From 4a2a62de30eae35398dc1e6fcca99c469dd218e6 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 19 Feb 2015 07:43:43 -0500
Subject: [PATCH] Fix needless security warning on BMP attachments display (#1490282)
---
program/steps/mail/get.inc | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 256af52..02ec5a4 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -138,7 +138,7 @@
$file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION));
// 1. compare filename suffix with expected suffix derived from mimetype
- $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']);
+ $valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']);
// 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension
if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) {
@@ -164,7 +164,7 @@
else {
// get valid file extensions
$extensions = rcube_mime::get_mime_extensions($real_mimetype);
- $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions));
+ $valid_extension = !$file_extension || in_array($file_extension, (array)$extensions);
}
// fix mimetype for images wrongly declared as octet-stream
@@ -172,7 +172,10 @@
$mimetype = $real_mimetype;
}
- $valid = ($real_mimetype == $mimetype && $valid_extension);
+ // "fix" real mimetype the same way the original is before comparison
+ $real_mimetype = rcmail_fix_mimetype($real_mimetype);
+
+ $valid = $real_mimetype == $mimetype && $valid_extension;
}
else {
$real_mimetype = $mimetype;
--
Gitblit v1.9.1