githubFork/roundcubemail.git

			@@ -138,7 +138,7 @@
			$file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION));

			// 1. compare filename suffix with expected suffix derived from mimetype
			$valid = $file_extension && in_array($file_extension, (array)$extensions) \|\| !empty($_REQUEST['_mimeclass']);
			$valid = $file_extension && in_array($file_extension, (array)$extensions) \|\| empty($extensions) \|\| !empty($_REQUEST['_mimeclass']);

			// 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension
			if ($valid \|\| !$file_extension \|\| $mimetype == 'application/octet-stream' \|\| stripos($mimetype, 'text/') === 0) {
			@@ -150,21 +150,21 @@

			// accept text/plain with any extension
			if ($real_mimetype == 'text/plain' && $real_mimetype == $mimetype) {
			$file_extension = 'txt';
			}

			// ignore differences in text/* mimetypes. Filetype detection isn't very reliable here
			if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) {
			$real_mimetype = $mimetype;
			}

			// get valid file extensions
			$extensions = rcube_mime::get_mime_extensions($real_mimetype);
			$valid_extension = (!$file_extension \|\| in_array($file_extension, (array)$extensions));

			// ignore filename extension if mimeclass matches (#1489029)
			if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) {
			$valid_extension = true;
			}
			// ignore differences in text/* mimetypes. Filetype detection isn't very reliable here
			else if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) {
			$real_mimetype = $mimetype;
			$valid_extension = true;
			}
			// ignore filename extension if mimeclass matches (#1489029)
			else if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) {
			$valid_extension = true;
			}
			else {
			// get valid file extensions
			$extensions = rcube_mime::get_mime_extensions($real_mimetype);
			$valid_extension = !$file_extension \|\| empty($extensions) \|\| in_array($file_extension, (array)$extensions);
			}

			// fix mimetype for images wrongly declared as octet-stream
			@@ -172,7 +172,10 @@
			$mimetype = $real_mimetype;
			}

			$valid = ($real_mimetype == $mimetype && $valid_extension);
			// "fix" real mimetype the same way the original is before comparison
			$real_mimetype = rcmail_fix_mimetype($real_mimetype);

			$valid = $real_mimetype == $mimetype && $valid_extension;
			}
			else {
			$real_mimetype = $mimetype;
			@@ -183,10 +186,12 @@
			// send blocked.gif for expected images
			if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) {
			// Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed.
			$content = $RCMAIL->get_resource_content('blocked.gif');
			$OUTPUT->nocacheing_headers();
			header("Content-Type: image/gif");
			header("Content-Transfer-Encoding: binary");
			readfile(INSTALL_PATH . 'program/resources/blocked.gif');
			header("Content-Length: " . strlen($content));
			echo $content;
			}
			else { // html warning with a button to load the file anyway
			$OUTPUT = new rcmail_html_page();
			@@ -242,7 +247,7 @@
			if (!rcube_utils::mem_check($part->size * 10)) {
			$out = '<body>' . $RCMAIL->gettext('messagetoobig'). ' '
			. html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part='.$part->mime_id
			.'&_mbox='. urlencode($RCMAIL->storage->get_folder()), $RCMAIL->gettext('download')) . '</body></html>';
			.'&_mbox='. urlencode($MESSAGE->folder), $RCMAIL->gettext('download')) . '</body></html>';
			}
			else {
			// get part body if not available