From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/lib/Roundcube/rcube.php | 81 +++++++++++++++++-----------------------
1 files changed, 35 insertions(+), 46 deletions(-)
diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
index 4d80dc0..7388472 100644
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -505,7 +505,7 @@
}
ini_set('session.cookie_secure', $is_secure);
- ini_set('session.name', $sess_name ? $sess_name : 'roundcube_sessid');
+ ini_set('session.name', $sess_name ?: 'roundcube_sessid');
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.cookie_httponly', 1);
@@ -601,7 +601,7 @@
$attrib = array('name' => $attrib);
}
- $name = $attrib['name'] ? $attrib['name'] : '';
+ $name = (string) $attrib['name'];
// attrib contain text values: use them from now
if (($setval = $attrib[strtolower($_SESSION['language'])]) || ($setval = $attrib['en_us'])) {
@@ -619,7 +619,7 @@
// replace vars in text
if (is_array($attrib['vars'])) {
foreach ($attrib['vars'] as $var_key => $var_value) {
- $text = str_replace($var_key[0]!='$' ? '$'.$var_key : $var_key, $var_value, $text);
+ $text = str_replace($var_key[0] != '$' ? '$'.$var_key : $var_key, $var_value, $text);
}
}
@@ -685,7 +685,7 @@
*/
public function load_language($lang = null, $add = array(), $merge = array())
{
- $lang = $this->language_prop(($lang ? $lang : $_SESSION['language']));
+ $lang = $this->language_prop($lang ?: $_SESSION['language']);
// load localized texts
if (empty($this->texts) || $lang != $_SESSION['language']) {
@@ -810,26 +810,22 @@
}
/**
- * Encrypt using 3DES
+ * Encrypt a string
*
* @param string $clear Clear text input
* @param string $key Encryption key to retrieve from the configuration, defaults to 'des_key'
* @param boolean $base64 Whether or not to base64_encode() the result before returning
*
- * @return string encrypted text
+ * @return string Encrypted text
*/
public function encrypt($clear, $key = 'des_key', $base64 = true)
{
- if (!$clear) {
+ if (!is_string($clear) || !strlen($clear)) {
return '';
}
- // Add a single canary byte to the end of the clear text, which
- // will help find out how much of padding will need to be removed
- // upon decryption; see http://php.net/mcrypt_generic#68082.
- $clear = pack("a*H2", $clear, "80");
$ckey = $this->config->get_crypto_key($key);
- $method = 'DES-EDE3-CBC';
+ $method = $this->config->get_crypto_method();
$opts = defined('OPENSSL_RAW_DATA') ? OPENSSL_RAW_DATA : true;
$iv = rcube_utils::random_bytes(openssl_cipher_iv_length($method), true);
$cipher = $iv . openssl_encrypt($clear, $method, $ckey, $opts, $iv);
@@ -838,13 +834,13 @@
}
/**
- * Decrypt 3DES-encrypted string
+ * Decrypt a string
*
* @param string $cipher Encrypted text
* @param string $key Encryption key to retrieve from the configuration, defaults to 'des_key'
* @param boolean $base64 Whether or not input is base64-encoded
*
- * @return string decrypted text
+ * @return string Decrypted text
*/
public function decrypt($cipher, $key = 'des_key', $base64 = true)
{
@@ -852,10 +848,9 @@
return '';
}
- $cipher = $base64 ? base64_decode($cipher) : $cipher;
- $ckey = $this->config->get_crypto_key($key);
-
- $method = 'DES-EDE3-CBC';
+ $cipher = $base64 ? base64_decode($cipher) : $cipher;
+ $ckey = $this->config->get_crypto_key($key);
+ $method = $this->config->get_crypto_method();
$opts = defined('OPENSSL_RAW_DATA') ? OPENSSL_RAW_DATA : true;
$iv_size = openssl_cipher_iv_length($method);
$iv = substr($cipher, 0, $iv_size);
@@ -867,10 +862,6 @@
$cipher = substr($cipher, $iv_size);
$clear = openssl_decrypt($cipher, $method, $ckey, $opts, $iv);
-
- // Trim PHP's padding and the canary byte; see note in
- // rcube::encrypt() and http://php.net/mcrypt_generic#68082
- $clear = substr(rtrim($clear, "\0"), 0, -1);
return $clear;
}
@@ -909,15 +900,14 @@
*/
public function get_request_token()
{
- $sess_id = $_COOKIE[ini_get('session.name')];
- if (!$sess_id) {
- $sess_id = session_id();
+ if (empty($_SESSION['request_token'])) {
+ $plugin = $this->plugins->exec_hook('request_token', array(
+ 'value' => rcube_utils::random_bytes(32)));
+
+ $_SESSION['request_token'] = $plugin['value'];
}
- $plugin = $this->plugins->exec_hook('request_token', array(
- 'value' => md5('RT' . $this->get_user_id() . $this->config->get('des_key') . $sess_id)));
-
- return $plugin['value'];
+ return $_SESSION['request_token'];
}
/**
@@ -1277,7 +1267,7 @@
*/
public static function log_bug($arg_arr)
{
- $program = strtoupper(!empty($arg_arr['type']) ? $arg_arr['type'] : 'php');
+ $program = strtoupper($arg_arr['type'] ?: 'php');
$level = self::get_instance()->config->get('debug_level');
// disable errors for ajax requests, write to log instead (#1487831)
@@ -1287,11 +1277,18 @@
// write error to local log file
if (($level & 1) || !empty($arg_arr['fatal'])) {
+ $post_query = '';
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
- $post_query = '?_task='.urlencode($_POST['_task']).'&_action='.urlencode($_POST['_action']);
- }
- else {
- $post_query = '';
+ foreach (array('_task', '_action') as $arg) {
+ if ($_POST[$arg] && !$_GET[$arg]) {
+ $post_query[$arg] = $_POST[$arg];
+ }
+ }
+
+ if (!empty($post_query)) {
+ $post_query = (strpos($_SERVER['REQUEST_URI'], '?') != false ? '&' : '?')
+ . http_build_query($post_query, '', '&');
+ }
}
$log_entry = sprintf("%s Error: %s%s (%s %s)",
@@ -1684,18 +1681,10 @@
*/
protected function message_head($message, $unset = array())
{
- // Mail_mime >= 1.9.0
- if (method_exists($message, 'isMultipart')) {
- foreach ($unset as $header) {
- $headers[$header] = null;
- }
- }
- else {
- $headers = $message->headers();
- foreach ($unset as $header) {
- unset($headers[$header]);
- }
- $message->_headers = array();
+ // requires Mail_mime >= 1.9.0
+ $headers = array();
+ foreach ((array) $unset as $header) {
+ $headers[$header] = null;
}
return $message->txtHeaders($headers, true);
--
Gitblit v1.9.1