @param boolean Build an URL absolute to document root
      * @param boolean Create fully qualified URL including http(s):// and hostname
+     * @param bool    Return absolute URL in secure location
      *
      * @return string Valid application URL
      */
-    public function url($p, $absolute = false, $full = false)
+    public function url($p, $absolute = false, $full = false, $secure = false)
     {
         if (!is_array($p)) {
             if (strpos($p, 'http') === 0) {
@@ -828,9 +795,23 @@
             }
         }
 
+        $base_path = strval($_SERVER['REDIRECT_SCRIPT_URL'] ?: $_SERVER['SCRIPT_NAME']);
+        $base_path = preg_replace('![^/]+$!', '', $base_path);
+
+        if ($secure && ($token = $this->get_secure_url_token(true))) {
+            // add token to the url
+            $url = $token . '/' . $url;
+
+            // remove old token from the path
+            $base_path = rtrim($base_path, '/');
+            $base_path = preg_replace('/\/[a-f0-9]{' . strlen($token) . '}$/', '', $base_path);
+
+            // this need to be full url to make redirects work
+            $absolute = true;
+        }
+
         if ($absolute || $full) {
             // add base path to this Roundcube installation
-            $base_path = preg_replace('![^/]+$!', '', strval($_SERVER['SCRIPT_NAME']));
             if ($base_path == '') $base_path = '/';
             $prefix = $base_path;
 
@@ -876,6 +857,28 @@
                 self::print_timer(RCMAIL_START, $log);
             else
                 self::console($log);
+        }
+    }
+
+    /**
+     * CSRF attack prevention code
+     *
+     * @param int Request mode
+     */
+    public function request_security_check($mode = rcube_utils::INPUT_POST)
+    {
+        // check request token
+        if (!$this->check_request($mode)) {
+            self::raise_error(array(
+                'code' => 403, 'type' => 'php',
+                'message' => "Request security check failed"), false, true);
+        }
+
+        // check referer if configured
+        if ($this->config->get('referer_check') && !rcube_utils::check_referer()) {
+            self::raise_error(array(
+                'code' => 403, 'type' => 'php',
+                'message' => "Referer check failed"), true, true);
         }
     }
 
@@ -2192,7 +2195,7 @@
         }
         else {
             $unit = 'B';
-            $str  = sprintf('%d ', $bytes) . $this->gettext();
+            $str  = sprintf('%d ', $bytes) . $this->gettext($unit);
         }
 
         return $str;
@@ -2281,6 +2284,29 @@
         return $result;
     }
 
+    /**
+     * Get resource file content (with assets_dir support)
+     *
+     * @param string $name File name
+     */
+    public function get_resource_content($name)
+    {
+        if (!strpos($name, '/')) {
+            $name = "program/resources/$name";
+        }
+
+        $assets_dir = $this->config->get('assets_dir');
+
+        if ($assets_dir) {
+            $path = slashify($assets_dir) . $name;
+            if (@file_exists($path)) {
+                $name = $path;
+            }
+        }
+
+        return file_get_contents($name, false);
+    }
+
 
     /************************************************************************
      *********          Deprecated methods (to be removed)          *********

--
Gitblit v1.9.1