githubFork/roundcubemail.git

			@@ -22,7 +22,7 @@

			// show loading page
			if (!empty($_GET['_preload'])) {
			$url = str_replace('&_preload=1', '', $_SERVER['REQUEST_URI']);
			$url = preg_replace('/[&?]+_preload=1/', '', $_SERVER['REQUEST_URI']);
			$message = rcube_label('loadingdata');

			header('Content-Type: text/html; charset=' . RCMAIL_CHARSET);
			@@ -64,8 +64,6 @@
			$MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
			}

			send_nocacheing_headers();

			// show part page
			if (!empty($_GET['_frame'])) {
			$OUTPUT->send('messagepart');
			@@ -79,10 +77,23 @@
			$ctype_secondary = strtolower($part->ctype_secondary);
			$mimetype = sprintf('%s/%s', $ctype_primary, $ctype_secondary);

			// allow post-processing of the message body
			$plugin = $RCMAIL->plugins->exec_hook('message_part_get',
			array('id' => $part->mime_id, 'mimetype' => $mimetype, 'part' => $part, 'download' => !empty($_GET['_download'])));

			if ($plugin['abort'])
			exit;

			// overwrite modified vars from plugin
			$mimetype = $plugin['mimetype'];
			list($ctype_primary, $ctype_secondary) = explode('/', $mimetype);
			if ($plugin['body'])
			$part->body = $plugin['body'];

			$browser = $RCMAIL->output->browser;

			// send download headers
			if ($_GET['_download']) {
			if ($plugin['download']) {
			header("Content-Type: application/octet-stream");
			if ($browser->ie)
			header("Content-Type: application/force-download");
			@@ -97,7 +108,7 @@
			}

			// deliver part content
			if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($_GET['_download'])) {
			if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($plugin['download'])) {
			// get part body if not available
			if (!$part->body)
			$part->body = $MESSAGE->get_part_content($part->mime_id);
			@@ -119,15 +130,28 @@
			else
			$filename = addcslashes($filename, '"');

			$disposition = !empty($_GET['_download']) ? 'attachment' : 'inline';
			$disposition = !empty($plugin['download']) ? 'attachment' : 'inline';

			header("Content-Disposition: $disposition; filename=\"$filename\"");

			// turn off output buffering and print part content
			if ($part->body)
			echo $part->body;
			else if ($part->size)
			$IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
			// do content filtering to avoid XSS through fake images
			if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
			if ($part->body)
			echo preg_match('/<(script\|iframe\|object)/i', $part->body) ? '' : $part->body;
			else if ($part->size) {
			$stdout = fopen('php://output', 'w');
			stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');
			stream_filter_append($stdout, 'rcube_content');
			$IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);
			}
			}
			else {
			// turn off output buffering and print part content
			if ($part->body)
			echo $part->body;
			else if ($part->size)
			$IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
			}
			}

			exit;
			@@ -155,3 +179,39 @@
			exit;



			/**
			* PHP stream filter to detect html/javascript code in attachments
			*/
			class rcube_content_filter extends php_user_filter
			{
			private $buffer = '';
			private $cutoff = 2048;

			function onCreate()
			{
			$this->cutoff = rand(2048, 3027);
			return true;
			}

			function filter($in, $out, &$consumed, $closing)
			{
			while ($bucket = stream_bucket_make_writeable($in)) {
			$this->buffer .= $bucket->data;

			// check for evil content and abort
			if (preg_match('/<(script\|iframe\|object)/i', $this->buffer))
			return PSFS_ERR_FATAL;

			// keep buffer small enough
			if (strlen($this->buffer) > 4096)
			$this->buffer = substr($this->buffer, $this->cutoff);

			$consumed += $bucket->datalen;
			stream_bucket_append($out, $bucket);
			}

			return PSFS_PASS_ON;
			}
			}