From 0032911784f4b0d41d3a5d44f64add46849ade63 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Wed, 27 Mar 2013 12:06:40 -0400
Subject: [PATCH] Sanity check the file path for generic message footer before adding it
---
program/steps/mail/sendmail.inc | 98 ++++++++++++++++++++++++++++++------------------
1 files changed, 61 insertions(+), 37 deletions(-)
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index 5c2c6de..f24f207 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -49,7 +49,7 @@
if(!empty($CONFIG['sendmail_delay'])) {
$wait_sec = time() - intval($CONFIG['sendmail_delay']) - intval($CONFIG['last_message_time']);
- if($wait_sec < 0) {
+ if ($wait_sec < 0) {
$OUTPUT->show_message('senttooquickly', 'error', array('sec' => $wait_sec * -1));
$OUTPUT->send('iframe');
}
@@ -72,13 +72,19 @@
// get identity record
function rcmail_get_identity($id)
{
- global $RCMAIL, $OUTPUT;
+ global $RCMAIL, $message_charset;
+ global $RCMAIL;
if ($sql_arr = $RCMAIL->user->get_identity($id)) {
$out = $sql_arr;
+
+ if ($message_charset != RCMAIL_CHARSET) {
+ foreach ($out as $k => $v)
+ $out[$k] = rcube_charset_convert($v, RCMAIL_CHARSET, $message_charset);
+ }
+
$out['mailto'] = $sql_arr['email'];
- $out['string'] = format_email_recipient($sql_arr['email'],
- rcube_charset_convert($sql_arr['name'], RCMAIL_CHARSET, $OUTPUT->get_charset()));
+ $out['string'] = format_email_recipient($sql_arr['email'], $sql_arr['name']);
return $out;
}
@@ -96,7 +102,7 @@
*/
function rcmail_fix_emoticon_paths($mime_message)
{
- global $CONFIG;
+ global $RCMAIL;
$body = $mime_message->getHTMLBody();
@@ -121,8 +127,9 @@
if (! in_array($image_name, $included_images)) {
// add the image to the MIME message
- if (! $mime_message->addHTMLImage($img_file, 'image/gif', '', true, $image_name))
- $OUTPUT->show_message("emoticonerror", 'error');
+ if (!$mime_message->addHTMLImage($img_file, 'image/gif', '', true, $image_name)) {
+ $RCMAIL->output->show_message("emoticonerror", 'error');
+ }
array_push($included_images, $image_name);
}
@@ -212,11 +219,11 @@
// address in brackets without name (do nothing)
if (preg_match('/^<'.$email_regexp.'>$/', $item)) {
$item = rcube_idn_to_ascii(trim($item, '<>'));
- $result[] = '<' . $item . '>';
+ $result[] = $item;
// address without brackets and without name (add brackets)
} else if (preg_match('/^'.$email_regexp.'$/', $item)) {
$item = rcube_idn_to_ascii($item);
- $result[] = '<' . $item . '>';
+ $result[] = $item;
// address with name (handle name)
} else if (preg_match('/<*'.$email_regexp.'>*$/', $item, $matches)) {
$address = $matches[0];
@@ -248,6 +255,33 @@
}
+function rcmail_generic_message_footer($isHtml)
+{
+ global $CONFIG;
+
+ if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) {
+ $file = $CONFIG['generic_message_footer_html'];
+ $html_footer = true;
+ }
+ else {
+ $file = $CONFIG['generic_message_footer'];
+ $html_footer = false;
+ }
+
+ if ($file && realpath($file)) {
+ // sanity check
+ if (!preg_match('/\.(php|ini|conf)$/', $file) && strpos($file, '/etc/') === false) {
+ $footer = file_get_contents($file);
+ if ($isHtml && !$html_footer)
+ $footer = '<pre>' . $footer . '</pre>';
+ return $footer;
+ }
+ }
+
+ return false;
+}
+
+
/****** compose message ********/
if (strlen($_POST['_draft_saveid']) > 3)
@@ -256,8 +290,7 @@
$message_id = rcmail_gen_message_id();
// set default charset
-$input_charset = $OUTPUT->get_charset();
-$message_charset = isset($_POST['_charset']) ? $_POST['_charset'] : $input_charset;
+$message_charset = isset($_POST['_charset']) ? $_POST['_charset'] : $OUTPUT->get_charset();
$EMAIL_FORMAT_ERROR = NULL;
$RECIPIENT_COUNT = 0;
@@ -358,7 +391,7 @@
if (!empty($mailbcc)) {
$headers['Bcc'] = $mailbcc;
}
-if (!empty($identity_arr['bcc'])) {
+if (!empty($identity_arr['bcc']) && stripos($headers['Bcc'], $identity_arr['bcc']) === false) {
$headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc'];
$RECIPIENT_COUNT ++;
}
@@ -469,6 +502,7 @@
if ($CONFIG['spellcheck_before_send'] && $CONFIG['enable_spellcheck']
&& empty($COMPOSE['spell_checked']) && !empty($message_body)
) {
+ $message_body = str_replace("\r\n", "\n", $message_body);
$spellchecker = new rcube_spellchecker(get_input_value('_lang', RCUBE_INPUT_GPC));
$spell_result = $spellchecker->check($message_body, $isHtml);
@@ -483,19 +517,10 @@
}
// generic footer for all messages
- if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) {
- $footer = file_get_contents(realpath($CONFIG['generic_message_footer_html']));
- $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
- }
- else if (!empty($CONFIG['generic_message_footer'])) {
- $footer = file_get_contents(realpath($CONFIG['generic_message_footer']));
+ if ($footer = rcmail_generic_message_footer($isHtml)) {
$footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset);
- if ($isHtml)
- $footer = '<pre>'.$footer.'</pre>';
- }
-
- if ($footer)
$message_body .= "\r\n" . $footer;
+ }
}
if ($isHtml) {
@@ -552,8 +577,8 @@
$plugin['body'] = rcmail_replace_emoticons($plugin['body']);
// add a plain text version of the e-mail as an alternative part.
