From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 plugins/managesieve/managesieve.php |   25 ++++++++++++-------------
 1 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/plugins/managesieve/managesieve.php b/plugins/managesieve/managesieve.php
index 478f26b..68d56a1 100644
--- a/plugins/managesieve/managesieve.php
+++ b/plugins/managesieve/managesieve.php
@@ -51,7 +51,9 @@
         }
         else if ($this->rc->task == 'mail') {
             // register message hook
-            $this->add_hook('message_headers_output', array($this, 'mail_headers'));
+            if ($this->rc->action == 'show') {
+                $this->add_hook('message_headers_output', array($this, 'mail_headers'));
+            }
 
             // inject Create Filter popup stuff
             if (empty($this->rc->action) || $this->rc->action == 'show'
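Review bot: The new guard compares the request-derived action with loose `==`; for a string taken from the request the strict form is the safer idiom, `if ($this->rc->action === 'show') {`. Restricting the `message_headers_output` hook to `show` also means it no longer fires for any other action that renders message headers (a preview action, if the skin uses one) — worth confirming that is intended rather than a regression in the "create filter from headers" flow, since the condition a few lines below still accepts an empty action. The enclosing method starts before this hunk and the trailing `if` condition continues past it.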
@@ -82,15 +84,11 @@
 
         // include styles
         $skin_path = $this->local_skin_path();
-        if ($this->rc->task == 'settings' || $sieve_action) {
-            if (is_file($this->home . "/$skin_path/managesieve.css")) {
-                $this->include_stylesheet("$skin_path/managesieve.css");
-            }
+        if ($sieve_action || ($this->rc->task == 'settings' && empty($_REQUEST['_framed']))) {
+            $this->include_stylesheet("$skin_path/managesieve.css");
         }
-        else {
-            if (is_file($this->home . "/$skin_path/managesieve_mail.css")) {
-                $this->include_stylesheet("$skin_path/managesieve_mail.css");
-            }
+        else if ($this->rc->task == 'mail') {
+            $this->include_stylesheet("$skin_path/managesieve_mail.css");
         }
 
         $this->ui_initialized = true;
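Review bot: The `is_file()` guards around both `include_stylesheet()` calls are dropped, so a skin that does not ship `managesieve.css` or `managesieve_mail.css` now gets a stylesheet link emitted anyway; unless `include_stylesheet()` resolves and verifies the path itself (not visible here), that is a 404 on every page load for such skins. `$_REQUEST['_framed']` is also read directly while this file otherwise goes through `rcube_utils::get_input_value()` (see the `_uid` read later in this patch); only emptiness is tested so there is no injection concern, but `empty(rcube_utils::get_input_value('_framed', rcube_utils::INPUT_GPC))` keeps the input path uniform and easier to audit. The enclosing method starts before this hunk.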
@@ -192,9 +190,10 @@
     function managesieve_actions()
     {
         // handle fetching email headers for the new filter form
-        if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GPC)) {
-            $mailbox = $this->rc->get_storage()->get_folder();
-            $message = new rcube_message($uid, $mailbox);
+        if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
+            $uids    = rcmail::get_uids();
+            $mailbox = key($uids);
+            $message = new rcube_message($uids[$mailbox][0], $mailbox);
             $headers = $this->parse_headers($message->headers);
 
             $this->rc->output->set_env('sieve_headers', $headers);
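Review bot: `$uid` is now read from POST only, but it serves purely as a gate — the message actually loaded comes from `rcmail::get_uids()`, whose input source is not visible in this hunk; if that helper reads `_uid`/`_mbox` from GET as well, the POST-only restriction does not bind on the value that is used, and passing the POST value through explicitly (`$uids = rcmail::get_uids($uid);`, if the helper accepts uids as its first argument) would close that gap. `key($uids)` and `$uids[$mailbox][0]` are also dereferenced without checking that the helper returned anything, so a non-empty but unparseable `_uid` hands a null folder and uid to `rcube_message`; a guard such as `if (empty($uids)) { return; }` before the lookup, plus a check that `$message->headers` is set before `parse_headers()`, would make that failure explicit instead of a notice and an empty `sieve_headers`. `managesieve_actions()` continues past the end of this hunk.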
@@ -240,7 +239,7 @@
             $include_path .= ini_get('include_path');
             set_include_path($include_path);
 
-            $class_name = 'rcube_sieve_' . ($type ? $type : 'engine');
+            $class_name = 'rcube_sieve_' . ($type ?: 'engine');
             $this->engine = new $class_name($this);
         }
 

--