From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php |   61 +++++++++++++++++++++++++-----
 1 files changed, 50 insertions(+), 11 deletions(-)

diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
index b8af037..3fb1684 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_engine.php
@@ -63,7 +63,7 @@
         1 => 'notifyimportancehigh'
     );
 
-    const VERSION  = '8.3';
+    const VERSION  = '8.5';
     const PROGNAME = 'Roundcube (Managesieve)';
     const PORT     = 4190;
 
@@ -397,6 +397,8 @@
                 }
             }
             else if ($action == 'setget') {
+                $this->rc->request_security_check(rcube_utils::INPUT_GET);
+
                 $script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GPC, true);
                 $script      = $this->sieve->get_script($script_name);
 
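Review bot: The token is checked against the GET parameters, but on the next line `_set` is still read from `rcube_utils::INPUT_GPC`, so the name of the script being exported can come from POST or a cookie rather than from the request that carried the token. Reading it from the same source keeps the two consistent: `$script_name = rcube_utils::get_input_value('_set', rcube_utils::INPUT_GET, true);`. This assumes `request_security_check()` aborts the request when the token is missing or wrong, which is not visible in the hunk. The enclosing action dispatcher starts and ends outside this hunk.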
@@ -440,6 +442,11 @@
                 $content = $this->action_div($fid, $id, false);
 
                 $this->rc->output->command('managesieve_actionfill', $content, $id, $aid);
+            }
+            else if ($action == 'addresses') {
+                $aid = rcube_utils::get_input_value('_aid', rcube_utils::INPUT_POST);
+
+                $this->rc->output->command('managesieve_vacation_addresses_update', $aid, $this->user_emails());
             }
 
             $this->rc->output->send();
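Review bot: The new `addresses` branch returns the user's identity addresses without an explicit `request_security_check`, unlike the `setget` branch earlier in the same method. That is acceptable if the framework already verifies the request token on every POST before the plugin action runs, which this hunk does not show; otherwise `$this->rc->request_security_check(rcube_utils::INPUT_POST);` at the top of the branch would match the pattern used above. `$aid` is only echoed back to the client, so a one-line comment such as `// id of the vacation action whose address list the client refreshes` would make the round trip clear (presumed meaning, confirm against the JS side). The enclosing method starts and ends outside this hunk.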
@@ -611,6 +618,7 @@
             $addresses      = rcube_utils::get_input_value('_action_addresses', rcube_utils::INPUT_POST, true);
             $intervals      = rcube_utils::get_input_value('_action_interval', rcube_utils::INPUT_POST);
             $interval_types = rcube_utils::get_input_value('_action_interval_type', rcube_utils::INPUT_POST);
+            $from           = rcube_utils::get_input_value('_action_from', rcube_utils::INPUT_POST);
             $subject        = rcube_utils::get_input_value('_action_subject', rcube_utils::INPUT_POST, true);
             $flags          = rcube_utils::get_input_value('_action_flags', rcube_utils::INPUT_POST);
             $varnames       = rcube_utils::get_input_value('_action_varname', rcube_utils::INPUT_POST);
@@ -627,8 +635,8 @@
             foreach ($sizeitems as $item)
                 $items[] = $item;
 
-            $this->form['disabled'] = $_POST['_disabled'] ? true : false;
-            $this->form['join']     = $join=='allof' ? true : false;
+            $this->form['disabled'] = !empty($_POST['_disabled']);
+            $this->form['join']     = $join == 'allof';
             $this->form['name']     = $name;
             $this->form['tests']    = array();
             $this->form['actions']  = array();
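Review bot: `$join == 'allof'` keeps the loose comparison of the old ternary; since `$join` is request input, `$this->form['join'] = $join === 'allof';` pins the intent and avoids type juggling. The `!empty($_POST['_disabled'])` rewrite on the line above is the right replacement for the old truthiness ternary.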
@@ -976,10 +984,11 @@
                     $interval_type = $interval_types[$idx] == 'seconds' ? 'seconds' : 'days';
 
                     $this->form['actions'][$i]['reason']    = str_replace("\r\n", "\n", $reason);
+                    $this->form['actions'][$i]['from']      = $from[$idx];
                     $this->form['actions'][$i]['subject']   = $subject[$idx];
                     $this->form['actions'][$i]['addresses'] = array_shift($addresses);
                     $this->form['actions'][$i][$interval_type] = $intervals[$idx];
-// @TODO: vacation :mime, :from, :handle
+// @TODO: vacation :mime, :handle
 
                     foreach ((array)$this->form['actions'][$i]['addresses'] as $aidx => $address) {
                         $this->form['actions'][$i]['addresses'][$aidx] = $address = trim($address);
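Review bot: `$from[$idx]` is stored as-is at line 67, whereas each vacation address is trimmed before validation a few lines later; a value pasted with surrounding whitespace will then reach the `rcube_utils::check_email` test added in the following hunk and, unless that helper tolerates whitespace, be rejected with `noemailwarning`. Suggest `$this->form['actions'][$i]['from'] = trim($from[$idx]);` so both fields are normalised the same way before validation. The `@TODO` update correctly drops `:from` now that it is handled. The enclosing form-handling method starts and ends outside this hunk.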
@@ -991,6 +1000,10 @@
                             $this->errors['actions'][$i]['addresses'] = $this->plugin->gettext('noemailwarning');
                             break;
                         }
+                    }
+
+                    if (!empty($this->form['actions'][$i]['from']) && !rcube_utils::check_email($this->form['actions'][$i]['from'])) {
+                        $this->errors['actions'][$i]['from'] = $this->plugin->gettext('noemailwarning');
                     }
 
                     if ($this->form['actions'][$i]['reason'] == '')
@@ -1601,7 +1614,7 @@
             $mout .= '<div id="rule_date_header_div' .$id. '" class="adv"'. ($rule['test'] != 'date' ? ' style="display:none"' : '') .'>';
             $mout .= '<span class="label">' . rcube::Q($this->plugin->gettext('dateheader')) . '</span>';
             $mout .= '<input type="text" name="_rule_date_header[]" id="rule_date_header'.$id
-                . '" value="'. Q($rule['test'] == 'date' ? $rule['header'] : '')
+                . '" value="'. rcube::Q($rule['test'] == 'date' ? $rule['header'] : '')
                 . '" size="15"' . $this->error_class($id, 'test', 'dateheader', 'rule_date_header') .' />';
             $mout .= '</div>';
         }
@@ -1674,7 +1687,7 @@
             $test = $rule['type'];
         }
         else if (in_array($rule['test'], $set)) {
-            $test = ($rule['not'] ? 'not' : '') . ($rule['type'] ? $rule['type'] : 'is');
+            $test = ($rule['not'] ? 'not' : '') . ($rule['type'] ?: 'is');
         }
         else {
             $test = ($rule['not'] ? 'not' : '') . $rule['test'];
@@ -1769,19 +1782,28 @@
             . "</textarea>\n";
 
         // vacation
-        $vsec = in_array('vacation-seconds', $this->exts);
+        $vsec      = in_array('vacation-seconds', $this->exts);
+        $auto_addr = $this->rc->config->get('managesieve_vacation_addresses_init');
+        $addresses = isset($action['addresses']) || !$auto_addr ? (array) $action['addresses'] : $this->user_emails();
+
         $out .= '<div id="action_vacation' .$id.'" style="display:' .($action['type']=='vacation' ? 'inline' : 'none') .'">';
         $out .= '<span class="label">'. rcube::Q($this->plugin->gettext('vacationreason')) .'</span><br />'
             .'<textarea name="_action_reason['.$id.']" id="action_reason' .$id. '" '
             .'rows="3" cols="35" '. $this->error_class($id, 'action', 'reason', 'action_reason') . '>'
-            . Q($action['reason'], 'strict', false) . "</textarea>\n";
+            . rcube::Q($action['reason'], 'strict', false) . "</textarea>\n";
         $out .= '<br /><span class="label">' .rcube::Q($this->plugin->gettext('vacationsubject')) . '</span><br />'
             .'<input type="text" name="_action_subject['.$id.']" id="action_subject'.$id.'" '
             .'value="' . (is_array($action['subject']) ? rcube::Q(implode(', ', $action['subject']), 'strict', false) : $action['subject']) . '" size="35" '
             . $this->error_class($id, 'action', 'subject', 'action_subject') .' />';
+        $out .= '<br /><span class="label">' .rcube::Q($this->plugin->gettext('vacationfrom')) . '</span><br />'
+            .'<input type="text" name="_action_from['.$id.']" id="action_from'.$id.'" '
+            .'value="' . $action['from'] . '" size="35" '
+            . $this->error_class($id, 'action', 'from', 'action_from') .' />';
         $out .= '<br /><span class="label">' .rcube::Q($this->plugin->gettext('vacationaddr')) . '</span><br />'
-            . $this->list_input($id, 'action_addresses', $action['addresses'], true,
-                $this->error_class($id, 'action', 'addresses', 'action_addresses'), 30);
+            . $this->list_input($id, 'action_addresses', $addresses, true,
+                $this->error_class($id, 'action', 'addresses', 'action_addresses'), 30)
+            . html::a(array('href' => '#', 'onclick' => rcmail_output::JS_OBJECT_NAME . ".managesieve_vacation_addresses($id)"),
+                rcube::Q($this->plugin->gettext('filladdresses')));
         $out .= '<br /><span class="label">' . rcube::Q($this->plugin->gettext($vsec ? 'vacationinterval' : 'vacationdays')) . '</span><br />'
             .'<input type="text" name="_action_interval['.$id.']" id="action_interval'.$id.'" '
             .'value="' .rcube::Q(rcube_sieve_vacation::vacation_interval($action), 'strict', false) . '" size="2" '
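Review bot: `$action['from']` is written into the `value` attribute at line 126 without `rcube::Q()`, while `reason` (line 119) and the array form of `subject` (line 122) go through it; whatever is stored in the script's `:from` argument, or re-displayed after a failed form submission, therefore lands in the HTML unescaped. Use `.'value="' . rcube::Q($action['from'], 'strict', false) . '" size="35" '` to match the neighbouring fields. The scalar branch of `subject` on line 122 has the same pre-existing gap and could be fixed in the same way. The enclosing method starts and ends outside this hunk.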
@@ -2338,7 +2360,7 @@
             if (empty($filter['actions'])) {
                 continue;
             }
-            $fname = $filter['name'] ? $filter['name'] : "#$i";
+            $fname = $filter['name'] ?: "#$i";
             $result[] = array(
                 'id'    => $idx,
                 'name'  => $fname,
@@ -2389,4 +2411,21 @@
 
         $this->headers += $headers;
     }
+
+    /**
+     * Get all e-mail addresses of the user
+     */
+    protected function user_emails()
+    {
+        $addresses = $this->rc->user->list_emails();
+
+        foreach ($addresses as $idx => $email) {
+            $addresses[$idx] = $email['email'];
+        }
+
+        $addresses = array_unique($addresses);
+        sort($addresses);
+
+        return $addresses;
+    }
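Review bot: `user_emails()` carries only a one-line summary; since it feeds both the `addresses` AJAX response and the pre-filled vacation address list, the docblock should state the return shape, e.g. `@return array Sorted list of the user's unique e-mail addresses`. The loop assumes every `list_emails()` row is an array with an `email` key, which is not visible here; a short comment recording that assumption would help the next reader. It is worth noting in the docblock that `sort()` reindexes after `array_unique()`, so callers receive a proper list rather than a sparse array.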
 }
