From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/addressbook/save.inc |   63 +++++++++++++++----------------
 1 files changed, 30 insertions(+), 33 deletions(-)

diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 94556f9..3f2a75c 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/addressbook/save.inc                                    |
  |                                                                       |
@@ -124,7 +124,7 @@
     else if ($tempfile = $_SESSION['contacts']['files'][$a_record['photo']]) {
         $tempfile = $RCMAIL->plugins->exec_hook('attachment_get', $tempfile);
         if ($tempfile['status'])
-            $a_record['photo'] = $tempfile['data'] ? $tempfile['data'] : @file_get_contents($tempfile['path']);
+            $a_record['photo'] = $tempfile['data'] ?: @file_get_contents($tempfile['path']);
     }
     else
         unset($a_record['photo']);
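Review bot: On the new line 27 a failed `@file_get_contents()` leaves `false` in `$a_record['photo']`, because only the `data` fallback is tested by `?:` and the `@` also keeps the read error out of the log. Keep the read result in a local and assign it only when it is a string: `$photo = $tempfile['data'] ?: @file_get_contents($tempfile['path']);` followed by `if ($photo !== false) $a_record['photo'] = $photo; else unset($a_record['photo']);`. The `?:` rewrite itself is behaviour-identical to the old ternary. The enclosing `if`/`else if` chain starts before this hunk.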
@@ -148,6 +148,15 @@
         $result = $plugin['result'];
 
     if ($result) {
+        // show confirmation
+        $OUTPUT->show_message('successfullysaved', 'confirmation', null, false);
+
+        // in search mode, just reload the list (#1490015)
+        if ($_REQUEST['_search']) {
+            $OUTPUT->command('parent.command', 'list');
+            $OUTPUT->send('iframe');
+        }
+
         // LDAP DN change
         if (is_string($result) && strlen($result)>1) {
             $newcid = $result;
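Review bot: `$_REQUEST['_search']` on the new line 39 is read directly, so a request without that parameter raises an undefined-index notice; `if (!empty($_REQUEST['_search'])) {` keeps the same truthiness test without it. The branch also depends on `$OUTPUT->send('iframe')` ending the request — if it returned, the `update_contact_row` command and `overwrite_action('show')` later in this block would still be emitted in search mode; a comment such as `// send() terminates the request, so the row update below is skipped in search mode` would make that dependency visible. The `if ($result)` block continues past the end of the hunk.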
@@ -157,7 +166,7 @@
 
         // define list of cols to be displayed
         $a_js_cols = array();
-        $record = $CONTACTS->get_record($newcid ? $newcid : $cid, true);
+        $record = $CONTACTS->get_record($newcid ?: $cid, true);
         $record['email'] = reset($CONTACTS->get_col_values('email', $record, true));
         $record['name']  = rcube_addressbook::compose_list_name($record);
 
@@ -165,17 +174,19 @@
             $a_js_cols[] = rcube::Q((string)$record[$col]);
         }
 
+        // performance: unset some big data items we don't need here
+        $record = array_intersect_key($record, array('ID' => 1,'email' => 1,'name' => 1));
+        $record['_type'] = 'person';
+
         // update the changed col in list
         $OUTPUT->command('parent.update_contact_row', $cid, $a_js_cols, $newcid, $source, $record);
 
-        // show confirmation
-        $OUTPUT->show_message('successfullysaved', 'confirmation', null, false);
         $RCMAIL->overwrite_action('show');
     }
     else {
         // show error message
         $err = $CONTACTS->get_error();
-        $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : ($err['message'] ? $err['message'] : 'errorsaving'), 'error', null, false);
+        $OUTPUT->show_message($plugin['message'] ?: ($err['message'] ?: 'errorsaving'), 'error', null, false);
         $RCMAIL->overwrite_action('show');
     }
 }
@@ -215,44 +226,30 @@
             $plugin = $RCMAIL->plugins->exec_hook('group_addmembers', array(
                 'group_id' => $CONTACTS->group_id, 'ids' => $insert_id, 'source' => $source));
 
-            $counts = $CONTACTS->count();
-
             if (!$plugin['abort']) {
-                if (($maxnum = $RCMAIL->config->get('max_group_members', 0)) && ($counts->count + 1 > $maxnum))
-                    $OUTPUT->show_message('maxgroupmembersreached', 'warning', array('max' => $maxnum));
-
-                $CONTACTS->add_to_group($plugin['group_id'], $plugin['ids']);
+                if (($maxnum = $RCMAIL->config->get('max_group_members', 0)) && ($CONTACTS->count()->count + 1 > $maxnum)) {
+                    // @FIXME: should we remove the contact?
+                    $msgtext = $RCMAIL->gettext(array('name' => 'maxgroupmembersreached', 'vars' => array('max' => $maxnum)));
+                    $OUTPUT->command('parent.display_message', $msgtext, 'warning');
+                }
+                else {
+                    $CONTACTS->add_to_group($plugin['group_id'], $plugin['ids']);
+                }
             }
-        }
-        else {
-            $counts = $CONTACTS->count();
-        }
-
-        if ((string)$source === (string)$orig_source) {
-            // add contact row or jump to the page where it should appear
-            $CONTACTS->reset();
-            $result = $CONTACTS->search($CONTACTS->primary_key, $insert_id);
-
-            rcmail_js_contacts_list($result, 'parent.');
-            $OUTPUT->command('parent.contact_list.select', rcube_utils::html_identifier($insert_id));
-
-            // update record count display
-            $CONTACTS->reset();
-            $OUTPUT->command('parent.set_rowcount', rcmail_get_rowcount_text($counts));
-        }
-        else {
-            // re-set iframe
-            $OUTPUT->command('parent.show_contentframe');
         }
 
         // show confirmation
         $OUTPUT->show_message('successfullysaved', 'confirmation', null, false);
+
+        $OUTPUT->command('parent.set_rowcount', $RCMAIL->gettext('loading'));
+        $OUTPUT->command('parent.list_contacts');
+
         $OUTPUT->send('iframe');
     }
     else {
         // show error message
         $err = $CONTACTS->get_error();
-        $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : ($err['message'] ? $err['message'] : 'errorsaving'), 'error', null, false);
+        $OUTPUT->show_message($plugin['message'] ?: ($err['message'] ?: 'errorsaving'), 'error', null, false);
         $RCMAIL->overwrite_action('add');
     }
 }
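Review bot: The `max_group_members` check on the new line 90 is check-then-act: the count is read and the member added in separate calls, so two concurrent saves can both pass the check and exceed the configured limit; if the limit is meant to be enforced, it needs to hold in `add_to_group` (or the backend) as well. When the limit is hit the contact has already been inserted, the `@FIXME` on line 91 leaves it outside the group, and line 122 still reports `successfullysaved`, so the user gets a warning and a success message for the same action — either skip the confirmation in that case or state in the comment that keeping the contact unassigned is intended. The surrounding `if`/`else` structure begins before this hunk.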

--
Gitblit v1.9.1