diff options
| author | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2014-12-16 13:28:48 +0100 |
| commit | 681ba6fc3c296cd6cd11050531b8f4e785141786 (patch) | |
| tree | 77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /program/steps/addressbook/func.inc | |
| parent | 53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff) | |
Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program/steps/addressbook/func.inc')
| -rw-r--r-- | program/steps/addressbook/func.inc | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 008d20174..c40b517dc 100644 --- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -785,11 +785,12 @@ function rcmail_contact_photo($attrib) if ($result = $CONTACTS->get_result()) $record = $result->first(); - $photo_img = $attrib['placeholder'] ? $RCMAIL->output->get_skin_file($attrib['placeholder']) : 'program/resources/blank.gif'; + $photo_img = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : 'program/resources/blank.gif'; if ($record['_type'] == 'group' && $attrib['placeholdergroup']) - $photo_img = $RCMAIL->output->get_skin_file($attrib['placeholdergroup']); + $photo_img = $RCMAIL->output->abs_url($attrib['placeholdergroup'], true); + + $RCMAIL->output->set_env('photo_placeholder', $RCMAIL->output->asset_url($photo_img)); - $RCMAIL->output->set_env('photo_placeholder', $photo_img); unset($attrib['placeholder']); $plugin = $RCMAIL->plugins->exec_hook('contact_photo', array('record' => $record, 'data' => $record['photo'])); @@ -896,13 +897,13 @@ function rcmail_search_update($return = false) * * @return array List of contact IDs per-source */ -function rcmail_get_cids($filter = null) +function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC) { // contact ID (or comma-separated list of IDs) is provided in two // forms. If _source is an empty string then the ID is a string // containing contact ID and source name in form: <ID>-<SOURCE> - $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC); + $cid = rcube_utils::get_input_value('_cid', $request_type); $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); if (is_array($cid)) { |