summaryrefslogtreecommitdiff
path: root/program/steps
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2014-12-16 13:28:48 +0100
committerAleksander Machniak <alec@alec.pl>2014-12-16 13:28:48 +0100
commit681ba6fc3c296cd6cd11050531b8f4e785141786 (patch)
tree77cd99edc9536c1e85e5ee057d231aa3aa5e0aba /program/steps
parent53b7421d4419ce12c62d47e5b1231240cefdc3d5 (diff)
Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
Diffstat (limited to 'program/steps')
-rw-r--r--program/steps/addressbook/delete.inc5
-rw-r--r--program/steps/addressbook/func.inc11
-rw-r--r--program/steps/addressbook/photo.inc10
-rw-r--r--program/steps/mail/compose.inc2
-rw-r--r--program/steps/mail/show.inc8
-rw-r--r--program/steps/settings/func.inc18
-rw-r--r--program/steps/utils/error.inc12
7 files changed, 44 insertions, 22 deletions
diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc
index f5b8e4eb5..9a23c59bb 100644
--- a/program/steps/addressbook/delete.inc
+++ b/program/steps/addressbook/delete.inc
@@ -20,10 +20,11 @@
*/
// process ajax requests only
-if (!$OUTPUT->ajax_call)
+if (!$OUTPUT->ajax_call) {
return;
+}
-$cids = rcmail_get_cids();
+$cids = rcmail_get_cids(null, rcube_utils::INPUT_POST);
$delcnt = 0;
// remove previous deletes
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 008d20174..c40b517dc 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -785,11 +785,12 @@ function rcmail_contact_photo($attrib)
if ($result = $CONTACTS->get_result())
$record = $result->first();
- $photo_img = $attrib['placeholder'] ? $RCMAIL->output->get_skin_file($attrib['placeholder']) : 'program/resources/blank.gif';
+ $photo_img = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : 'program/resources/blank.gif';
if ($record['_type'] == 'group' && $attrib['placeholdergroup'])
- $photo_img = $RCMAIL->output->get_skin_file($attrib['placeholdergroup']);
+ $photo_img = $RCMAIL->output->abs_url($attrib['placeholdergroup'], true);
+
+ $RCMAIL->output->set_env('photo_placeholder', $RCMAIL->output->asset_url($photo_img));
- $RCMAIL->output->set_env('photo_placeholder', $photo_img);
unset($attrib['placeholder']);
$plugin = $RCMAIL->plugins->exec_hook('contact_photo', array('record' => $record, 'data' => $record['photo']));
@@ -896,13 +897,13 @@ function rcmail_search_update($return = false)
*
* @return array List of contact IDs per-source
*/
-function rcmail_get_cids($filter = null)
+function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC)
{
// contact ID (or comma-separated list of IDs) is provided in two
// forms. If _source is an empty string then the ID is a string
// containing contact ID and source name in form: <ID>-<SOURCE>
- $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC);
+ $cid = rcube_utils::get_input_value('_cid', $request_type);
$source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC);
if (is_array($cid)) {
diff --git a/program/steps/addressbook/photo.inc b/program/steps/addressbook/photo.inc
index 30d09ffcc..962ca3126 100644
--- a/program/steps/addressbook/photo.inc
+++ b/program/steps/addressbook/photo.inc
@@ -90,6 +90,12 @@ if (!$cid && $email) {
$RCMAIL->output->future_expire_header(86400);
}
-header('Content-Type: ' . rcube_mime::image_content_type($data));
-echo $data ? $data : file_get_contents('program/resources/blank.gif');
+if ($data) {
+ header('Content-Type: ' . rcube_mime::image_content_type($data));
+ echo $data;
+}
+else {
+ header('Content-Type: image/gif');
+ echo base64_decode(rcmail_output::BLANK_GIF);
+}
exit;
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 5492f390d..fd25cf402 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -951,7 +951,7 @@ function rcmail_compose_body($attrib)
"googie.setCurrentLanguage('%s');\n".
"googie.setDecoration(false);\n".
