From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/addressbook/export.inc |   29 ++++++++++++++++++-----------
 1 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/program/steps/addressbook/export.inc b/program/steps/addressbook/export.inc
index c2f22cb..c1eaa7f 100644
--- a/program/steps/addressbook/export.inc
+++ b/program/steps/addressbook/export.inc
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/addressbook/export.inc                                  |
  |                                                                       |
@@ -20,6 +20,8 @@
  | Author: Aleksander Machniak <machniak@kolabsys.com>                   |
  +-----------------------------------------------------------------------+
 */
+
+$RCMAIL->request_security_check(rcube_utils::INPUT_GET);
 
 // Use search result
 if (!empty($_REQUEST['_search']) && isset($_SESSION['search'][$_REQUEST['_search']])) {
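Review bot: The new `$RCMAIL->request_security_check(rcube_utils::INPUT_GET);` line carries no comment saying what it protects, and because the export is a plain GET download a reader cannot tell whether the token check is deliberate or incidental. A one-line comment above it would make the intent durable: `// export is a GET-triggered download; require a valid request token so the address book cannot be pulled by a forged cross-site request`. Presumably `request_security_check()` ends the request when the token is missing or invalid, so nothing below it runs on a forged trigger; that is worth confirming against `rcmail` since the correctness of the fix rests on it. The subject also names managesieve and Enigma exports, but the diffstat lists only this file, so those changes are not part of this diff.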
@@ -121,14 +123,11 @@
  */
 function prepare_for_export(&$record, $source = null)
 {
-    $groups = $source && $source->groups && $source->export_groups ? $source->get_record_groups($record['ID']) : null;
+    $groups   = $source && $source->groups && $source->export_groups ? $source->get_record_groups($record['ID']) : null;
+    $fieldmap = $source ? $source->vcard_map : null;
 
     if (empty($record['vcard'])) {
-        $vcard = new rcube_vcard();
-        if ($source) {
-            $vcard->extend_fieldmap($source->vcard_map);
-        }
-        $vcard->load($record['vcard']);
+        $vcard = new rcube_vcard($record['vcard'], RCUBE_CHARSET, false, $fieldmap);
         $vcard->reset();
 
         foreach ($record as $key => $values) {
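Review bot: In the `empty($record['vcard'])` branch the new constructor call still passes `$record['vcard']` as the first argument, which is by definition empty here and, when the key is absent altogether, raises an undefined-index notice (the removed `load()` line had the same issue, so the commit carries it forward rather than introducing it). Since the intent is a fresh vcard that is immediately `reset()`, passing `null` states that directly: `$vcard = new rcube_vcard(null, RCUBE_CHARSET, false, $fieldmap);` — assuming the constructor, like the removed `load()` path, does no parsing for an empty input. The body of prepare_for_export continues past the end of this hunk.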
@@ -151,11 +150,19 @@
             $vcard->set('groups', join(',', $groups), null);
         }
 
-        $record['vcard'] = $vcard->export(true);
+        $record['vcard'] = $vcard->export();
     }
     // patch categories to alread existing vcard block
-    else if ($record['vcard'] && !empty($groups) && !strpos($record['vcard'], 'CATEGORIES:')) {
-        $vgroups = 'CATEGORIES:' . rcube_vcard::vcard_quote(join(',', $groups));
-        $record['vcard'] = str_replace('END:VCARD', $vgroups . rcube_vcard::$eol . 'END:VCARD', $record['vcard']);
+    else if ($record['vcard']) {
+        $vcard = new rcube_vcard($record['vcard'], RCUBE_CHARSET, false, $fieldmap);
+
+        // unset CATEGORIES entry, it might be not up-to-date (#1490277)
+        $vcard->set('groups', null);
+        $record['vcard'] = $vcard->export();
+
+        if (!empty($groups)) {
+            $vgroups = 'CATEGORIES:' . rcube_vcard::vcard_quote($groups, ',');
+            $record['vcard'] = str_replace('END:VCARD', $vgroups . rcube_vcard::$eol . 'END:VCARD', $record['vcard']);
+        }
     }
 }
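Review bot: The `else if ($record['vcard'])` branch now re-parses the stored vcard into `rcube_vcard` and re-serialises it with `export()` before appending CATEGORIES, where the old code only string-patched the original text; any property the parser does not model is presumably normalised or dropped by that round-trip, a behaviour change the comment above `$vcard->set('groups', null);` does not mention. Worth stating the trade-off there, e.g. `// re-parse and re-export to drop a possibly stale CATEGORIES entry (#1490277); this normalises the vcard, so properties the parser does not know may not survive`. Separately, the two branches now add groups differently — `$vcard->set('groups', ...)` before export in the first, `str_replace` on `END:VCARD` after export in the second — and the reason for not using the object API in both is not stated; if `set('groups', ...)` cannot take the already-quoted list, a short comment saying so would stop the next reader from "simplifying" it. prepare_for_export begins in the previous hunk.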

--
Gitblit v1.9.1