From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/addressbook/upload_photo.inc |   44 +++++++++++++++++++++++---------------------
 1 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/program/steps/addressbook/upload_photo.inc b/program/steps/addressbook/upload_photo.inc
index f0430ae..4661ed2 100644
--- a/program/steps/addressbook/upload_photo.inc
+++ b/program/steps/addressbook/upload_photo.inc
@@ -1,12 +1,15 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/addressbook/upload_photo.inc                            |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2005-2011, The Roundcube Dev Team                       |
- | Licensed under the GNU GPL                                            |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
  |                                                                       |
  | PURPOSE:                                                              |
  |   Handles contact photo uploads                                       |
@@ -14,9 +17,6 @@
  +-----------------------------------------------------------------------+
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
-
- $Id$
-
 */
 
 // Supported image format types
@@ -28,20 +28,19 @@
 
 if ($filepath = $_FILES['_photo']['tmp_name']) {
     // check file type and resize image
-    $imageprop = rcmail::imageprops($_FILES['_photo']['tmp_name']);
+    $image     = new rcube_image($_FILES['_photo']['tmp_name']);
+    $imageprop = $image->props();
 
     if (in_array(strtolower($imageprop['type']), $IMAGE_TYPES)
-	&& $imageprop['width'] && $imageprop['height']
+        && $imageprop['width'] && $imageprop['height']
     ) {
-        $maxsize = intval($RCMAIL->config->get('contact_photo_size', 160));
-        $tmpfname = tempnam($RCMAIL->config->get('temp_dir'), 'rcmImgConvert');
+        $maxsize   = intval($RCMAIL->config->get('contact_photo_size', 160));
+        $tmpfname  = tempnam($RCMAIL->config->get('temp_dir'), 'rcmImgConvert');
         $save_hook = 'attachment_upload';
 
         // scale image to a maximum size
-        if (($imageprop['width'] > $maxsize || $imageprop['height'] > $maxsize) &&
-            (rcmail::imageconvert(array('in' => $filepath, 'out' => $tmpfname,
-                'size' => $maxsize.'x'.$maxsize, 'type' => $imageprop['type'])) !== false)) {
-            $filepath = $tmpfname;
+        if (($imageprop['width'] > $maxsize || $imageprop['height'] > $maxsize) && $image->resize($maxsize, $tmpfname)) {
+            $filepath  = $tmpfname;
             $save_hook = 'attachment_save';
         }
 
@@ -54,8 +53,9 @@
             'group' => 'contact',
         ));
     }
-    else
-        $attachment['error'] = rcube_label('invalidimageformat');
+    else {
+        $attachment['error'] = $RCMAIL->gettext('invalidimageformat');
+    }
 
     if ($attachment['status'] && !$attachment['abort']) {
         $file_id = $attachment['id'];
@@ -63,14 +63,16 @@
         $OUTPUT->command('replace_contact_photo', $file_id);
     }
     else {  // upload failed
-        $err = $_FILES['_photo']['error'];
+        $err  = $_FILES['_photo']['error'];
+        $size = $RCMAIL->show_bytes(parse_bytes(ini_get('upload_max_filesize')));
+
         if ($err == UPLOAD_ERR_INI_SIZE || $err == UPLOAD_ERR_FORM_SIZE)
-            $msg = rcube_label(array('name' => 'filesizeerror', 'vars' => array('size' => show_bytes(parse_bytes(ini_get('upload_max_filesize'))))));
+            $msg = $RCMAIL->gettext(array('name' => 'filesizeerror', 'vars' => array('size' => $size)));
         else if ($attachment['error'])
             $msg = $attachment['error'];
         else
-            $msg = rcube_label('fileuploaderror');
-            
+            $msg = $RCMAIL->gettext('fileuploaderror');
+
         $OUTPUT->command('display_message', $msg, 'error');
     }
 }
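Review bot: The brace-less `if`/`else if`/`else` chain that carries the rewritten `$msg = $RCMAIL->gettext(...)` lines is kept as is, while the same commit adds braces to the `else` in the previous hunk; this chain and the `if`/`else` in the last hunk would be consistent with the rest of the change written as `if ($err == UPLOAD_ERR_INI_SIZE || $err == UPLOAD_ERR_FORM_SIZE) { ... }`. The hoisted `$size = $RCMAIL->show_bytes(parse_bytes(ini_get('upload_max_filesize')));` now runs on every failed upload although only the first branch uses the value; it is cheap, but computing it inside that branch keeps the other error paths free of it.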
@@ -78,9 +80,9 @@
     // if filesize exceeds post_max_size then $_FILES array is empty,
     // show filesizeerror instead of fileuploaderror
     if ($maxsize = ini_get('post_max_size'))
-        $msg = rcube_label(array('name' => 'filesizeerror', 'vars' => array('size' => show_bytes(parse_bytes($maxsize)))));
+        $msg = $RCMAIL->gettext(array('name' => 'filesizeerror', 'vars' => array('size' => $RCMAIL->show_bytes(parse_bytes($maxsize)))));
     else
-        $msg = rcube_label('fileuploaderror');
+        $msg = $RCMAIL->gettext('fileuploaderror');
 
     $OUTPUT->command('display_message', $msg, 'error');
 }
