| | |
|---|
| | | $file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION)); |
|---|
| | | |
|---|
| | | // 1. compare filename suffix with expected suffix derived from mimetype |
|---|
| | | $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']); |
|---|
| | | $valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']); |
|---|
| | | |
|---|
| | | // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension |
|---|
| | | if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) { |
|---|
| | |
|---|
| | | |
|---|
| | | // accept text/plain with any extension |
|---|
| | | if ($real_mimetype == 'text/plain' && $real_mimetype == $mimetype) { |
|---|
| | | $file_extension = 'txt'; |
|---|
| | | } |
|---|
| | | |
|---|
| | | // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here |
|---|
| | | if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) { |
|---|
| | | $real_mimetype = $mimetype; |
|---|
| | | } |
|---|
| | | |
|---|
| | | // get valid file extensions |
|---|
| | | $extensions = rcube_mime::get_mime_extensions($real_mimetype); |
|---|
| | | $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions)); |
|---|
| | | |
|---|
| | | // ignore filename extension if mimeclass matches (#1489029) |
|---|
| | | if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) { |
|---|
| | | $valid_extension = true; |
|---|
| | | } |
|---|
| | | // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here |
|---|
| | | else if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) { |
|---|
| | | $real_mimetype = $mimetype; |
|---|
| | | $valid_extension = true; |
|---|
| | | } |
|---|
| | | // ignore filename extension if mimeclass matches (#1489029) |
|---|
| | | else if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) { |
|---|
| | | $valid_extension = true; |
|---|
| | | } |
|---|
| | | else { |
|---|
| | | // get valid file extensions |
|---|
| | | $extensions = rcube_mime::get_mime_extensions($real_mimetype); |
|---|
| | | $valid_extension = !$file_extension || empty($extensions) || in_array($file_extension, (array)$extensions); |
|---|
| | | } |
|---|
| | | |
|---|
| | | // fix mimetype for images wrongly declared as octet-stream |
|---|
| | |
|---|
| | | $mimetype = $real_mimetype; |
|---|
| | | } |
|---|
| | | |
|---|
| | | $valid = ($real_mimetype == $mimetype && $valid_extension); |
|---|
| | | // "fix" real mimetype the same way the original is before comparison |
|---|
| | | $real_mimetype = rcmail_fix_mimetype($real_mimetype); |
|---|
| | | |
|---|
| | | $valid = $real_mimetype == $mimetype && $valid_extension; |
|---|
| | | } |
|---|
| | | else { |
|---|
| | | $real_mimetype = $mimetype; |
|---|
| | |
|---|
| | | // send blocked.gif for expected images |
|---|
| | | if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) { |
|---|
| | | // Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed. |
|---|
| | | $content = $RCMAIL->get_resource_content('blocked.gif'); |
|---|
| | | $OUTPUT->nocacheing_headers(); |
|---|
| | | header("Content-Type: image/gif"); |
|---|
| | | header("Content-Transfer-Encoding: binary"); |
|---|
| | | readfile(INSTALL_PATH . 'program/resources/blocked.gif'); |
|---|
| | | header("Content-Length: " . strlen($content)); |
|---|
| | | echo $content; |
|---|
| | | } |
|---|
| | | else { // html warning with a button to load the file anyway |
|---|
| | | $OUTPUT = new rcmail_html_page(); |
|---|
