Roundcubemail devel
blame | history | patch | commit | commitdiff | ignore whitespace
Aleksander Machniak
2014-10-22 48ba4414b33c8982f8232b06f06d68f3213aa986 
 program/steps/mail/get.inc


@@ -130,7 +130,7 @@


        $extensions = rcube_mime::get_mime_extensions($mimetype);




        if ($plugin['body']) {


            $part->body = $plugin['body'];


            $body = $plugin['body'];


        }




        // compare file mimetype with the stated content-type headers and file extension to avoid malicious operations


@@ -142,15 +142,10 @@




            // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension


            if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) {


                if ($part->body)  // part body is already loaded


                    $body = $part->body;


                else if ($part->size && $part->size < 1024*1024)   // load the entire part if it's small enough


                    $body = $part->body = $MESSAGE->get_part_content($part->mime_id);


                else  // fetch the first 2K of the message part


                    $body = $MESSAGE->get_part_content($part->mime_id, null, true, 2048);


                $tmp_body = $body ?: $MESSAGE->get_part_body($part->mime_id, false, 2048);




                // detect message part mimetype


                $real_mimetype = rcube_mime::file_content_type($body, $part->filename, $mimetype, true, true);


                $real_mimetype = rcube_mime::file_content_type($tmp_body, $part->filename, $mimetype, true, true);


                list($real_ctype_primary, $real_ctype_secondary) = explode('/', $real_mimetype);




                // accept text/plain with any extension


@@ -221,7 +216,7 @@


        // TIFF to JPEG conversion, if needed


        $tiff_support = !empty($_SESSION['browser_caps']) && !empty($_SESSION['browser_caps']['tif']);


        if (!empty($_REQUEST['_embed']) && !$tiff_support


            && $RCMAIL->config->get('im_convert_path')


            && rcube_image::is_convertable('image/tiff')


            && rcmail_part_image_type($part) == 'image/tiff'


        ) {


            $tiff2jpeg = true;


@@ -251,15 +246,15 @@


            }


            else {


                // get part body if not available


                if (!$part->body) {


                    $part->body = $MESSAGE->get_part_content($part->mime_id);


                if (!isset($body)) {


                    $body = $MESSAGE->get_part_body($part->mime_id, true);


                }




                // show images?


                rcmail_check_safe($MESSAGE);




                // render HTML body


                $out = rcmail_print_body($part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false));


                $out = rcmail_print_body($body, $part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false));




                // insert remote objects warning into HTML body


                if ($REMOTE_OBJECTS) {


@@ -280,7 +275,7 @@


            }




            // check connection status


            if ($part->size && empty($part->body)) {


            if ($part->size && empty($body)) {


                check_storage_status();


            }




@@ -320,12 +315,12 @@


                $file_path = tempnam($temp_dir, 'rcmAttmnt');




                // write content to temp file


                if ($part->body) {


                    $saved = file_put_contents($file_path, $part->body);


                if ($body) {


                    $saved = file_put_contents($file_path, $body);


                }


                else if ($part->size) {


                    $fd    = fopen($file_path, 'w');


                    $saved = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $fd);


                    $saved = $MESSAGE->get_part_body($part->mime_id, false, 0, $fd);


                    fclose($fd);


                }




@@ -341,22 +336,22 @@


            }


            // do content filtering to avoid XSS through fake images


            else if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {


                if ($part->body) {


                    echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body;


                if ($body) {


                    echo preg_match('/<(script|iframe|object)/i', $body) ? '' : $body;


                    $sent = true;


                }


                else if ($part->size) {


                    $stdout = fopen('php://output', 'w');


                    stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');


                    stream_filter_append($stdout, 'rcube_content');


                    $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);


                    $sent = $MESSAGE->get_part_body($part->mime_id, true, 0, $stdout);


                }


            }


            // send part as-it-is


            else {


                if ($part->body) {


                    header("Content-Length: " . strlen($part->body));


                    echo $part->body;


                if ($body && empty($plugin['download'])) {


                    header("Content-Length: " . strlen($body));


                    echo $body;


                    $sent = true;


                }


                else if ($part->size) {


@@ -364,8 +359,7 @@


                        header("Content-Length: $size");


                    }




                    // 8th argument disables re-formatting of text/* parts (#1489267)


                    $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, true, null, false, 0, false);


                    $sent = $MESSAGE->get_part_body($part->mime_id, false, 0, -1);


                }


            }