From 1608f432826a41e035ee7ddb0dd409bbcf559b43 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Wed, 24 Dec 2008 09:19:27 -0500
Subject: [PATCH] Secure bin scripts by requiring a valid session and replace preg_replace(/../e) with preg_replace_callback

---
 bin/html2text.php |   16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/bin/html2text.php b/bin/html2text.php
index 3839f5d..82a4044 100644
--- a/bin/html2text.php
+++ b/bin/html2text.php
@@ -20,11 +20,19 @@
 */
 
 define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
 
-$converter = new html2text($HTTP_RAW_POST_DATA);
+$RCMAIL = rcmail::get_instance();
 
-header('Content-Type: text/plain; charset=UTF-8');
-print trim($converter->get_text());
+if (!empty($RCMAIL->user->ID)) {
+  $converter = new html2text($HTTP_RAW_POST_DATA);
+
+  header('Content-Type: text/plain; charset=UTF-8');
+  print trim($converter->get_text());
+}
+else {
+  header("HTTP/1.0 403 Forbidden");
+  echo "Requires a valid user session";
+}
 
 ?>
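Review bot: The new gate on `!empty($RCMAIL->user->ID)` only narrows who can reach `new html2text($HTTP_RAW_POST_DATA)`; the raw POST body is still untrusted input from any logged-in user. The real protection therefore depends on the `preg_replace(/../e)` to `preg_replace_callback` change named in the subject, which is not visible in this patch (the diffstat lists only bin/html2text.php), so it should be confirmed that the converter class was changed as well. Separately, `$HTTP_RAW_POST_DATA` is not guaranteed to be populated unless `always_populate_raw_post_data` is enabled, and it was removed in PHP 7.0; `file_get_contents('php://input')` does not depend on that setting. The 403 branch sends no Content-Type, so adding `header('Content-Type: text/plain; charset=UTF-8');` there would keep both responses consistent.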

--
Gitblit v1.9.1