From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/steps/settings/responses.inc |   12 +++++-------
 1 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/program/steps/settings/responses.inc b/program/steps/settings/responses.inc
index 06093b3..1b88640 100644
--- a/program/steps/settings/responses.inc
+++ b/program/steps/settings/responses.inc
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | program/steps/settings/responses.inc                                  |
  |                                                                       |
@@ -51,8 +51,8 @@
     $RCMAIL->output->send();
 }
 
-if ($RCMAIL->action == 'delete-response') {
-    if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_GPC)) {
+if ($RCMAIL->action == 'delete-response' && $RCMAIL->output->ajax_call) {
+    if ($key = rcube_utils::get_input_value('_key', rcube_utils::INPUT_POST)) {
         $responses = $RCMAIL->get_compose_responses(false, true);
         foreach ($responses as $i => $response) {
             if (empty($response['key']))
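Review bot: The tightened `delete-response` guard relies on `ajax_call` plus `INPUT_POST`, but nothing in this hunk verifies a request token, so the CSRF protection depends on a check made elsewhere, presumably before this step file is included. A comment above the condition would record that dependency, e.g. `// state-changing action: AJAX POST only; request token must already be validated by the caller`. A non-AJAX request carrying this action now skips the block and falls through to the rest of the file rather than being rejected; that looks intended, but it is worth stating in the same comment. The `foreach` body continues outside the hunk, so the key comparison itself is not reviewed here.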
@@ -70,9 +70,7 @@
         $RCMAIL->output->command('remove_response', $key);
     }
 
-    if ($RCMAIL->output->ajax_call) {
-        $RCMAIL->output->send();
-    }
+    $RCMAIL->output->send();
 }
 
 
@@ -95,7 +93,7 @@
 {
     global $RCMAIL, $OUTPUT;
 
-    $attrib += array('id' => 'rcmresponseslist', 'tagname' => 'table', 'cols' => 1);
+    $attrib += array('id' => 'rcmresponseslist', 'tagname' => 'table');
 
     $plugin = $RCMAIL->plugins->exec_hook('responses_list', array(
         'list' => $RCMAIL->get_compose_responses(true),
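Review bot: Dropping the `'cols' => 1` default from `$attrib` is not explained by the commit subject, which is about securing export downloads. Whether the list rendering further down still needs a column count is not visible, because the function body continues outside the hunk. If the default is simply unused, a short line in the commit message would say so; otherwise this layout change would be easier to audit and revert as its own commit, separate from the security fix.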

--
Gitblit v1.9.1