From 5b7e9a2c960eb4fd2364921297020a5dcd2d7dbc Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Tue, 17 Apr 2018 13:44:26 +0200
Subject: [PATCH] Fix check_request() bypass in places using get_uids() (#6238)

[CVE-2018-9846]
---
 CHANGELOG                           | 1 +
 plugins/archive/archive.php         | 2 +-
 plugins/managesieve/managesieve.php | 4 ++--
 plugins/markasjunk/markasjunk.php   | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 6ab0bce3f..52c01e8b5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
 - Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
 - Fix security issue in remote content blocking on HTML image and style tags (#6178)
 
diff --git a/plugins/archive/archive.php b/plugins/archive/archive.php
index a472174a0..98d6fc091 100644
--- a/plugins/archive/archive.php
+++ b/plugins/archive/archive.php
@@ -123,7 +123,7 @@ class archive extends rcube_plugin
       $messageset = array($current_mbox => $index->get());
     }
     else {
-      $messageset = rcmail::get_uids();
+      $messageset = rcmail::get_uids($uids, $current_mbox);
     }
 
     foreach ($messageset as $mbox => $uids) {
diff --git a/plugins/managesieve/managesieve.php b/plugins/managesieve/managesieve.php
index 68d56a1ab..9375a2e4f 100644
--- a/plugins/managesieve/managesieve.php
+++ b/plugins/managesieve/managesieve.php
@@ -190,8 +190,8 @@ class managesieve extends rcube_plugin
     function managesieve_actions()
     {
         // handle fetching email headers for the new filter form
-        if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
-            $uids    = rcmail::get_uids();
+        if ($_uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
+            $uids    = rcmail::get_uids($_uid);
             $mailbox = key($uids);
             $message = new rcube_message($uids[$mailbox][0], $mailbox);
             $headers = $this->parse_headers($message->headers);
diff --git a/plugins/markasjunk/markasjunk.php b/plugins/markasjunk/markasjunk.php
index 1f92390e5..981e774cd 100644
--- a/plugins/markasjunk/markasjunk.php
+++ b/plugins/markasjunk/markasjunk.php
@@ -63,7 +63,7 @@ class markasjunk extends rcube_plugin
         $rcmail  = rcmail::get_instance();
         $storage = $rcmail->get_storage();
 
-        foreach (rcmail::get_uids() as $mbox => $uids) {
+        foreach (rcmail::get_uids(rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) as $mbox => $uids) {
             $storage->unset_flag($uids, 'NONJUNK', $mbox);
             $storage->set_flag($uids, 'JUNK', $mbox);
         }