From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 plugins/enigma/lib/enigma_ui.php | 2 ++
 plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php | 2 ++
 plugins/enigma/enigma.js | 2 +-
 program/steps/addressbook/export.inc | 2 ++
 plugins/managesieve/managesieve.js | 2 +-
 program/js/app.js | 4 ++--
 6 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/plugins/enigma/enigma.js b/plugins/enigma/enigma.js
index bd52d04..a5497f4 100644
--- a/plugins/enigma/enigma.js
+++ b/plugins/enigma/enigma.js
@@ -157,7 +157,7 @@
 if (!keys.length) return;
- this.goto_url('plugin.enigmakeys', {_a: 'export', _keys: keys});
+ this.goto_url('plugin.enigmakeys', {_a: 'export', _keys: keys}, false, true);
 };
 // Submit key(s) import form
diff --git a/plugins/enigma/lib/enigma_ui.php b/plugins/enigma/lib/enigma_ui.php
index c12ac41..9c138f2 100644
--- a/plugins/enigma/lib/enigma_ui.php
+++ b/plugins/enigma/lib/enigma_ui.php
@@ -459,6 +459,8 @@
 */
 private function key_export() {
+ $this->rc->request_security_check(rcube_utils::INPUT_GET);
+
 $keys = rcube_utils::get_input_value('_keys', rcube_utils::INPUT_GPC);
 $engine = $this->enigma->load_engine();
 $list = $keys == '*' ? $engine->list_keys() : explode(',', $keys);
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
index 67c9211..3fb1684 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
@@ -397,6 +397,8 @@
 }
 }
 else if ($action == 'setget') {
+ $this->rc->request_security_check(rcube_utils::INPUT_GET);
+
 $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true);
 $script = $this->sieve->get_script($script_name);
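Review bot: The two trailing positional booleans in `this.goto_url('plugin.enigmakeys', {_a: 'export', _keys: keys}, false, true);` say nothing about what they switch on, and the same pattern is repeated in the managesieve.js and app.js hunks. The commit title and the matching server-side `request_security_check` calls suggest the fourth argument is what makes the navigation carry the request token, but nothing at the call site says so. A short comment above the call, `// 4th arg: append the request token; the export action is now CSRF-checked on the server`, would let a reader connect the JS change to the PHP check; if goto_url's parameters are documented in app.js, that is the better place to name them. The enclosing export function starts outside the hunk.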
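Review bot: `$this->rc->request_security_check(rcube_utils::INPUT_GET);` validates the token only from the query string, yet the very next context line still reads `_keys` with `rcube_utils::INPUT_GPC`, so the parameter is accepted from more channels than the one the token is checked on; the rcube_sieve_engine.php hunk (`_set` via `INPUT_GPC`) and the export.inc hunk (`$_REQUEST['_search']`) have the same mismatch. As far as the JS hunks show, every caller reaches these actions through a plain GET navigation via goto_url, so narrowing the read to the checked channel looks safe: `$keys = rcube_utils::get_input_value('_keys', rcube_utils::INPUT_GET);` and likewise `rcube_utils::INPUT_GET` for `_set`. Confirm no other caller posts to these actions before narrowing. key_export's body continues outside the hunk, so what the handler does with `$list` was not reviewed here.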
diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js
index a69fa5a..117f01a 100644
--- a/plugins/managesieve/managesieve.js
+++ b/plugins/managesieve/managesieve.js
@@ -181,7 +181,7 @@
 var id = this.filtersets_list.get_single_selection(), script = this.env.filtersets[id];
- location.href = this.env.comm_path+'&_action=plugin.managesieve-action&_act=setget&_set='+urlencode(script);
+ this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true);
 };
 // Set activate/deactivate request
diff --git a/program/js/app.js b/program/js/app.js
index d525d0a..45fba7e 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -1316,13 +1316,13 @@
 case 'export':
 if (this.contact_list.rowcount > 0) {
- this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _search: this.env.search_request });
+ this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _search: this.env.search_request }, false, true);
 }
 break;
 case 'export-selected':
 if (this.contact_list.rowcount > 0) {
- this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _cid: this.contact_list.get_selection().join(',') });
+ this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _cid: this.contact_list.get_selection().join(',') }, false, true);
 }
 break;
diff --git a/program/steps/addressbook/export.inc b/program/steps/addressbook/export.inc
index 8d62ecd..c1eaa7f 100644
--- a/program/steps/addressbook/export.inc
+++ b/program/steps/addressbook/export.inc
@@ -21,6 +21,8 @@
 +-----------------------------------------------------------------------+
 */
+$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
+
 // Use search result
 if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
 $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
--
Gitblit v1.9.1
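Review bot: The removed line URL-encoded the script name explicitly with `urlencode(script)`, while the new `this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true);` hands the raw value to goto_url, so a set name containing `&`, `#`, `%` or spaces now round-trips only if goto_url encodes each parameter value itself. The app.js hunk already passes comma-joined ids through the same helper, so it presumably does, but that is inferred rather than visible in this patch; a check with a set named along the lines of `a&b=c` (constructed example) would settle it. The enclosing function starts outside the hunk.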