From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/js/app.js | 75 ++++++++++++++++++++++---------------
1 files changed, 45 insertions(+), 30 deletions(-)
diff --git a/program/js/app.js b/program/js/app.js
index 78df592..45fba7e 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -1019,7 +1019,7 @@
break;
}
- this.goto_url('get', qstring+'&_download=1', false);
+ this.goto_url('get', qstring+'&_download=1', false, true);
break;
case 'select-all':
@@ -1225,10 +1225,10 @@
case 'download':
if (this.env.action == 'get') {
- location.href = location.href.replace(/_frame=/, '_download=');
+ location.href = this.secure_url(location.href.replace(/_frame=/, '_download='));
}
else if (uid = this.get_single_uid()) {
- this.goto_url('viewsource', this.params_from_uid(uid, {_save: 1}));
+ this.goto_url('viewsource', this.params_from_uid(uid, {_save: 1}), false, true);
}
break;
@@ -1316,13 +1316,13 @@
case 'export':
if (this.contact_list.rowcount > 0) {
- this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _search: this.env.search_request });
+ this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _search: this.env.search_request }, false, true);
}
break;
case 'export-selected':
if (this.contact_list.rowcount > 0) {
- this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _cid: this.contact_list.get_selection().join(',') });
+ this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _cid: this.contact_list.get_selection().join(',') }, false, true);
}
break;
@@ -1437,7 +1437,7 @@
if (task == 'mail')
url += '&_mbox=INBOX';
else if (task == 'logout' && !this.env.server_error) {
- url += '&_token=' + this.env.request_token;
+ url = this.secure_url(url);
this.clear_compose_data();
}
@@ -1485,6 +1485,12 @@
return url + '?' + name + '=' + value;
};
+
+ // append CSRF protection token to the given url
+ this.secure_url = function(url)
+ {
+ return this.add_url(url, '_token', this.env.request_token);
+ },
this.is_framed = function()
{
@@ -3393,12 +3399,12 @@
mailvelope.getKeyring(keyring).then(function(kr) {
ref.mailvelope_keyring = kr;
ref.mailvelope_init(action, kr);
- }).catch(function(err) {
+ }, function(err) {
// attempt to create a new keyring for this app/user
mailvelope.createKeyring(keyring).then(function(kr) {
ref.mailvelope_keyring = kr;
ref.mailvelope_init(action, kr);
- }).catch(function(err) {
+ }, function(err) {
console.error(err);
});
});
@@ -3526,7 +3532,7 @@
ref.remove_from_attachment_list(name);
});
}
- }).catch(function(err) {
+ }, function(err) {
console.error(err);
console.log(options);
});
@@ -3649,15 +3655,15 @@
form.submit();
- }).catch(function(err) {
+ }, function(err) {
console.log(err);
}); // mailvelope_editor.encrypt()
- }).catch(function(err) {
+ }, function(err) {
console.error(err);
}); // mailvelope_keyring.validKeyForAddress(senders)
- }).catch(function(err) {
+ }, function(err) {
console.error(err);
}); // mailvelope_keyring.validKeyForAddress(recipients)
@@ -3671,7 +3677,7 @@
$(selector).addClass('mailvelope').children().not('iframe').hide();
ref.hide_message(msgid);
setTimeout(function() { $(window).resize(); }, 10);
- }).catch(function(err) {
+ }, function(err) {
console.error(err);
ref.hide_message(msgid);
ref.display_message('Message decryption failed: ' + err.message, 'error')
@@ -3727,7 +3733,7 @@
if (missing_keys.length) {
ref.display_message(ref.get_label('nopubkeyfor').replace('$email', missing_keys.join(', ')), 'warning');
}
- }, function() {
+ }).fail(function() {
console.error('Pubkey lookup failed with', arguments);
ref.hide_message(lock);
ref.display_message('pubkeysearcherror', 'error');
@@ -3825,7 +3831,7 @@
btn.closest('.key').fadeOut();
ref.display_message(ref.get_label('keyimportsuccess').replace('$key', $key), 'confirmation');
}
- }).catch(function(err) {
+ }, function(err) {
console.log(err);
});
});
@@ -7894,9 +7900,11 @@
}
};
- this.goto_url = function(action, query, lock)
+ this.goto_url = function(action, query, lock, secure)
{
- this.redirect(this.url(action, query), lock);
+ var url = this.url(action, query)
+ if (secure) url = this.secure_url(url);
+ this.redirect(url, lock);
};
this.location_href = function(url, target, frame)
@@ -8377,7 +8385,7 @@
// html5 file-drop API
this.document_drag_hover = function(e, over)
{
- e.preventDefault();
+ // don't e.preventDefault() here to not block text dragging on the page (#1490619)
$(this.gui_objects.filedrop)[(over?'addClass':'removeClass')]('active');
};
@@ -8755,14 +8763,10 @@
if (!this.env.browser_capabilities)
this.env.browser_capabilities = {};
- if (this.env.browser_capabilities.pdf === undefined)
- this.env.browser_capabilities.pdf = this.pdf_support_check();
-
- if (this.env.browser_capabilities.flash === undefined)
- this.env.browser_capabilities.flash = this.flash_support_check();
-
- if (this.env.browser_capabilities.tif === undefined)
- this.tif_support_check();
+ $.each(['pdf', 'flash', 'tif'], function() {
+ if (ref.env.browser_capabilities[this] === undefined)
+ ref.env.browser_capabilities[this] = ref[this + '_support_check']();
+ });
};
// Returns browser capabilities string
@@ -8781,11 +8785,14 @@
this.tif_support_check = function()
{
- var img = new Image();
+ window.setTimeout(function() {
+ var img = new Image();
+ img.onload = function() { ref.env.browser_capabilities.tif = 1; };
+ img.onerror = function() { ref.env.browser_capabilities.tif = 0; };
+ img.src = ref.assets_path('program/resources/blank.tif');
+ }, 10);
- img.onload = function() { ref.env.browser_capabilities.tif = 1; };
- img.onerror = function() { ref.env.browser_capabilities.tif = 0; };
- img.src = this.assets_path('program/resources/blank.tif');
+ return 0;
};
this.pdf_support_check = function()
@@ -8821,6 +8828,14 @@
return 1;
}
+ window.setTimeout(function() {
+ $('<object>').css({position: 'absolute', left: '-10000px'})
+ .attr({data: ref.assets_path('program/resources/dummy.pdf'), width: 1, height: 1, type: 'application/pdf'})
+ .load(function() { ref.env.browser_capabilities.pdf = 1; })
+ .error(function() { ref.env.browser_capabilities.pdf = 0; })
+ .appendTo($('body'));
+ }, 10);
+
return 0;
};
--
Gitblit v1.9.1