From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 16 Dec 2014 07:28:48 -0500
Subject: [PATCH] Improve system security by using an optional special URL with a security token. Allow defining a separate server/path for image/js/css files. Fix bugs where CSRF attacks were still possible on some requests.

---
 program/lib/Roundcube/rcube_plugin_api.php |   26 +++++++++++++++++++-------
 1 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/program/lib/Roundcube/rcube_plugin_api.php b/program/lib/Roundcube/rcube_plugin_api.php
index dae3a93..c741626 100644
--- a/program/lib/Roundcube/rcube_plugin_api.php
+++ b/program/lib/Roundcube/rcube_plugin_api.php
@@ -46,7 +46,7 @@
     protected $actionmap = array();
     protected $objectsmap = array();
     protected $template_contents = array();
-    protected $active_hook = false;
+    protected $exec_stack = array();
 
     // Deprecated names of hooks, will be removed after 0.5-stable release
     protected $deprecated_hooks = array(
@@ -188,8 +188,7 @@
             return true;
         }
 
-        $fn = $plugins_dir . DIRECTORY_SEPARATOR . $plugin_name
-            . DIRECTORY_SEPARATOR . $plugin_name . '.php';
+        $fn = "$plugins_dir/$plugin_name/$plugin_name.php";
 
         if (is_readable($fn)) {
             if (!class_exists($plugin_name, false)) {
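Review bot: The `$fn` line builds the include path from `$plugin_name` without any check on the name itself, so a value containing `/` or `..` would resolve outside the plugins directory before `is_readable()` is consulted; the rest of load_plugin, where `$fn` is presumably included, starts and continues outside the hunk. Plugin names normally come from configuration rather than from the request, so this is defence in depth, but one guard before the assignment keeps the path construction honest: `if (!preg_match('/^[a-zA-Z0-9_]+$/', $plugin_name)) { return false; }`. The function already returns a bool on the `return true;` path visible at the top of the hunk, so `false` looks like the matching failure value, but the other return paths are outside the hunk and should be checked.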
@@ -253,6 +252,7 @@
         'GPLv2'      => 'http://www.gnu.org/licenses/gpl-2.0.html',
         'GPL-2.0'    => 'http://www.gnu.org/licenses/gpl-2.0.html',
         'GPLv3'      => 'http://www.gnu.org/licenses/gpl-3.0.html',
+        'GPLv3+'     => 'http://www.gnu.org/licenses/gpl-3.0.html',
         'GPL-3.0'    => 'http://www.gnu.org/licenses/gpl-3.0.html',
         'GPL-3.0+'   => 'http://www.gnu.org/licenses/gpl.html',
         'GPL-2.0+'   => 'http://www.gnu.org/licenses/gpl.html',
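Review bot: The new `'GPLv3+'` entry maps to the versioned `gpl-3.0.html` page, while the existing `'GPL-3.0+'` and `'GPL-2.0+'` entries for the same "or later" licences point at the generic `gpl.html`. Unless the difference is intended, `'GPLv3+'     => 'http://www.gnu.org/licenses/gpl.html',` would keep the "or later" spellings consistent with each other. The surrounding license table starts outside the hunk.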
@@ -279,7 +279,7 @@
       );
 
       $dir = dir($this->dir);
-      $fn = unslashify($dir->path) . DIRECTORY_SEPARATOR . $plugin_name . DIRECTORY_SEPARATOR . $plugin_name . '.php';
+      $fn = unslashify($dir->path) . "/$plugin_name/$plugin_name.php";
       $info = false;
 
       if (!class_exists($plugin_name, false)) {
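Review bot: The `$fn` line rebuilds the same `<dir>/<name>/<name>.php` path that load_plugin builds in an earlier hunk, so any validation of `$plugin_name` added to one of them will silently be missing from the other. A small private helper, e.g. `$fn = $this->plugin_file(unslashify($dir->path), $plugin_name);`, would give both call sites a single place for the path rule and any name check. The enclosing get_info() method starts and ends outside the hunk, so the helper's placement would need to be checked against the rest of the class.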
@@ -423,8 +423,10 @@
             $args = array('arg' => $args);
         }
 
+        // TODO: avoid recusion by checking in_array($hook, $this->exec_stack) ?
+
         $args += array('abort' => false);
-        $this->active_hook = $hook;
+        array_push($this->exec_stack, $hook);
 
         foreach ((array)$this->handlers[$hook] as $callback) {
             $ret = call_user_func($callback, $args);
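Review bot: The TODO added above the `$args +=` line leaves the recursion guard unimplemented even though the stack it needs now exists, and it does not say what should happen when a handler re-triggers its own hook; silently returning `$args` would hide handler bugs, while letting it through risks unbounded recursion. I would at least record the decision in the comment and fix the typo: `// TODO: decide whether a handler re-triggering its own hook (in_array($hook, $this->exec_stack, true)) is refused or only reported`. Whatever form the check takes, the comparison should be strict, since hook names are strings and a loose `in_array()` would treat numeric-looking names as equal. The enclosing exec_hook() method starts outside the hunk.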
@@ -437,7 +439,7 @@
             }
         }
 
-        $this->active_hook = false;
+        array_pop($this->exec_stack);
         return $args;
     }
 
@@ -573,7 +575,7 @@
      */
     public function is_processing($hook = null)
     {
-        return $this->active_hook && (!$hook || $this->active_hook == $hook);
+        return count($this->exec_stack) > 0 && (!$hook || in_array($hook, $this->exec_stack));
     }
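Review bot: The new `return` line changes what is_processing($hook) means: it is now true for any hook anywhere on the stack, including an outer hook that is suspended while an inner one runs, whereas `$active_hook` only ever named the innermost one; callers that used it to ask "is this the hook being dispatched right now" should be reviewed. The method's docblock ends just above the hunk and should state this, e.g. a sentence like "Returns true if the hook is being executed or is an outer hook waiting for a nested hook to finish". The membership test should also be strict: `return count($this->exec_stack) > 0 && (!$hook || in_array($hook, $this->exec_stack, true));`.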
 
     /**
@@ -625,6 +627,16 @@
     }
 
     /**
+     * Returns loaded plugin
+     *
+     * @return rcube_plugin Plugin instance
+     */
+    public function get_plugin($name)
+    {
+        return $this->plugins[$name];
+    }
+
+    /**
      * Callback for template_container hooks
      *
      * @param array $attrib
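Review bot: The `return $this->plugins[$name];` line raises an undefined-index notice and yields null when the plugin is not loaded, which contradicts the docblock's unconditional `@return rcube_plugin`. Assuming `$this->plugins` is keyed by plugin name as the lookup implies, `return isset($this->plugins[$name]) ? $this->plugins[$name] : null;` makes the miss explicit, and the docblock should gain `@param string $name Plugin name` and change the return line to `@return rcube_plugin|null Plugin instance, or null if not loaded`. The following template_container callback's docblock starts at the bottom of the hunk and continues outside it.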

--
Gitblit v1.9.1