From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Tue, 16 Dec 2014 13:28:48 +0100
Subject: Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
---
program/steps/addressbook/photo.inc | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'program/steps/addressbook/photo.inc')
diff --git a/program/steps/addressbook/photo.inc b/program/steps/addressbook/photo.inc
index 30d09ffcc..962ca3126 100644
--- a/program/steps/addressbook/photo.inc
+++ b/program/steps/addressbook/photo.inc
@@ -90,6 +90,12 @@ if (!$cid && $email) {
     $RCMAIL->output->future_expire_header(86400);
 }
 
-header('Content-Type: ' . rcube_mime::image_content_type($data));
-echo $data ? $data : file_get_contents('program/resources/blank.gif');
+if ($data) {
+    header('Content-Type: ' . rcube_mime::image_content_type($data));
+    echo $data;
+}
+else {
+    header('Content-Type: image/gif');
+    echo base64_decode(rcmail_output::BLANK_GIF);
+}
 exit;
-- cgit v1.2.3
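Review bot: In the new `if ($data)` branch the stored photo bytes are echoed unchanged under whatever type `rcube_mime::image_content_type($data)` reports, so a contact "photo" that is not a real image is served with that helper's fallback type and, if the fallback is generic, a browser may content-sniff the body rather than treat it as an image. Sending `header('X-Content-Type-Options: nosniff');` before the `if` (so both branches get it) makes the response safe independent of what the helper returns for unrecognised data. I cannot see image_content_type() on this page, so whether it rejects or defaults on non-image input should be confirmed against its definition. The `if (!$cid && $email)` block named in the hunk header starts above the hunk; only its closing lines are visible here.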