From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 05 Feb 2016 07:25:27 -0500 Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports --- program/steps/addressbook/mailto.inc | 51 +++++++++++++++++++++++---------------------------- 1 files changed, 23 insertions(+), 28 deletions(-) diff --git a/program/steps/addressbook/mailto.inc b/program/steps/addressbook/mailto.inc index 965d717..4258b7c 100644 --- a/program/steps/addressbook/mailto.inc +++ b/program/steps/addressbook/mailto.inc @@ -1,11 +1,11 @@ <?php -/* +/** +-----------------------------------------------------------------------+ | program/steps/addressbook/mailto.inc | | | | This file is part of the Roundcube Webmail client | - | Copyright (C) 2007, The Roundcube Dev Team | + | Copyright (C) 2007-2013, The Roundcube Dev Team | | | | Licensed under the GNU General Public License version 3 or | | any later version with exceptions for skins & plugins. | 
@@ -17,35 +17,29 @@ +-----------------------------------------------------------------------+ | Author: Thomas Bruederli <roundcube@gmail.com> | +-----------------------------------------------------------------------+ - - $Id: copy.inc 471 2007-02-09 21:25:50Z thomasb $ - */ -$cids = rcmail_get_cids(); -$mailto = array(); -$recipients = null; +$cids = rcmail_get_cids(); +$mailto = array(); +$sources = array(); -foreach ($cids as $source => $cid) -{ +foreach ($cids as $source => $cid) { $CONTACTS = $RCMAIL->get_address_book($source); - if ($CONTACTS->ready) - { + if ($CONTACTS->ready) { $CONTACTS->set_page(1); $CONTACTS->set_pagesize(count($cid) + 2); // +2 to skip counting query - $recipients = $CONTACTS->search($CONTACTS->primary_key, $cid, 0, true, true, 'email'); + $sources[] = $CONTACTS->search($CONTACTS->primary_key, $cid, 0, true, true, 'email'); } } -if (!empty($_REQUEST['_gid']) && isset($_REQUEST['_source'])) -{ - $source = get_input_value('_source', RCUBE_INPUT_GPC); +if (!empty($_REQUEST['_gid']) && isset($_REQUEST['_source'])) { + $source = rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); $CONTACTS = $RCMAIL->get_address_book($source); - - $group_id = get_input_value('_gid', RCUBE_INPUT_GPC); + + $group_id = rcube_utils::get_input_value('_gid', rcube_utils::INPUT_GPC); $group_data = $CONTACTS->get_group($group_id); - + // group has an email address assigned: use that if ($group_data['email']) { $mailto[] = format_email_recipient($group_data['email'][0], $group_data['name']); 
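Review bot: The group branch calls `$CONTACTS->get_group($group_id)` on the book returned for the request-supplied `_source` without the `$CONTACTS->ready` check that the `foreach ($cids ...)` loop above applies, and it then indexes `$group_data['email']` without confirming that a group was found. Both `_source` and `_gid` are read straight from the request (`INPUT_GPC`), so an unknown or unavailable source id, or a stale group id, reaches these lines. What `get_address_book()` and `get_group()` return in that case is not visible here, so the result may be a fatal error or only a notice. I would guard it the same way as the loop, for example `if ($CONTACTS && $CONTACTS->ready && ($group_data = $CONTACTS->get_group($group_id))) {`, and otherwise fall through to the `nocontactsfound` message. The `if` block continues past the end of this hunk.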
@@ -54,24 +48,25 @@ $CONTACTS->set_group($group_id); $CONTACTS->set_page(1); $CONTACTS->set_pagesize(200); // limit somehow - $recipients = $CONTACTS->list_records(); + $sources[] = $CONTACTS->list_records(); } } -if ($recipients) -{ - while (is_object($recipients) && ($rec = $recipients->iterate())) { +foreach ($sources as $source) { + while (is_object($source) && ($rec = $source->iterate())) { $emails = $CONTACTS->get_col_values('email', $rec, true); - $mailto[] = format_email_recipient($emails[0], $rec['name']); + + if (!empty($emails)) { + $mailto[] = format_email_recipient($emails[0], $rec['name']); + } } } -if (!empty($mailto)) -{ +if (!empty($mailto)) { $mailto_str = join(', ', $mailto); - $mailto_id = substr(md5($mailto_str), 0, 16); + $mailto_id = substr(md5($mailto_str), 0, 16); $_SESSION['mailto'][$mailto_id] = urlencode($mailto_str); - $OUTPUT->redirect(array('task' => 'mail', '_action' => 'compose', '_mailto' => $mailto_id)); + $OUTPUT->command('open_compose_step', array('_mailto' => $mailto_id)); } else { $OUTPUT->show_message('nocontactsfound', 'warning'); -- Gitblit v1.9.1
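Review bot: In the new `foreach ($sources as $source)` loop, `$CONTACTS->get_col_values('email', $rec, true)` runs on whichever address book was assigned last, not on the book that produced the result set being iterated. Before this change only one result set survived, so the mismatch could not show; now that `$sources` collects results from several books, and possibly the group branch too, records from an earlier book are read through a different object. If `get_col_values()` does not depend on instance state (its body is not visible here), this is harmless but misleading. Otherwise keep each book with its result, e.g. `$sources[] = array($CONTACTS, $CONTACTS->list_records());` and `list($book, $result) = $entry;` inside the loop. The loop variable also reuses `$source`, which earlier holds the address-book id; a name such as `$result` would avoid that confusion.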