fix check_request() bypass in places using get_uids() [CVE-2018-9846]

johndoh · johndoh · commit 30f0dbacea64 · 2018-04-18T11:22:23.000+01:00
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,10 @@
 Roundcube Webmail MarkAsJunk2
 =============================
 
+Version 1.10.1 (2018-04-17, rc-1.1.11)
+=================================================
+ * Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
+
 Version 1.10 (2017-01-02, rc-1.1)
 =================================================
  * Add JS event markasjunk2-update to allow other plugins to influence the spam/ham options show
diff --git a/composer.json b/composer.json
@@ -5,7 +5,7 @@
   "homepage": "http://github.com/JohnDoh/Roundcube-Plugin-Mark-as-Junk-2/",
   "license": "GPL-3.0",
   "type": "roundcube-plugin",
-  "version": "1.10",
+  "version": "1.10.1",
   "authors": [
     {
       "name": "Philip Weir",
diff --git a/markasjunk2.php b/markasjunk2.php
@@ -89,8 +89,9 @@ function mark_message()
 
 		$is_spam = rcube::get_instance()->action == 'plugin.markasjunk2.junk' ? true : false;
 		$multi_folder = $_POST['_multifolder'] == 'true' ? true : false;
-		$messageset = rcmail::get_uids();
+		$uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
 		$mbox_name = rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST);
+		$messageset = !empty($uids) ? rcmail::get_uids($uids, $mbox_name) : array();
 		$dest_mbox = $is_spam ? $this->spam_mbox : $this->ham_mbox;
 		$result = $is_spam ? $this->_spam($messageset, $dest_mbox) : $this->_ham($messageset, $dest_mbox);
 

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`"homepage": "http://github.com/JohnDoh/Roundcube-Plugin-Mark-as-Junk-2/",`
`6`	`6`	`"license": "GPL-3.0",`
`7`	`7`	`"type": "roundcube-plugin",`
`8`		`- "version": "1.10",`
	`8`	`+ "version": "1.10.1",`
`9`	`9`	`"authors": [`
`10`	`10`	`{`
`11`	`11`	`"name": "Philip Weir",`