From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 05 Feb 2016 07:25:27 -0500 Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports --- program/include/rcmail_install.php | 155 ++++++++++++++++++--------------------------------- 1 files changed, 55 insertions(+), 100 deletions(-) diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php index ca06f10..af27e29 100644 --- a/program/include/rcmail_install.php +++ b/program/include/rcmail_install.php @@ -1,6 +1,6 @@ <?php -/* +/** +-----------------------------------------------------------------------+ | rcmail_install.php | | | @@ -13,13 +13,12 @@ +-----------------------------------------------------------------------+ */ - /** * Class to control the installation process of the Roundcube Webmail package * * @category Install * @package Roundcube - * @author Thomas Bruederli + * @author Thomas Bruederli */ class rcmail_install { @@ -55,6 +54,7 @@ 'SQLite (v2)' => 'pdo_sqlite2', 'SQL Server (SQLSRV)' => 'pdo_sqlsrv', 'SQL Server (DBLIB)' => 'pdo_dblib', + 'Oracle' => 'oci8', ); @@ -162,7 +162,7 @@ $value = $this->config[$name]; if ($name == 'des_key' && !$this->configured && !isset($_REQUEST["_$name"])) - $value = self::random_key(24); + $value = rcube_utils::random_bytes(24); return $value !== null && $value !== '' ? $value : $default; } @@ -192,7 +192,7 @@ // generate new encryption key, never use the default value if ($prop == 'des_key' && $value == $this->defaults[$prop]) - $value = $this->random_key(24); + $value = rcube_utils::random_bytes(24); // convert some form data if ($prop == 'debug_level' && !$is_default) { 
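Review bot: In the `@@ -162` and `@@ -192` hunks the new `$value = rcube_utils::random_bytes(24);` result is used directly as `des_key`, a value the installer writes back into the generated config file as a PHP string literal; if that helper returns raw octets (as its name suggests) rather than a printable string, the literal can contain quotes, backslashes or NUL and the key is silently mangled on write-back, and the effective key length depends on whether it returns 24 bytes or an encoding of them. Confirm the helper's return form and state the expectation at the call site, e.g. `// des_key must stay a 24-character printable string (presumably 3DES); random_bytes() is expected to return one`. Both enclosing methods start and end outside the hunk. Separately, the patch subject (securing export downloads) describes none of the rcmail_install.php changes here, so the commit message should be checked against what was actually staged.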
@@ -232,6 +232,13 @@
         }
         else if (is_numeric($value)) {
             $value = intval($value);
+        }
+        else if ($prop == 'plugins' && !empty($_POST['submit'])) {
+            $value = array();
+            foreach (array_keys($_POST) as $key) {
+                if (preg_match('/^_plugins_*/', $key))
+                    array_push($value, $_POST[$key]);
+            }
         }
 
         // skip this property
@@ -289,7 +296,7 @@
         $out = $seen = array();
 
         // iterate over the current configuration
-        foreach ($this->config as $prop => $value) {
+        foreach (array_keys($this->config) as $prop) {
             if ($replacement = $this->replaced_config[$prop]) {
                 $out['replaced'][] = array('prop' => $prop, 'replacement' => $replacement);
                 $seen[$replacement] = true;
@@ -476,7 +483,7 @@
         $types = array(
             'application/zip' => 'zip',
             'application/x-tar' => 'tar',
-            'application/java-archive' => 'jar',
+            'application/pdf' => 'pdf',
             'image/gif' => 'gif',
             'image/svg+xml' => 'svg',
         );
@@ -484,7 +491,7 @@
         $errors = array();
         foreach ($types as $mimetype => $expected) {
             $ext = rcube_mime::get_mime_extensions($mimetype);
-            if ($ext[0] != $expected) {
+            if (!in_array($expected, (array) $ext)) {
                 $errors[] = array($mimetype, $ext, $expected);
             }
         }
@@ -515,7 +522,7 @@
 
         foreach ($default_hosts as $key => $name) {
             if (!empty($name))
-                $out[] = rcube_parse_host(is_numeric($key) ? $name : $key);
+                $out[] = rcube_utils::parse_host(is_numeric($key) ? $name : $key);
         }
 
         return $out;
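Review bot: The new `plugins` branch in the `@@ -232` hunk copies every `$_POST` value whose key starts with `_plugins` into the plugin list without validating it, and that list is what the installer writes into the generated config, from which the plugin loader presumably resolves `plugins/<name>/` by name; a submitted value such as `../../x` or an array (`_plugins_x[]=`) therefore ends up verbatim in the configuration. The pattern `/^_plugins_*/` also only anchors on `_plugins` (the `_*` matches zero underscores), so it is looser than the `_plugins_` prefix it appears to intend. Restrict the accepted values to names of directories that actually exist under `INSTALL_PATH . 'plugins/'` and to a safe character set, as below. The enclosing method starts and ends outside the hunk.

```php
else if ($prop == 'plugins' && !empty($_POST['submit'])) {
    $value = array();
    foreach ($_POST as $key => $name) {
        // accept only names of plugin directories that actually exist; the
        // list is written to the config and later resolved by name
        if (strpos($key, '_plugins_') === 0 && is_string($name)
            && preg_match('/^[a-zA-Z0-9_]+$/', $name)
            && is_dir(INSTALL_PATH . 'plugins/' . $name)
        ) {
            $value[] = $name;
        }
    }
}
```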
@@ -558,6 +565,35 @@
     }
 
     /**
+     * Return a list with available subfolders of the plugins directory
+     * (with their associated description in composer.json)
+     */
+    function list_plugins()
+    {
+        $plugins = array();
+        $plugin_dir = INSTALL_PATH . 'plugins/';
+
+        foreach (glob($plugin_dir . '*') as $path)
+        {
+
+            if (is_dir($path) && is_readable($path.'/composer.json'))
+            {
+                $file_json = json_decode(file_get_contents($path.'/composer.json'));
+                $plugin_desc = $file_json->description ?: 'N/A';
+            }
+            else
+            {
+                $plugin_desc = 'N/A';
+            }
+
+            $name = substr($path, strlen($plugin_dir));
+            $plugins[] = array('name' => $name, 'desc' => $plugin_desc, 'enabled' => in_array($name, $this->config['plugins']));
+        }
+
+        return $plugins;
+    }
+
+    /**
      * Display OK status
      *
      * @param string Test name
@@ -565,7 +601,7 @@
      */
     function pass($name, $message = '')
     {
-        echo Q($name) . ': <span class="success">OK</span>';
+        echo rcube::Q($name) . ': <span class="success">OK</span>';
         $this->_showhint($message);
     }
 
@@ -584,7 +620,7 @@
             $this->failures++;
         }
 
-        echo Q($name) . ': <span class="fail">NOT OK</span>';
+        echo rcube::Q($name) . ': <span class="fail">NOT OK</span>';
         $this->_showhint($message, $url);
     }
 
@@ -598,7 +634,7 @@
      */
     function optfail($name, $message = '', $url = '')
     {
-        echo Q($name) . ': <span class="na">NOT OK</span>';
+        echo rcube::Q($name) . ': <span class="na">NOT OK</span>';
         $this->_showhint($message, $url);
     }
 
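Review bot: `list_plugins()` dereferences the `json_decode()` result without checking it, so a malformed or non-object `composer.json` in any plugin directory turns `$file_json->description` into a property access on null, and `in_array($name, $this->config['plugins'])` passes a null haystack when no plugins are configured yet — which is exactly the state a fresh installer run is in. `glob()` can also return false, which `foreach` rejects. The description text comes from third-party plugin packages and is presumably rendered into the installer page, so whichever template prints `desc` should pass it through `rcube::Q()` as the other hunks do for their output. The rewrite below guards the three spots and drops the brace-on-own-line style, which differs from the rest of the file.

```php
function list_plugins()
{
    $plugins    = array();
    $plugin_dir = INSTALL_PATH . 'plugins/';
    // config['plugins'] is unset on a fresh install; in_array() needs an array
    $enabled    = (array) $this->config['plugins'];

    foreach ((array) glob($plugin_dir . '*') as $path) {
        $plugin_desc = 'N/A';

        if (is_dir($path) && is_readable($path . '/composer.json')) {
            $file_json = json_decode(file_get_contents($path . '/composer.json'));
            // a malformed composer.json decodes to null; do not dereference it
            if (is_object($file_json) && !empty($file_json->description)) {
                $plugin_desc = $file_json->description;
            }
        }

        $name      = substr($path, strlen($plugin_dir));
        $plugins[] = array('name' => $name, 'desc' => $plugin_desc, 'enabled' => in_array($name, $enabled));
    }

    return $plugins;
}
```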
@@ -612,17 +648,17 @@
      */
     function na($name, $message = '', $url = '')
     {
-        echo Q($name) . ': <span class="na">NOT AVAILABLE</span>';
+        echo rcube::Q($name) . ': <span class="na">NOT AVAILABLE</span>';
         $this->_showhint($message, $url);
     }
 
 
     function _showhint($message, $url = '')
     {
-        $hint = Q($message);
+        $hint = rcube::Q($message);
 
         if ($url)
-            $hint .= ($hint ? '; ' : '') . 'See <a href="' . Q($url) . '" target="_blank">' . Q($url) . '</a>';
+            $hint .= ($hint ? '; ' : '') . 'See <a href="' . rcube::Q($url) . '" target="_blank">' . rcube::Q($url) . '</a>';
 
         if ($hint)
             echo '<span class="indent">(' . $hint . ')</span>';
@@ -710,7 +746,8 @@
         // read schema file from /SQL/*
         $fname = INSTALL_PATH . "SQL/$engine.initial.sql";
         if ($sql = @file_get_contents($fname)) {
-            $this->exec_sql($sql, $DB);
+            $DB->set_option('table_prefix', $this->config['db_prefix']);
+            $DB->exec_script($sql);
         }
         else {
             $this->fail('DB Schema', "Cannot read the schema file: $fname");
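Review bot: In the `@@ -710` hunk `$this->config['db_prefix']` is handed to `set_option('table_prefix', …)` unconditionally, so when no prefix is configured the option is set to null; the helper this replaces only rewrote names when the prefix was non-empty, and whether `rcube_db::exec_script()` treats null the same way is not visible here. The removed helper also prefixed PostgreSQL `CREATE SEQUENCE` names, so confirm `exec_script()` covers sequences as well, otherwise a prefixed install on PostgreSQL ends up with unprefixed sequences. The return value of `exec_script()` is discarded, as the old `exec_sql()` call's was; if the caller relies on `$DB->is_error()` afterwards, a short comment saying so, `// errors are picked up via $DB->is_error() below`, would make that dependency explicit. The enclosing method starts and ends outside the hunk.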
@@ -735,69 +772,8 @@
      */
     function update_db($version)
     {
-        system(INSTALL_PATH . "bin/updatedb.sh --package=roundcube"
-            . " --version=" . escapeshellarg($version)
-            . " --dir=" . INSTALL_PATH . "SQL"
-            . " 2>&1", $result);
-
-        return !$result;
-    }
-
-
-    /**
-     * Execute the given SQL queries on the database connection
-     *
-     * @param string SQL queries to execute
-     * @param object rcube_db Database connection
-     * @return boolen True on success, False on error
-     */
-    function exec_sql($sql, $DB)
-    {
-        $sql = $this->fix_table_names($sql, $DB);
-        $buff = '';
-        foreach (explode("\n", $sql) as $line) {
-            if (preg_match('/^--/', $line) || trim($line) == '')
-                continue;
-
-            $buff .= $line . "\n";
-            if (preg_match('/(;|^GO)$/', trim($line))) {
-                $DB->query($buff);
-                $buff = '';
-                if ($DB->is_error())
-                    break;
-            }
-        }
-
-        return !$DB->is_error();
-    }
-
-
-    /**
-     * Parse SQL file and fix table names according to db_prefix
-     * Note: This need to be a complete database initial file
-     */
-    private function fix_table_names($sql, $DB)
-    {
-        if (empty($this->config['db_prefix'])) {
-            return $sql;
-        }
-
-        // replace table names
-        if (preg_match_all('/CREATE TABLE (\[dbo\]\.|IF NOT EXISTS )?[`"\[\]]*([^`"\[\] \r\n]+)/i', $sql, $matches)) {
-            foreach ($matches[2] as $table) {
-                $real_table = $this->config['db_prefix'] . $table;
-                $sql = preg_replace("/([^a-zA-Z0-9_])$table([^a-zA-Z0-9_])/", "\\1$real_table\\2", $sql);
-            }
-        }
-        // replace sequence names
-        if ($DB->db_provider == 'postgres' && preg_match_all('/CREATE SEQUENCE (IF NOT EXISTS )?"?([^" \n\r]+)/i', $sql, $matches)) {
-            foreach ($matches[2] as $sequence) {
-                $real_sequence = $this->config['db_prefix'] . $sequence;
-                $sql = preg_replace("/([^a-zA-Z0-9_])$sequence([^a-zA-Z0-9_])/", "\\1$real_sequence\\2", $sql);
-            }
-        }
-
-        return $sql;
+        return rcmail_utils::db_update(INSTALL_PATH . 'SQL', 'roundcube', $version,
+            array('quiet' => true));
     }
 
 
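Review bot: `update_db()` now returns whatever `rcmail_utils::db_update()` returns, whereas the removed body returned a boolean derived from the script's exit status, and with `'quiet' => true` any diagnostic output is suppressed; callers that test the return value get neither a guaranteed boolean nor an error message unless `db_update()` itself returns false or throws on failure, which is not visible here. The docblock ending at the context line `*/` (outside the hunk) still describes the old contract and should state the new return value, e.g. `@return bool True on success, False on error`, once that is confirmed. Dropping the `system()` call removes a shell invocation from the installer, which is a clear improvement. The enclosing method's docblock starts outside the hunk.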
@@ -808,25 +784,4 @@ { $this->last_error = $p; } - - - /** - * Generarte a ramdom string to be used as encryption key - * - * @param int Key length - * @return string The generated random string - * @static - */ - function random_key($length) - { - $alpha = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_='; - $out = ''; - - for ($i=0; $i < $length; $i++) - $out .= $alpha{rand(0, strlen($alpha)-1)}; - - return $out; - } - } - -- Gitblit v1.9.1