From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 program/include/main.inc |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/program/include/main.inc b/program/include/main.inc
index fae289b..7a3e1c0 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -169,14 +169,16 @@
   // get target timestamp
   $ts = get_offset_time($rcmail->config->get('message_cache_lifetime', '30d'), -1);
 
-  $db->query("DELETE FROM ".get_table_name('cache_messages')
+  if ($rcmail->config->get('messages_cache') || $rcmail->config->get('enable_caching')) {
+    $db->query("DELETE FROM ".get_table_name('cache_messages')
         ." WHERE changed < " . $db->fromunixtime($ts));
 
-  $db->query("DELETE FROM ".get_table_name('cache_index')
+    $db->query("DELETE FROM ".get_table_name('cache_index')
         ." WHERE changed < " . $db->fromunixtime($ts));
 
-  $db->query("DELETE FROM ".get_table_name('cache_thread')
+    $db->query("DELETE FROM ".get_table_name('cache_thread')
         ." WHERE changed < " . $db->fromunixtime($ts));
+  }
 
   $db->query("DELETE FROM ".get_table_name('cache')
         ." WHERE created < " . $db->fromunixtime($ts));

--
Gitblit v1.9.1