From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 program/include/rcmail_output_json.php | 31 ++++++++++++-------------------
 1 files changed, 12 insertions(+), 19 deletions(-)
diff --git a/program/include/rcmail_output_json.php b/program/include/rcmail_output_json.php
index fa35824..9cf43d9 100644
--- a/program/include/rcmail_output_json.php
+++ b/program/include/rcmail_output_json.php
@@ -1,6 +1,6 @@
 <?php
-/*
+/**
 +-----------------------------------------------------------------------+
 | program/include/rcmail_output_json.php |
 | |
@@ -19,7 +19,6 @@
 +-----------------------------------------------------------------------+
 */
-
 /**
 * View class to produce JSON responses
 *
@@ -28,12 +27,12 @@
 */
 class rcmail_output_json extends rcmail_output
 {
- protected $texts = array();
- protected $commands = array();
+ protected $texts = array();
+ protected $commands = array();
 protected $callbacks = array();
- protected $message = null;
+ protected $message = null;
- public $type = 'js';
+ public $type = 'js';
 public $ajax_call = true;
@@ -49,9 +48,8 @@
 else
 $name = $this->config->get('product_name');
- $this->command('set_pagetitle', empty($name) ? $title : $name.' :: '.$title);
+ $this->command('set_pagetitle', empty($name) ? $title : $name . ' :: ' . $title);
 }
-
 /**
 * Register a template object handler
@@ -64,7 +62,6 @@
 // ignore
 }
-
 /**
 * Register a list of template object handlers
 *
@@ -74,7 +71,6 @@
 {
 // ignore
 }
-
 /**
 * Call a client method
@@ -92,7 +88,6 @@
 $this->commands[] = $cmd;
 }
-
 /**
 * Add a localized label to the client environment
 */
@@ -106,7 +101,6 @@
 $this->texts[$name] = $this->app->gettext($name);
 }
 }
-
 /**
 * Invoke display_message command
@@ -135,17 +129,15 @@
 }
 }
-
 /**
 * Delete all stored env variables and commands
 */
 public function reset()
 {
 parent::reset();
- $this->texts = array();
+ $this->texts = array();
 $this->commands = array();
 }
-
 /**
 * Redirect to a certain url
@@ -162,7 +154,6 @@
 exit;
 }
-
 /**
 * Send an AJAX response to the client.
 */
@@ -172,7 +163,6 @@
 exit;
 }
-
 /**
 * Show error page and terminate script execution
 *
@@ -181,11 +171,15 @@
 */
 public function raise_error($code, $message)
 {
+ if ($code == 403) {
+ header('HTTP/1.1 403 Forbidden');
+ die("Invalid Request");
+ }
+
 $this->show_message("Application Error ($code): $message", 'error');
 $this->remote_response();
 exit;
 }
-
 /**
 * Send an AJAX response with executable JS code
@@ -236,7 +230,6 @@
 echo self::json_serialize($response);
 }
-
 /**
 * Return executable javascript code for all registered commands
--
Gitblit v1.9.1
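Review bot: The 403 branch added at the top of raise_error() (hunk `@@ -181,11 +171,15 @@`) ends the request with a bare `die("Invalid Request")` and records nothing. Unless the caller logs before raising, which this hunk does not show, refused export and download requests cannot be counted or alerted on. A log entry written before the `header()` call, through whatever logging helper the project already uses, would make these rejections visible to operators. The branch also compares loosely with `$code == 403` and hard-codes `HTTP/1.1`; a strict `$code === 403` on an integer code and the protocol taken from `$_SERVER['SERVER_PROTOCOL']` would be tidier. The method's docblock starts outside the hunk and should gain a line saying that code 403 bypasses the JSON response and exits with a plain-text body, since AJAX callers otherwise expect JSON from this class.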