- $h2t = new html2text($plugin['body'], false, true, 0);
- $plainTextPart = rc_wordwrap($h2t->get_text(), $LINE_LENGTH, "\r\n");
+ $h2t = new rcube_html2text($plugin['body'], false, true, 0, $message_charset);
+ $plainTextPart = rc_wordwrap($h2t->get_text(), $LINE_LENGTH, "\r\n", false, $message_charset);
$plainTextPart = wordwrap($plainTextPart, 998, "\r\n", true);
// make sure all line endings are CRLF (#1486712)
@@ -578,10 +603,10 @@
$message_body = $plugin['body'];
// compose format=flowed content if enabled
- if ($flowed = $RCMAIL->config->get('send_format_flowed', true))
- $message_body = rcube_mime::format_flowed($message_body, min($LINE_LENGTH+2, 79));
+ if ($flowed = ($savedraft || $RCMAIL->config->get('send_format_flowed', true)))
+ $message_body = rcube_mime::format_flowed($message_body, min($LINE_LENGTH+2, 79), $message_charset);
else
- $message_body = rc_wordwrap($message_body, $LINE_LENGTH, "\r\n");
+ $message_body = rc_wordwrap($message_body, $LINE_LENGTH, "\r\n", false, $message_charset);
$message_body = wordwrap($message_body, 998, "\r\n", true);
@@ -610,13 +635,12 @@
$ctype = str_replace('image/pjpeg', 'image/jpeg', $attachment['mimetype']); // #1484914
$file = $attachment['data'] ? $attachment['data'] : $attachment['path'];
- // .eml attachments send inline
$MAIL_MIME->addAttachment($file,
$ctype,
$attachment['name'],
($attachment['data'] ? false : true),
($ctype == 'message/rfc822' ? '8bit' : 'base64'),
- ($ctype == 'message/rfc822' ? 'inline' : 'attachment'),
+ 'attachment',
'', '', '',
$CONFIG['mime_param_folding'] ? 'quoted-printable' : NULL,
$CONFIG['mime_param_folding'] == 2 ? 'quoted-printable' : NULL,
@@ -669,19 +693,18 @@
$smtp_error, $mailbody_file, $smtp_opts);
// return to compose page if sending failed
- if (!$sent)
- {
+ if (!$sent) {
// remove temp file
if ($mailbody_file) {
unlink($mailbody_file);
- }
+ }
if ($smtp_error)
$OUTPUT->show_message($smtp_error['label'], 'error', $smtp_error['vars']);
else
$OUTPUT->show_message('sendingfailed', 'error');
$OUTPUT->send('iframe');
- }
+ }
// save message sent time
if (!empty($CONFIG['sendmail_delay']))
@@ -699,7 +722,7 @@
// Determine which folder to save message
if ($savedraft)
$store_target = $CONFIG['drafts_mbox'];
-else
+else if (!$RCMAIL->config->get('no_save_sent_messages'))
$store_target = isset($_POST['_store_target']) ? get_input_value('_store_target', RCUBE_INPUT_POST) : $CONFIG['sent_mbox'];
if ($store_target) {
@@ -739,7 +762,8 @@
'message' => "Could not create message: ".$msg->getMessage()),
TRUE, FALSE);
else {
- $saved = $RCMAIL->storage->save_message($store_target, $msg, $headers, $mailbody_file ? true : false);
+ $saved = $RCMAIL->storage->save_message($store_target, $msg, $headers,
+ $mailbody_file ? true : false, array('SEEN'));
}
if ($mailbody_file) {
@@ -814,6 +838,6 @@
if ($store_folder && !$saved)
$OUTPUT->command('sent_successfully', 'error', rcube_label('errorsavingsent'));
else
- $OUTPUT->command('sent_successfully', 'confirmation', rcube_label('messagesent'));
+ $OUTPUT->command('sent_successfully', 'confirmation', rcube_label('messagesent'), $store_target);
$OUTPUT->send('iframe');
}
--
Gitblit v1.9.1