Fix check_request() bypass in places using get_uids() (#6238)

[CVE-2018-9846]

CHANGELOG

@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
 - Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
 - Fix security issue in remote content blocking on HTML image and style tags (#6178)
 

plugins/archive/archive.php

@@ -123,7 +123,7 @@ class archive extends rcube_plugin
       $messageset = array($current_mbox => $index->get());
     }
     else {
-      $messageset = rcmail::get_uids();
+      $messageset = rcmail::get_uids($uids, $current_mbox);
     }
 
     foreach ($messageset as $mbox => $uids) {

plugins/managesieve/managesieve.php

@@ -190,8 +190,8 @@ class managesieve extends rcube_plugin
     function managesieve_actions()
     {
         // handle fetching email headers for the new filter form
-        if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
-            $uids    = rcmail::get_uids();
+        if ($_uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
+            $uids    = rcmail::get_uids($_uid);
             $mailbox = key($uids);
             $message = new rcube_message($uids[$mailbox][0], $mailbox);
             $headers = $this->parse_headers($message->headers);

plugins/markasjunk/markasjunk.php

@@ -63,7 +63,7 @@ class markasjunk extends rcube_plugin
         $rcmail  = rcmail::get_instance();
         $storage = $rcmail->get_storage();
 
-        foreach (rcmail::get_uids() as $mbox => $uids) {
+        foreach (rcmail::get_uids(rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) as $mbox => $uids) {
             $storage->unset_flag($uids, 'NONJUNK', $mbox);
             $storage->set_flag($uids, 'JUNK', $mbox);
         }