From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 plugins/zipdownload/zipdownload.php | 35 +++++++++++++++++++----------------
 1 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/plugins/zipdownload/zipdownload.php b/plugins/zipdownload/zipdownload.php
index edb8188..241de54 100644
--- a/plugins/zipdownload/zipdownload.php
+++ b/plugins/zipdownload/zipdownload.php
@@ -63,7 +63,7 @@
 '_action' => 'plugin.zipdownload.attachments',
 '_mbox' => $rcmail->output->env['mailbox'],
 '_uid' => $rcmail->output->env['uid'],
- ));
+ ), false, false, true);
 $link = html::a(array('href' => $href, 'class' => 'button zipdownload'),
 rcube::Q($this->gettext('downloadall'))
@@ -120,6 +120,10 @@
 public function download_attachments()
 {
 $rcmail = rcmail::get_instance();
+
+ // require CSRF protected request
+ $rcmail->request_security_check(rcube_utils::INPUT_GET);
+
 $imap = $rcmail->get_storage();
 $temp_dir = $rcmail->config->get('temp_dir');
 $tmpfname = tempnam($temp_dir, 'zipdownload');
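Review bot: The three positional booleans in `), false, false, true);` give a reader no clue why this link changed; the fourth one appears to be what makes `url()` append the request token that `download_attachments()` now demands, and that dependency is worth stating where it is introduced. Suggested: `), false, false, true); // secure URL: carries the request token checked by download_attachments()`. If `url()` does not add the token for this flag, the download link fails for every user, so confirm it against rcmail::url(). The statement building `$href` begins before this hunk.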
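Review bot: The return value of `$rcmail->request_security_check(rcube_utils::INPUT_GET)` is dropped, so the guard only works if that method ends the request itself on a bad or missing token; if it reports failure by returning false, execution falls straight through to `tempnam()` and the zip is built and delivered regardless. If it is not terminal, write `if (!$rcmail->request_security_check(rcube_utils::INPUT_GET)) { return; }`. Checking before any temp file is created is the right placement, since a rejected request then leaves nothing behind in `temp_dir`. Whether the other download entry point in this plugin needs the same guard depends on how it is reached, which is not visible here.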
@@ -144,25 +148,19 @@
 }
 }
- $disp_name = $this->_convert_filename($filename);
+ $disp_name = $this->_convert_filename($filename);
+ $tmpfn = tempnam($temp_dir, 'zipattach');
+ $tmpfp = fopen($tmpfn, 'w');
+ $tempfiles[] = $tmpfn;
- if ($part->body) {
- $orig_message_raw = $part->body;
- $zip->addFromString($disp_name, $orig_message_raw);
- }
- else {
- $tmpfn = tempnam($temp_dir, 'zipattach');
- $tmpfp = fopen($tmpfn, 'w');
- $imap->get_message_part($message->uid, $part->mime_id, $part, null, $tmpfp, true);
- $tempfiles[] = $tmpfn;
- fclose($tmpfp);
- $zip->addFile($tmpfn, $disp_name);
- }
+ $message->get_part_body($part->mime_id, false, 0, $tmpfp);
+ $zip->addFile($tmpfn, $disp_name);
+ fclose($tmpfp);
 }
 $zip->close();
- $filename = ($message->subject ? $message->subject : 'roundcube') . '.zip';
+ $filename = ($message->subject ?: 'roundcube') . '.zip';
 $this->_deliver_zipfile($tmpfname, $filename);
 // delete temporary files from disk
@@ -217,6 +215,11 @@
 $imap->set_folder($mbox);
 $path = $folders ? str_replace($imap->get_hierarchy_delimiter(), '/', $mbox) . '/' : '';
+ if ($uids === '*') {
+ $index = $imap->index($mbox, null, null, true);
+ $uids = $index->get();
+ }
+
 foreach ($uids as $uid) {
 $headers = $imap->get_message_headers($uid);
@@ -248,7 +251,7 @@
 $subject = $this->_convert_filename($subject);
 $subject = substr($subject, 0, 16);
- $disp_name = ($subject ? $subject : 'message_rfc822') . ".eml";
+ $disp_name = ($subject ?: 'message_rfc822') . ".eml";
 $disp_name = $path . $uid . "_" . $disp_name;
 $tmpfn = tempnam($temp_dir, 'zipmessage');
-- 
Gitblit v1.9.1
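Review bot: `$tmpfp = fopen($tmpfn, 'w');` and the `tempnam()` before it are used without checking for `false`, so when `temp_dir` is unwritable or full the part body is most likely not written anywhere, `addFile()` is attempted on a bad path, and the user receives a zip silently missing that attachment. The new ordering also calls `$zip->addFile($tmpfn, $disp_name)` before `fclose($tmpfp)`; this only works because ZipArchive reads the file contents at `close()` rather than at `addFile()`, an implicit dependency best removed by swapping the two lines to `fclose($tmpfp); $zip->addFile($tmpfn, $disp_name);`. Guard the handle with `if ($tmpfp === false) { /* abort with an error rather than continue */ }` before the `get_part_body()` call. The loop this code sits in starts before the hunk.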
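Review bot: The `'*'` branch pulls the entire folder index with `$imap->index($mbox, null, null, true)` and the following `foreach` then copies every message into `temp_dir` with no upper bound, so one request against a large folder can exhaust temp space or the PHP time and memory limits; consider capping the message count or total size and answering with an error above that limit. The trailing positional `true` is unexplained at the call site; a comment such as `// '*' selects every message in the folder` plus a word on what the fourth argument switches, once confirmed against rcube_imap::index(), would help the next reader. Where `$uids` is parsed, and whether a non-array value other than `'*'` can reach the `foreach`, lies outside this hunk, as the function starts before it.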