From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
plugins/enigma/lib/enigma_ui.php | 2 ++
plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php | 2 ++
plugins/enigma/enigma.js | 2 +-
program/steps/addressbook/export.inc | 2 ++
plugins/managesieve/managesieve.js | 2 +-
program/js/app.js | 4 ++--
6 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/plugins/enigma/enigma.js b/plugins/enigma/enigma.js
index bd52d04..a5497f4 100644
--- a/plugins/enigma/enigma.js
+++ b/plugins/enigma/enigma.js
@@ -157,7 +157,7 @@
if (!keys.length)
return;
- this.goto_url('plugin.enigmakeys', {_a: 'export', _keys: keys});
+ this.goto_url('plugin.enigmakeys', {_a: 'export', _keys: keys}, false, true);
};
// Submit key(s) import form
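Review bot: The changed call passes two bare positional booleans, `false, true`, and nothing at the call site says what they select; a reader has to open app.js to learn what the fourth argument does, which presumably is to attach the request token to the download URL, since the matching PHP side of this patch now calls `request_security_check(INPUT_GET)`. A one-line comment above the call would make the intent visible, e.g. `// 4th arg: include the request token, the export action now verifies it`. The same applies to the `setget` call in managesieve.js and to both `export` calls in app.js. The enclosing key-export function starts outside the hunk.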
diff --git a/plugins/enigma/lib/enigma_ui.php b/plugins/enigma/lib/enigma_ui.php
index c12ac41..9c138f2 100644
--- a/plugins/enigma/lib/enigma_ui.php
+++ b/plugins/enigma/lib/enigma_ui.php
@@ -459,6 +459,8 @@
*/
private function key_export()
{
+ $this->rc->request_security_check(rcube_utils::INPUT_GET);
+
$keys = rcube_utils::get_input_value('_keys', rcube_utils::INPUT_GPC);
$engine = $this->enigma->load_engine();
$list = $keys == '*' ? $engine->list_keys() : explode(',', $keys);
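Review bot: The new `request_security_check(rcube_utils::INPUT_GET)` validates the token taken from the GET query, but `_keys` on the following line is still read with `rcube_utils::INPUT_GPC`, so the token source and the parameter source disagree. If this action is only reached by a navigated link, which the GET-scoped check suggests, reading the parameter from the same source keeps the two in step and documents the contract: `$keys = rcube_utils::get_input_value('_keys', rcube_utils::INPUT_GET);`. I have not verified that no caller posts `_keys`, so confirm that before narrowing. The same mismatch appears in the `setget` branch of rcube_sieve_engine.php (`_set` read via INPUT_GPC) and in export.inc, which reads `$_REQUEST['_search']` after its GET-scoped check. key_export() continues past the hunk.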
diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
index 67c9211..3fb1684 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
@@ -397,6 +397,8 @@
}
}
else if ($action == 'setget') {
+ $this->rc->request_security_check(rcube_utils::INPUT_GET);
+
$script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true);
$script = $this->sieve->get_script($script_name);
diff --git a/plugins/managesieve/managesieve.js b/plugins/managesieve/managesieve.js
index a69fa5a..117f01a 100644
--- a/plugins/managesieve/managesieve.js
+++ b/plugins/managesieve/managesieve.js
@@ -181,7 +181,7 @@
var id = this.filtersets_list.get_single_selection(),
script = this.env.filtersets[id];
- location.href = this.env.comm_path+'&_action=plugin.managesieve-action&_act=setget&_set='+urlencode(script);
+ this.goto_url('plugin.managesieve-action', {_act: 'setget', _set: script}, false, true);
};
// Set activate/deactivate request
diff --git a/program/js/app.js b/program/js/app.js
index d525d0a..45fba7e 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -1316,13 +1316,13 @@
case 'export':
if (this.contact_list.rowcount > 0) {
- this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _search: this.env.search_request });
+ this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _search: this.env.search_request }, false, true);
}
break;
case 'export-selected':
if (this.contact_list.rowcount > 0) {
- this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _cid: this.contact_list.get_selection().join(',') });
+ this.goto_url('export', { _source: this.env.source, _gid: this.env.group, _cid: this.contact_list.get_selection().join(',') }, false, true);
}
break;
diff --git a/program/steps/addressbook/export.inc b/program/steps/addressbook/export.inc
index 8d62ecd..c1eaa7f 100644
--- a/program/steps/addressbook/export.inc
+++ b/program/steps/addressbook/export.inc
@@ -21,6 +21,8 @@
+-----------------------------------------------------------------------+
*/
+$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
+
// Use search result
if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
$sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
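Review bot: The new `request_security_check(rcube_utils::INPUT_GET)` at the top of the step carries no comment explaining why the token is expected in the query string, which is the non-obvious part of the call for anyone reading this file on its own. A short comment such as `// Export is opened as a plain link, so the request token arrives as a GET parameter` would record that decision next to the check. The step file continues past the hunk.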
--
Gitblit v1.9.1