"googie.decorateTextarea('%s');\n",
- $RCMAIL->output->get_skin_path(),
+ $RCMAIL->output->asset_url($RCMAIL->output->get_skin_path()),
$RCMAIL->url(array('_task' => 'utils', '_action' => 'spell', '_remote' => 1)),
!empty($dictionary) ? 'true' : 'false',
rcube::JQ(rcube::Q($RCMAIL->gettext('checkspelling'))),
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index 5adc97900..d9233a923 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -341,20 +341,20 @@ function rcmail_message_contactphoto($attrib)
{
global $RCMAIL, $MESSAGE;
- $placeholder = $attrib['placeholder'] ? $RCMAIL->config->get('skin_path') . $attrib['placeholder'] : null;
+ $placeholder = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : null;
+ $placeholder = $RCMAIL->output->asset_url($placeholder ? $placeholder : 'program/resources/blank.gif');
if ($MESSAGE->sender) {
$photo_img = $RCMAIL->url(array(
'_task' => 'addressbook',
'_action' => 'photo',
'_email' => $MESSAGE->sender['mailto'],
- '_alt' => $placeholder,
));
- $attrib['onerror'] = "this.src = '" . ($placeholder ? $placeholder : 'program/resources/blank.gif') . "'";
+ $attrib['onerror'] = "this.src = '$placeholder'";
}
else {
- $photo_img = $placeholder ? $placeholder : 'program/resources/blank.gif';
+ $photo_img = $placeholder;
}
return html::img(array('src' => $photo_img, 'alt' => $RCMAIL->gettext('contactphoto')) + $attrib);
diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc
index f700e4f77..486e679c9 100644
--- a/program/steps/settings/func.inc
+++ b/program/steps/settings/func.inc
@@ -334,13 +334,10 @@ function rcmail_user_prefs($current = null)
$input = new html_radiobutton(array('name'=>'_skin'));
foreach ($skins as $skin) {
- $thumbnail = "./skins/$skin/thumbnail.png";
- if (!is_file($thumbnail))
- $thumbnail = './program/resources/blank.gif';
-
+ $thumbnail = "skins/$skin/thumbnail.png";
$skinname = ucfirst($skin);
$author_link = $license_link = '';
- $meta = @json_decode(@file_get_contents("./skins/$skin/meta.json"), true);
+ $meta = @json_decode(@file_get_contents(INSTALL_PATH . "skins/$skin/meta.json"), true);
if (is_array($meta) && $meta['name']) {
$skinname = $meta['name'];
@@ -348,10 +345,19 @@ function rcmail_user_prefs($current = null)
$license_link = $meta['license-url'] ? html::a(array('href' => $meta['license-url'], 'target' => '_blank', 'tabindex' => '-1'), rcube::Q($meta['license'])) : rcube::Q($meta['license']);
}
+ $img = html::img(array(
+ 'src' => $thumbnail,
+ 'class' => 'skinthumbnail',
+ 'alt' => $skin,
+ 'width' => 64,
+ 'height' => 64,
+ 'onerror' => "this.src = rcmail.assets_path('program/resources/blank.gif')",
+ ));
+
$skinnames[] = mb_strtolower($skinname);
$blocks['skin']['options'][$skin]['content'] = html::label(array('class' => 'skinselection'),
html::span('skinitem', $input->show($config['skin'], array('value' => $skin, 'id' => $field_id.$skin))) .
- html::span('skinitem', html::img(array('src' => $thumbnail, 'class' => 'skinthumbnail', 'alt' => $skin, 'width' => 64, 'height' => 64))) .
+ html::span('skinitem', $img) .
html::span('skinitem', html::span('skinname', rcube::Q($skinname)) . html::br() .
html::span('skinauthor', $author_link ? 'by ' . $author_link : '') . html::br() .
html::span('skinlicense', $license_link ? $RCMAIL->gettext('license').':&nbsp;' . $license_link : ''))
diff --git a/program/steps/utils/error.inc b/program/steps/utils/error.inc
index ec0d038f4..6bbc57fda 100644
--- a/program/steps/utils/error.inc
+++ b/program/steps/utils/error.inc
@@ -50,9 +50,17 @@ else if ($ERROR_CODE == 401) {
// forbidden due to request check
else if ($ERROR_CODE == 403) {
+ if ($_SERVER['REQUEST_METHOD'] == 'GET' && $rcmail->request_status == rcube::REQUEST_ERROR_URL) {
+ parse_str($_SERVER['QUERY_STRING'], $url);
+ $url = $rcmail->url($url, true, false, true);
+ $add = "<br /><a href=\"$url\">Click here to try again.<a/>";
+ }
+ else {
+ $add = "Please contact your server-administrator.";
+ }
+
$__error_title = "REQUEST CHECK FAILED";
- $__error_text = "Access to this service was denied due to failing security checks!<br />\n"
- . "Please contact your server-administrator.";
+ $__error_text = "Access to this service was denied due to failing security checks!<br />\n$add";
}
// failed request (wrong step in URL)