From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/steps/mail/check_recent.inc | 68 ++++++++++++++++++++++++++--------
1 files changed, 52 insertions(+), 16 deletions(-)
diff --git a/program/steps/mail/check_recent.inc b/program/steps/mail/check_recent.inc
index 3649d14..984c53c 100644
--- a/program/steps/mail/check_recent.inc
+++ b/program/steps/mail/check_recent.inc
@@ -1,11 +1,11 @@
<?php
-/*
+/**
+-----------------------------------------------------------------------+
| program/steps/mail/check_recent.inc |
| |
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2005-2010, The Roundcube Dev Team |
+ | Copyright (C) 2005-2014, The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
@@ -21,16 +21,27 @@
// If there's no folder or messages list, there's nothing to update
// This can happen on 'refresh' request
-if (empty($_REQUEST['_folderlist']) && empty($_REQUEST['_list'])) {
+if (empty($_POST['_folderlist']) && empty($_POST['_list'])) {
return;
}
+$trash = $RCMAIL->config->get('trash_mbox');
$current = $RCMAIL->storage->get_folder();
$check_all = $RCMAIL->action != 'refresh' || (bool)$RCMAIL->config->get('check_all_folders');
+$page = $RCMAIL->storage->get_page();
+$page_size = $RCMAIL->storage->get_pagesize();
+
+$search_request = rcube_utils::get_input_value('_search', rcube_utils::INPUT_GPC);
+if ($search_request && $_SESSION['search_request'] != $search_request) {
+ $search_request = null;
+}
// list of folders to check
if ($check_all) {
$a_mailboxes = $RCMAIL->storage->list_folders_subscribed('', '*', 'mail');
+}
+else if ($search_request && is_object($_SESSION['search'][1])) {
+ $a_mailboxes = (array) $_SESSION['search'][1]->get_parameters('MAILBOX');
}
else {
$a_mailboxes = (array) $current;
@@ -45,7 +56,7 @@
// check recent/unseen counts
foreach ($a_mailboxes as $mbox_name) {
- $is_current = $mbox_name == $current;
+ $is_current = $mbox_name == $current || ($search_request && is_object($_SESSION['search'][1]) && in_array($mbox_name, (array)$_SESSION['search'][1]->get_parameters('MAILBOX')));
if ($is_current) {
// Synchronize mailbox cache, handle flag changes
$RCMAIL->storage->folder_sync($mbox_name);
@@ -65,27 +76,29 @@
if ($status && $is_current) {
// refresh saved search set
- $search_request = get_input_value('_search', RCUBE_INPUT_GPC);
- if ($search_request && isset($_SESSION['search'])
- && $_SESSION['search_request'] == $search_request
- ) {
+ if ($search_request && isset($_SESSION['search'])) {
+ unset($search_request); // only do this once
$_SESSION['search'] = $RCMAIL->storage->refresh_search();
+ if ($_SESSION['search'][1]->multi) {
+ $mbox_name = '';
+ }
}
- if (!empty($_GET['_quota']))
- $OUTPUT->command('set_quota', rcmail_quota_content());
+ if (!empty($_POST['_quota'])) {
+ $OUTPUT->command('set_quota', $RCMAIL->quota_content(null, $mbox_name));
+ }
- $OUTPUT->set_env('exists', $RCMAIL->storage->count($mbox_name, 'EXISTS'));
+ $OUTPUT->set_env('exists', $RCMAIL->storage->count($mbox_name, 'EXISTS', true));
// "No-list" mode, don't get messages
- if (empty($_GET['_list']))
+ if (empty($_POST['_list'])) {
continue;
+ }
- // get overall message count; allow caching because rcube_storage::folder_status() did a refresh
+ // get overall message count; allow caching because rcube_storage::folder_status()
+ // did a refresh but only in list mode
$list_mode = $RCMAIL->storage->get_threading() ? 'THREADS' : 'ALL';
- $all_count = $RCMAIL->storage->count($mbox_name, $list_mode, false, false);
- $page = $RCMAIL->storage->get_page();
- $page_size = $RCMAIL->storage->get_pagesize();
+ $all_count = $RCMAIL->storage->count($mbox_name, $list_mode, $list_mode == 'THREADS', false);
// check current page if we're not on the first page
if ($all_count && $page > 1) {
@@ -113,6 +126,29 @@
$OUTPUT->command('update_selection');
}
}
+ // handle flag updates
+ else if ($is_current && ($uids = rcube_utils::get_input_value('_uids', rcube_utils::INPUT_GPC)) && empty($search_request)) {
+ $data = $RCMAIL->storage->folder_data($mbox_name);
+
+ if (empty($_SESSION['list_mod_seq']) || $_SESSION['list_mod_seq'] != $data['HIGHESTMODSEQ']) {
+ $flags = $RCMAIL->storage->list_flags($mbox_name, explode(',', $uids), $_SESSION['list_mod_seq']);
+ foreach ($flags as $idx => $row) {
+ $flags[$idx] = array_change_key_case(array_map('intval', $row));
+ }
+
+ // remember last HIGHESTMODSEQ value (if supported)
+ if (!empty($data['HIGHESTMODSEQ'])) {
+ $_SESSION['list_mod_seq'] = $data['HIGHESTMODSEQ'];
+ }
+
+ $RCMAIL->output->set_env('recent_flags', $flags);
+ }
+ }
+
+ // set trash folder state
+ if ($mbox_name === $trash) {
+ $OUTPUT->command('set_trash_count', $RCMAIL->storage->count($mbox_name, 'EXISTS', true));
+ }
}
// trigger refresh hook
--
Gitblit v1.9.1