From 6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 07 May 2015 03:02:29 -0400
Subject: [PATCH] Fix security issue in contact photo handling (#1490379)

---
 CHANGELOG                           |    1 +
 program/steps/addressbook/photo.inc |    5 -----
 program/steps/mail/show.inc         |    1 -
 3 files changed, 1 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 71ec2d3..ab8b3c7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@
 - Fix duplicate entry on timezones list in rcube_config::timezone_name_from_abbr() (#1490293)
 - Fix handling of %-encoded entities in mailto: URLs (#1490346)
 - Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#1490372)
+- Fix security issue in contact photo handling (#1490379)
 
 RELEASE 1.0.5
 -------------
diff --git a/program/steps/addressbook/photo.inc b/program/steps/addressbook/photo.inc
index 30d09ff..cd0ddd7 100644
--- a/program/steps/addressbook/photo.inc
+++ b/program/steps/addressbook/photo.inc
@@ -80,11 +80,6 @@
     $RCMAIL->output->redirect($data);
 }
 
-// deliver alt image
-if (!$data && ($alt_img = rcube_utils::get_input_value('_alt', rcube_utils::INPUT_GPC)) && is_file($alt_img)) {
-    $data = file_get_contents($alt_img);
-}
-
 // cache for one day if requested by email
 if (!$cid && $email) {
     $RCMAIL->output->future_expire_header(86400);
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index ea148d5..5d9aff4 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -343,7 +343,6 @@
             '_task'   => 'addressbook',
             '_action' => 'photo',
             '_email'  => $MESSAGE->sender['mailto'],
-            '_alt'    => $placeholder,
         ));
 
         $attrib['onerror'] = "this.src = '" . ($placeholder ? $placeholder : 'program/resources/blank.gif') . "'";

--
Gitblit v1.9.1