From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/mail/mark.inc |   25 ++++++++++++++++---------
 1 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/program/steps/mail/mark.inc b/program/steps/mail/mark.inc
index daa8c7e..8a49114 100644
--- a/program/steps/mail/mark.inc
+++ b/program/steps/mail/mark.inc
@@ -1,10 +1,11 @@
 <?php
-/*
+
+/**
  +-----------------------------------------------------------------------+
  | program/steps/mail/mark.inc                                           |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2005-2013, The Roundcube Dev Team                       |
+ | Copyright (C) 2005-2014, The Roundcube Dev Team                       |
  |                                                                       |
  | Licensed under the GNU General Public License version 3 or            |
  | any later version with exceptions for skins & plugins.                |
@@ -36,19 +37,21 @@
     'unflagged' => 'UNFLAGGED',
 );
 
-if (($uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST))
+if (($_uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST))
     && ($flag = rcube_utils::get_input_value('_flag', rcube_utils::INPUT_POST))
 ) {
-    $flag = $a_flags_map[$flag] ? $a_flags_map[$flag] : strtoupper($flag);
+    $flag = $a_flags_map[$flag] ?: strtoupper($flag);
 
     if ($flag == 'DELETED' && $skip_deleted && $_POST['_from'] != 'show') {
         // count messages before changing anything
         $old_count = $RCMAIL->storage->count(NULL, $threading ? 'THREADS' : 'ALL');
         $old_pages = ceil($old_count / $RCMAIL->storage->get_pagesize());
-        $count     = sizeof(explode(',', $uids));
     }
 
-    $marked = $RCMAIL->storage->set_flag($uids, $flag);
+    foreach (rcmail::get_uids() as $mbox => $uids) {
+        $marked += (int)$RCMAIL->storage->set_flag($uids, $flag, $mbox);
+        $count += count($uids);
+    }
 
     if (!$marked) {
         // send error message
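Review bot: `$marked` and `$count` are accumulated with `+=` in the new foreach without being initialised anywhere in the visible lines, so unless they are set earlier outside the hunk the first iteration raises an undefined-variable notice, and an empty result from `rcmail::get_uids()` leaves both undefined. `$read` in the `_ruid` hunk has the same problem. I would add `$marked = 0; $count = 0;` ahead of the loop. Summing the `(int)` results also means `!$marked` is only true when every folder fails, so a failure in one folder is treated as success whenever another folder succeeds; counting failed folders separately would let the error branch cover partial failure. The enclosing `if` block continues past the end of the hunk.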
@@ -66,7 +69,9 @@
 
     if ($flag == 'DELETED' && $read_deleted && !empty($_POST['_ruid'])) {
         $ruids = rcube_utils::get_input_value('_ruid', rcube_utils::INPUT_POST);
-        $read  = $RCMAIL->storage->set_flag($ruids, 'SEEN');
+        foreach (rcmail::get_uids($ruids) as $mbox => $uids) {
+            $read += (int)$RCMAIL->storage->set_flag($uids, 'SEEN', $mbox);
+        }
 
         if ($read && !$skip_deleted) {
             $OUTPUT->command('flag_deleted_as_read', $ruids);
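Review bot: `flag_deleted_as_read` is still sent the raw POST value `$ruids`, while the SEEN flag is now applied per folder to whatever `rcmail::get_uids($ruids)` returns. If `set_flag` fails for one folder, `$read` is still non-zero from the others and the client is told that every requested message was marked read. Consider collecting the UIDs only from folders where `set_flag` succeeded and passing those to the command, in whatever form the client handler expects. The `if ($read && !$skip_deleted)` block is closed outside the hunk.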
@@ -74,7 +79,9 @@
     }
 
     if ($flag == 'SEEN' || $flag == 'UNSEEN' || ($flag == 'DELETED' && !$skip_deleted)) {
-        rcmail_send_unread_count($RCMAIL->storage->get_folder());
+        foreach (rcmail::get_uids() as $mbox => $uids) {
+            rcmail_send_unread_count($mbox);
+        }
     }
     else if ($flag == 'DELETED' && $skip_deleted) {
         if ($_POST['_from'] == 'show') {
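Review bot: The loop variables `$mbox` and `$uids` in this foreach (and in the two earlier ones) stay set after the loop, and the last hunk passes `$mbox` to `list_messages()`. Unless `$mbox` is reassigned in between, which is not visible here, that call would target whichever folder was iterated last rather than the folder being displayed. `$uids` is also unused in this loop. A distinct key name avoids the clobbering: `foreach (rcmail::get_uids() as $folder => $set) { rcmail_send_unread_count($folder); }`.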
@@ -128,7 +135,7 @@
             }
 
             // add new rows from next page (if any)
-            if ($count && $uids != '*' && ($jump_back || $nextpage_count > 0)) {
+            if ($old_count && $_uids != '*' && ($jump_back || $nextpage_count > 0)) {
                 $a_headers = $RCMAIL->storage->list_messages($mbox, NULL,
                     rcmail_sort_column(), rcmail_sort_order(), $jump_back ? NULL : $count);
 

--
Gitblit v1.9.1