From 1608f432826a41e035ee7ddb0dd409bbcf559b43 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Wed, 24 Dec 2008 09:19:27 -0500
Subject: [PATCH] Secure bin scripts by requiring a valid session and replace preg_replace(/../e) with preg_replace_callback

---
 bin/quotaimg.php |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/bin/quotaimg.php b/bin/quotaimg.php
index dfec241..a15c4c3 100644
--- a/bin/quotaimg.php
+++ b/bin/quotaimg.php
@@ -18,6 +18,11 @@
 
 */
 
+define('INSTALL_PATH', realpath(dirname(__FILE__).'/..') . '/');
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
+
 $used   = isset($_GET['u']) ? intval($_GET['u']) : '??';
 $quota  = isset($_GET['q']) ? intval($_GET['q']) : '??';
 $width  = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
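Review bot: The context lines below the new `require` still accept `$used` and `$quota` either as an unbounded `intval()` or as the literal string `'??'`, while `$width` on the next line is clamped with `min(300, …)`; nothing caps `q`/`u`, so `q=0`, negative or very large values flow into `genQuota()`, whose body lies outside this hunk. If that function divides by `$quota` or sizes the bar from it, a clamp such as `$quota = isset($_GET['q']) ? max(0, intval($_GET['q'])) : '??';` (and the same for `$used`) would keep the drawing code out of the division-by-zero/negative-width path — this needs confirming against the rest of the file. The mixed int/string type of these two variables is also worth a one-line comment, e.g. `// '??' is the display fallback when the parameter is absent; ints otherwise`, since later code has to handle both. Parsing the request parameters before `$RCMAIL->user->ID` is checked (at the bottom of the file) is harmless here because nothing expensive runs until that check.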
@@ -186,11 +191,12 @@
 	imagedestroy($im);
 }
 
-if ($width > 1 && $height > 1) {
-	genQuota($used, $quota, $width, $height);  
+if (!empty($RCMAIL->user->ID) && $width > 1 && $height > 1) {
+	genQuota($used, $quota, $width, $height);
 }
 else {
-	header("HTTP/1.0 404 Not Found");
+	header("HTTP/1.0 403 Forbidden");
+	echo "Requires a valid user session and positive values";
 }
 
 exit;
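Review bot: The single `else` branch on the new side answers both an unauthenticated request and a malformed `w`/`h` with the same 403 and the same sentence, so a client cannot distinguish a logged-out session from a bad size parameter, and the plain-text body is echoed without a Content-Type header so the browser is left to sniff it. Checking the session first and reporting a dimension problem separately as a 400 keeps the auth decision explicit, as sketched below. Whether `rcmail::get_instance()` (added in the first hunk) resumes the session and populates `$RCMAIL->user` before this line runs is not visible in this diff; if it does not, the guard fails closed for every caller, which is safe but would break the quota image, so it is worth confirming against `iniset.php`. Note also that the `'??'` string defaults assigned at the top of the file still reach `genQuota()` here when `u` or `q` is absent.
```php
// … unchanged: genQuota() definition …
if (empty($RCMAIL->user->ID)) {
	header("HTTP/1.0 403 Forbidden");
	header("Content-Type: text/plain");
	echo "Requires a valid user session";
}
else if ($width > 1 && $height > 1) {
	genQuota($used, $quota, $width, $height);
}
else {
	header("HTTP/1.0 400 Bad Request");
	header("Content-Type: text/plain");
	echo "Requires positive width and height";
}
```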

--
Gitblit v1.9.1