From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 installer/index.php |   23 +++++++++++++++++------
 1 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/installer/index.php b/installer/index.php
index 044eb3f..3e9c6b7 100644
--- a/installer/index.php
+++ b/installer/index.php
@@ -1,11 +1,11 @@
 <?php
 
-/*
+/**
  +-------------------------------------------------------------------------+
  | Roundcube Webmail setup tool                                            |
- | Version 0.9-git                                                         |
+ | Version 1.2-git                                                         |
  |                                                                         |
- | Copyright (C) 2009-2013, The Roundcube Dev Team                         |
+ | Copyright (C) 2009-2015, The Roundcube Dev Team                         |
  |                                                                         |
  | This program is free software: you can redistribute it and/or modify    |
  | it under the terms of the GNU General Public License (with exceptions   |
@@ -39,7 +39,7 @@
 ini_set('error_reporting', E_ALL &~ (E_NOTICE | E_STRICT));
 ini_set('display_errors', 1);
 
-define('INSTALL_PATH', realpath(dirname(__FILE__) . '/../').'/');
+define('INSTALL_PATH', realpath(__DIR__ . '/../').'/');
 define('RCUBE_INSTALL_PATH', INSTALL_PATH);
 define('RCUBE_CONFIG_DIR', INSTALL_PATH . 'config/');
 
@@ -48,6 +48,11 @@
 $include_path .= ini_get('include_path');
 
 set_include_path($include_path);
+
+// include composer autoloader (if available)
+if (@file_exists(INSTALL_PATH . 'vendor/autoload.php')) {
+    require INSTALL_PATH . 'vendor/autoload.php';
+}
 
 require_once 'Roundcube/bootstrap.php';
 // deprecated aliases (to be removed)
@@ -61,7 +66,13 @@
 
 if (isset($_GET['_getconfig'])) {
   $filename = 'config.inc.php';
-  if (!empty($_SESSION['config'])) {
+  if (!empty($_SESSION['config']) && $_GET['_getconfig'] == 2) {
+    $path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . $filename;
+    @unlink($path);
+    file_put_contents($path, $_SESSION['config']);
+    exit;
+  }
+  else if (!empty($_SESSION['config'])) {
     header('Content-type: text/plain');
     header('Content-Disposition: attachment; filename="'.$filename.'"');
     echo $_SESSION['config'];
@@ -153,7 +164,7 @@
 
   foreach (array('Check environment', 'Create config', 'Test config') as $i => $item) {
     $j = $i + 1;
-    $link = ($RCI->step >= $j || $RCI->configured) ? '<a href="./index.php?_step='.$j.'">' . Q($item) . '</a>' : Q($item);
+    $link = ($RCI->step >= $j || $RCI->configured) ? '<a href="./index.php?_step='.$j.'">' . rcube::Q($item) . '</a>' : rcube::Q($item);
     printf('<li class="step%d%s">%s</li>', $j+1, $RCI->step > $j ? ' passed' : ($RCI->step == $j ? ' current' : ''), $link);
   }
 ?>

--
Gitblit v1.9.1