From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/addressbook/photo.inc |   26 +++++++++++++++++---------
 1 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/program/steps/addressbook/photo.inc b/program/steps/addressbook/photo.inc
index 4821857..1d3d950 100644
--- a/program/steps/addressbook/photo.inc
+++ b/program/steps/addressbook/photo.inc
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/addressbook/photo.inc                                   |
  |                                                                       |
@@ -72,13 +72,12 @@
 if ($plugin['url']) {
     $RCMAIL->output->redirect($plugin['url']);
 }
-else {
-    $data = $plugin['data'];
-}
 
-// deliver alt image
-if (!$data && ($alt_img = rcube_utils::get_input_value('_alt', rcube_utils::INPUT_GPC)) && is_file($alt_img)) {
-    $data = file_get_contents($alt_img);
+$data = $plugin['data'];
+
+// detect if photo data is an URL
+if (strlen($data) < 1024 && filter_var($data, FILTER_VALIDATE_URL)) {
+    $RCMAIL->output->redirect($data);
 }
 
 // cache for one day if requested by email
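Review bot: The new URL check `if (strlen($data) < 1024 && filter_var($data, FILTER_VALIDATE_URL))` does not restrict the scheme, so any value that parses as a URL with a host (`ftp://`, `data://…`, `javascript://host/%0A…`) is handed to `$RCMAIL->output->redirect($data)`. The photo value comes from the contact record rather than from the current request, and contact records can be imported or synced from external sources, so the redirect target should be limited to web URLs, e.g. `if (strlen($data) < 1024 && preg_match('~^https?://~i', $data) && filter_var($data, FILTER_VALIDATE_URL))`. Whether `redirect()` terminates the script after sending the Location header is not visible in this hunk; if it does not, the code below would still emit the raw value as an image body on the same response. The script begins before this hunk.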
@@ -86,6 +85,15 @@
     $RCMAIL->output->future_expire_header(86400);
 }
 
-header('Content-Type: ' . rcube_mime::image_content_type($data));
-echo $data ? $data : file_get_contents('program/resources/blank.gif');
+if ($data) {
+    header('Content-Type: ' . rcube_mime::image_content_type($data));
+    echo $data;
+}
+else if (!empty($_GET['_error'])) {
+    header('HTTP/1.0 404 Photo not found');
+}
+else {
+    header('Content-Type: image/gif');
+    echo base64_decode(rcmail_output::BLANK_GIF);
+}
 exit;
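Review bot: The `if ($data)` branch sets `Content-Type` from `rcube_mime::image_content_type($data)` and echoes the bytes with no `X-Content-Type-Options` header, so if that helper returns a generic or non-image type for data it cannot classify, the blob is still served inline from the application origin and left to browser sniffing. Add `header('X-Content-Type-Options: nosniff');` before `echo $data;`, and if `image_content_type()` can return anything other than `image/*` (not visible here), fall through to the 404/blank-GIF branch instead of echoing. It would also help a reader to note why the blank GIF is the default, e.g. `// no photo and no _error flag: serve a 1x1 transparent GIF so <img> tags don't break`.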

--
Gitblit v1.9.1