From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/mail/get.inc |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 96cdd77..8d7adfe 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -129,6 +129,10 @@
             exit;
         }
 
+        // require CSRF protected url for downloads
+        if ($plugin['download'])
+            $RCMAIL->request_security_check(rcube_utils::INPUT_GET);
+
         // overwrite modified vars from plugin
         $mimetype   = $plugin['mimetype'];
         $extensions = rcube_mime::get_mime_extensions($mimetype);

--
Gitblit v1.9.1