From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 05 Feb 2016 07:25:27 -0500 Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports --- program/steps/addressbook/edit.inc | 164 +++++++++++++++++++++++++++++++----------------------- 1 files changed, 94 insertions(+), 70 deletions(-) diff --git a/program/steps/addressbook/edit.inc b/program/steps/addressbook/edit.inc index 0f1fd66..a826f17 100644 --- a/program/steps/addressbook/edit.inc +++ b/program/steps/addressbook/edit.inc @@ -1,11 +1,11 @@ <?php -/* +/** +-----------------------------------------------------------------------+ | program/steps/addressbook/edit.inc | | | | This file is part of the Roundcube Webmail client | - | Copyright (C) 2005-2007, The Roundcube Dev Team | + | Copyright (C) 2005-2013, The Roundcube Dev Team | | | | Licensed under the GNU General Public License version 3 or | | any later version with exceptions for skins & plugins. | 
@@ -36,23 +36,21 @@ // editing not allowed here if ($CONTACTS->readonly || $record['readonly']) { $OUTPUT->show_message('sourceisreadonly'); - rcmail_overwrite_action('show'); + $RCMAIL->overwrite_action('show'); return; } } else { - $source = get_input_value('_source', RCUBE_INPUT_GPC); + $source = rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); - if (!strlen($source)) { - // Give priority to configured default - $source = $RCMAIL->config->get('default_addressbook'); + if (strlen($source)) { + $CONTACTS = $RCMAIL->get_address_book($source, true); } - $CONTACTS = $RCMAIL->get_address_book($source, true); - - // find writable addressbook - if (!$CONTACTS || $CONTACTS->readonly) - $source = rcmail_default_source(true); + if (!$CONTACTS || $CONTACTS->readonly) { + $CONTACTS = $RCMAIL->get_address_book(-1, true); + $source = $RCMAIL->get_address_book_id($CONTACTS); + } // Initialize addressbook $CONTACTS = rcmail_contact_source($source, true); @@ -60,6 +58,27 @@ $SOURCE_ID = $source; rcmail_set_sourcename($CONTACTS); + + +$OUTPUT->add_handlers(array( + 'contactedithead' => 'rcmail_contact_edithead', + 'contacteditform' => 'rcmail_contact_editform', + 'contactphoto' => 'rcmail_contact_photo', + 'photouploadform' => 'rcmail_upload_photo_form', + 'sourceselector' => 'rcmail_source_selector', + 'filedroparea' => 'rcmail_photo_drop_area', +)); + +$OUTPUT->set_pagetitle($RCMAIL->gettext(($RCMAIL->action == 'add' ? 'addcontact' : 'editcontact'))); + +if ($RCMAIL->action == 'add' && $OUTPUT->template_exists('contactadd')) { + $OUTPUT->send('contactadd'); +} + +// this will be executed if no template for addcontact exists +$OUTPUT->send('contactedit'); + + function rcmail_get_edit_record() { @@ -72,7 +91,7 @@ else if ($RCMAIL->action != 'add' && !(($result = $CONTACTS->get_result()) && ($record = $result->first())) ) { - $RCMAIL->output->show_message('contactnotfound'); + $RCMAIL->output->show_message('contactnotfound', 'error'); return false; } 
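Review bot: In the `else` branch, `$CONTACTS` is read by `if (!$CONTACTS || $CONTACTS->readonly)` but is only assigned when `strlen($source)` is true, so an empty or missing `_source` reaches that test with an undefined variable (a notice under error reporting, and a silent dependence on nothing earlier in the file having set `$CONTACTS` — the top of the file is outside this hunk). Initialise it explicitly before the first `if`: `$CONTACTS = null;`. The fallback then takes `get_address_book(-1, true)`; a one-line comment naming what `-1` selects (presumably the first writable source) would make the intent readable without chasing the API.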
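Review bot: The handler registration and the two `$OUTPUT->send()` calls now sit above the functions they reference by name (`rcmail_contact_edithead`, `rcmail_upload_photo_form`, …), which only works because PHP hoists unconditionally declared functions within the file; a comment above `$OUTPUT->add_handlers(` such as `// handler functions are declared further down; PHP hoists unconditional declarations` would spare the next reader the check. The `contactadd` branch has no `return`, so the trailing `send('contactedit')` is unreachable only if `send()` terminates the request — the existing comment should say that is the assumption. Moving this block also explains why the `@@ -274` hunk is a pure deletion.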
@@ -81,12 +100,15 @@ function rcmail_contact_edithead($attrib) { + global $RCMAIL; + // check if we have a valid result $record = rcmail_get_edit_record(); - $i_size = !empty($attrib['size']) ? $attrib['size'] : 20; + $i_size = $attrib['size'] ?: 20; $form = array( 'head' => array( + 'name' => $RCMAIL->gettext('contactnameandorg'), 'content' => array( 'prefix' => array('size' => $i_size), 'firstname' => array('size' => $i_size, 'visible' => true), @@ -117,20 +139,17 @@ $record = rcmail_get_edit_record(); - // add some labels to client - $RCMAIL->output->add_label('noemailwarning', 'nonamewarning'); - // copy (parsed) address template to client if (preg_match_all('/\{([a-z0-9]+)\}([^{]*)/i', $RCMAIL->config->get('address_template', ''), $templ, PREG_SET_ORDER)) $RCMAIL->output->set_env('address_template', $templ); - $i_size = !empty($attrib['size']) ? $attrib['size'] : 40; - $t_rows = !empty($attrib['textarearows']) ? $attrib['textarearows'] : 10; - $t_cols = !empty($attrib['textareacols']) ? $attrib['textareacols'] : 40; + $i_size = $attrib['size'] ?: 40; + $t_rows = $attrib['textarearows'] ?: 10; + $t_cols = $attrib['textareacols'] ?: 40; $form = array( 'contact' => array( - 'name' => rcube_label('properties'), + 'name' => $RCMAIL->gettext('properties'), 'content' => array( 'email' => array('size' => $i_size, 'visible' => true), 'phone' => array('size' => $i_size, 'visible' => true), @@ -140,7 +159,7 @@ ), ), 'personal' => array( - 'name' => rcube_label('personalinfo'), + 'name' => $RCMAIL->gettext('personalinfo'), 'content' => array( 'gender' => array('visible' => true), 'maidenname' => array('size' => $i_size), @@ -155,7 +174,7 @@ if (isset($CONTACT_COLTYPES['notes'])) { $form['notes'] = array( - 'name' => rcube_label('notes'), + 'name' => $RCMAIL->gettext('notes'), 'content' => array( 'notes' => array('size' => $t_cols, 'rows' => $t_rows, 'label' => false, 'visible' => true, 'limit' => 1), ), 
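Review bot: `$i_size = $attrib['size'] ?: 20;` reads the key before testing it, so a template that omits `size` now emits an undefined-index notice that the replaced `!empty()` form did not; the same regression is in the three assignments of the `@@ -117` hunk (`size`, `textarearows`, `textareacols`) and in `$EDIT_FORM = $attrib['form'] ?: 'form'` in `@@ -231`. Keep the existence check, e.g. `$i_size = isset($attrib['size']) && $attrib['size'] ? $attrib['size'] : 20;`. The enclosing functions continue outside the hunks.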
@@ -174,37 +193,56 @@ function rcmail_upload_photo_form($attrib) { - global $OUTPUT; + global $RCMAIL, $OUTPUT; - // set defaults - $attrib += array('id' => 'rcmUploadform', 'buttons' => 'yes'); + // set defaults + $attrib += array('id' => 'rcmUploadform', 'buttons' => 'yes'); - // find max filesize value - $max_filesize = parse_bytes(ini_get('upload_max_filesize')); - $max_postsize = parse_bytes(ini_get('post_max_size')); - if ($max_postsize && $max_postsize < $max_filesize) - $max_filesize = $max_postsize; - $max_filesize = show_bytes($max_filesize); + // find max filesize value + $max_filesize = parse_bytes(ini_get('upload_max_filesize')); + $max_postsize = parse_bytes(ini_get('post_max_size')); - $hidden = new html_hiddenfield(array('name' => '_cid', 'value' => $GLOBALS['cid'])); - $input = new html_inputfield(array('type' => 'file', 'name' => '_photo', 'size' => $attrib['size'])); - $button = new html_inputfield(array('type' => 'button')); + if ($max_postsize && $max_postsize < $max_filesize) { + $max_filesize = $max_postsize; + } + $max_filesize = $RCMAIL->show_bytes($max_filesize); - $out = html::div($attrib, - $OUTPUT->form_tag(array('id' => $attrib['id'].'Frm', 'name' => 'uploadform', 'method' => 'post', 'enctype' => 'multipart/form-data'), - $hidden->show() . - html::div(null, $input->show()) . - html::div('hint', rcube_label(array('name' => 'maxuploadsize', 'vars' => array('size' => $max_filesize)))) . - (get_boolean($attrib['buttons']) ? html::div('buttons', - $button->show(rcube_label('close'), array('class' => 'button', 'onclick' => "$('#$attrib[id]').hide()")) . ' ' . - $button->show(rcube_label('upload'), array('class' => 'button mainaction', 'onclick' => JS_OBJECT_NAME . 
".command('upload-photo', this.form)")) - ) : '') - ) - ); + $hidden = new html_hiddenfield(array('name' => '_cid', 'value' => $GLOBALS['cid'])); + $input = new html_inputfield(array('type' => 'file', 'name' => '_photo', 'size' => $attrib['size'])); + $button = new html_inputfield(array('type' => 'button')); - $OUTPUT->add_label('addphoto','replacephoto'); - $OUTPUT->add_gui_object('uploadform', $attrib['id'].'Frm'); - return $out; + $content = $hidden->show() . html::div(null, $input->show()) + . html::div('hint', $RCMAIL->gettext(array('name' => 'maxuploadsize', 'vars' => array('size' => $max_filesize)))); + + if (rcube_utils::get_boolean($attrib['buttons'])) { + $content .= html::div('buttons', + $button->show($RCMAIL->gettext('close'), array( + 'class' => 'button', + 'onclick' => "$('#$attrib[id]').hide()" + )) + . ' ' . + $button->show($RCMAIL->gettext('upload'), array( + 'class' => 'button mainaction', + 'onclick' => rcmail_output::JS_OBJECT_NAME . ".command('upload-photo', this.form)" + )) + ); + } + + $out = html::div($attrib, + $OUTPUT->form_tag(array( + 'id' => $attrib['id'] . 'Frm', + 'name' => 'uploadform', + 'method' => 'post', + 'enctype' => 'multipart/form-data' + ), + $content + ) + ); + + $OUTPUT->add_label('addphoto','replacephoto'); + $OUTPUT->add_gui_object('uploadform', $attrib['id'].'Frm'); + + return $out; } // similar function as in /steps/settings/edit_identity.inc @@ -220,6 +258,7 @@ if ($RCMAIL->action == 'edit') $hiddenfields->add(array('name' => '_source', 'value' => $SOURCE_ID)); $hiddenfields->add(array('name' => '_gid', 'value' => $CONTACTS->group_id)); + $hiddenfields->add(array('name' => '_search', 'value' => rcube_utils::get_input_value('_search', rcube_utils::INPUT_GPC))); if (($result = $CONTACTS->get_result()) && ($record = $result->first())) $hiddenfields->add(array('name' => '_cid', 'value' => $record['ID'])); 
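Review bot: The defaults merged at the top of `rcmail_upload_photo_form` cover only `id` and `buttons`, yet `$attrib['size']` is read when the file input is built, so a template that omits `size` triggers an undefined-index notice on the new side; extend the defaults to `$attrib += array('id' => 'rcmUploadform', 'buttons' => 'yes', 'size' => null);` if `html_inputfield` drops a null attribute (confirm). The `$max_postsize &&` guard skips the clamp when `post_max_size` parses to 0, presumably because 0 means no limit there; record that with `// post_max_size of 0 presumably means unlimited, so only clamp on a positive value`. The interpolated `$attrib[id]` in the `onclick` string comes from the template, not the request, which is worth a comment since it lands in an inline handler unescaped.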
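Review bot: The new hidden field copies the request's `_search` value straight back into the edit form, so its safety in the HTML attribute rests entirely on `html_hiddenfield::show()` escaping attribute values — the existing `_cid` and `_gid` fields rely on the same thing, but this is the first value in the form taken directly from the request, so confirm it. A comment on the added line stating why the value is carried through (presumably so the client can return to the active search result after save) would help: `// carry the active search request id through the edit form`. The body of `rcmail_contact_editform` starts and ends outside the hunk.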
@@ -231,7 +270,7 @@ 'noclose' => true) + $attrib, $hiddenfields->show()); $form_end = !strlen($attrib['form']) ? '</form>' : ''; - $EDIT_FORM = !empty($attrib['form']) ? $attrib['form'] : 'form'; + $EDIT_FORM = $attrib['form'] ?: 'form'; $RCMAIL->output->add_gui_object('editform', $EDIT_FORM); } @@ -242,16 +281,17 @@ { global $RCMAIL, $SOURCE_ID; - $sources_list = $RCMAIL->get_address_sources(true); + $sources_list = $RCMAIL->get_address_sources(true, true); if (count($sources_list) < 2) { $source = $sources_list[$SOURCE_ID]; $hiddenfield = new html_hiddenfield(array('name' => '_source', 'value' => $SOURCE_ID)); - return html::span($attrib, Q($source['name']) . $hiddenfield->show()); + return html::span($attrib, $source['name'] . $hiddenfield->show()); } - $attrib['name'] = '_source'; - $attrib['onchange'] = JS_OBJECT_NAME . ".command('save', 'reload', this.form)"; + $attrib['name'] = '_source'; + $attrib['is_escaped'] = true; + $attrib['onchange'] = rcmail_output::JS_OBJECT_NAME . ".command('save', 'reload', this.form)"; $select = new html_select($attrib); @@ -274,19 +314,3 @@ $OUTPUT->set_env('filedrop', array('action' => 'upload-photo', 'fieldname' => '_photo', 'single' => 1, 'filter' => '^image/.+')); } } - - -$OUTPUT->add_handlers(array( - 'contactedithead' => 'rcmail_contact_edithead', - 'contacteditform' => 'rcmail_contact_editform', - 'contactphoto' => 'rcmail_contact_photo', - 'photouploadform' => 'rcmail_upload_photo_form', - 'sourceselector' => 'rcmail_source_selector', - 'filedroparea' => 'rcmail_photo_drop_area', -)); - -if ($RCMAIL->action == 'add' && $OUTPUT->template_exists('contactadd')) - $OUTPUT->send('contactadd'); - -// this will be executed if no template for addcontact exists -$OUTPUT->send('contactedit'); -- Gitblit v1.9.1
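Review bot: Dropping `Q()` around `$source['name']` and marking the select `is_escaped` both assume that the new second argument of `get_address_sources(true, true)` returns names that are already HTML-escaped; if that flag means something else, an addressbook name is emitted into the page unescaped in the single-source branch. State the assumption at the call so the two branches stay in step: `$sources_list = $RCMAIL->get_address_sources(true, true); // writeable sources, names already HTML-escaped`. The function `rcmail_source_selector` continues outside the hunk.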