From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Tue, 16 Dec 2014 13:28:48 +0100 Subject: Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests --- program/steps/addressbook/delete.inc | 5 +++-- program/steps/addressbook/func.inc | 11 ++++++----- program/steps/addressbook/photo.inc | 10 ++++++++-- 3 files changed, 17 insertions(+), 9 deletions(-) (limited to 'program/steps/addressbook') diff --git a/program/steps/addressbook/delete.inc b/program/steps/addressbook/delete.inc index f5b8e4eb5..9a23c59bb 100644 --- a/program/steps/addressbook/delete.inc +++ b/program/steps/addressbook/delete.inc @@ -20,10 +20,11 @@ */ // process ajax requests only -if (!$OUTPUT->ajax_call) +if (!$OUTPUT->ajax_call) { return; +} -$cids = rcmail_get_cids(); +$cids = rcmail_get_cids(null, rcube_utils::INPUT_POST); $delcnt = 0; // remove previous deletes diff --git a/program/steps/addressbook/func.inc b/program/steps/addressbook/func.inc index 008d20174..c40b517dc 100644 --- a/program/steps/addressbook/func.inc +++ b/program/steps/addressbook/func.inc @@ -785,11 +785,12 @@ function rcmail_contact_photo($attrib) if ($result = $CONTACTS->get_result()) $record = $result->first(); - $photo_img = $attrib['placeholder'] ? $RCMAIL->output->get_skin_file($attrib['placeholder']) : 'program/resources/blank.gif'; + $photo_img = $attrib['placeholder'] ? $RCMAIL->output->abs_url($attrib['placeholder'], true) : 'program/resources/blank.gif'; if ($record['_type'] == 'group' && $attrib['placeholdergroup']) - $photo_img = $RCMAIL->output->get_skin_file($attrib['placeholdergroup']); + $photo_img = $RCMAIL->output->abs_url($attrib['placeholdergroup'], true); + + $RCMAIL->output->set_env('photo_placeholder', $RCMAIL->output->asset_url($photo_img)); - $RCMAIL->output->set_env('photo_placeholder', $photo_img); unset($attrib['placeholder']); $plugin = $RCMAIL->plugins->exec_hook('contact_photo', array('record' => $record, 'data' => $record['photo'])); @@ -896,13 +897,13 @@ function rcmail_search_update($return = false) * * @return array List of contact IDs per-source */ -function rcmail_get_cids($filter = null) +function rcmail_get_cids($filter = null, $request_type = rcube_utils::INPUT_GPC) { // contact ID (or comma-separated list of IDs) is provided in two // forms. If _source is an empty string then the ID is a string // containing contact ID and source name in form: - - $cid = rcube_utils::get_input_value('_cid', rcube_utils::INPUT_GPC); + $cid = rcube_utils::get_input_value('_cid', $request_type); $source = (string) rcube_utils::get_input_value('_source', rcube_utils::INPUT_GPC); if (is_array($cid)) { diff --git a/program/steps/addressbook/photo.inc b/program/steps/addressbook/photo.inc index 30d09ffcc..962ca3126 100644 --- a/program/steps/addressbook/photo.inc +++ b/program/steps/addressbook/photo.inc @@ -90,6 +90,12 @@ if (!$cid && $email) { $RCMAIL->output->future_expire_header(86400); } -header('Content-Type: ' . rcube_mime::image_content_type($data)); -echo $data ? $data : file_get_contents('program/resources/blank.gif'); +if ($data) { + header('Content-Type: ' . rcube_mime::image_content_type($data)); + echo $data; +} +else { + header('Content-Type: image/gif'); + echo base64_decode(rcmail_output::BLANK_GIF); +} exit; -- cgit v1.2.3