From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 plugins/zipdownload/zipdownload.php |   43 +++++++++++++++++++++++++------------------
 1 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/plugins/zipdownload/zipdownload.php b/plugins/zipdownload/zipdownload.php
index 90a3144..241de54 100644
--- a/plugins/zipdownload/zipdownload.php
+++ b/plugins/zipdownload/zipdownload.php
@@ -63,7 +63,7 @@
                 '_action' => 'plugin.zipdownload.attachments',
                 '_mbox'   => $rcmail->output->env['mailbox'],
                 '_uid'    => $rcmail->output->env['uid'],
-            ));
+            ), false, false, true);
 
             $link = html::a(array('href' => $href, 'class' => 'button zipdownload'),
                 rcube::Q($this->gettext('downloadall'))
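Review bot: The three positional booleans in `), false, false, true);` give no hint which one turns the token on, and the signature of the `url()` call is outside the hunk (the `$rcmail->url(array(` line precedes it). A one-line comment above the call would make the intent survive the next refactor, e.g. `// 4th arg: append the request token so download_attachments() can pass request_security_check()`, hedged to whatever the fourth parameter is actually named in rcmail::url(). The enclosing function starts before this hunk.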
@@ -96,7 +96,10 @@
 
         $rcmail  = rcmail::get_instance();
         $menu    = array();
-        $ul_attr = $rcmail->config->get('skin') == 'classic' ? null : array('class' => 'toolbarmenu');
+        $ul_attr = array('role' => 'menu', 'aria-labelledby' => 'aria-label-zipdownloadmenu');
+        if ($rcmail->config->get('skin') != 'classic') {
+            $ul_attr['class'] = 'toolbarmenu';
+        }
 
         foreach (array('eml', 'mbox', 'maildir') as $type) {
             $menu[] = html::tag('li', null, $rcmail->output->button(array(
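Review bot: The new `if ($rcmail->config->get('skin') != 'classic')` uses a loose comparison where a strict one is just as readable; `!==` avoids PHP's string/number juggling and matches the `===` the same patch uses for the `'*'` check further down. The rest of the hunk only restructures the array build and reads fine. The enclosing function starts before this hunk.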
@@ -106,7 +109,8 @@
             )));
         }
 
-        $rcmail->output->add_footer(html::div(array('id' => 'zipdownload-menu', 'class' => 'popupmenu'),
+        $rcmail->output->add_footer(html::div(array('id' => 'zipdownload-menu', 'class' => 'popupmenu', 'aria-hidden' => 'true'),
+            html::tag('h2', array('class' => 'voice', 'id' => 'aria-label-zipdownloadmenu'), "Message Download Options Menu") .
             html::tag('ul', $ul_attr, implode('', $menu))));
     }
 
@@ -116,6 +120,10 @@
     public function download_attachments()
     {
         $rcmail    = rcmail::get_instance();
+
+        // require CSRF protected request
+        $rcmail->request_security_check(rcube_utils::INPUT_GET);
+
         $imap      = $rcmail->get_storage();
         $temp_dir  = $rcmail->config->get('temp_dir');
         $tmpfname  = tempnam($temp_dir, 'zipdownload');
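Review bot: The commit subject promises protection for addressbook, managesieve and Enigma exports, but the diffstat lists only `plugins/zipdownload/zipdownload.php`, so either the subject is wrong for this commit or the other changes were split off; the message should say which. The placement of `$rcmail->request_security_check(rcube_utils::INPUT_GET)` ahead of `tempnam()` is the right order, since a rejected request then leaves no temp file behind, and that reasoning is worth a word in the existing comment, e.g. `// require CSRF protected request (checked before any temp file is created)`. download_attachments() continues past the end of this hunk.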
@@ -140,25 +148,19 @@
                 }
             }
 
-            $disp_name = $this->_convert_filename($filename);
+            $disp_name   = $this->_convert_filename($filename);
+            $tmpfn       = tempnam($temp_dir, 'zipattach');
+            $tmpfp       = fopen($tmpfn, 'w');
+            $tempfiles[] = $tmpfn;
 
-            if ($part->body) {
-                $orig_message_raw = $part->body;
-                $zip->addFromString($disp_name, $orig_message_raw);
-            }
-            else {
-                $tmpfn = tempnam($temp_dir, 'zipattach');
-                $tmpfp = fopen($tmpfn, 'w');
-                $imap->get_message_part($message->uid, $part->mime_id, $part, null, $tmpfp, true);
-                $tempfiles[] = $tmpfn;
-                fclose($tmpfp);
-                $zip->addFile($tmpfn, $disp_name);
-            }
+            $message->get_part_body($part->mime_id, false, 0, $tmpfp);
+            $zip->addFile($tmpfn, $disp_name);
+            fclose($tmpfp);
         }
 
         $zip->close();
 
-        $filename = ($message->subject ? $message->subject : 'roundcube') . '.zip';
+        $filename = ($message->subject ?: 'roundcube') . '.zip';
         $this->_deliver_zipfile($tmpfname, $filename);
 
         // delete temporary files from disk
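Review bot: Neither `tempnam($temp_dir, 'zipattach')` nor `fopen($tmpfn, 'w')` is checked, so on a full or unwritable temp dir `$tmpfp` is `false` and is handed straight to `get_part_body()` and then `fclose()`, with a warning and an empty or missing zip entry rather than a clear failure. A guard such as `if ($tmpfn === false || ($tmpfp = fopen($tmpfn, 'w')) === false) { /* abort the download with an error */ }` before the write would surface the problem; appending to `$tempfiles[]` before the write is good, as cleanup then covers partial files. The new order `addFile()` then `fclose()` works because ZipArchive reads the file at `close()`, but the original fclose-then-addFile order is easier to reason about. Note that the `$part->body` in-memory branch is gone, so every part now round-trips through disk. The enclosing loop and function start before this hunk.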
@@ -213,6 +215,11 @@
             $imap->set_folder($mbox);
             $path = $folders ? str_replace($imap->get_hierarchy_delimiter(), '/', $mbox) . '/' : '';
 
+            if ($uids === '*') {
+                $index = $imap->index($mbox, null, null, true);
+                $uids  = $index->get();
+            }
+
             foreach ($uids as $uid) {
                 $headers = $imap->get_message_headers($uid);
 
@@ -244,7 +251,7 @@
                     $subject = $this->_convert_filename($subject);
                     $subject = substr($subject, 0, 16);
 
-                    $disp_name = ($subject ? $subject : 'message_rfc822') . ".eml";
+                    $disp_name = ($subject ?: 'message_rfc822') . ".eml";
                     $disp_name = $path . $uid . "_" . $disp_name;
 
                     $tmpfn = tempnam($temp_dir, 'zipmessage');

--
Gitblit v1.9.1