From ca01e25772730cab0117bca0e514140e6c5f67d1 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 05 Jul 2014 06:33:03 -0400
Subject: [PATCH] Fix security issue in delete-response action - allow only ajax request. Unify code for identities and responses deletion.

---
 program/steps/settings/identities.inc |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/program/steps/settings/identities.inc b/program/steps/settings/identities.inc
index e19c16c..f43edc1 100644
--- a/program/steps/settings/identities.inc
+++ b/program/steps/settings/identities.inc
@@ -19,6 +19,28 @@
  +-----------------------------------------------------------------------+
 */
 
+if ($RCMAIL->action == 'delete-identity' && $OUTPUT->ajax_call) {
+    $iid = rcube_utils::get_input_value('_iid', rcube_utils::INPUT_POST);
+
+    if ($iid && preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)) {
+        $plugin = $RCMAIL->plugins->exec_hook('identity_delete', array('id' => $iid));
+
+        $deleted = !$plugin['abort'] ? $RCMAIL->user->delete_identity($iid) : $plugin['result'];
+
+        if ($deleted > 0 && $deleted !== false) {
+            $OUTPUT->show_message('deletedsuccessfully', 'confirmation', null, false);
+            $OUTPUT->command('remove_identity', $iid);
+        }
+        else {
+            $msg = $plugin['message'] ? $plugin['message'] : ($deleted < 0 ? 'nodeletelastidentity' : 'errorsaving');
+            $OUTPUT->show_message($msg, 'error', null, false);
+        }
+    }
+
+    $OUTPUT->send();
+}
+
+
 define('IDENTITIES_LEVEL', intval($RCMAIL->config->get('identities_level', 0)));
 
 $OUTPUT->set_pagetitle($RCMAIL->gettext('identities'));
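Review bot: The id whitelist on the `preg_match('/^[0-9]+(,[0-9]+)*$/', $iid)` line is slightly looser than it looks, because in PCRE `$` also matches before a trailing newline, so a value such as `"1,2\n"` passes and is handed to `delete_identity()` unchanged; anchoring with `/^[0-9]+(,[0-9]+)*$/D` (or `\z` instead of `$`) closes that gap with no behaviour change for well-formed input. The `$deleted !== false` half of `if ($deleted > 0 && $deleted !== false)` is redundant, since `false > 0` is already false in PHP, and can be dropped. When the `identity_delete` hook aborts without setting `result` or `message`, `$plugin['result']` and `$plugin['message']` raise undefined-index notices; `$plugin['result'] ?? false` and `!empty($plugin['message'])` would make the fallback explicit. The `ajax_call` gate presumably relies on the application's POST token check happening before this step is reached; that check is not visible in the hunk, so it is worth a one-line comment here stating that assumption.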
