fix check_request() bypass in places using get_uids() [CVE-2018-9846]

johndoh · Apr 18, 2018 · 30f0dba · 30f0dba
1 parent 31a703f
commit 30f0dba
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,6 +1,10 @@
 Roundcube Webmail MarkAsJunk2
 =============================
 
+Version 1.10.1 (2018-04-17, rc-1.1.11)
+=================================================
+ * Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
+
 Version 1.10 (2017-01-02, rc-1.1)
 =================================================
  * Add JS event markasjunk2-update to allow other plugins to influence the spam/ham options show

diff --git a/composer.json b/composer.json
@@ -5,7 +5,7 @@
   "homepage": "http://github.com/JohnDoh/Roundcube-Plugin-Mark-as-Junk-2/",
   "license": "GPL-3.0",
   "type": "roundcube-plugin",
-  "version": "1.10",
+  "version": "1.10.1",
   "authors": [
     {
       "name": "Philip Weir",

diff --git a/markasjunk2.php b/markasjunk2.php
@@ -89,8 +89,9 @@ function mark_message()
 
 		$is_spam = rcube::get_instance()->action == 'plugin.markasjunk2.junk' ? true : false;
 		$multi_folder = $_POST['_multifolder'] == 'true' ? true : false;
-		$messageset = rcmail::get_uids();
+		$uids = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_POST);
 		$mbox_name = rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_POST);
+		$messageset = !empty($uids) ? rcmail::get_uids($uids, $mbox_name) : array();
 		$dest_mbox = $is_spam ? $this->spam_mbox : $this->ham_mbox;
 		$result = $is_spam ? $this->_spam($messageset, $dest_mbox) : $this->_ham($messageset, $dest_mbox);