From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 plugins/zipdownload/zipdownload.php | 10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/plugins/zipdownload/zipdownload.php b/plugins/zipdownload/zipdownload.php
index 983db12..241de54 100644
--- a/plugins/zipdownload/zipdownload.php
+++ b/plugins/zipdownload/zipdownload.php
@@ -63,7 +63,7 @@
 '_action' => 'plugin.zipdownload.attachments',
 '_mbox' => $rcmail->output->env['mailbox'],
 '_uid' => $rcmail->output->env['uid'],
- ));
+ ), false, false, true);
 
 $link = html::a(array('href' => $href, 'class' => 'button zipdownload'),
 rcube::Q($this->gettext('downloadall'))
@@ -120,6 +120,10 @@
 public function download_attachments()
 {
 $rcmail = rcmail::get_instance();
+
+ // require CSRF protected request
+ $rcmail->request_security_check(rcube_utils::INPUT_GET);
+
 $imap = $rcmail->get_storage();
 $temp_dir = $rcmail->config->get('temp_dir');
 $tmpfname = tempnam($temp_dir, 'zipdownload');
@@ -156,7 +160,7 @@
 
 $zip->close();
 
- $filename = ($message->subject ? $message->subject : 'roundcube') . '.zip';
+ $filename = ($message->subject ?: 'roundcube') . '.zip';
 $this->_deliver_zipfile($tmpfname, $filename);
 
 // delete temporary files from disk
@@ -247,7 +251,7 @@
 $subject = $this->_convert_filename($subject);
 $subject = substr($subject, 0, 16);
 
- $disp_name = ($subject ? $subject : 'message_rfc822') . ".eml";
+ $disp_name = ($subject ?: 'message_rfc822') . ".eml";
 $disp_name = $path . $uid . "_" . $disp_name;
 
 $tmpfn = tempnam($temp_dir, 'zipmessage');
-- 
Gitblit v1.9.1
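Review bot: The new `), false, false, true);` closing of the `$rcmail->url(...)` call in the first hunk is three positional booleans whose meaning is invisible at the call site; a short comment should name the one that matters, e.g. `// last arg true: append the request token that download_attachments() now verifies`. The url() call and the function it sits in both start outside the hunk, so the pairing with the GET-mode security check in the second hunk is the only visible evidence of what that flag does — worth stating explicitly so the two ends of the token round-trip stay linked for the next maintainer.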
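Review bot: The result of `$rcmail->request_security_check(rcube_utils::INPUT_GET);` in the second hunk is discarded, so the guard only holds if that method terminates the request itself when the token check fails; if it returns a status instead, download_attachments() falls through to tempnam() and delivers the archive regardless. Worth confirming against rcmail, or making it explicit with `if (!$rcmail->request_security_check(rcube_utils::INPUT_GET)) { return; }`. The subject line lists addressbook, managesieve and Enigma exports, but the diffstat touches only zipdownload.php, so either the description or the patch looks incomplete. The message-export path that the fourth hunk belongs to (`tempnam($temp_dir, 'zipmessage')`) receives no such check in this patch; if it is reachable via GET as well it needs the same guard. download_attachments() continues outside the hunk.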