From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php | 43 +++++++++++++++++++++++++++++++++++--------
 1 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php b/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php
index 419989e..932aaaa 100644
--- a/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php
+++ b/plugins/managesieve/lib/Roundcube/rcube_sieve_vacation.php
@@ -49,9 +49,11 @@
 /**
 * Find and load sieve script with/for vacation rule
 *
+ * @param string $script_name Optional script name
+ *
 * @return int Connection status: 0 on success, >0 on failure
 */
- protected function load_script()
+ protected function load_script($script_name = null)
 {
 if ($this->script_name !== null) {
 return 0;
@@ -179,6 +181,7 @@
 }
 
 $status = rcube_utils::get_input_value('vacation_status', rcube_utils::INPUT_POST);
+ $from = rcube_utils::get_input_value('vacation_from', rcube_utils::INPUT_POST);
 $subject = rcube_utils::get_input_value('vacation_subject', rcube_utils::INPUT_POST, true);
 $reason = rcube_utils::get_input_value('vacation_reason', rcube_utils::INPUT_POST, true);
 $addresses = rcube_utils::get_input_value('vacation_addresses', rcube_utils::INPUT_POST, true);
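Review bot: The new `$script_name` parameter of load_script() is documented as `string` but defaults to `null`, and none of the visible lines read it; the docblock should be `@param string|null $script_name Optional script name` and say what passing nothing means. Because the first statement is `if ($this->script_name !== null) { return 0; }`, a name passed by a caller is ignored whenever a script is already loaded, which is worth a one-line comment on that early return if the parameter is consumed further down (the body continues outside the hunk). Separately, the commit subject talks about export downloads and describes none of the hunks in this file, so the vacation `from` work will be hard to find by message later.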
@@ -196,7 +199,8 @@
 $interval_type = $interval_type == 'seconds' ? 'seconds' : 'days';
 $vacation_action['type'] = 'vacation';
 $vacation_action['reason'] = $this->strip_value(str_replace("\r\n", "\n", $reason));
- $vacation_action['subject'] = $subject;
+ $vacation_action['subject'] = trim($subject);
+ $vacation_action['from'] = trim($from);
 $vacation_action['addresses'] = $addresses;
 $vacation_action[$interval_type] = $interval;
 $vacation_tests = (array) $this->vacation['tests'];
@@ -211,6 +215,10 @@
 $error = 'noemailwarning';
 break;
 }
+ }
+
+ if (!empty($vacation_action['from']) && !rcube_utils::check_email($vacation_action['from'])) {
+ $error = 'noemailwarning';
 }
 
 if ($vacation_action['reason'] == '') {
@@ -304,7 +312,7 @@
 }
 }
 
- $this->rc->output->show_message($error ? $error : 'managesieve.saveerror', 'error');
+ $this->rc->output->show_message($error ?: 'managesieve.saveerror', 'error');
 $this->rc->output->send();
 }
 
@@ -319,7 +327,7 @@
 $seconds_extension = in_array('vacation-seconds', $this->exts);
 
 // build FORM tag
- $form_id = !empty($attrib['id']) ? $attrib['id'] : 'form';
+ $form_id = $attrib['id'] ?: 'form';
 $out = $this->rc->output->request_form(array(
 'id' => $form_id,
 'name' => $form_id,
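Review bot: The `!empty($vacation_action['from'])` guard in the @@ -211 hunk lets the value `"0"` through unvalidated, because `empty()` treats the string "0" as empty; after `trim()` the field is always a string, so the guard should be `if ($vacation_action['from'] !== '' && !rcube_utils::check_email($vacation_action['from'])) {`. This check is the only validation the form path applies to the value before it is kept in `$vacation_action`, so it should not be bypassable by a falsy string. The same `!empty(...)` guard is repeated in the @@ -785 hunk (the set-vacation API path) and should change there too.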
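Review bot: `$form_id = $attrib['id'] ?: 'form';` in the @@ -319 hunk regresses the missing-key case: the removed `!empty($attrib['id'])` never touched a missing index, whereas `?:` evaluates `$attrib['id']` first and raises an undefined-index notice for callers that pass no `id` attribute. Keep the `!empty()` form, or write `$form_id = isset($attrib['id']) ? $attrib['id'] : 'form';`. The `?:` rewrites in the @@ -304 and @@ -577 hunks operate on plain locals and are fine as long as `$error` and `$interval` are always initialised earlier in their functions, which is outside the hunks.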
@@ -329,14 +337,24 @@
 'noclose' => true
 ) + $attrib);
 
+ $auto_addr = $this->rc->config->get('managesieve_vacation_addresses_init');
+ $addresses = !$auto_addr || count($this->vacation) > 1 ? (array) $this->vacation['addresses'] : $this->user_emails();
+
 // form elements
+ $from = new html_inputfield(array('name' => 'vacation_from', 'id' => 'vacation_from', 'size' => 50));
 $subject = new html_inputfield(array('name' => 'vacation_subject', 'id' => 'vacation_subject', 'size' => 50));
 $reason = new html_textarea(array('name' => 'vacation_reason', 'id' => 'vacation_reason', 'cols' => 60, 'rows' => 8));
 $interval = new html_inputfield(array('name' => 'vacation_interval', 'id' => 'vacation_interval', 'size' => 5));
 $addresses = '<textarea name="vacation_addresses" id="vacation_addresses" data-type="list" data-size="30" style="display: none">'
- . rcube::Q(implode("\n", (array) $this->vacation['addresses']), 'strict', false) . '</textarea>';
+ . rcube::Q(implode("\n", $addresses), 'strict', false) . '</textarea>';
 $status = new html_select(array('name' => 'vacation_status', 'id' => 'vacation_status'));
 $action = new html_select(array('name' => 'vacation_action', 'id' => 'vacation_action', 'onchange' => 'vacation_action_select()'));
+ $addresses_link = new html_inputfield(array(
+ 'type' => 'button',
+ 'href' => '#',
+ 'class' => 'button',
+ 'onclick' => rcmail_output::JS_OBJECT_NAME . '.managesieve_vacation_addresses()'
+ ));
 
 $status->add($this->plugin->gettext('vacation.on'), 'on');
 $status->add($this->plugin->gettext('vacation.off'), 'off');
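Review bot: `$addresses` is bound to the address list on the added line and then, a few lines later, overwritten with the `<textarea>` markup that consumes it; this only works because the right-hand side is evaluated before the assignment, and a reader of the form code sees one name holding an array and then a string. Give the list its own name, e.g. `$addr_list = !$auto_addr || count($this->vacation) > 1 ? (array) $this->vacation['addresses'] : $this->user_emails();` and `implode("\n", $addr_list)`. The ternary condition also reads better parenthesised, `(!$auto_addr || count($this->vacation) > 1) ? ... : ...`, with a short comment stating the presumed intent (prefill from the user's identities only for a fresh rule when the option is enabled), since that is not obvious from the bare expression.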
@@ -460,8 +478,10 @@
 // Advanced tab
 $table = new html_table(array('cols' => 2));
 
+ $table->add('title', html::label('vacation_from', $this->plugin->gettext('vacation.from')));
+ $table->add(null, $from->show($this->vacation['from']));
 $table->add('title', html::label('vacation_addresses', $this->plugin->gettext('vacation.addresses')));
- $table->add(null, $addresses);
+ $table->add(null, $addresses . $addresses_link->show($this->plugin->gettext('filladdresses')));
 $table->add('title', html::label('vacation_interval', $this->plugin->gettext('vacation.interval')));
 $table->add(null, $interval_txt);
 
@@ -577,7 +597,7 @@
 }
 }
 
- return $interval ? $interval : '';
+ return $interval ?: '';
 }
 
 /**
@@ -742,6 +762,7 @@
 'action' => $this->vacation['action'],
 'target' => $this->vacation['target'],
 'addresses' => $this->vacation['addresses'],
+ 'from' => $this->vacation['from'],
 );
 
 return $vacation;
@@ -770,7 +791,8 @@
 $vacation['type'] = 'vacation';
 $vacation['reason'] = $this->strip_value(str_replace("\r\n", "\n", $data['message']));
 $vacation['addresses'] = $data['addresses'];
- $vacation['subject'] = $data['subject'];
+ $vacation['subject'] = trim($data['subject']);
+ $vacation['from'] = trim($data['from']);
 $vacation_tests = (array) $this->vacation['tests'];
 
 foreach ((array) $vacation['addresses'] as $aidx => $address) {
@@ -785,6 +807,11 @@
 }
 }
 
+ if (!empty($vacation['from']) && !rcube_utils::check_email($vacation['from'])) {
+ $this->error = "Invalid address in 'from': " . $vacation['from'];
+ return false;
+ }
+
 if ($vacation['reason'] == '') {
 $this->error = "No vacation message specified";
 return false;
-- 
Gitblit v1.9.1
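Review bot: `'from' => $this->vacation['from']` in the @@ -742 hunk and `trim($data['from'])` in the @@ -770 hunk both index a key that did not exist before this change; for the second one, any existing caller that still passes only message/addresses/subject now triggers an undefined-index notice on the new line, so read it defensively, `$vacation['from'] = isset($data['from']) ? trim($data['from']) : '';`. Whether the parsed vacation rule always carries a `from` key when the script has no `:from` argument is not visible here, so an `isset()` guard on the @@ -742 line is worth confirming as well. Both enclosing functions start and end outside their hunks.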