From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/steps/addressbook/export.inc | 103 +++++++++++++++++++++++++++++----------------------
1 files changed, 58 insertions(+), 45 deletions(-)
diff --git a/program/steps/addressbook/export.inc b/program/steps/addressbook/export.inc
index 1e988fe..c1eaa7f 100644
--- a/program/steps/addressbook/export.inc
+++ b/program/steps/addressbook/export.inc
@@ -1,12 +1,12 @@
 <?php
 
-/*
+/**
 +-----------------------------------------------------------------------+
 | program/steps/addressbook/export.inc |
 | |
 | This file is part of the Roundcube Webmail client |
 | Copyright (C) 2008-2013, The Roundcube Dev Team |
- | Copyright (C) 2011, Kolab Systems AG |
+ | Copyright (C) 2011-2013, Kolab Systems AG |
 | |
 | Licensed under the GNU General Public License version 3 or |
 | any later version with exceptions for skins & plugins. |
@@ -21,49 +21,10 @@
 +-----------------------------------------------------------------------+
 */
 
-
-/**
- * Copy contact record properties into a vcard object
- */
-function prepare_for_export(&$record, $source = null)
-{
- $groups = $source && $source->groups && $source->export_groups ? $source->get_record_groups($record['ID']) : null;
-
- if (empty($record['vcard'])) {
- $vcard = new rcube_vcard();
- if ($source) {
- $vcard->extend_fieldmap($source->vcard_map);
- }
- $vcard->load($record['vcard']);
- $vcard->reset();
-
- foreach ($record as $key => $values) {
- list($field, $section) = explode(':', $key);
- foreach ((array)$values as $value) {
- if (is_array($value) || @strlen($value)) {
- $vcard->set($field, $value, strtoupper($section));
- }
- }
- }
-
- // append group names
- if ($groups) {
- $vcard->set('groups', join(',', $groups), null);
- }
-
- $record['vcard'] = $vcard->export(true);
- }
- // patch categories to alread existing vcard block
- else if ($record['vcard'] && !empty($groups) && !strpos($record['vcard'], 'CATEGORIES:')) {
- $vgroups = 'CATEGORIES:' . rcube_vcard::vcard_quote(join(',', $groups));
- $record['vcard'] = str_replace('END:VCARD', $vgroups . rcube_vcard::$eol . 'END:VCARD', $record['vcard']);
- }
-}
-
+$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
 
 // Use search result
-if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']]))
-{
+if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
 $sort_col = $RCMAIL->config->get('addressbook_sort_col', 'name');
 $search = (array)$_SESSION['search'][$_REQUEST['_search']];
 $records = array();
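Review bot: The added `$RCMAIL->request_security_check(rcube_utils::INPUT_GET);` validates the request token against the query string only, while the rewritten `if` a few lines below still selects the search set from `$_REQUEST['_search']`, which PHP also populates from POST data. The mismatch is not a hole by itself, but it means the now-protected download can be steered by a parameter the token check never looked at; reading it from the same source keeps the two consistent, e.g. `$search_id = rcube_utils::get_input_value('_search', rcube_utils::INPUT_GET);` and using `$search_id` in place of the raw superglobal. A one-line comment above the check, `// CSRF token check: the export is a GET download, so the token must travel in the query string`, would record why INPUT_GET rather than INPUT_GPC was chosen. The body of the `if` block continues past the end of this hunk.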
@@ -140,11 +101,13 @@
 }
 
 // send downlaod headers
-header('Content-Type: text/x-vcard; charset='.RCMAIL_CHARSET);
+header('Content-Type: text/x-vcard; charset='.RCUBE_CHARSET);
 header('Content-Disposition: attachment; filename="contacts.vcf"');
 
 while ($result && ($row = $result->next())) {
- prepare_for_export($row, $CONTACTS);
+ if ($CONTACTS) {
+ prepare_for_export($row, $CONTACTS);
+ }
 
 // fix folding and end-of-line chars
 $row['vcard'] = preg_replace('/\r|\n\s+/', '', $row['vcard']);
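Review bot: The new `if ($CONTACTS)` guard in the output loop leaves a row that arrives without a `vcard` entry unprepared whenever no single address book is selected, so the following `preg_replace` runs on an empty value and an empty record is echoed. The reason for skipping the call is not stated; presumably rows from the multi-source search branch were already prepared per source earlier in the file and a second pass without a source would reset their CATEGORIES, but that branch lies outside this hunk and should be confirmed. I would record the intent next to the guard, `// rows from a multi-source search are already prepared per source; a second pass without a source would drop their groups`, and keep the pre-change fallback for rows that still lack a vcard: `else if (empty($row['vcard'])) { prepare_for_export($row); }`. The while loop continues past the end of this hunk.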
@@ -153,3 +116,53 @@
 }
 
 exit;
+
+
+/**
+ * Copy contact record properties into a vcard object
+ */
+function prepare_for_export(&$record, $source = null)
+{
+ $groups = $source && $source->groups && $source->export_groups ? $source->get_record_groups($record['ID']) : null;
+ $fieldmap = $source ? $source->vcard_map : null;
+
+ if (empty($record['vcard'])) {
+ $vcard = new rcube_vcard($record['vcard'], RCUBE_CHARSET, false, $fieldmap);
+ $vcard->reset();
+
+ foreach ($record as $key => $values) {
+ list($field, $section) = explode(':', $key);
+ // avoid unwanted casting of DateTime objects to an array
+ // (same as in rcube_contacts::convert_save_data())
+ if (is_object($values) && is_a($values, 'DateTime')) {
+ $values = array($values);
+ }
+
+ foreach ((array) $values as $value) {
+ if (is_array($value) || is_a($value, 'DateTime') || @strlen($value)) {
+ $vcard->set($field, $value, strtoupper($section));
+ }
+ }
+ }
+
+ // append group names
+ if ($groups) {
+ $vcard->set('groups', join(',', $groups), null);
+ }
+
+ $record['vcard'] = $vcard->export();
+ }
+ // patch categories to alread existing vcard block
+ else if ($record['vcard']) {
+ $vcard = new rcube_vcard($record['vcard'], RCUBE_CHARSET, false, $fieldmap);
+
+ // unset CATEGORIES entry, it might be not up-to-date (#1490277)
+ $vcard->set('groups', null);
+ $record['vcard'] = $vcard->export();
+
+ if (!empty($groups)) {
+ $vgroups = 'CATEGORIES:' . rcube_vcard::vcard_quote($groups, ',');
+ $record['vcard'] = str_replace('END:VCARD', $vgroups . rcube_vcard::$eol . 'END:VCARD', $record['vcard']);
+ }
+ }
+}
-- 
Gitblit v1.9.1
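Review bot: `if (is_array($value) || is_a($value, 'DateTime') || @strlen($value))` in the re-added `prepare_for_export` still relies on `@` to hide the warning `strlen()` raises for non-string values; `is_scalar($value) && strlen((string) $value) > 0` accepts the same values without suppression, and the preceding `is_object($values) && is_a($values, 'DateTime')` is the long form of `$values instanceof DateTime`. The `else if ($record['vcard'])` branch can only be reached when `empty($record['vcard'])` was false, so a plain `else` states the same condition. The docblock names neither the in-place update nor the arguments; I would document them as `@param array $record Contact record; its 'vcard' entry is rewritten in place` and `@param object $source Source address book used for the group list and vcard field map, or null`. Defining the function after the top-level `exit;` works only because PHP hoists unconditional function declarations at compile time, which a short comment above the docblock should say so nobody wraps the declaration in a condition later.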