From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/zipdownload/zipdownload.php |   18 +++++++++---------
 1 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/plugins/zipdownload/zipdownload.php b/plugins/zipdownload/zipdownload.php
index be4ece4..443fef7 100644
--- a/plugins/zipdownload/zipdownload.php
+++ b/plugins/zipdownload/zipdownload.php
@@ -22,7 +22,7 @@
 	{
 		// check requirements first
 		if (!class_exists('ZipArchive', false)) {
-			rcube::raise_error(array(
+			rcmail::raise_error(array(
 				'code' => 520, 'type' => 'php',
 				'file' => __FILE__, 'line' => __LINE__,
 				'message' => "php_zip extension is required for the zipdownload plugin"), true, false);
@@ -30,9 +30,9 @@
 		}
 
 		$rcmail = rcmail::get_instance();
-		$this->charset = $rcmail->config->get('zipdownload_charset', RCMAIL_CHARSET);
 
 		$this->load_config();
+		$this->charset = $rcmail->config->get('zipdownload_charset', RCUBE_CHARSET);
 		$this->add_texts('localization');
 
 		if ($rcmail->config->get('zipdownload_attachments', 1) > -1 && ($rcmail->action == 'show' || $rcmail->action == 'preview'))
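Review bot: The move of the `$this->charset` assignment below `$this->load_config()` looks load-bearing but is not documented, so a later tidy-up could easily hoist it back. Presumably the plugin's own config file is only merged by `load_config()`, and reading `zipdownload_charset` earlier would always return the default. A one-line comment above the assignment would pin this, e.g. `// must run after load_config(), otherwise zipdownload_charset from the plugin config is not visible yet`. The enclosing method starts and ends outside this hunk.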
@@ -70,7 +70,7 @@
 			);
 
 			// append link to attachments list, slightly different in some skins
-			switch (rcube::get_instance()->config->get('skin')) {
+			switch (rcmail::get_instance()->config->get('skin')) {
 				case 'classic':
 					$p['content'] = str_replace('</ul>', html::tag('li', array('class' => 'zipdownload'), $link) . '</ul>', $p['content']);
 					break;
@@ -105,7 +105,7 @@
 		foreach ($message->attachments as $part) {
 			$pid = $part->mime_id;
 			$part = $message->mime_parts[$pid];
-			$disp_name = $this->_convert_filename($part->filename, $part->charset);
+			$disp_name = $this->_convert_filename($part->filename);
 
 			if ($part->body) {
 				$orig_message_raw = $part->body;
@@ -208,7 +208,7 @@
 				$disp_name = "message_rfc822.eml";
 
 			$disp_name = $uid . "_" . $disp_name;
-			
+
 			$tmpfn = tempnam($temp_dir, 'zipmessage');
 			$tmpfp = fopen($tmpfn, 'w');
 			$imap->get_raw_body($uid, $tmpfp);
@@ -258,10 +258,10 @@
 	/**
 	 * Helper function to convert filenames to the configured charset
 	 */
-	private function _convert_filename($str, $from = RCMAIL_CHARSET)
+	private function _convert_filename($str)
 	{
-		return strtr(rcube_charset_convert($str, $from, $this->charset), array(':'=>'', '/'=>'-'));
+        $str = rcube_charset::convert($str, RCUBE_CHARSET, $this->charset);
+
+		return strtr($str, array(':'=>'', '/'=>'-'));
 	}
 }
-
-?>
\ No newline at end of file
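Review bot: `_convert_filename()` still neutralises only `:` and `/` in a name taken from the message's attachments (call site in the `@@ -105,7` hunk), so a backslash or control character in `$part->filename` passes through to what is presumably the archive entry name, and extraction tools that treat `\` as a separator may then resolve it as a nested or parent path. Consider sanitising the internal-charset string before converting, so the byte-wise `strtr` cannot hit a trail byte of a multi-byte target charset: `$str = strtr($str, array(':'=>'', '/'=>'-', '\\'=>'-'));` followed by `return rcube_charset::convert($str, RCUBE_CHARSET, $this->charset);`. The new `$str = rcube_charset::convert(...)` line is indented with spaces while the surrounding lines use tabs. Separately, the subject line refers to `_session` handling in utils/save-prefs, but the diffstat lists only this plugin file, so the security fix itself is not visible in this patch and should be confirmed against the referenced ticket.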

--
Gitblit v1.9.1