From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Sun, 06 Mar 2016 08:31:07 -0500
Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response

---
 program/lib/Roundcube/rcube_message.php |  259 +++++++++++++++++++++++++++++----------------------
 1 files changed, 146 insertions(+), 113 deletions(-)

diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php
index d089713..10ebbf6 100644
--- a/program/lib/Roundcube/rcube_message.php
+++ b/program/lib/Roundcube/rcube_message.php
@@ -1,6 +1,6 @@
 <?php
 
-/*
+/**
  +-----------------------------------------------------------------------+
  | This file is part of the Roundcube Webmail client                     |
  | Copyright (C) 2008-2014, The Roundcube Dev Team                       |
@@ -53,13 +53,13 @@
     public $uid;
     public $folder;
     public $headers;
-    public $parts = array();
-    public $mime_parts = array();
+    public $sender;
+    public $parts        = array();
+    public $mime_parts   = array();
     public $inline_parts = array();
-    public $attachments = array();
-    public $subject = '';
-    public $sender = null;
-    public $is_safe = false;
+    public $attachments  = array();
+    public $subject      = '';
+    public $is_safe      = false;
 
     const BODY_MAX_SIZE = 1048576; // 1MB
 
@@ -69,26 +69,27 @@
      *
      * Provide a uid, and parse message structure.
      *
-     * @param string $uid    The message UID.
-     * @param string $folder Folder name
+     * @param string $uid     The message UID.
+     * @param string $folder  Folder name
+     * @param bool   $is_safe Security flag
      *
      * @see self::$app, self::$storage, self::$opt, self::$parts
      */
-    function __construct($uid, $folder = null)
+    function __construct($uid, $folder = null, $is_safe = false)
     {
         // decode combined UID-folder identifier
         if (preg_match('/^\d+-.+/', $uid)) {
             list($uid, $folder) = explode('-', $uid, 2);
         }
 
-        $this->uid  = $uid;
-        $this->app  = rcube::get_instance();
+        $this->uid     = $uid;
+        $this->app     = rcube::get_instance();
         $this->storage = $this->app->get_storage();
         $this->folder  = strlen($folder) ? $folder : $this->storage->get_folder();
-        $this->storage->set_options(array('all_headers' => true));
 
         // Set current folder
         $this->storage->set_folder($this->folder);
+        $this->storage->set_options(array('all_headers' => true));
 
         $this->headers = $this->storage->get_message($uid);
 
@@ -96,19 +97,19 @@
             return;
         }
 
-        $this->mime = new rcube_mime($this->headers->charset);
-
+        $this->mime    = new rcube_mime($this->headers->charset);
         $this->subject = $this->headers->get('subject');
         list(, $this->sender) = each($this->mime->decode_address_list($this->headers->from, 1));
 
-        $this->set_safe((intval($_GET['_safe']) || $_SESSION['safe_messages'][$this->folder.':'.$uid]));
+        $this->set_safe($is_safe || $_SESSION['safe_messages'][$this->folder.':'.$uid]);
         $this->opt = array(
-            'safe' => $this->is_safe,
+            'safe'        => $this->is_safe,
             'prefer_html' => $this->app->config->get('prefer_html'),
-            'get_url' => $this->app->url(array(
-                'action' => 'get',
-                'mbox'   => $this->storage->get_folder(),
-                'uid'    => $uid))
+            'get_url'     => $this->app->url(array(
+                    'action' => 'get',
+                    'mbox'   => $this->folder,
+                    'uid'    => $uid),
+                false, false, true)
         );
 
         if (!empty($this->headers->structure)) {
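Review bot: `$this->app->url(array(...), false, false, true)` in the `get_url` entry passes three positional booleans with nothing at the call site saying what they do; given the commit subject, the trailing `true` presumably asks for the per-request token that protects the download URL, but that should be stated, e.g. `// last arg: embed the request token so the download URL cannot be forged cross-site (#1490642)`, after confirming against rcube::url(). On the line above, `$is_safe || $_SESSION['safe_messages'][$this->folder.':'.$uid]` reads an index that does not exist for any message never marked safe; `$is_safe || !empty($_SESSION['safe_messages'][$this->folder.':'.$uid])` avoids the notice and makes the OR explicit. Since the constructor no longer reads `$_GET['_safe']` itself, the new `@param bool $is_safe Security flag` in the previous hunk should say who decides it, e.g. `@param bool $is_safe Treat the message as safe (presumably: allow unsafe content); callers must derive it from a validated request, it is OR-ed with the session record`. The constructor begins in the previous hunk and continues past this one.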
@@ -122,7 +123,6 @@
         // notify plugins and let them analyze this structured message object
         $this->app->plugins->exec_hook('message_load', array('object' => $this));
     }
-
 
     /**
      * Return a (decoded) message header
@@ -140,7 +140,6 @@
         return $this->headers->get($name, !$raw);
     }
 
-
     /**
      * Set is_safe var and session data
      *
@@ -150,7 +149,6 @@
     {
         $_SESSION['safe_messages'][$this->folder.':'.$this->uid] = $this->is_safe = $safe;
     }
-
 
     /**
      * Compose a valid URL for getting a message part
@@ -166,7 +164,6 @@
         else
             return false;
     }
-
 
     /**
      * Get content of a specific part of this message
@@ -199,7 +196,6 @@
         }
     }
 
-
     /**
      * Get content of a specific part of this message
      *
@@ -217,11 +213,16 @@
             return;
         }
 
+        // allow plugins to modify part body
+        $plugin = $this->app->plugins->exec_hook('message_part_body',
+            array('object' => $this, 'part' => $part));
+
         // only text parts can be formatted
         $formatted = $formatted && $part->ctype_primary == 'text';
 
         // part body not fetched yet... save in memory if it's small enough
         if ($part->body === null && is_numeric($mime_id) && $part->size < self::BODY_MAX_SIZE) {
+            $this->storage->set_folder($this->folder);
             // Warning: body here should be always unformatted
             $part->body = $this->storage->get_message_part($this->uid, $mime_id, $part,
                 null, null, true, 0, false);
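Review bot: The `message_part_body` hook at the top of this hunk fires before the body is fetched, so for a part whose body is not yet loaded (`$part->body === null`, tested a few lines below) a plugin has no body to modify, and within this hunk the hook's result `$plugin` is never read. Unless the rest of get_part_body (outside this hunk) copies `$plugin['part']` or a returned body back, the hook can only observe, which contradicts `// allow plugins to modify part body`. Either run the hook after the fetch and use its result, or reword the comment to `// notify plugins about the part (its body may not be fetched yet)`. The function begins and ends outside this hunk.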
@@ -278,7 +279,6 @@
         return $body;
     }
 
-
     /**
      * Format text message part for display
      *
@@ -319,16 +319,16 @@
         return $body;
     }
 
-
     /**
      * Determine if the message contains a HTML part. This must to be
      * a real part not an attachment (or its part)
      *
-     * @param bool $enriched Enables checking for text/enriched parts too
+     * @param bool               $enriched Enables checking for text/enriched parts too
+     * @param rcube_message_part &$part    Reference to the part if found
      *
      * @return bool True if a HTML is available, False if not
      */
-    function has_html_part($enriched = false)
+    public function has_html_part($enriched = false, &$part = null)
     {
         // check all message parts
         foreach ($this->mime_parts as $part) {
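Review bot: `has_html_part` now iterates with `foreach ($this->mime_parts as $part)` where `$part` is the by-reference output parameter, so the caller's variable is overwritten on every iteration and only the final value (the matching part, or the `$part = null` at the end) is meaningful; that is the intended contract but the docblock should say so. Suggest `@param rcube_message_part &$part Set to the first matching HTML part on success, null otherwise (the variable is overwritten while scanning)`. The same applies to `public function has_text_part(&$part = null)` in the later hunk. The loop body continues past this hunk.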
@@ -340,6 +340,7 @@
 
                 $level = explode('.', $part->mime_id);
                 $depth = count($level);
+                $last  = '';
 
                 // Check if the part belongs to higher-level's multipart part
                 // this can be alternative/related/signed/encrypted or mixed
@@ -349,9 +350,12 @@
                         return true;
                     }
 
-                    $parent = $this->mime_parts[join('.', $level)];
+                    $parent    = $this->mime_parts[join('.', $level)];
+                    $max_delta = $depth - (1 + ($last == 'multipart/alternative' ? 1 : 0));
+                    $last      = $parent->mimetype;
+
                     if (!preg_match('/^multipart\/(alternative|related|signed|encrypted|mixed)$/', $parent->mimetype)
-                        || ($parent->mimetype == 'multipart/mixed' && $parent_depth < $depth - 1)) {
+                        || ($parent->mimetype == 'multipart/mixed' && $parent_depth < $max_delta)) {
                         continue 2;
                     }
                 }
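Review bot: `$max_delta` is computed from `$last` before `$last` is advanced, so it depends on the multipart type one level below the parent being tested, and the name suggests a difference while the value is the lowest depth at which a `multipart/mixed` ancestor is still accepted; nothing explains why a preceding `multipart/alternative` earns one extra level. A comment on the `$max_delta` line would save the next reader the derivation, e.g. `// a multipart/mixed ancestor may sit one level further up when the level between it and the part is multipart/alternative` — confirm that this is the intended rule before adopting the wording. The enclosing loop begins and ends outside this hunk.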
@@ -362,17 +366,20 @@
             }
         }
 
+        $part = null;
+
         return false;
     }
-
 
     /**
      * Determine if the message contains a text/plain part. This must to be
      * a real part not an attachment (or its part)
      *
+     * @param rcube_message_part &$part Reference to the part if found
+     *
      * @return bool True if a plain text part is available, False if not
      */
-    function has_text_part()
+    public function has_text_part(&$part = null)
     {
         // check all message parts
         foreach ($this->mime_parts as $part) {
@@ -402,56 +409,59 @@
             }
         }
 
+        $part = null;
+
         return false;
     }
-
 
     /**
      * Return the first HTML part of this message
      *
+     * @param rcube_message_part &$part    Reference to the part if found
+     * @param bool               $enriched Enables checking for text/enriched parts too
+     *
      * @return string HTML message part content
      */
-    function first_html_part()
+    public function first_html_part(&$part = null, $enriched = false)
     {
-        // check all message parts
-        foreach ($this->mime_parts as $pid => $part) {
-            if ($part->mimetype == 'text/html') {
-                return $this->get_part_body($pid, true);
+        if ($this->has_html_part($enriched, $part)) {
+            $body = $this->get_part_body($part->mime_id, true);
+
+            if ($part->mimetype == 'text/enriched') {
+                $body = rcube_enriched::to_html($body);
             }
+
+            return $body;
         }
     }
-
 
     /**
-     * Return the first text part of this message
+     * Return the first text part of this message.
+     * If there's no text/plain part but $strict=true and text/html part
+     * exists, it will be returned in text/plain format.
      *
-     * @param rcube_message_part $part Reference to the part if found
+     * @param rcube_message_part &$part  Reference to the part if found
+     * @param bool               $strict Check only text/plain parts
+     *
      * @return string Plain text message/part content
      */
-    function first_text_part(&$part=null)
+    public function first_text_part(&$part = null, $strict = false)
     {
         // no message structure, return complete body
-        if (empty($this->parts))
+        if (empty($this->parts)) {
             return $this->body;
-
-        // check all message parts
-        foreach ($this->mime_parts as $mime_id => $part) {
-            if ($part->mimetype == 'text/plain') {
-                return $this->get_part_body($mime_id, true);
-            }
-            else if ($part->mimetype == 'text/html') {
-                $out = $this->get_part_body($mime_id, true);
-
-                // create instance of html2text class
-                $txt = new rcube_html2text($out);
-                return $txt->get_text();
-            }
         }
 
-        $part = null;
-        return null;
-    }
+        if ($this->has_text_part($part)) {
+            return $this->get_part_body($part->mime_id, true);
+        }
 
+        if (!$strict && ($body = $this->first_html_part($part, true))) {
+            // create instance of html2text class
+            $h2t  = new rcube_html2text($body);
+            return $h2t->get_text();
+        }
+    }
 
     /**
      * Checks if part of the message is an attachment (or part of it)
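Review bot: The new docblock of `first_text_part` says a text/html part is converted when `$strict=true`, but the code does the opposite: the HTML fallback runs under `if (!$strict && ($body = $this->first_html_part($part, true)))`, and the `@param bool $strict Check only text/plain parts` line agrees with the code. Change the description to `If there's no text/plain part but $strict=false and a text/html part exists, it will be returned converted to plain text.` Note also that when the fallback yields an empty `$body`, `$part` is left pointing at the HTML part while the method returns null, and both `first_html_part` and `first_text_part` return null implicitly when nothing matches, which the `@return string` annotations do not mention.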
@@ -478,6 +488,27 @@
         return false;
     }
 
+    /**
+     * In a multipart/encrypted encrypted message,
+     * find the encrypted message payload part.
+     *
+     * @return rcube_message_part
+     */
+    public function get_multipart_encrypted_part()
+    {
+        foreach ($this->mime_parts as $mime_id => $mpart) {
+            if ($mpart->mimetype == 'multipart/encrypted') {
+                $this->pgp_mime = true;
+            }
+            if ($this->pgp_mime && ($mpart->mimetype == 'application/octet-stream' ||
+                    (!empty($mpart->filename) && $mpart->filename != 'version.txt'))) {
+                $this->encrypted_part = $mime_id;
+                return $mpart;
+            }
+        }
+
+        return false;
+    }
 
     /**
      * Read the message structure returend by the IMAP server
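Review bot: `get_multipart_encrypted_part` keeps its scan state in `$this->pgp_mime`, which is never reset, so on a second call the first iteration already sees it true and any `application/octet-stream` or named part that precedes the `multipart/encrypted` container in `mime_parts` order is returned as the payload; even on the first call the match only requires the candidate to come after the container, not to be one of its children. Searching the container's own `parts` pins the payload to the structure and removes the cross-call dependency, as sketched below. The `@return rcube_message_part` annotation should also read `rcube_message_part|false`, which is what the miss path returns, and if `pgp_mime` and `encrypted_part` are not declared on the class (they are not among the properties touched by this patch) they are dynamic properties worth declaring.
```php
public function get_multipart_encrypted_part()
{
    foreach ($this->mime_parts as $mpart) {
        if ($mpart->mimetype != 'multipart/encrypted' || !is_array($mpart->parts)) {
            continue;
        }

        $this->pgp_mime = true;

        // RFC 3156 payload: the octet-stream (or named, non-control) child of the container
        foreach ($mpart->parts as $subpart) {
            if ($subpart->mimetype == 'application/octet-stream'
                || (!empty($subpart->filename) && $subpart->filename != 'version.txt')
            ) {
                $this->encrypted_part = $subpart->mime_id;
                return $subpart;
            }
        }
    }

    return false;
}
```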
@@ -498,8 +529,9 @@
                 $structure->headers = rcube_mime::parse_headers($headers);
             }
         }
-        else
+        else {
             $mimetype = $structure->mimetype;
+        }
 
         // show message headers
         if ($recursive && is_array($structure->headers) &&
@@ -515,11 +547,15 @@
             array('object' => $this, 'structure' => $structure,
                 'mimetype' => $mimetype, 'recursive' => $recursive));
 
-        if ($plugin['abort'])
+        if ($plugin['abort']) {
             return;
+        }
 
         $structure = $plugin['structure'];
-        list($message_ctype_primary, $message_ctype_secondary) = explode('/', $plugin['mimetype']);
+        $mimetype  = $plugin['mimetype'];
+        $recursive = $plugin['recursive'];
+
+        list($message_ctype_primary, $message_ctype_secondary) = explode('/', $mimetype);
 
         // print body if message doesn't have multiple parts
         if ($message_ctype_primary == 'text' && !$recursive) {
@@ -549,12 +585,6 @@
         else if ($mimetype == 'multipart/alternative'
             && is_array($structure->parts) && count($structure->parts) > 1
         ) {
-            $plain_part   = null;
-            $html_part    = null;
-            $print_part   = null;
-            $related_part = null;
-            $attach_part  = null;
-
             // get html/plaintext parts, other add to attachments list
             foreach ($structure->parts as $p => $sub_part) {
                 $sub_mimetype = $sub_part->mimetype;
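Review bot: Removing `$plain_part = null; $html_part = null; $print_part = null; $related_part = null; $attach_part = null;` leaves the `!$plain_part`, `!$html_part` and `!$related_part` tests further down this branch (next hunk, `else if ($sub_mimetype == 'text/plain' && !$plain_part)`) reading variables that are undefined on first use unless they are now initialised earlier in `parse_structure`, outside this hunk. If the initialisation was moved up, this is fine; otherwise restore the assignments before the `foreach`. The branch continues past this hunk.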
@@ -575,8 +605,10 @@
                     $related_part = $p;
                 else if ($sub_mimetype == 'text/plain' && !$plain_part)
                     $plain_part = $p;
-                else if ($sub_mimetype == 'text/html' && !$html_part)
+                else if ($sub_mimetype == 'text/html' && !$html_part) {
                     $html_part = $p;
+                    $this->got_html_part = true;
+                }
                 else if ($sub_mimetype == 'text/enriched' && !$enriched_part)
                     $enriched_part = $p;
                 else {
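Review bot: `$this->got_html_part = true` turns what was a local of one `parse_structure` call into message-wide state that is also set in a later hunk (`if ($part_mimetype == 'text/html' && $mail_part->size)`) and tested with `if (!isset($this->got_html_part))` in the multipart/related handling; it is never cleared, so an HTML part inside a nested message/rfc822 parsed recursively now suppresses the Outlook related-attachment fallback for the outer message, and the same object would carry the flag into any later re-parse. The `isset` test is also fragile: if `got_html_part` is ever declared on the class with a `false` default, `isset` is always true and the fallback becomes dead code. Prefer `if (empty($this->got_html_part))` at the test site and reset the flag at the non-recursive entry of `parse_structure`, or keep it local and pass it through the recursion. The foreach continues past this hunk.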
@@ -632,8 +664,19 @@
             $p->ctype_secondary = 'plain';
             $p->mimetype        = 'text/plain';
             $p->realtype        = 'multipart/encrypted';
+            $p->mime_id         = $structure->mime_id;
 
             $this->parts[] = $p;
+
+            // add encrypted payload part as attachment
+            if (is_array($structure->parts)) {
+                for ($i=0; $i < count($structure->parts); $i++) {
+                    $subpart = $structure->parts[$i];
+                    if ($subpart->mimetype == 'application/octet-stream' || !empty($subpart->filename)) {
+                        $this->attachments[] = $subpart;
+                    }
+                }
+            }
         }
         // this is an S/MIME ecrypted message -> create a plaintext body with the according message
         else if ($mimetype == 'application/pkcs7-mime') {
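Review bot: The attachment filter in the multipart/encrypted branch, `$subpart->mimetype == 'application/octet-stream' || !empty($subpart->filename)`, differs from the payload rule in `get_multipart_encrypted_part`, which excludes a control part named `version.txt`; here such a part would be listed as an attachment next to the payload. Suggest the same exclusion, `|| (!empty($subpart->filename) && $subpart->filename != 'version.txt')`, or a shared helper so the two rules cannot drift. The `for ($i=0; $i < count($structure->parts); $i++)` loop could be a `foreach`, which is how the rest of this function walks part lists (see `foreach ($structure->parts as $p => $sub_part)` above).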
@@ -643,8 +686,13 @@
             $p->ctype_secondary = 'plain';
             $p->mimetype        = 'text/plain';
             $p->realtype        = 'application/pkcs7-mime';
+            $p->mime_id         = $structure->mime_id;
 
             $this->parts[] = $p;
+
+            if (!empty($structure->filename)) {
+                $this->attachments[] = $structure;
+            }
         }
         // message contains multiple parts
         else if (is_array($structure->parts) && !empty($structure->parts)) {
@@ -653,24 +701,16 @@
                 $mail_part      = &$structure->parts[$i];
                 $primary_type   = $mail_part->ctype_primary;
                 $secondary_type = $mail_part->ctype_secondary;
+                $part_mimetype  = $mail_part->mimetype;
 
-                // real content-type of message/rfc822
-                if ($mail_part->real_mimetype) {
-                    $part_orig_mimetype = $mail_part->mimetype;
-                    $part_mimetype = $mail_part->real_mimetype;
-                    list($primary_type, $secondary_type) = explode('/', $part_mimetype);
-                }
-                else {
-                    $part_mimetype = $part_orig_mimetype = $mail_part->mimetype;
-                  }
-
-                // multipart/alternative
-                if ($primary_type == 'multipart') {
+                // multipart/alternative or message/rfc822
+                if ($primary_type == 'multipart' || $part_mimetype == 'message/rfc822') {
                     $this->parse_structure($mail_part, true);
 
                     // list message/rfc822 as attachment as well (mostly .eml)
-                    if ($part_orig_mimetype == 'message/rfc822' && !empty($mail_part->filename))
+                    if ($primary_type == 'message' && !empty($mail_part->filename)) {
                         $this->attachments[] = $mail_part;
+                    }
                 }
                 // part text/[plain|html] or delivery status
                 else if ((($part_mimetype == 'text/plain' || $part_mimetype == 'text/html') && $mail_part->disposition != 'attachment') ||
@@ -681,11 +721,12 @@
                         array('object' => $this, 'structure' => $mail_part,
                             'mimetype' => $part_mimetype, 'recursive' => true));
 
-                    if ($plugin['abort'])
+                    if ($plugin['abort']) {
                         continue;
+                    }
 
                     if ($part_mimetype == 'text/html' && $mail_part->size) {
-                        $got_html_part = true;
+                        $this->got_html_part = true;
                     }
 
                     $mail_part = $plugin['structure'];
@@ -705,23 +746,22 @@
                         $this->attachments[] = $mail_part;
                     }
                 }
-                // part message/*
-                else if ($primary_type == 'message') {
-                    $this->parse_structure($mail_part, true);
-
-                    // list as attachment as well (mostly .eml)
-                    if (!empty($mail_part->filename))
-                        $this->attachments[] = $mail_part;
-                }
                 // ignore "virtual" protocol parts
                 else if ($primary_type == 'protocol') {
                     continue;
                 }
                 // part is Microsoft Outlook TNEF (winmail.dat)
                 else if ($part_mimetype == 'application/ms-tnef') {
-                    foreach ((array)$this->tnef_decode($mail_part) as $tpart) {
+                    $tnef_parts = (array) $this->tnef_decode($mail_part);
+                    foreach ($tnef_parts as $tpart) {
                         $this->mime_parts[$tpart->mime_id] = $tpart;
                         $this->attachments[] = $tpart;
+                    }
+
+                    // add winmail.dat to the list if it's content is unknown
+                    if (empty($tnef_parts) && !empty($mail_part->filename)) {
+                        $this->mime_parts[$mail_part->mime_id] = $mail_part;
+                        $this->attachments[] = $mail_part;
                     }
                 }
                 // part is a file/attachment
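Review bot: The comment `// add winmail.dat to the list if it's content is unknown` should read `its content`, and it under-describes the condition: `empty($tnef_parts)` is true both for a winmail.dat that genuinely contains nothing and, presumably, when `tnef_decode` could not decompress the part at all, so the raw part is exposed as an attachment in either case. Suggest `// decoding yielded nothing (empty or undecodable winmail.dat): expose the raw part as an attachment`. tnef_decode's failure behaviour is outside this hunk, so confirm it returns an empty array rather than throwing.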
@@ -736,21 +776,14 @@
 
                     // part belongs to a related message and is linked
                     if (preg_match('/^multipart\/(related|relative)/', $mimetype)
-                        && ($mail_part->headers['content-id'] || $mail_part->headers['content-location'])) {
+                        && ($mail_part->headers['content-id'] || $mail_part->headers['content-location'])
+                    ) {
                         if ($mail_part->headers['content-id'])
                             $mail_part->content_id = preg_replace(array('/^</', '/>$/'), '', $mail_part->headers['content-id']);
                         if ($mail_part->headers['content-location'])
                             $mail_part->content_location = $mail_part->headers['content-base'] . $mail_part->headers['content-location'];
 
                         $this->inline_parts[] = $mail_part;
-                    }
-                    // attachment encapsulated within message/rfc822 part needs further decoding (#1486743)
-                    else if ($part_orig_mimetype == 'message/rfc822') {
-                        $this->parse_structure($mail_part, true);
-
-                        // list as attachment as well (mostly .eml)
-                        if (!empty($mail_part->filename))
-                            $this->attachments[] = $mail_part;
                     }
                     // regular attachment with valid content type
                     // (content-type name regexp according to RFC4288.4.2)
@@ -767,9 +800,13 @@
                         $this->attachments[] = $mail_part;
                     }
                 }
-                // attachment part as message/rfc822 (#1488026)
-                else if ($mail_part->mimetype == 'message/rfc822') {
-                    $this->parse_structure($mail_part);
+                // calendar part not marked as attachment (#1490325)
+                else if ($part_mimetype == 'text/calendar') {
+                    if (!$mail_part->filename) {
+                        $mail_part->filename = 'calendar.ics';
+                    }
+
+                    $this->attachments[] = $mail_part;
                 }
             }
 
@@ -790,7 +827,7 @@
                         // MS Outlook sends sometimes non-related attachments as related
                         // In this case multipart/related message has only one text part
                         // We'll add all such attachments to the attachments list
-                        if (!isset($got_html_part) && empty($inline_object->content_id)) {
+                        if (!isset($this->got_html_part)) {
                             $this->attachments[] = $inline_object;
                         }
                         // MS Outlook sometimes also adds non-image attachments as related
@@ -823,7 +860,6 @@
         }
     }
 
-
     /**
      * Fill aflat array with references to all parts, indexed by part numbers
      *
@@ -839,7 +875,6 @@
                 $this->get_mime_numbers($part->parts[$i]);
     }
 
-
     /**
      * Decode a Microsoft Outlook TNEF part (winmail.dat)
      *
@@ -850,7 +885,7 @@
     {
         // @TODO: attachment may be huge, handle body via file
         $body     = $this->get_part_body($part->mime_id);
-        $tnef     = new tnef_decoder;
+        $tnef     = new rcube_tnef_decoder;
         $tnef_arr = $tnef->decompress($body);
         $parts    = array();
 
@@ -874,7 +909,6 @@
 
         return $parts;
     }
-
 
     /**
      * Parse message body for UUencoded attachments bodies
@@ -1001,5 +1035,4 @@
     {
         return rcube_mime::format_flowed($text, $length);
     }
-
 }
