Fix missing CSRF token in message download (#6621)

6 years ago · 136175e445
parent 641a67fe75
commit 136175e445
1 changed files with 3 additions and 2 deletions
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@ -609,6 +609,7 @@ function rcmail_message_body($attrib)
    $safe_mode = $MESSAGE->is_safe || intval($_GET['_safe']);
    $out       = '';
    $part_no   = 0;
+    $token     = $RCMAIL->get_request_token();

    $header_attrib = array();
    foreach ($attrib as $attr => $value) {
@ -647,7 +648,7 @@ function rcmail_message_body($attrib)
                // #1487424: we need up to 10x more memory than the body
                else if (!rcube_utils::mem_check($part->size * 10)) {
                    $out .= html::span('part-notice', $RCMAIL->gettext('messagetoobig'). ' '
-                        . html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part='.$part->mime_id
+                        . html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_token='.$token.'&_part='.$part->mime_id
                            .'&_mbox='. urlencode($MESSAGE->folder), $RCMAIL->gettext('download')));
                    continue;
                }
@ -698,7 +699,7 @@ function rcmail_message_body($attrib)
        // #1487424: we need up to 10x more memory than the body
        if (!rcube_utils::mem_check(strlen($MESSAGE->body) * 10)) {
            $out .= html::span('part-notice', $RCMAIL->gettext('messagetoobig'). ' '
-                . html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part=0'
+                . html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_token='.$token.'&_part=0'
                    .'&_mbox='. urlencode($MESSAGE->folder), $RCMAIL->gettext('download')));
        }
        else {