From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/lib/Roundcube/rcube.php |   15 +++++++++++----
 1 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
index 3b17d99..7388472 100644
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -1277,11 +1277,18 @@
 
         // write error to local log file
         if (($level & 1) || !empty($arg_arr['fatal'])) {
+            $post_query = '';
             if ($_SERVER['REQUEST_METHOD'] == 'POST') {
-                $post_query = '?_task='.urlencode($_POST['_task']).'&_action='.urlencode($_POST['_action']);
-            }
-            else {
-                $post_query = '';
+                foreach (array('_task', '_action') as $arg) {
+                    if ($_POST[$arg] && !$_GET[$arg]) {
+                        $post_query[$arg] = $_POST[$arg];
+                    }
+                }
+
+                if (!empty($post_query)) {
+                    $post_query = (strpos($_SERVER['REQUEST_URI'], '?') != false ? '&' : '?')
+                        . http_build_query($post_query, '', '&');
+                }
             }
 
             $log_entry = sprintf("%s Error: %s%s (%s %s)",

--
Gitblit v1.9.1