| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2008-12-24 14:19:27 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2008-12-24 14:19:27 +0000 |
| commit | 3e3fafb16ed867f82123931de222286bd34a05c3 (patch) | |
| tree | 70bcd0c2623c2f05e86312b1366390434795b3cc /roundcubemail/bin/modcss.php | |
| parent | ed39505e00f9db64f1f029f07a320bd2cd142ccd (diff) | |
Secure bin scripts by requiring a valid session and replace preg_replace(/../e) with preg_replace_callback
git-svn-id: https://svn.roundcube.net/trunk@2187 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/bin/modcss.php')
| -rw-r--r-- | roundcubemail/bin/modcss.php | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/roundcubemail/bin/modcss.php b/roundcubemail/bin/modcss.php
index 08da36707..d0a3cc934 100644
--- a/roundcubemail/bin/modcss.php
+++ b/roundcubemail/bin/modcss.php
@@ -20,10 +20,12 @@
 */
 define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
 $source = "";
-if ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u']))
+if (!empty($RCMAIL->user->ID) && ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u'])))
 {
 $a_uri = parse_url($url);
 $port = $a_uri['port'] ? $a_uri['port'] : 80;
@@ -59,7 +61,9 @@ if (!empty($source))
 header("Content-Type: text/css");
 echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']), $url);
 }
-else
+else {
 header("HTTP/1.0 404 Not Found");
+ echo "Requires a valid user session and source url";
+}
 ?> |
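Review bot: In the first hunk's rewritten `if`, the character class `[^a-z0-9.-_\?\$&=%]` contains `.-_`, which PCRE reads as a range from `.` to `_`, so `/`, `:`, `;`, `<`, `>`, `@`, `[`, `\`, `]` and `^` all pass the filter although the pattern does not list them. The class should name exactly what a stylesheet URL needs and put the hyphen last, e.g. `preg_replace('/[^a-z0-9._\/:?$&=%-]/i', '', $_GET['u'])`. The added session check narrows who can call the script, but the host and port are still taken from `u` (`parse_url($url)`, `$a_uri['port']`), so a scheme, host and port check before the request would be worth adding. The fetch itself is outside the hunk, so that last part is inferred from the visible lines.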
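Review bot: The new `else { … }` branch in the second hunk answers a missing session and a failed or empty fetch with the same `404` status and the same body, so access logs cannot separate unauthenticated requests from broken stylesheet links. Checking the session on its own, ahead of the URL handling, would fix that, e.g. `if (empty($RCMAIL->user->ID)) { header('HTTP/1.0 403 Forbidden'); exit; }`. The error body is also sent without a `Content-Type`; adding `header('Content-Type: text/plain');` before the `echo` keeps it from being served as HTML. The `if (!empty($source))` that this branch belongs to begins outside the hunk.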
