From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 program/include/rcmail_install.php | 66 ++++++++++-----------------------
 1 files changed, 20 insertions(+), 46 deletions(-)
diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php
index a13cbd2..af27e29 100644
--- a/program/include/rcmail_install.php
+++ b/program/include/rcmail_install.php
@@ -1,6 +1,6 @@
 <?php
-/*
+/**
 +-----------------------------------------------------------------------+
 | rcmail_install.php |
 | |
@@ -13,13 +13,12 @@
 +-----------------------------------------------------------------------+
 */
-
 /**
 * Class to control the installation process of the Roundcube Webmail package
 *
 * @category Install
 * @package Roundcube
- * @author Thomas Bruederli
+ * @author Thomas Bruederli
 */
 class rcmail_install
 {
@@ -163,7 +162,7 @@
 $value = $this->config[$name];
 if ($name == 'des_key' && !$this->configured && !isset($_REQUEST["_$name"]))
- $value = self::random_key(24);
+ $value = rcube_utils::random_bytes(24);
 return $value !== null && $value !== '' ? $value : $default;
 }
@@ -193,7 +192,7 @@
 // generate new encryption key, never use the default value
 if ($prop == 'des_key' && $value == $this->defaults[$prop])
- $value = $this->random_key(24);
+ $value = rcube_utils::random_bytes(24);
 // convert some form data
 if ($prop == 'debug_level' && !$is_default) {
@@ -234,10 +233,9 @@
 else if (is_numeric($value)) {
 $value = intval($value);
 }
- else if ($prop == 'plugins') {
+ else if ($prop == 'plugins' && !empty($_POST['submit'])) {
 $value = array();
- foreach(array_keys($_POST) as $key)
- {
+ foreach (array_keys($_POST) as $key) {
 if (preg_match('/^_plugins_*/', $key))
 array_push($value, $_POST[$key]);
 }
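Review bot: The two `rcube_utils::random_bytes(24)` calls in the @@ -163 and @@ -193 hunks say nothing about why the length is 24 or why the printable (non-raw) form is wanted, so a later change to raw bytes would silently produce a key that cannot be embedded as a string in the generated config. Suggest `// 24 printable chars (des_key is used as a 3DES key); keep the non-raw form, the value is emitted into the config file` above each call; I am inferring the printable requirement from the `random_key()` alphabet this replaces, so confirm it against rcube_utils::random_bytes(). Both enclosing functions start and end outside their hunks.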
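Review bot: In the `plugins` branch of the @@ -234 hunk, the pattern `'/^_plugins_*/'` makes the trailing underscore optional (`_*` quantifies only the `_`), so every POST key that begins with `_plugins` matches, and the matched `$_POST[$key]` value is appended to the plugin list without any check on its content. Tighten the pattern to `'/^_plugins_/'` and accept a value only when it names a directory the installer itself discovered (the `name` entries built in the @@ -578 hunk are the natural allow-list), since the resulting list presumably ends up in the generated config. The enclosing function starts and ends outside this hunk, so where `$value` is consumed is not visible here.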
@@ -298,7 +296,7 @@
 $out = $seen = array();
 // iterate over the current configuration
- foreach ($this->config as $prop => $value) {
+ foreach (array_keys($this->config) as $prop) {
 if ($replacement = $this->replaced_config[$prop]) {
 $out['replaced'][] = array('prop' => $prop, 'replacement' => $replacement);
 $seen[$replacement] = true;
@@ -524,7 +522,7 @@
 foreach ($default_hosts as $key => $name) {
 if (!empty($name))
- $out[] = rcube_parse_host(is_numeric($key) ? $name : $key);
+ $out[] = rcube_utils::parse_host(is_numeric($key) ? $name : $key);
 }
 return $out;
@@ -578,17 +576,18 @@
 foreach (glob($plugin_dir . '*') as $path) {
- if (is_dir($path) && file_exists($path.'/composer.json'))
+ if (is_dir($path) && is_readable($path.'/composer.json'))
 {
 $file_json = json_decode(file_get_contents($path.'/composer.json'));
- $plugin_desc = $file_json->description;
+ $plugin_desc = $file_json->description ?: 'N/A';
 }
 else {
 $plugin_desc = 'N/A';
 }
- $plugins[] = array('name' => substr($path, strlen($plugin_dir)), 'desc' => $plugin_desc);
+ $name = substr($path, strlen($plugin_dir));
+ $plugins[] = array('name' => $name, 'desc' => $plugin_desc, 'enabled' => in_array($name, $this->config['plugins']));
 }
 return $plugins;
@@ -602,7 +601,7 @@
 */
 function pass($name, $message = '')
 {
- echo Q($name) . ': <span class="success">OK</span>';
+ echo rcube::Q($name) . ': <span class="success">OK</span>';
 $this->_showhint($message);
 }
@@ -621,7 +620,7 @@
 $this->failures++;
 }
- echo Q($name) . ': <span class="fail">NOT OK</span>';
+ echo rcube::Q($name) . ': <span class="fail">NOT OK</span>';
 $this->_showhint($message, $url);
 }
@@ -635,7 +634,7 @@
 */
 function optfail($name, $message = '', $url = '')
 {
- echo Q($name) . ': <span class="na">NOT OK</span>';
+ echo rcube::Q($name) . ': <span class="na">NOT OK</span>';
 $this->_showhint($message, $url);
 }
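Review bot: In the @@ -578 hunk, `in_array($name, $this->config['plugins'])` assumes the `plugins` entry is an array; when it is missing or null (a fresh install with nothing configured yet) in_array() emits a warning and `enabled` is always false, and the loose comparison lets a numeric-looking directory name match unexpectedly. In the same hunk `json_decode()` returns null for a malformed composer.json, so `$file_json->description` raises a notice before the `?:` fallback can help. Suggest `'enabled' => in_array($name, (array) $this->config['plugins'], true)` and `$plugin_desc = is_object($file_json) && !empty($file_json->description) ? $file_json->description : 'N/A';`. The enclosing function starts outside this hunk.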
@@ -649,17 +648,17 @@
 */
 function na($name, $message = '', $url = '')
 {
- echo Q($name) . ': <span class="na">NOT AVAILABLE</span>';
+ echo rcube::Q($name) . ': <span class="na">NOT AVAILABLE</span>';
 $this->_showhint($message, $url);
 }
 function _showhint($message, $url = '')
 {
- $hint = Q($message);
+ $hint = rcube::Q($message);
 if ($url)
- $hint .= ($hint ? '; ' : '') . 'See <a href="' . Q($url) . '" target="_blank">' . Q($url) . '</a>';
+ $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank">' . rcube::Q($url) . '</a>';
 if ($hint)
 echo '<span class="indent">(' . $hint . ')</span>';
@@ -773,12 +772,8 @@
 */
 function update_db($version)
 {
- system(INSTALL_PATH . "bin/updatedb.sh --package=roundcube"
- . " --version=" . escapeshellarg($version)
- . " --dir=" . INSTALL_PATH . "SQL"
- . " 2>&1", $result);
-
- return !$result;
+ return rcmail_utils::db_update(INSTALL_PATH . 'SQL', 'roundcube', $version,
+ array('quiet' => true));
 }
@@ -789,25 +784,4 @@
 {
 $this->last_error = $p;
 }
-
-
- /**
- * Generarte a ramdom string to be used as encryption key
- *
- * @param int Key length
- * @return string The generated random string
- * @static
- */
- function random_key($length)
- {
- $alpha = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_=';
- $out = '';
-
- for ($i=0; $i < $length; $i++)
- $out .= $alpha{rand(0, strlen($alpha)-1)};
-
- return $out;
- }
-
 }
-- Gitblit v1.9.1
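Review bot: In the @@ -773 hunk, `update_db()` now returns whatever `rcmail_utils::db_update()` returns, whereas the removed body returned a strict bool derived from the shell exit status; the docblock above the hunk (outside view) and any caller comparing the result with `===` need that contract confirmed, ideally with an explicit `@return bool` on the docblock. Passing `'quiet' => true` presumably also suppresses the migration output that the old `system(... 2>&1)` call echoed into the installer page, so a failed upgrade may now show no reason; consider routing db_update's error text through the error handler this class already has (`$this->last_error` in the @@ -789 hunk). Removing the shell invocation is the right direction, since `$version` no longer reaches a command line at all.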