summaryrefslogtreecommitdiff
path: root/bin
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2008-12-24 14:19:27 +0000
committerthomascube <thomas@roundcube.net>2008-12-24 14:19:27 +0000
commit1608f432826a41e035ee7ddb0dd409bbcf559b43 (patch)
tree6133278a5f2e3a3e146734530a283cdfe9188b0b /bin
parent4e0419b9cb984249b823e9484a2d63eb74fd156c (diff)
Secure bin scripts by requiring a valid session and replace preg_replace(/../e) with preg_replace_callback
Diffstat (limited to 'bin')
-rw-r--r--bin/html2text.php16
-rw-r--r--bin/modcss.php10
-rw-r--r--bin/quotaimg.php12
3 files changed, 28 insertions, 10 deletions
diff --git a/bin/html2text.php b/bin/html2text.php
index 3839f5d34..82a4044f8 100644
--- a/bin/html2text.php
+++ b/bin/html2text.php
@@ -20,11 +20,19 @@
*/
define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
-$converter = new html2text($HTTP_RAW_POST_DATA);
+$RCMAIL = rcmail::get_instance();
-header('Content-Type: text/plain; charset=UTF-8');
-print trim($converter->get_text());
+if (!empty($RCMAIL->user->ID)) {
+ $converter = new html2text($HTTP_RAW_POST_DATA);
+
+ header('Content-Type: text/plain; charset=UTF-8');
+ print trim($converter->get_text());
+}
+else {
+ header("HTTP/1.0 403 Forbidden");
+ echo "Requires a valid user session";
+}
?>
diff --git a/bin/modcss.php b/bin/modcss.php
index 08da36707..d0a3cc934 100644
--- a/bin/modcss.php
+++ b/bin/modcss.php
@@ -20,10 +20,12 @@
*/
define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
$source = "";
-if ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u']))
+if (!empty($RCMAIL->user->ID) && ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u'])))
{
$a_uri = parse_url($url);
$port = $a_uri['port'] ? $a_uri['port'] : 80;
@@ -59,7 +61,9 @@ if (!empty($source))
header("Content-Type: text/css");
echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']), $url);
}
-else
+else {
header("HTTP/1.0 404 Not Found");
+ echo "Requires a valid user session and source url";
+}
?>
diff --git a/bin/quotaimg.php b/bin/quotaimg.php
index dfec24150..a15c4c372 100644
--- a/bin/quotaimg.php
+++ b/bin/quotaimg.php
@@ -18,6 +18,11 @@
*/
+define('INSTALL_PATH', realpath(dirname(__FILE__).'/..') . '/');
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
+
$used = isset($_GET['u']) ? intval($_GET['u']) : '??';
$quota = isset($_GET['q']) ? intval($_GET['q']) : '??';
$width = empty($_GET['w']) ? 100 : min(300, intval($_GET['w']));
@@ -186,11 +191,12 @@ function genQuota($used, $total, $width, $height)
imagedestroy($im);
}
-if ($width > 1 && $height > 1) {
- genQuota($used, $quota, $width, $height);
+if (!empty($RCMAIL->user->ID) && $width > 1 && $height > 1) {
+ genQuota($used, $quota, $width, $height);
}
else {
- header("HTTP/1.0 404 Not Found");
+ header("HTTP/1.0 403 Forbidden");
+ echo "Requires a valid user session and positive values";
}
exit;