From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Tue, 16 Dec 2014 13:28:48 +0100
Subject: Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
---
 program/steps/addressbook/func.inc | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'program/steps/addressbook/func.inc')
diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc
index 008d20174..c40b517dc 100644
--- a/program/steps/addressbook/func.inc
+++ b/program/steps/addressbook/func.inc
@@ -785,11 +785,12 @@ function rcmail_contact_photo($attrib)
 if ($result = $CONTACTS->get_result())
 $record = $result->first();
- $photo_img = $attrib['placeholder'] ? $RCMAIL->output->get_skin_file($attrib['placeholder']) : 'program/resources/blank.gif';
+ $photo_img = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : 'program/resources/blank.gif';
 if ($record['_type'] == 'group' && $attrib['placeholdergroup'])
- $photo_img = $RCMAIL->output->get_skin_file($attrib['placeholdergroup']);
+ $photo_img = $RCMAIL->output->abs_url($attrib['placeholdergroup'], true);
+
+ $RCMAIL->output->set_env('photo_placeholder', $RCMAIL->output->asset_url($photo_img));
- $RCMAIL->output->set_env('photo_placeholder', $photo_img);
 unset($attrib['placeholder']);
 $plugin = $RCMAIL->plugins->exec_hook('contact_photo', array('record' => $record, 'data' => $record['photo']));
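Review bot: The fallback `'program/resources/blank.gif'` bypasses `abs_url()` while both skin-supplied placeholders go through `abs_url(..., true)`, so the new `asset_url($photo_img)` call receives two differently shaped values depending on the branch. It is worth confirming that `asset_url()` resolves the bare relative path and an already-resolved skin URL the same way, and stating that in a one-line comment above the `set_env()` call. The bare `true` passed to `abs_url()` is also unexplained at the call site; a short comment naming what the flag selects would help the next reader. `rcmail_contact_photo()` starts before and continues past this hunk.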
@@ -896,13 +897,13 @@ function rcmail_search_update($return = false)
 *
 * @return array List of contact IDs per-source
 */
-function rcmail_get_cids($filter = null)
+function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC)
 {
 // contact ID (or comma-separated list of IDs) is provided in two
 // forms. If _source is an empty string then the ID is a string
 // containing contact ID and source name in form: -
- $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC);
+ $cid = rcube_utils::get_input_value('_cid', $request_type);
 $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC);
 if (is_array($cid)) {
--
cgit v1.2.3
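Review bot: `_source` is still read with `rcube_utils::INPUT_GPC` on the line after the changed `$cid` read, so a caller that passes a stricter `$request_type` narrows only `_cid`, while the source name paired with each ID can still arrive in the query string or a cookie. If the new parameter is meant to pin the whole contact selection to one request method as part of the CSRF hardening, that line should read `$source = (string) rcube_utils::get_input_value('_source', $request_type);`; if the mix is deliberate, a comment should say why. The docblock above the function gets no `@param` line for `$request_type`, for example `@param int $request_type Input source for _cid (rcube_utils::INPUT_* constant)`. The function body continues outside the hunk.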