From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 plugins/managesieve/managesieve.php | 40 ++++++++++++++++++++++------------------
 1 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/plugins/managesieve/managesieve.php b/plugins/managesieve/managesieve.php
index 6adba4e..68d56a1 100644
--- a/plugins/managesieve/managesieve.php
+++ b/plugins/managesieve/managesieve.php
@@ -37,7 +37,7 @@
 function init()
 {
- $this->rc = rcmail::get_instance();
+ $this->rc = rcube::get_instance();
 // register actions
 $this->register_action('plugin.managesieve', array($this, 'managesieve_actions'));
@@ -51,10 +51,14 @@
 }
 else if ($this->rc->task == 'mail') {
 // register message hook
- $this->add_hook('message_headers_output', array($this, 'mail_headers'));
+ if ($this->rc->action == 'show') {
+ $this->add_hook('message_headers_output', array($this, 'mail_headers'));
+ }
 // inject Create Filter popup stuff
- if (empty($this->rc->action) || $this->rc->action == 'show') {
+ if (empty($this->rc->action) || $this->rc->action == 'show'
+ || strpos($this->rc->action, 'plugin.managesieve') === 0
+ ) {
 $this->mail_task_handler();
 }
 }
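Review bot: The comment `// inject Create Filter popup stuff` in the second hunk no longer matches the condition under it, which now also calls `mail_task_handler()` for every mail-task action whose name starts with `plugin.managesieve`; the comment should say which requests need the handler and why. The test is a `strpos(...) === 0` prefix match, so any action name beginning with that string qualifies, not only the registered `plugin.managesieve` action from the first hunk; if only specific actions are meant, compare against an explicit list. The same expression appears again as `$sieve_action` in the init_ui hunk, so a small private helper would keep the two in step. init() continues outside this hunk.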
@@ -72,23 +76,20 @@ // load localization $this->add_texts('localization/'); - if ($this->rc->task == 'mail' || strpos($this->rc->action, 'plugin.managesieve') === 0) { + $sieve_action = strpos($this->rc->action, 'plugin.managesieve') === 0; + + if ($this->rc->task == 'mail' || $sieve_action) { $this->include_script('managesieve.js'); } // include styles $skin_path = $this->local_skin_path(); - if ($this->rc->task == 'settings') { - if (is_file($this->home . "/$skin_path/managesieve.css")) { - $this->include_stylesheet("$skin_path/managesieve.css"); - } + if ($sieve_action || ($this->rc->task == 'settings' && empty($_REQUEST['_framed']))) { + $this->include_stylesheet("$skin_path/managesieve.css"); } - else { - if (is_file($this->home . "/$skin_path/managesieve_mail.css")) { - $this->include_stylesheet("$skin_path/managesieve_mail.css"); - } + else if ($this->rc->task == 'mail') { + $this->include_stylesheet("$skin_path/managesieve_mail.css"); } - $this->ui_initialized = true; } @@ -109,6 +110,7 @@ 'class' => 'filter', 'label' => 'filters', 'domain' => 'managesieve', + 'title' => 'filterstitle', ); } @@ -119,6 +121,7 @@ 'class' => 'vacation', 'label' => 'vacation', 'domain' => 'managesieve', + 'title' => 'vacationtitle', ); } @@ -187,9 +190,10 @@ function managesieve_actions() { // handle fetching email headers for the new filter form - if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GPC)) { - $mailbox = $this->rc->get_storage()->get_folder(); - $message = new rcube_message($uid, $mailbox); + if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) { + $uids = rcmail::get_uids(); + $mailbox = key($uids); + $message = new rcube_message($uids[$mailbox][0], $mailbox); $headers = $this->parse_headers($message->headers); $this->rc->output->set_env('sieve_headers', $headers); 
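Review bot: Both `include_stylesheet()` calls in the first hunk of this line now run without the `is_file()` check the old code made, so a skin directory lacking `managesieve.css` or `managesieve_mail.css` gets a stylesheet reference to a missing file, unless `include_stylesheet()` handles that itself (not visible here). A one-line comment stating what `include_stylesheet()` does with a missing file would record why the guard could be dropped. The new condition also reads `$_REQUEST['_framed']` directly; only emptiness is tested, so the value is never used, but `rcube_utils::get_input_value()` is what the rest of this file uses for request input. The enclosing function starts outside the hunk.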
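Review bot: In the managesieve_actions() hunk, `$uids[$mailbox][0]` is dereferenced without checking that `rcmail::get_uids()` returned anything; on an empty result `key($uids)` is `null` and `rcube_message` is built from an undefined offset. A guard such as `if ($mailbox !== null && !empty($uids[$mailbox])) {` around the lines that build `$message` and `$headers` would cover it. The gate was narrowed from `INPUT_GPC` to `INPUT_POST`, but `get_uids()` is called with no arguments, so the request source for the uid and folder is decided inside that helper (not visible here); if it accepts an input-mode argument, pass `rcube_utils::INPUT_POST` so the POST-only restriction covers the values actually used. `$uid` is now only a truthiness check and only the first uid of the first folder is used, which deserves a comment. The function continues outside the hunk.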
@@ -225,7 +229,7 @@
 /**
 * Initializes engine object
 */
- private function get_engine($type = null)
+ public function get_engine($type = null)
 {
 if (!$this->engine) {
 $this->load_config();
@@ -235,7 +239,7 @@
 $include_path .= ini_get('include_path');
 set_include_path($include_path);
- $class_name = 'rcube_sieve_' . ($type ?: 'engine');
+ $class_name = 'rcube_sieve_' . ($type ?: 'engine');
 $this->engine = new $class_name($this);
 }
-- 
Gitblit v1.9.1
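Review bot: Making `get_engine()` public exposes a `$type` argument that the second hunk concatenates into a class name and instantiates with `new $class_name($this)`, with no check on its value. While the method was private only this class chose `$type`; now any caller can, so it is worth restricting it to the engine types the plugin ships, e.g. `if ($type !== null && !in_array($type, $allowed_types, true)) { $type = null; }`, where `$allowed_types` is a placeholder for that list. The docblock should gain `@param string|null $type` and a `@return` line, and should note that the visible `if (!$this->engine)` guard appears to cache the first engine, so a later call with a different `$type` would presumably not build a new one. The method body continues outside both hunks.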