From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/utils/spell.inc |   20 +++++++++++++-------
 1 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/program/steps/utils/spell.inc b/program/steps/utils/spell.inc
index b59fe79..bc1448e 100644
--- a/program/steps/utils/spell.inc
+++ b/program/steps/utils/spell.inc
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/utils/spell.inc                                         |
  |                                                                       |
@@ -20,7 +20,7 @@
 */
 
 // read input
-$lang = get_input_value('lang', RCUBE_INPUT_GET);
+$lang = rcube_utils::get_input_value('lang', rcube_utils::INPUT_GET);
 $data = file_get_contents('php://input');
 
 $learn_word = strpos($data, '<learnword>');
@@ -29,13 +29,16 @@
 $left = strpos($data, '<text>');
 $right = strrpos($data, '</text>');
 $data = substr($data, $left+6, $right-($left+6));
-$data = html_entity_decode($data, ENT_QUOTES, RCMAIL_CHARSET);
+$data = html_entity_decode($data, ENT_QUOTES, RCUBE_CHARSET);
 
 $spellchecker = new rcube_spellchecker($lang);
 
 if ($learn_word) {
     $spellchecker->add_word($data);
-    $result = '<?xml version="1.0" encoding="'.RCMAIL_CHARSET.'"?><learnwordresult></learnwordresult>';
+    $result = '<?xml version="1.0" encoding="'.RCUBE_CHARSET.'"?><learnwordresult></learnwordresult>';
+}
+else if (empty($data)) {
+    $result = '<?xml version="1.0" encoding="'.RCUBE_CHARSET.'"?><spellresult charschecked="0"></spellresult>';
 }
 else {
     $spellchecker->check($data);
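Review bot: The added `else if (empty($data))` guard is evaluated only after the `$learn_word` branch, so a learn-word request whose `<text>` element is empty or missing still reaches `$spellchecker->add_word($data)`. The `strpos`/`strrpos` results at the top of the hunk are also used in `substr` without a `=== false` check, so a body lacking the markers produces `substr($data, 6, -6)`, a slice of the raw request rather than a rejected one. I would test for empty input first, for example `if ($learn_word && $data !== '') {`, and set `$data = ''` when either marker is not found. Note that `empty()` also treats the string `"0"` as empty, which `$data === ''` avoids.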
@@ -43,16 +46,19 @@
 }
 
 if ($err = $spellchecker->error()) {
-    raise_error(array('code' => 500, 'type' => 'php',
+    rcube::raise_error(array('code' => 500, 'type' => 'php',
         'file' => __FILE__, 'line' => __LINE__,
-        'message' => sprintf("Spell check engine error: " . $err)),
+        'message' => "Spell check engine error: " . trim($err)),
         true, false);
+
+    header("HTTP/1.0 500 Internal Server Error");
+    exit;
 }
 
 // set response length
 header("Content-Length: " . strlen($result));
 
 // Don't use server's default Content-Type charset (#1486406)
-header("Content-Type: text/xml; charset=" . RCMAIL_CHARSET);
+header("Content-Type: text/xml; charset=" . RCUBE_CHARSET);
 print $result;
 exit;
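Review bot: In the `rcube::raise_error` call, `trim($err)` strips only leading and trailing whitespace, so any line breaks inside the engine error go into the log message unchanged. What `$spellchecker->error()` can contain is not visible here. If it can carry text from a remote spell service or from the request (for example the `lang` value), that text could forge or split log entries. Collapsing control characters before logging would close this, e.g. `'message' => "Spell check engine error: " . preg_replace('/[\r\n]+/', ' ', trim($err))`. The added bare 500 followed by `exit` keeps the engine text out of the response, which is worth stating in a short comment above the `header()` call.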

--
Gitblit v1.9.1