Fix check_request() bypass in plugins using get_uids() (#6238)

[CVE-2018-9846]
6 years ago · aaafe8f917
parent 498ff0a283
commit aaafe8f917
4 changed files with 12 additions and 6 deletions
--- a/1
+++ b/1
@ -3,6 +3,7 @@ CHANGELOG Roundcube Webmail

 - Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
 - Fix security issue in remote content blocking on HTML image and style tags (#6178)
+- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
 - Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)

 RELEASE 1.1.10
--- a/plugins/archive/archive.php
+++ b/plugins/archive/archive.php
@ -122,8 +122,10 @@ class archive extends rcube_plugin
      $index = $storage->index(null, rcmail_sort_column(), rcmail_sort_order());
      $messageset = array($current_mbox => $index->get());
    }
-    else {
-      $messageset = rcmail::get_uids();
+    else if (!empty($uids)) {
+      $messageset = rcmail::get_uids($uids, $current_mbox);
+    } else {
+      $messageset = array();
    }

    foreach ($messageset as $mbox => $uids) {
--- a/plugins/managesieve/managesieve.php
+++ b/plugins/managesieve/managesieve.php
@ -191,7 +191,7 @@ class managesieve extends rcube_plugin
    {
        // handle fetching email headers for the new filter form
        if ($uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST)) {
-            $uids    = rcmail::get_uids();
+            $uids    = rcmail::get_uids($uid);
            $mailbox = key($uids);
            $message = new rcube_message($uids[$mailbox][0], $mailbox);
            $headers = $this->parse_headers($message->headers);
--- a/plugins/markasjunk/markasjunk.php
+++ b/plugins/markasjunk/markasjunk.php
@ -58,10 +58,13 @@ class markasjunk extends rcube_plugin

    $rcmail  = rcmail::get_instance();
    $storage = $rcmail->get_storage();
+    $uids    = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);

-    foreach (rcmail::get_uids() as $mbox => $uids) {
-      $storage->unset_flag($uids, 'NONJUNK', $mbox);
-      $storage->set_flag($uids, 'JUNK', $mbox);
+    if (!empty($uids)) {
+      foreach (rcmail::get_uids($uids) as $mbox => $uids) {
+        $storage->unset_flag($uids, 'NONJUNK', $mbox);
+        $storage->set_flag($uids, 'JUNK', $mbox);
+      }
    }

    if (($junk_mbox = $rcmail->config->get('junk_mbox'))) {