summaryrefslogtreecommitdiff
path: root/program/steps/addressbook
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2014-12-16 13:28:48 +0100
committerAleksander Machniak <alec@alec.pl>2014-12-16 13:28:48 +0100
commit681ba6fc3c296cd6cd11050531b8f4e785141786 (patch)
tree77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /program/steps/addressbook
parent53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff)
Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program/steps/addressbook')
-rw-r--r--program/steps/addressbook/delete.inc5
-rw-r--r--program/steps/addressbook/func.inc11
-rw-r--r--program/steps/addressbook/photo.inc10
3 files changed, 17 insertions, 9 deletions
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc
index f5b8e4eb5..9a23c59bb 100644
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@@ -20,10 +20,11 @@
*/
// process ajax requests only
-if (!$OUTPUT->ajax_call)
+if (!$OUTPUT->ajax_call) {
return;
+}
-$cids = rcmail_get_cids();
+$cids = rcmail_get_cids(null, rcube_utils::INPUT_POST);
$delcnt = 0;
// remove previous deletes
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 008d20174..c40b517dc 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -785,11 +785,12 @@ function rcmail_contact_photo($attrib)
if ($result = $CONTACTS->get_result())
$record = $result->first();
- $photo_img = $attrib['placeholder'] ? $RCMAIL->output->get_skin_file($attrib['placeholder']) : 'program/resources/blank.gif';
+ $photo_img = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : 'program/resources/blank.gif';
if ($record['_type'] == 'group' && $attrib['placeholdergroup'])
- $photo_img = $RCMAIL->output->get_skin_file($attrib['placeholdergroup']);
+ $photo_img = $RCMAIL->output->abs_url($attrib['placeholdergroup'], true);
+
+ $RCMAIL->output->set_env('photo_placeholder', $RCMAIL->output->asset_url($photo_img));
- $RCMAIL->output->set_env('photo_placeholder', $photo_img);
unset($attrib['placeholder']);
$plugin = $RCMAIL->plugins->exec_hook('contact_photo', array('record' => $record, 'data' => $record['photo']));
@@ -896,13 +897,13 @@ function rcmail_search_update($return = false)
*
* @return array List of contact IDs per-source
*/
-function rcmail_get_cids($filter = null)
+function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC)
{
// contact ID (or comma-separated list of IDs) is provided in two
// forms. If _source is an empty string then the ID is a string
// containing contact ID and source name in form: <ID>-<SOURCE>
- $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC);
+ $cid = rcube_utils::get_input_value('_cid', $request_type);
$source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC);
if (is_array($cid)) {
diff --git a/program/steps/addressbook/photo.inc b/program/steps/addressbook/photo.inc
index 30d09ffcc..962ca3126 100644
--- a/program/steps/addressbook/photo.inc
+++ b/program/steps/addressbook/photo.inc
@@ -90,6 +90,12 @@ if (!$cid && $email) {
$RCMAIL->output->future_expire_header(86400);
}
-header('Content-Type: ' . rcube_mime::image_content_type($data));
-echo $data ? $data : file_get_contents('program/resources/blank.gif');
+if ($data) {
+ header('Content-Type: ' . rcube_mime::image_content_type($data));
+ echo $data;
+}
+else {
+ header('Content-Type: image/gif');
+ echo base64_decode(rcmail_output::BLANK_GIF);
+}
exit;