From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 installer/index.php |   12 +++++++++---
 1 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/installer/index.php b/installer/index.php
index 4443d76..3e9c6b7 100644
--- a/installer/index.php
+++ b/installer/index.php
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
  | Version 1.2-git                                                         |
@@ -66,7 +66,13 @@
 
 if (isset($_GET['_getconfig'])) {
   $filename = 'config.inc.php';
-  if (!empty($_SESSION['config'])) {
+  if (!empty($_SESSION['config']) && $_GET['_getconfig'] == 2) {
+    $path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . $filename;
+    @unlink($path);
+    file_put_contents($path, $_SESSION['config']);
+    exit;
+  }
+  else if (!empty($_SESSION['config'])) {
     header('Content-type: text/plain');
     header('Content-Disposition: attachment; filename="'.$filename.'"');
     echo $_SESSION['config'];
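Review bot: The new `$_GET['_getconfig'] == 2` branch writes `$_SESSION['config']` to a fixed, predictable name in the shared temp directory. `file_put_contents()` follows a symlink that appears between the `@unlink()` and the write, and it creates the file with the process umask. On a multi-user host the generated config, which typically carries the database DSN and encryption key, can therefore end up readable by other local accounts or written to an unintended path. The write result is also ignored and the branch exits with an empty success response, so a failed save looks the same as a good one. I would create the file exclusively with owner-only permissions and signal failure, as sketched below. The enclosing `if (isset($_GET['_getconfig']))` block continues past the end of this hunk.

```php
    @unlink($path);
    // 'x' refuses an existing file or symlink; umask keeps the new file owner-only
    $old_umask = umask(0077);
    $fp = @fopen($path, 'x');
    umask($old_umask);
    if (!$fp || fwrite($fp, $_SESSION['config']) === false) {
      header('HTTP/1.0 500 Internal Server Error');
    }
    if ($fp) {
      fclose($fp);
    }
    exit;
```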
@@ -158,7 +164,7 @@
 
   foreach (array('Check environment', 'Create config', 'Test config') as $i => $item) {
     $j = $i + 1;
-    $link = ($RCI->step >= $j || $RCI->configured) ? '<a href="./index.php?_step='.$j.'">' . Q($item) . '</a>' : Q($item);
+    $link = ($RCI->step >= $j || $RCI->configured) ? '<a href="./index.php?_step='.$j.'">' . rcube::Q($item) . '</a>' : rcube::Q($item);
     printf('<li class="step%d%s">%s</li>', $j+1, $RCI->step > $j ? ' passed' : ($RCI->step == $j ? ' current' : ''), $link);
   }
 ?>

--
Gitblit v1.9.1