From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 program/steps/mail/func.inc | 61 +++++++++++++++++++-----------
 1 files changed, 38 insertions(+), 23 deletions(-)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 672bbd2..963e696 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -168,7 +168,7 @@
 // race condition and unintentional page overwrite in session
 if ($RCMAIL->action == 'list' || $RCMAIL->action == 'getunread') {
 if (!($page = intval($_GET['_page']))) {
- $page = $_SESSION['page'] ? $_SESSION['page'] : 1;
+ $page = $_SESSION['page'] ?: 1;
 }
 $_SESSION['page'] = $page;
@@ -179,7 +179,7 @@
 // set default sort col/order to session
 if (!isset($_SESSION['sort_col'])) {
- $_SESSION['sort_col'] = $message_sort_col ? $message_sort_col : '';
+ $_SESSION['sort_col'] = $message_sort_col ?: '';
 }
 if (!isset($_SESSION['sort_order'])) {
 $_SESSION['sort_order'] = strtoupper($message_sort_order) == 'ASC' ? 'ASC' : 'DESC';
@@ -989,10 +989,12 @@
 static $sa_attrib;
 // keep header table attrib
- if (is_array($attrib) && !$sa_attrib && !$attrib['valueof'])
+ if (is_array($attrib) && !$sa_attrib && !$attrib['valueof']) {
 $sa_attrib = $attrib;
- else if (!is_array($attrib) && is_array($sa_attrib))
+ }
+ else if (!is_array($attrib) && is_array($sa_attrib)) {
 $attrib = $sa_attrib;
+ }
 if (!isset($MESSAGE)) {
 return false;
@@ -1040,10 +1042,12 @@
 }
 else if ($hkey == 'priority') {
 if ($value) {
- $header_value = html::span('prio' . $value, rcmail_localized_priority($value));
+ $header_value = html::span('prio' . $value, rcube::Q(rcmail_localized_priority($value)));
+ $ishtml = true;
 }
- else
+ else {
 continue;
+ }
 }
 else if ($hkey == 'replyto') {
 if ($headers['replyto'] != $headers['from']) {
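Review bot: With `$ishtml = true` the priority `<span>` is now emitted as trusted markup, so the class attribute built from `'prio' . $value` is part of that trusted output while only the text content goes through rcube::Q. Nothing in the hunk shows `$value` being normalised to a number, so unless that happens upstream the attribute should be pinned, e.g. `$header_value = html::span('prio' . intval($value), rcube::Q(rcmail_localized_priority($value)));` — even if html::span escapes attribute values, the cast keeps the class name predictable. rcmail_message_headers() starts and ends outside this hunk.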
@@ -1051,8 +1055,9 @@
 $attrib['addicon'], $headers['charset'], $header_title);
 $ishtml = true;
 }
- else
+ else {
 continue;
+ }
 }
 else if ($hkey == 'mail-reply-to') {
 if ($headers['mail-replyto'] != $headers['reply-to']
@@ -1062,8 +1067,9 @@
 $attrib['addicon'], $headers['charset'], $header_title);
 $ishtml = true;
 }
- else
+ else {
 continue;
+ }
 }
 else if ($hkey == 'sender') {
 if ($headers['sender'] != $headers['from']) {
@@ -1071,8 +1077,9 @@
 $attrib['addicon'], $headers['charset'], $header_title);
 $ishtml = true;
 }
- else
+ else {
 continue;
+ }
 }
 else if ($hkey == 'mail-followup-to') {
 $header_value = rcmail_address_string($value, $attrib['max'], true,
@@ -1109,14 +1116,15 @@
 // single header value is requested
 if (!empty($attrib['valueof'])) {
- return rcube::Q($plugin['output'][$attrib['valueof']]['value'], ($attrib['valueof'] == 'subject' ? 'strict' : 'show'));
+ $row = $plugin['output'][$attrib['valueof']];
+ return $row['html'] ? $row['value'] : rcube::Q($row['value']);
 }
 // compose html table
 $table = new html_table(array('cols' => 2));
 foreach ($plugin['output'] as $hkey => $row) {
- $val = $row['html'] ? $row['value'] : rcube::Q($row['value'], ($hkey == 'subject' ? 'strict' : 'show'));
+ $val = $row['html'] ? $row['value'] : rcube::Q($row['value']);
 $table->add(array('class' => 'header-title'), rcube::Q($row['title']));
 $table->add(array('class' => 'header '.$hkey), $val);
@@ -1232,15 +1240,6 @@
 // fetch part body
 $body = $MESSAGE->get_part_body($part->mime_id, true);
-
- // extract headers from message/rfc822 parts
- if ($part->mimetype == 'message/rfc822') {
- $msgpart = rcube_mime::parse_message($body);
- if (!empty($msgpart->headers)) {
- $part = $msgpart;
- $out .= html::div('message-partheaders', rcmail_message_headers(sizeof($header_attrib) ? $header_attrib : null, $part->headers));
- }
- }
 // message is cached but not exists (#1485443), or other error
 if ($body === false) {
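Review bot: `$row = $plugin['output'][$attrib['valueof']];` has no check that the requested header exists in the output array, so a header that was skipped with `continue` above leaves `$row` null and the next line indexes null. A guard before it, `if (!isset($plugin['output'][$attrib['valueof']])) { return ''; }`, returns the empty string explicitly instead. Both return paths now hand back `$row['value']` verbatim whenever `html` is set, which makes every producer of that flag — the priority span and whatever a plugin adds to `$plugin['output']`, which looks like hook output — responsible for escaping; that contract deserves a comment on the loop, e.g. `// rows flagged 'html' are trusted as already escaped; all others go through rcube::Q()`. Dropping the 'show' mode also means non-subject values are now escaped with rcube::Q's default mode, which is the safer direction. rcmail_message_headers() starts and ends outside this hunk.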
@@ -1634,7 +1633,7 @@
 $content = rcube::Q($name ? sprintf('%s <%s>', $name, $mailto) : $mailto);
 }
 else {
- $content = rcube::Q($name ? $name : $mailto);
+ $content = rcube::Q($name ?: $mailto);
 $attrs['title'] = $mailto;
 }
@@ -1642,7 +1641,7 @@
 }
 else {
 $address = html::span(array('title' => $mailto, 'class' => "rcmContactAddress"),
- rcube::Q($name ? $name : $mailto));
+ rcube::Q($name ?: $mailto));
 }
 if ($addicon && $_SESSION['writeable_abook']) {
@@ -2212,6 +2211,8 @@
 function rcmail_save_attachment($message, $pid, $compose_id, $params = array())
 {
+ global $COMPOSE;
+
 $rcmail = rcmail::get_instance();
 $storage = $rcmail->get_storage();
@@ -2274,7 +2275,21 @@
 if ($attachment['status']) {
 unset($attachment['data'], $attachment['status'], $attachment['content_id'], $attachment['abort']);
- $rcmail->session->append('compose_data_' . $compose_id . '.attachments', $attachment['id'], $attachment);
+
+ // rcube_session::append() replaces current session data with the old values
+ // (in rcube_session::reload()). This is a problem in 'compose' action, because before
+ // the first append() use we set some important data in the session.
+ // It also overwrites attachments list. Fixing reload() is not so simple if possible
+ // as we don't really know what has been added and what removed in meantime.
+ // So, for now we'll do not use append() on 'compose' action (#1490608).
+
+ if ($rcmail->action == 'compose') {
+ $COMPOSE['attachments'][$attachment['id']] = $attachment;
+ }
+ else {
+ $rcmail->session->append('compose_data_' . $compose_id . '.attachments', $attachment['id'], $attachment);
+ }
+
 return $attachment;
 }
 else if ($path) {
--
Gitblit v1.9.1
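Review bot: In the new `compose` branch the attachment is stored only in the global `$COMPOSE` and `$compose_id` is not consulted, so the function now depends on the caller having bound `$COMPOSE` to the session data of that very compose id; if it is unbound or bound to a different compose session the attachment is silently not recorded while `$attachment` is still returned as if it were. The `global $COMPOSE;` added in the hunk at line 2211 is the other half of this change and should be covered by a docblock on rcmail_save_attachment() stating the precondition, e.g. `@global array $COMPOSE  compose session data; in the 'compose' action it must already be bound to compose_data_<compose_id>`. A guard comparing the id carried in `$COMPOSE`, if it has one, against `$compose_id` would turn that silent loss into a detectable failure; I can't tell from this hunk whether such an id is available. rcmail_save_attachment() begins in the earlier hunk and its body continues between and beyond the two.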