authorAleksander Machniak <alec@alec.pl>2018-04-09 10:07:27 +0300
committerAleksander Machniak <alec@alec.pl>2018-04-09 10:10:01 +0300
commite3dd5b66d236867572e68fcb80281e9268a0cfb0 (patch)
treea6cb93a65b4f7e781664bd3651918782d87fb33d /plugins
parentdc9c9c36a8c7fbb821e55cd5c3cd13f36ab15ef0 (diff)
Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
Diffstat (limited to 'plugins')
-rw-r--r--plugins/archive/archive.php6
-rw-r--r--plugins/managesieve/managesieve.php5
-rw-r--r--plugins/markasjunk/markasjunk.php2
-rw-r--r--plugins/zipdownload/zipdownload.php4
4 files changed, 8 insertions, 9 deletions
diff --git a/plugins/archive/archive.php b/plugins/archive/archive.php
index 286df074f..58a102e81 100644
--- a/plugins/archive/archive.php
+++ b/plugins/archive/archive.php
@@ -127,9 +127,7 @@ class archive extends rcube_plugin
$archive_type = $rcmail->config->get('archive_type', '');
$archive_folder = $rcmail->config->get('archive_mbox');
$archive_prefix = $archive_folder . $delimiter;
- $current_mbox = rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST);
$search_request = rcube_utils::get_input_value('_search', rcube_utils::INPUT_GPC);
- $uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
// count messages before changing anything
if ($_POST['_from'] != 'show') {
@@ -149,8 +147,8 @@ class archive extends rcube_plugin
'destinations' => array(),
);
- foreach (rcmail::get_uids(null, null, $multifolder) as $mbox => $uids) {
- if (!$archive_folder || strpos($mbox, $archive_prefix) === 0) {
+ foreach (rcmail::get_uids(null, null, $multifolder, rcube_utils::INPUT_POST) as $mbox => $uids) {
+ if (!$archive_folder || strpos($mbox, $archive_prefix) === 0) {
$count = count($uids);
continue;
}
diff --git a/plugins/managesieve/managesieve.php b/plugins/managesieve/managesieve.php
index c8241303c..259e91b09 100644
--- a/plugins/managesieve/managesieve.php
+++ b/plugins/managesieve/managesieve.php
@@ -189,9 +189,10 @@ class managesieve extends rcube_plugin
*/
function managesieve_actions()
{
+ $uids = rcmail::get_uids(null, null, $multifolder, rcube_utils::INPUT_POST);
+
// handle fetching email headers for the new filter form
- if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
- $uids = rcmail::get_uids();
+ if (!empty($uids)) {
$mailbox = key($uids);
$message = new rcube_message($uids[$mailbox][0], $mailbox);
$headers = $this->parse_headers($message->headers);
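Review bot: At the new first statement of `managesieve_actions()`, `$multifolder` is handed to `rcmail::get_uids()` without ever being assigned in this function, and the same pattern appears in the markasjunk.php hunk (`$multifolder`) and the zipdownload.php hunk (`$multi`, where the function body visibly starts two lines earlier with no assignment). If that third parameter is by-reference, as the name suggests, PHP creates the variable silently and raises no notice, but the intent is invisible to the reader; a one-line comment such as `// $multifolder is an out-parameter of get_uids(); unused here` at each site would make it clearly deliberate rather than a typo. The replacement guard `if (!empty($uids))` also relies on get_uids() returning an empty array when no `_uid` is posted, and on every mailbox entry holding at least one UID before `$uids[$mailbox][0]` is read, whereas the removed code checked the raw `_uid` value first; both assumptions are worth confirming against get_uids(). `managesieve_actions()` continues past the end of the hunk.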
diff --git a/plugins/markasjunk/markasjunk.php b/plugins/markasjunk/markasjunk.php
index aff3acc84..b022f3bb9 100644
--- a/plugins/markasjunk/markasjunk.php
+++ b/plugins/markasjunk/markasjunk.php
@@ -62,7 +62,7 @@ class markasjunk extends rcube_plugin
$rcmail = rcmail::get_instance();
$storage = $rcmail->get_storage();
- foreach (rcmail::get_uids() as $mbox => $uids) {
+ foreach (rcmail::get_uids(null, null, $multifolder, rcube_utils::INPUT_POST) as $mbox => $uids) {
$storage->unset_flag($uids, 'NONJUNK', $mbox);
$storage->set_flag($uids, 'JUNK', $mbox);
}
diff --git a/plugins/zipdownload/zipdownload.php b/plugins/zipdownload/zipdownload.php
index 383d40063..4759549f9 100644
--- a/plugins/zipdownload/zipdownload.php
+++ b/plugins/zipdownload/zipdownload.php
@@ -175,8 +175,8 @@ class zipdownload extends rcube_plugin
{
$rcmail = rcmail::get_instance();
- if ($rcmail->config->get('zipdownload_selection') && !empty($_POST['_uid'])) {
- $messageset = rcmail::get_uids();
+ if ($rcmail->config->get('zipdownload_selection')) {
+ $messageset = rcmail::get_uids(null, null, $multi, rcube_utils::INPUT_POST);
if (count($messageset)) {
$this->_download_messages($messageset);
}