From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 program/steps/mail/search.inc | 58 ++++++++++++++++++++++++++++++++++++++++++++++++----------
 1 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/program/steps/mail/search.inc b/program/steps/mail/search.inc
index b505934..ee6ba88 100644
--- a/program/steps/mail/search.inc
+++ b/program/steps/mail/search.inc
@@ -1,6 +1,6 @@
 <?php
-/*
+/**
 +-----------------------------------------------------------------------+
 | steps/mail/search.inc |
 | |
@@ -38,16 +38,15 @@
 $filter = rcube_utils::get_input_value('_filter', rcube_utils::INPUT_GET);
 $headers = rcube_utils::get_input_value('_headers', rcube_utils::INPUT_GET);
 $scope = rcube_utils::get_input_value('_scope', rcube_utils::INPUT_GET);
+$interval = rcube_utils::get_input_value('_interval', rcube_utils::INPUT_GET);
 $continue = rcube_utils::get_input_value('_continue', rcube_utils::INPUT_GET);
 $subject = array();
 $filter = trim($filter);
-$search_request = md5($mbox.$scope.$filter.$str);
+$search_request = md5($mbox.$scope.$interval.$filter.$str);
 // add list filter string
 $search_str = $filter && $filter != 'ALL' ? $filter : '';
-
-$_SESSION['search_filter'] = $filter;
 // Check the search string for type of search
 if (preg_match("/^from:.*/i", $str)) {
@@ -102,6 +101,10 @@
 $search = isset($srch) ? trim($srch) : trim($str);
+if ($search_interval = rcmail_search_interval_criteria($interval)) {
+ $search_str .= ' ' . $search_interval;
+}
+
 if (!empty($subject)) {
 $search_str .= str_repeat(' OR', count($subject)-1);
 foreach ($subject as $sub) {
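Review bot: `$interval` is read straight from the `_interval` GET parameter in the `@@ -38` hunk and nothing checks it against the documented forms before it is hashed into `$search_request`, handed to `rcmail_search_interval_criteria()` in the `@@ -102` hunk and stored in the session in the `@@ -144` hunk. The helper added in the last hunk passes it to `new DateInterval('P' . $interval)`, which throws on a malformed string, and no try/catch is visible on this path, so a bad value would abort the search request instead of being ignored. Normalising it once, directly after the read, keeps all three uses consistent: `if (!is_string($interval) || !preg_match('/^-?[0-9]{1,3}[WMY]\z/', $interval)) { $interval = ''; }` (the three-digit bound is a suggestion). The script body continues outside these hunks.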
@@ -144,19 +147,22 @@
 $_SESSION['search'] = $RCMAIL->storage->get_search_set();
 $_SESSION['last_text_search'] = $str;
 }
-$_SESSION['search_request'] = $search_request;
-$_SESSION['search_scope'] = $scope;
-
+$_SESSION['search_request'] = $search_request;
+$_SESSION['search_scope'] = $scope;
+$_SESSION['search_interval'] = $interval;
+$_SESSION['search_filter'] = $filter;
 // Get the headers
 if (!$result->incomplete) {
 $result_h = $RCMAIL->storage->list_messages($mbox, 1, $sort_column, rcmail_sort_order());
- $count = $RCMAIL->storage->count($mbox, $RCMAIL->storage->get_threading() ? 'THREADS' : 'ALL');
 }
 // Make sure we got the headers
 if (!empty($result_h)) {
+ $count = $RCMAIL->storage->count($mbox, $RCMAIL->storage->get_threading() ? 'THREADS' : 'ALL');
+
 rcmail_js_message_list($result_h, false);
+
 if ($search_str) {
 $OUTPUT->show_message('searchsuccessful', 'confirmation', array('nr' => $RCMAIL->storage->count(NULL, 'ALL')));
 }
@@ -172,6 +178,7 @@
 }
 // handle IMAP errors (e.g. #1486905)
 else if ($err_code = $RCMAIL->storage->get_error_code()) {
+ $count = 0;
 $RCMAIL->display_server_error();
 }
 // advice the client to re-send the (cross-folder) search request
@@ -180,14 +187,13 @@
 $OUTPUT->command('continue_search', $search_request);
 }
 else {
+ $count = 0;
 $OUTPUT->show_message('searchnomatch', 'notice');
 $OUTPUT->set_env('multifolder_listing', (bool)$result->multi);
 if ($result->multi && $scope == 'all') {
 $OUTPUT->command('select_folder', '');
 }
 }
-
-$OUTPUT->set_pagetitle($RCMAIL->gettext(array('name' => 'searchfor', 'vars' => array('q' => $str))));
 // update message count display
 $OUTPUT->set_env('search_request', $search_str ? $search_request : '');
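Review bot: `$count` is now assigned in the success, IMAP-error and no-match branches, but apparently not on the branch that issues `continue_search`; its opening lines fall between the `@@ -172` and `@@ -180` hunks, so this is inferred. The `@@ -198` hunk still passes `$count` to `rcmail_get_messagecount_text($count, 1)` unconditionally. Initialising it once before the chain, with `$count = 0;` ahead of `if (!empty($result_h)) {`, removes the dependence on every branch setting it. Separately, `$_SESSION['search_interval'] = $interval;` in the `@@ -144` hunk stores the raw request value; if later requests rebuild the criteria from the session, the stored value should be the validated one.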
@@ -198,8 +204,40 @@
 $OUTPUT->set_env('exists', $mbox === null ? 0 : $RCMAIL->storage->count($mbox, 'EXISTS'));
 $OUTPUT->command('set_rowcount', rcmail_get_messagecount_text($count, 1), $mbox);
+rcmail_list_pagetitle();
+
+// update unseen messages count
+if (empty($search_str)) {
+ rcmail_send_unread_count($mbox, false, empty($result_h) ? 0 : null);
+}
+
 if (!$result->incomplete) {
 $OUTPUT->command('set_quota', $RCMAIL->quota_content(null, $result->multi ? 'INBOX' : $mbox));
 }
 $OUTPUT->send();
+
+
+// Creates BEFORE/SINCE search criteria from the specified interval
+// Interval can be: 1W, 1M, 1Y, -1W, -1M, -1Y
+function rcmail_search_interval_criteria($interval)
+{
+ if (empty($interval)) {
+ return;
+ }
+
+ if ($interval[0] == '-') {
+ $search = 'BEFORE';
+ $interval = substr($interval, 1);
+ }
+ else {
+ $search = 'SINCE';
+ }
+
+ $date = new DateTime('now');
+ $interval = new DateInterval('P' . $interval);
+
+ $date->sub($interval);
+
+ return $search . ' ' . $date->format('j-M-Y');
+}
-- Gitblit v1.9.1
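Review bot: `rcmail_search_interval_criteria()` carries only a two-line `//` comment and no stated contract, although its return value is appended to the IMAP search string in the `@@ -102` hunk. A docblock should say that it returns null for an empty interval and otherwise a string made only of `BEFORE` or `SINCE` plus a `j-M-Y` date, so that no part of the request value is copied into the criteria. It should also note that the date comes from `new DateTime('now')`, i.e. PHP's default timezone. Two style points in the same function: `$interval[0] == '-'` is better written `$interval[0] === '-'`, and the parameter is reused for the `DateInterval` object, where a separate name such as `$period` would keep the string and the object apart.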