From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 05 Feb 2016 07:25:27 -0500 Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports --- program/include/rcmail_install.php | 57 +++++++++++++++------------------------------------------ 1 files changed, 15 insertions(+), 42 deletions(-) diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php index 2ba9069..af27e29 100644 --- a/program/include/rcmail_install.php +++ b/program/include/rcmail_install.php @@ -1,6 +1,6 @@ <?php -/* +/** +-----------------------------------------------------------------------+ | rcmail_install.php | | | @@ -13,13 +13,12 @@ +-----------------------------------------------------------------------+ */ - /** * Class to control the installation process of the Roundcube Webmail package * * @category Install * @package Roundcube - * @author Thomas Bruederli + * @author Thomas Bruederli */ class rcmail_install { @@ -163,7 +162,7 @@ $value = $this->config[$name]; if ($name == 'des_key' && !$this->configured && !isset($_REQUEST["_$name"])) - $value = self::random_key(24); + $value = rcube_utils::random_bytes(24); return $value !== null && $value !== '' ? $value : $default; } @@ -193,7 +192,7 @@ // generate new encryption key, never use the default value if ($prop == 'des_key' && $value == $this->defaults[$prop]) - $value = $this->random_key(24); + $value = rcube_utils::random_bytes(24); // convert some form data if ($prop == 'debug_level' && !$is_default) { @@ -234,10 +233,9 @@ else if (is_numeric($value)) { $value = intval($value); } - else if ($prop == 'plugins') { + else if ($prop == 'plugins' && !empty($_POST['submit'])) { $value = array(); - foreach(array_keys($_POST) as $key) - { + foreach (array_keys($_POST) as $key) { if (preg_match('/^_plugins_*/', $key)) array_push($value, $_POST[$key]); } 
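Review bot: The switch to `rcube_utils::random_bytes(24)` for the `des_key` default here (and again in the `@@ -193,7` hunk) changes the key alphabet as well as the generator, and the effect on key strength is not documented. If that helper returns an ASCII hex string in its non-raw mode, as I believe it does, 24 characters carry 96 bits of entropy, while the removed `random_key` drew 24 characters from a 72-symbol alphabet (roughly 148 bits, albeit from `rand()`), so the new key is weaker per character even though it now comes from a proper CSPRNG. That is still a net improvement over `rand()`, but a comment at the call site such as `// 24 hex chars = 96 bits of CSPRNG entropy; the 24-char length matches the 3DES key size` would stop a later reader from assuming a full 192-bit key. Encoding raw bytes into a 24-character printable string would recover more key material, but that is beyond this commit.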
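Review bot: The new `!empty($_POST['submit'])` guard on the `plugins` branch is not explained, and the reason is not obvious from the surrounding code; presumably a request that did not submit the form carries no `_plugins_*` keys, so without the guard the plugins setting would be silently reset to an empty list. A one-line comment would save the next reader the trace, e.g. `// only rebuild the plugins list from checkbox keys when the form was actually submitted; otherwise no _plugins_* keys exist and the list would be emptied`. Separately, the unchanged `array_push($value, $_POST[$key])` line still copies the posted plugin names without validating them, and the `/^_plugins_*/` pattern matches any key that merely starts with `_plugins`; if these names end up in the generated config file, checking that each one corresponds to an existing plugin directory under `INSTALL_PATH` before accepting it would be cheap hardening. The enclosing method starts and ends outside the hunk.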
@@ -524,7 +522,7 @@ foreach ($default_hosts as $key => $name) { if (!empty($name)) - $out[] = rcube_parse_host(is_numeric($key) ? $name : $key); + $out[] = rcube_utils::parse_host(is_numeric($key) ? $name : $key); } return $out; @@ -603,7 +601,7 @@ */ function pass($name, $message = '') { - echo Q($name) . ': <span class="success">OK</span>'; + echo rcube::Q($name) . ': <span class="success">OK</span>'; $this->_showhint($message); } @@ -622,7 +620,7 @@ $this->failures++; } - echo Q($name) . ': <span class="fail">NOT OK</span>'; + echo rcube::Q($name) . ': <span class="fail">NOT OK</span>'; $this->_showhint($message, $url); } @@ -636,7 +634,7 @@ */ function optfail($name, $message = '', $url = '') { - echo Q($name) . ': <span class="na">NOT OK</span>'; + echo rcube::Q($name) . ': <span class="na">NOT OK</span>'; $this->_showhint($message, $url); } @@ -650,17 +648,17 @@ */ function na($name, $message = '', $url = '') { - echo Q($name) . ': <span class="na">NOT AVAILABLE</span>'; + echo rcube::Q($name) . ': <span class="na">NOT AVAILABLE</span>'; $this->_showhint($message, $url); } function _showhint($message, $url = '') { - $hint = Q($message); + $hint = rcube::Q($message); if ($url) - $hint .= ($hint ? '; ' : '') . 'See <a href="' . Q($url) . '" target="_blank">' . Q($url) . '</a>'; + $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank">' . rcube::Q($url) . '</a>'; if ($hint) echo '<span class="indent">(' . $hint . ')</span>'; @@ -774,12 +772,8 @@ */ function update_db($version) { - system(INSTALL_PATH . "bin/updatedb.sh --package=roundcube" - . " --version=" . escapeshellarg($version) - . " --dir=" . INSTALL_PATH . "SQL" - . " 2>&1", $result); - - return !$result; + return rcmail_utils::db_update(INSTALL_PATH . 'SQL', 'roundcube', $version, + array('quiet' => true)); } 
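Review bot: `update_db` now returns whatever `rcmail_utils::db_update(...)` returns, where the removed code normalised the exit status to a boolean with `return !$result;`, and nothing in the hunk or the visible docblock pins down that the new return value is a boolean. If `db_update` can return null or an integer status, any caller testing the result for truthiness inverts or loses the failure signal; the return contract should be confirmed and stated in the docblock, which starts above the hunk, e.g. `@return bool True on success, false when the schema update failed`. Dropping the `system()` call also removes the shell round-trip and the `escapeshellarg` dependency, which is the right direction; since `'quiet' => true` suppresses the updater's own output, the return value is now the only failure signal the installer gets, which makes that contract worth documenting.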
@@ -790,25 +784,4 @@ { $this->last_error = $p; } - - - /** - * Generarte a ramdom string to be used as encryption key - * - * @param int Key length - * @return string The generated random string - * @static - */ - function random_key($length) - { - $alpha = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_='; - $out = ''; - - for ($i=0; $i < $length; $i++) - $out .= $alpha{rand(0, strlen($alpha)-1)}; - - return $out; - } - } - -- Gitblit v1.9.1