From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/mail/show.inc |   41 +++++++++++++++++++++++------------------
 1 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index 0ebdd62..59ae134 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/mail/show.inc                                           |
  |                                                                       |
@@ -46,13 +46,12 @@
         $RCMAIL->config->set('prefer_html', $_SESSION['msg_formats'][$mbox_name.':'.$uid]);
     }
 
-    $MESSAGE = new rcube_message($uid);
+    $MESSAGE = new rcube_message($uid, $mbox_name, intval($_GET['_safe']));
 
     // if message not found (wrong UID)...
     if (empty($MESSAGE->headers)) {
         rcmail_message_error($uid);
     }
-
 
     // show images?
     rcmail_check_safe($MESSAGE);
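Review bot: `$_GET['_safe']` on the `new rcube_message(...)` line is read without checking that the parameter is present, so every request that omits it (the normal case) raises an undefined-index notice before `intval()` turns the missing value into 0. Read it defensively: `$MESSAGE = new rcube_message($uid, $mbox_name, isset($_GET['_safe']) ? intval($_GET['_safe']) : 0);`. The `if` block these lines sit in starts outside the hunk, so whether `$mbox_name` is always defined at this point cannot be confirmed from the diff.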
@@ -69,6 +68,7 @@
     $OUTPUT->set_env('safemode', $MESSAGE->is_safe);
     $OUTPUT->set_env('sender', $MESSAGE->sender['string']);
     $OUTPUT->set_env('mailbox', $mbox_name);
+    $OUTPUT->set_env('username', $RCMAIL->get_user_name());
     $OUTPUT->set_env('permaurl', $RCMAIL->url(array('_action' => 'show', '_uid' => $MESSAGE->uid, '_mbox' => $mbox_name)));
 
     if ($MESSAGE->headers->get('list-post', false)) {
@@ -80,7 +80,7 @@
 
     // set configuration
     $RCMAIL->set_env_config(array('delete_junk', 'flag_for_deletion', 'read_when_deleted',
-        'skip_deleted', 'display_next', 'compose_extwin', 'forward_attachment'));
+        'skip_deleted', 'display_next', 'forward_attachment'));
 
     // set special folders
     foreach (array('drafts', 'trash', 'junk') as $mbox) {
@@ -178,15 +178,19 @@
 
 // mark message as read
 if (!empty($set_seen_flag)) {
-    if ($RCMAIL->storage->set_flag($MESSAGE->uid, 'SEEN')) {
+    if ($RCMAIL->storage->set_flag($MESSAGE->uid, 'SEEN', $mbox_name)) {
         if ($count = rcmail_get_unseen_count($mbox_name)) {
             rcmail_set_unseen_count($mbox_name, $count - 1);
         }
     }
 }
 
-exit;
+// Save preview_pane preference, if not set yet (#1490362)
+if ($RCMAIL->action == 'preview' && !$RCMAIL->config->get('preview_pane')) {
+    $RCMAIL->user->save_prefs(array('preview_pane' => true));
+}
 
+exit;
 
 
 function rcmail_message_attachments($attrib)
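Review bot: The new `preview_pane` block compares `$RCMAIL->action == 'preview'` loosely and discards the return value of `save_prefs()`, so a failing save is silently retried on every preview request. Use a strict comparison, `if ($RCMAIL->action === 'preview' && !$RCMAIL->config->get('preview_pane')) {`, and consider reporting a false result from `save_prefs()` so a persistent write failure becomes visible instead of repeating per request. The `$set_seen_flag` branch above it only changes the folder argument and looks fine.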
@@ -199,11 +203,10 @@
     if (sizeof($MESSAGE->attachments)) {
         foreach ($MESSAGE->attachments as $attach_prop) {
             $filename = rcmail_attachment_name($attach_prop, true);
-            $size = '';
+            $filesize = $RCMAIL->message_part_size($attach_prop);
 
             if ($PRINT_MODE) {
-                $size = $RCMAIL->message_part_size($attach_prop);
-                $ol .= html::tag('li', null, rcube::Q(sprintf("%s (%s)", $filename, $size)));
+                $ol .= html::tag('li', null, rcube::Q(sprintf("%s (%s)", $filename, $filesize)));
             }
             else {
                 if ($attrib['maxlength'] && mb_strlen($filename) > $attrib['maxlength']) {
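Review bot: Dropping `$size = '';` at the top of the loop body leaves `$size` assigned only inside `if ($attach_prop->size)` in the next hunk (the `rcube::Q($filesize)` line), so an attachment that reports no size inherits the `$size` string of the previous attachment, or triggers an undefined-variable notice on the first iteration. Keep the per-iteration reset beside the new line: `$size = '';` directly after `$filesize = $RCMAIL->message_part_size($attach_prop);`. rcmail_message_attachments starts before this hunk and the place where `$size` is consumed after the `if` is outside the visible lines, so the stale-value effect is inferred from the assignment pattern rather than seen.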
@@ -215,7 +218,7 @@
                 }
 
                 if ($attach_prop->size) {
-                    $size = ' ' . html::span('attachment-size', '(' . $RCMAIL->show_bytes($attach_prop->size) . ')');
+                    $size = ' ' . html::span('attachment-size', '(' . rcube::Q($filesize) . ')');
                 }
 
                 $mimetype = rcmail_fix_mimetype($attach_prop->mimetype);
@@ -238,6 +241,7 @@
         $out = html::tag('ul', $attrib, $ol, html::$common_attrib);
 
         $RCMAIL->output->set_env('attachments', $attachments);
+        $RCMAIL->output->add_gui_object('attachments', $attrib['id']);
     }
 
     return $out;
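Review bot: `add_gui_object('attachments', $attrib['id'])` assumes the template supplied an `id` attribute; when it is absent the call registers an empty object id and emits an undefined-index notice. Guard it: `if (!empty($attrib['id'])) { $RCMAIL->output->add_gui_object('attachments', $attrib['id']); }`. The attribute setup at the start of rcmail_message_attachments is outside this hunk, so whether an id is always assigned earlier cannot be confirmed here.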
@@ -275,14 +279,13 @@
 
 function rcmail_message_buttons()
 {
-    global $RCMAIL;
+    global $RCMAIL, $MESSAGE;
 
-    $mbox  = $RCMAIL->storage->get_folder();
     $delim = $RCMAIL->storage->get_hierarchy_delimiter();
     $dbox  = $RCMAIL->config->get('drafts_mbox');
 
     // the message is not a draft
-    if ($mbox != $dbox && strpos($mbox, $dbox.$delim) !== 0) {
+    if ($MESSAGE->folder != $dbox && strpos($MESSAGE->folder, $dbox.$delim) !== 0) {
         return '';
     }
 
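Review bot: `$MESSAGE->folder` replaces the storage folder lookup, but `$MESSAGE` is only assigned inside the conditional block shown in the first hunk; if this template function is reached on a path where that assignment was skipped, `$MESSAGE->folder` dereferences a null global where the old `get_folder()` call could not. A cheap guard preserves the "not a draft, render nothing" outcome: `if (!$MESSAGE || ($MESSAGE->folder != $dbox && strpos($MESSAGE->folder, $dbox.$delim) !== 0)) {`. The rest of rcmail_message_buttons continues past the hunk.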
@@ -328,7 +331,7 @@
         $CONTACTS = $RCMAIL->get_address_book(-1, true);
 
         if (is_object($CONTACTS)) {
-            $existing = $CONTACTS->search('email', $email, true, false);
+            $existing = $CONTACTS->search('email', $email, 1, false);
             if ($existing->count) {
                 return true;
             }
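Review bot: The `search('email', $email, 1, false)` call now passes a bare `1` where the previous `true` at least read as a flag; the integer selects a search mode of the addressbook `search()` method (presumably strict matching — confirm against that method's signature) that a reader cannot tell from the call site. Add a short comment on the line, e.g. `// mode 1: exact match on the email address`, or use a named constant if the addressbook class provides one. The enclosing function's signature is outside this hunk.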
@@ -342,19 +345,21 @@
 {
     global $RCMAIL, $MESSAGE;
 
-    $placeholder = $attrib['placeholder'] ? $RCMAIL->config->get('skin_path') . $attrib['placeholder'] : null;
+    $placeholder = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : null;
+    $placeholder = $RCMAIL->output->asset_url($placeholder ?: 'program/resources/blank.gif');
 
     if ($MESSAGE->sender) {
         $photo_img = $RCMAIL->url(array(
             '_task'   => 'addressbook',
             '_action' => 'photo',
             '_email'  => $MESSAGE->sender['mailto'],
-            '_alt'    => $placeholder
         ));
+
+        $attrib['onerror'] = "this.src = '$placeholder'";
     }
     else {
-        $photo_img = $placeholder ? $placeholder : 'program/resources/blank.gif';
+        $photo_img = $placeholder;
     }
 
-    return html::img(array('src' => $photo_img) + $attrib);
+    return html::img(array('src' => $photo_img, 'alt' => $RCMAIL->gettext('contactphoto')) + $attrib);
 }
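Review bot: `$attrib['onerror'] = "this.src = '$placeholder'";` embeds a URL in a JavaScript string literal without escaping for that context; as far as the hunk shows `$placeholder` comes from the template's `placeholder` attribute via `abs_url()`/`asset_url()`, so it is skin-controlled rather than user-controlled, but a single quote or backslash in the asset path still breaks the handler. Encode it for the JS context, e.g. `$attrib['onerror'] = 'this.src = ' . json_encode($placeholder) . ';';`, which leaves only the HTML-attribute escaping to `html::img` (it appears to do that, but confirm). The signature of rcmail_message_contactphoto is outside this hunk; only its body from the opening brace is visible.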

--
Gitblit v1.9.1