From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 plugins/zipdownload/zipdownload.php | 15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/plugins/zipdownload/zipdownload.php b/plugins/zipdownload/zipdownload.php
index 2e103ce..241de54 100644
--- a/plugins/zipdownload/zipdownload.php
+++ b/plugins/zipdownload/zipdownload.php
@@ -63,7 +63,7 @@
 '_action' => 'plugin.zipdownload.attachments',
 '_mbox' => $rcmail->output->env['mailbox'],
 '_uid' => $rcmail->output->env['uid'],
- ));
+ ), false, false, true);
 $link = html::a(array('href' => $href, 'class' => 'button zipdownload'),
 rcube::Q($this->gettext('downloadall'))
@@ -120,6 +120,10 @@
 public function download_attachments()
 {
 $rcmail = rcmail::get_instance();
+
+ // require CSRF protected request
+ $rcmail->request_security_check(rcube_utils::INPUT_GET);
+
 $imap = $rcmail->get_storage();
 $temp_dir = $rcmail->config->get('temp_dir');
 $tmpfname = tempnam($temp_dir, 'zipdownload');
@@ -156,7 +160,7 @@
 $zip->close();
- $filename = ($message->subject ? $message->subject : 'roundcube') . '.zip';
+ $filename = ($message->subject ?: 'roundcube') . '.zip';
 $this->_deliver_zipfile($tmpfname, $filename);
 // delete temporary files from disk
@@ -211,6 +215,11 @@
 $imap->set_folder($mbox);
 $path = $folders ? str_replace($imap->get_hierarchy_delimiter(), '/', $mbox) . '/' : '';
+ if ($uids === '*') {
+ $index = $imap->index($mbox, null, null, true);
+ $uids = $index->get();
+ }
+
 foreach ($uids as $uid) {
 $headers = $imap->get_message_headers($uid);
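Review bot: The `false, false, true` tail added to the `$rcmail->url()` call on the replaced line is three positional booleans, and nothing nearby says why the last one is now `true`; a comment tying it to the server-side check introduced further down would help, e.g. `// secure=true: append the request token, download_attachments() now rejects requests without it`. If `rcmail::url()`'s parameters are `$absolute, $full, $secure` as the call order suggests, naming them in that comment saves the reader a trip to the definition. The enclosing method starts before the hunk.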
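Review bot: The patch subject promises the same protection for addressbook, managesieve and Enigma exports, yet the diffstat lists only `plugins/zipdownload/zipdownload.php` (1 file changed, 12 insertions), so either those handlers are covered by a separate commit or they still lack a `request_security_check()` call — worth confirming before merging under this title. Within this hunk the placement is right: the check runs before `tempnam()` creates anything on disk, so a rejected request leaves no temp file behind, assuming `request_security_check()` terminates on failure rather than returning. The added comment could state the contract it relies on, e.g. `// require CSRF protected request: the download link must carry the request token (built with $secure=true in rcmail::url())`. download_attachments() continues past the end of the hunk.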
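Review bot: The zip's download name on the rewritten line is still built from the raw `$message->subject`, while the per-message entry names later in this file (hunk at line 242) first pass the subject through `$this->_convert_filename()` and truncate it; unless `_deliver_zipfile()` (outside the hunk) sanitizes the name before it reaches the Content-Disposition header, applying the same helper here keeps both paths consistent, e.g. `$filename = ($this->_convert_filename($message->subject) ?: 'roundcube') . '.zip';`. Note that `?:` tests truthiness, so a subject of `"0"` falls back to `roundcube` — identical to the old ternary, so the rewrite itself changes no behaviour. download_attachments() continues past the end of the hunk.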
@@ -242,7 +251,7 @@
 $subject = $this->_convert_filename($subject);
 $subject = substr($subject, 0, 16);
- $disp_name = ($subject ? $subject : 'message_rfc822') . ".eml";
+ $disp_name = ($subject ?: 'message_rfc822') . ".eml";
 $disp_name = $path . $uid . "_" . $disp_name;
 $tmpfn = tempnam($temp_dir, 'zipmessage');
-- 
Gitblit v1.9.1
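Review bot: The rewritten line keeps `".eml"` in double quotes while the parallel rewrite at line 160 writes `'.zip'` in single quotes; neither literal interpolates anything, so `$disp_name = ($subject ?: 'message_rfc822') . '.eml';` would make the two hunks read alike. As at line 160, `?:` keeps the old truthiness semantics (an all-zero subject falls back to `message_rfc822`), so this is a pure style change. The enclosing method starts and ends outside the hunk.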