From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
plugins/vcard_attachments/vcard_attachments.php | 110 ++++++++++++++++++++++++++++++++++++++-----------------
1 files changed, 76 insertions(+), 34 deletions(-)
diff --git a/plugins/vcard_attachments/vcard_attachments.php b/plugins/vcard_attachments/vcard_attachments.php
index c321e84..74718be 100644
--- a/plugins/vcard_attachments/vcard_attachments.php
+++ b/plugins/vcard_attachments/vcard_attachments.php
@@ -45,7 +45,7 @@
}
}
// the same with message bodies
- foreach ((array)$this->message->parts as $idx => $part) {
+ foreach ((array)$this->message->parts as $part) {
if ($this->is_vcard($part)) {
$this->vcard_parts[] = $part->mime_id;
$this->vcard_bodies[] = $part->mime_id;
@@ -63,32 +63,36 @@
function html_output($p)
{
$attach_script = false;
- $icon = 'plugins/vcard_attachments/' .$this->local_skin_path(). '/vcard_add_contact.png';
foreach ($this->vcard_parts as $part) {
- $vcards = rcube_vcard::import($this->message->get_part_content($part));
+ $vcards = rcube_vcard::import($this->message->get_part_body($part, true));
// successfully parsed vcards?
- if (empty($vcards))
+ if (empty($vcards)) {
continue;
+ }
// remove part's body
- if (in_array($part, $this->vcard_bodies))
+ if (in_array($part, $this->vcard_bodies)) {
$p['content'] = '';
+ }
foreach ($vcards as $idx => $vcard) {
- $display = $vcard->displayname;
- if ($vcard->email[0])
- $display .= ' <'.$vcard->email[0].'>';
+ // skip invalid vCards
+ if (empty($vcard->email) || empty($vcard->email[0])) {
+ continue;
+ }
- // add box below messsage body
+ $display = $vcard->displayname . ' <'.$vcard->email[0].'>';
+
+ // add box below message body
$p['content'] .= html::p(array('class' => 'vcardattachment'),
html::a(array(
'href' => "#",
- 'onclick' => "return plugin_vcard_save_contact('" . JQ($part.':'.$idx) . "')",
+ 'onclick' => "return plugin_vcard_save_contact('" . rcube::JQ($part.':'.$idx) . "')",
'title' => $this->gettext('addvcardmsg'),
),
- html::span(null, Q($display)))
+ html::span(null, rcube::Q($display)))
);
}
@@ -108,52 +112,65 @@
*/
function save_vcard()
{
- $this->add_texts('localization', true);
+ $this->add_texts('localization', true);
- $uid = get_input_value('_uid', RCUBE_INPUT_POST);
- $mbox = get_input_value('_mbox', RCUBE_INPUT_POST);
- $mime_id = get_input_value('_part', RCUBE_INPUT_POST);
+ $uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
+ $mbox = rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST);
+ $mime_id = rcube_utils::get_input_value('_part', rcube_utils::INPUT_POST);
- $rcmail = rcmail::get_instance();
+ $rcmail = rcmail::get_instance();
+ $storage = $rcmail->get_storage();
+ $storage->set_folder($mbox);
if ($uid && $mime_id) {
list($mime_id, $index) = explode(':', $mime_id);
- $part = $rcmail->storage->get_message_part($uid, $mime_id);
+ $part = $storage->get_message_part($uid, $mime_id, null, null, null, true);
}
$error_msg = $this->gettext('vcardsavefailed');
if ($part && ($vcards = rcube_vcard::import($part))
- && ($vcard = $vcards[$index]) && $vcard->displayname && $vcard->email) {
+ && ($vcard = $vcards[$index]) && $vcard->displayname && $vcard->email
+ ) {
+ $CONTACTS = $this->get_address_book();
+ $email = $vcard->email[0];
+ $contact = $vcard->get_assoc();
+ $valid = true;
- $contacts = $rcmail->get_address_book(null, true);
-
- // check for existing contacts
- $existing = $contacts->search('email', $vcard->email[0], true, false);
- if ($existing->count) {
- $rcmail->output->command('display_message', $this->gettext('contactexists'), 'warning');
+ // skip entries without an e-mail address or invalid
+ if (empty($email) || !$CONTACTS->validate($contact, true)) {
+ $valid = false;
}
else {
- // add contact
- $contact = array(
- 'name' => $vcard->displayname,
- 'firstname' => $vcard->firstname,
- 'surname' => $vcard->surname,
- 'email' => $vcard->email[0],
- 'vcard' => $vcard->export(),
- );
+ // We're using UTF8 internally
+ $email = rcube_utils::idn_to_utf8($email);
+ // compare e-mail address
+ $existing = $CONTACTS->search('email', $email, 1, false);
+ // compare display name
+ if (!$existing->count && $vcard->displayname) {
+ $existing = $CONTACTS->search('name', $vcard->displayname, 1, false);
+ }
+
+ if ($existing->count) {
+ $rcmail->output->command('display_message', $this->gettext('contactexists'), 'warning');
+ $valid = false;
+ }
+ }
+
+ if ($valid) {
$plugin = $rcmail->plugins->exec_hook('contact_create', array('record' => $contact, 'source' => null));
$contact = $plugin['record'];
- if (!$plugin['abort'] && ($done = $contacts->insert($contact)))
+ if (!$plugin['abort'] && $CONTACTS->insert($contact))
$rcmail->output->command('display_message', $this->gettext('addedsuccessfully'), 'confirmation');
else
$rcmail->output->command('display_message', $error_msg, 'error');
}
}
- else
+ else {
$rcmail->output->command('display_message', $error_msg, 'error');
+ }
$rcmail->output->send();
}
@@ -182,4 +199,29 @@
)
);
}
+
+ /**
+ * Getter for default (writable) addressbook
+ */
+ private function get_address_book()
+ {
+ if ($this->abook) {
+ return $this->abook;
+ }
+
+ $rcmail = rcmail::get_instance();
+ $abook = $rcmail->config->get('default_addressbook');
+
+ // Get configured addressbook
+ $CONTACTS = $rcmail->get_address_book($abook, true);
+
+ // Get first writeable addressbook if the configured doesn't exist
+ // This can happen when user deleted the addressbook (e.g. Kolab folder)
+ if ($abook === null || $abook === '' || !is_object($CONTACTS)) {
+ $source = reset($rcmail->get_address_sources(true));
+ $CONTACTS = $rcmail->get_address_book($source['id'], true);
+ }
+
+ return $this->abook = $CONTACTS;
+ }
}
--
Gitblit v1.9.1