From 681ba6fc3c296cd6cd11050531b8f4e785141786 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 16 Dec 2014 07:28:48 -0500
Subject: [PATCH] Improve system security by using an optional special URL with a security token. Allows defining a separate server/path for image/js/css files. Fixes bugs where CSRF attacks were still possible on some requests.

---
 program/steps/mail/compose.inc |  104 ++++++++++++++++++++++++++++------------------------
 1 files changed, 56 insertions(+), 48 deletions(-)

diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 22ebaed..fd25cf4 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -80,7 +80,7 @@
 $OUTPUT->add_label('nosubject', 'nosenderwarning', 'norecipientwarning', 'nosubjectwarning', 'cancel',
     'nobodywarning', 'notsentwarning', 'notuploadedwarning', 'savingmessage', 'sendingmessage', 
     'messagesaved', 'converting', 'editorwarning', 'searching', 'uploading', 'uploadingmany',
-    'fileuploaderror', 'sendmessage', 'savenewresponse', 'responsename', 'responsetext', 'save',
+    'fileuploaderror', 'sendmessage', 'newresponse', 'responsename', 'responsetext', 'save',
     'savingresponse', 'restoresavedcomposedata', 'restoremessage', 'delete', 'restore', 'ignore',
     'selectimportfile');
 
@@ -91,6 +91,7 @@
 $OUTPUT->set_env('mailbox', $RCMAIL->storage->get_folder());
 $OUTPUT->set_env('top_posting', intval($RCMAIL->config->get('reply_mode')) > 0);
 $OUTPUT->set_env('recipients_separator', trim($RCMAIL->config->get('recipients_separator', ',')));
+$OUTPUT->set_env('save_localstorage', (bool)$RCMAIL->config->get('compose_save_localstorage'));
 
 $drafts_mbox     = $RCMAIL->config->get('drafts_mbox');
 $config_show_sig = $RCMAIL->config->get('show_sig', 1);
@@ -130,8 +131,10 @@
     $compose_mode = RCUBE_COMPOSE_EDIT;
 }
 
-$COMPOSE['mode'] = $compose_mode;
-$OUTPUT->set_env('compose_mode', $compose_mode);
+if ($compose_mode) {
+    $COMPOSE['mode'] = $compose_mode;
+    $OUTPUT->set_env('compose_mode', $compose_mode);
+}
 
 if ($compose_mode == RCUBE_COMPOSE_EDIT || $compose_mode == RCUBE_COMPOSE_DRAFT) {
     // don't add signature in draft/edit mode, we'll also not remove the old-one
@@ -280,6 +283,7 @@
 foreach ($parts as $header) {
     $fvalue        = '';
     $decode_header = true;
+    $charset       = $MESSAGE->headers->charset;
 
     // we have a set of recipients stored is session
     if ($header == 'to' && ($mailto_id = $COMPOSE['param']['mailto'])
@@ -287,16 +291,19 @@
     ) {
         $fvalue        = urldecode($_SESSION['mailto'][$mailto_id]);
         $decode_header = false;
+        $charset       = $RCMAIL->output->charset;
 
         // make session to not grow up too much
         unset($_SESSION['mailto'][$mailto_id]);
         $COMPOSE['param']['to'] = $fvalue;
     }
     else if (!empty($_POST['_'.$header])) {
-        $fvalue = rcube_utils::get_input_value('_'.$header, rcube_utils::INPUT_POST, TRUE);
+        $fvalue  = rcube_utils::get_input_value('_'.$header, rcube_utils::INPUT_POST, TRUE);
+        $charset = $RCMAIL->output->charset;
     }
     else if (!empty($COMPOSE['param'][$header])) {
-        $fvalue = $COMPOSE['param'][$header];
+        $fvalue  = $COMPOSE['param'][$header];
+        $charset = $RCMAIL->output->charset;
     }
     else if ($compose_mode == RCUBE_COMPOSE_REPLY) {
         // get recipent address(es) out of the message headers
@@ -337,9 +344,9 @@
 
             // When To: and Reply-To: are the same we add From: address to the list (#1489037)
             if ($v = $MESSAGE->headers->from) {
-                $from    = rcube_mime::decode_address_list($v, null, false, $MESSAGE->headers->charset, true);
-                $to      = rcube_mime::decode_address_list($MESSAGE->headers->to, null, false, $MESSAGE->headers->charset, true);
-                $replyto = rcube_mime::decode_address_list($MESSAGE->headers->replyto, null, false, $MESSAGE->headers->charset, true);
+                $from    = rcube_mime::decode_address_list($v, null, false, $charset, true);
+                $to      = rcube_mime::decode_address_list($MESSAGE->headers->to, null, false, $charset, true);
+                $replyto = rcube_mime::decode_address_list($MESSAGE->headers->replyto, null, false, $charset, true);
 
                 if (count($replyto) && !count(array_diff($to, $replyto)) && count(array_diff($from, $to))) {
                     $fvalue .= (!empty($fvalue) ? $separator : '') . $v;
@@ -365,7 +372,7 @@
 
     // split recipients and put them back together in a unique way
     if (!empty($fvalue) && in_array($header, array('to', 'cc', 'bcc'))) {
-        $to_addresses = rcube_mime::decode_address_list($fvalue, null, $decode_header, $MESSAGE->headers->charset);
+        $to_addresses = rcube_mime::decode_address_list($fvalue, null, $decode_header, $charset);
         $fvalue       = array();
 
         foreach ($to_addresses as $addr_part) {
@@ -487,7 +494,7 @@
         foreach ($plugin['attachments'] as $attach) {
             // we have structured data
             if (is_array($attach)) {
-                $attachment = $attach;
+                $attachment = $attach + array('group' => $COMPOSE_ID);
             }
             // only a file path is given
             else {
@@ -611,7 +618,7 @@
                 $text = $html = $sql_arr['signature'];
 
                 if ($sql_arr['html_signature']) {
-                    $h2t  = new rcube_html2text($sql_arr['signature'], false, false);
+                    $h2t  = new rcube_html2text($sql_arr['signature'], false, true);
                     $text = trim($h2t->get_text());
                 }
                 else {
@@ -624,7 +631,8 @@
                 }
 
                 if (!$sql_arr['html_signature']) {
-                    $html = "<pre>" . $html . "</pre>";
+                    $t2h  = new rcube_text2html($sql_arr['signature'], false);
+                    $html = $t2h->get_html();
                 }
 
                 $a_signatures[$identity_id]['text'] = $text;
@@ -796,21 +804,13 @@
         return '';
     }
 
-    if (empty($part->ctype_parameters) || empty($part->ctype_parameters['charset'])) {
-        $part->ctype_parameters['charset'] = $MESSAGE->headers->charset;
-    }
-
     // fetch part if not available
-    if (!isset($part->body)) {
-        $part->body = $MESSAGE->get_part_content($part->mime_id);
-    }
+    $body = $MESSAGE->get_part_body($part->mime_id, true);
 
     // message is cached but not exists (#1485443), or other error
-    if ($part->body === false) {
+    if ($body === false) {
         return '';
     }
-
-    $body = $part->body;
 
     if ($isHtml) {
         if ($part->ctype_secondary == 'html') {
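Review bot: Removing the charset fallback means `$part->ctype_parameters['charset']` is no longer guaranteed to exist for this part, and the function continues past the hunk, so any later line that still consults it now needs an `isset()` guard. This is presumably intended because `get_part_body($part->mime_id, true)` is expected to hand back text already converted to the output charset, but that contract is only implied here. A one-line comment on the new call would make it explicit for the next reader, e.g. `// second argument: decode/convert the body, so no per-part charset default is needed (confirm against rcube_message::get_part_body)`.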
@@ -826,15 +826,8 @@
                 }
             }
 
-            if ($part->ctype_parameters['format'] == 'flowed') {
-                $body = rcube_mime::unfold_flowed($body);
-            }
-
             // add HTML formatting
-            $body = rcmail_plain_body($body);
-            if ($body) {
-                $body = '<pre>' . $body . '</pre>';
-            }
+            $body = rcmail_plain_body($body, $part->ctype_parameters['format'] == 'flowed');
         }
     }
     else {
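Review bot: The rewritten call still indexes `$part->ctype_parameters['format']` unguarded, so a part without a `format` parameter raises an undefined-index notice on every compose; since the line is being touched anyway, compute the flag first: `$flowed = !empty($part->ctype_parameters['format']) && $part->ctype_parameters['format'] == 'flowed';` and pass `$flowed`. The `<pre>` wrapping and `unfold_flowed()` call were dropped here, which I read as having moved into `rcmail_plain_body()` behind the new boolean argument — worth confirming, as a plain-text body that is no longer wrapped would render unformatted in the HTML editor. The enclosing function begins before this hunk.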
@@ -957,9 +950,8 @@
             "googie.setLanguages(%s);\n".
             "googie.setCurrentLanguage('%s');\n".
             "googie.setDecoration(false);\n".
-            "googie.decorateTextarea('%s');\n".
-            "%s.set_env('spellcheck', googie);",
-            $RCMAIL->output->get_skin_path(),
+            "googie.decorateTextarea('%s');\n",
+            $RCMAIL->output->asset_url($RCMAIL->output->get_skin_path()),
             $RCMAIL->url(array('_task' => 'utils', '_action' => 'spell', '_remote' => 1)),
                 !empty($dictionary) ? 'true' : 'false',
             rcube::JQ(rcube::Q($RCMAIL->gettext('checkspelling'))),
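Review bot: The skin asset URL and the spell URL are dropped into single-quoted JavaScript string literals via `'%s'` without any JS escaping, while the gettext strings three lines below are wrapped in `rcube::JQ(rcube::Q(...))`; a configured asset base containing a quote or backslash would break the generated script. For consistency, wrap the two URL arguments the same way, e.g. `rcube::JQ($RCMAIL->output->asset_url($RCMAIL->output->get_skin_path())),`. The sprintf format string and its opening start above the hunk, so the `%s` positions cannot be fully checked from here.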
@@ -970,14 +962,13 @@
             rcube::JQ(rcube::Q($RCMAIL->gettext('addtodict'))),
             rcube_output::json_serialize($spellcheck_langs),
             $lang,
-            $attrib['id'],
-            rcmail_output::JS_OBJECT_NAME), 'foot');
+            $attrib['id']), 'foot');
 
         $OUTPUT->add_label('checking');
         $OUTPUT->set_env('spellcheck_langs', join(',', $editor_lang_set));
     }
 
-    $out .= "\n".'<iframe name="savetarget" src="program/resources/blank.gif" style="width:0;height:0;border:none;visibility:hidden;"></iframe>';
+    $out .= "\n".'<iframe name="savetarget" src="program/resources/blank.gif" style="width:0;height:0;border:none;visibility:hidden;" aria-hidden="true"></iframe>';
 
     return $out;
 }
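Review bot: The hidden iframe keeps a relative `src="program/resources/blank.gif"` while the previous hunk routes the skin path through `$RCMAIL->output->asset_url()`; if the point of the commit is to let static files be served from a separate server/path, this resource should go through the same helper, e.g. `'<iframe name="savetarget" src="' . $RCMAIL->output->asset_url('program/resources/blank.gif') . '" style="..." aria-hidden="true"></iframe>'`. If blank.gif is deliberately excluded (it is loaded inside the application origin as a form target), a short comment saying so would stop the next reader from "fixing" it.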
@@ -997,6 +988,8 @@
         )
     ));
 
+    $reply_mode = intval($RCMAIL->config->get('reply_mode'));
+
     if (!$bodyIsHtml) {
         $body = preg_replace('/\r?\n/', "\n", $body);
         $body = trim($body, "\n");
@@ -1005,10 +998,13 @@
         $body = rcmail_wrap_and_quote($body, $LINE_LENGTH);
 
         $prefix .= "\n";
-        $suffix = '';
 
-        if (intval($RCMAIL->config->get('reply_mode')) > 0) { // top-posting
+        if ($reply_mode > 0) { // top-posting
             $prefix = "\n\n\n" . $prefix;
+            $suffix = '';
+        }
+        else {
+            $suffix = "\n";
         }
     }
     else {
@@ -1023,7 +1019,7 @@
         $prefix = '<p>' . rcube::Q($prefix) . "</p>\n";
         $prefix .= '<blockquote>';
 
-        if (intval($RCMAIL->config->get('reply_mode')) > 0) { // top-posting
+        if ($reply_mode > 0) { // top-posting
             $prefix = '<br>' . $prefix;
             $suffix = '</blockquote>';
         }
@@ -1315,7 +1311,6 @@
         }
         else {
             $data = $storage->get_raw_body($message->uid);
-            $curr_mem += $message->size;
         }
 
         $attachment = array(
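Review bot: Dropping `$curr_mem += $message->size;` after `get_raw_body()` means a raw message loaded into memory on this branch no longer counts toward whatever `$curr_mem` is compared against; the enclosing loop starts before the hunk, so I cannot see whether `$curr_mem` is still used to decide between in-memory and temp-file handling for subsequent messages. If it is, the accounting is now one message short on each iteration; if the variable is dead after this change, its remaining declaration and comparisons should be removed in the same commit so the intent is clear.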
@@ -1366,7 +1361,7 @@
         $path     = tempnam($temp_dir, 'rcmAttmnt');
 
         if ($fp = fopen($path, 'w')) {
-            $message->get_part_content($pid, $fp, true, 0, false);
+            $message->get_part_body($pid, false, 0, $fp);
             fclose($fp);
         }
         else {
@@ -1374,7 +1369,7 @@
         }
     }
     else {
-        $data = $message->get_part_content($pid, null, true, 0, false);
+        $data = $message->get_part_body($pid);
     }
 
     $mimetype = $part->ctype_primary . '/' . $part->ctype_secondary;
@@ -1388,6 +1383,7 @@
         'data'       => $data,
         'path'       => $path,
         'size'       => $path ? filesize($path) : strlen($data),
+        'charset'    => $part->charset,
     );
 
     $attachment = $rcmail->plugins->exec_hook('attachment_save', $attachment);
@@ -1457,12 +1453,18 @@
     if (isset($_POST['_subject'])) {
         $subject = rcube_utils::get_input_value('_subject', rcube_utils::INPUT_POST, TRUE);
     }
+    else if (!empty($COMPOSE['param']['subject'])) {
+        $subject = $COMPOSE['param']['subject'];
+    }
     // create a reply-subject
     else if ($compose_mode == RCUBE_COMPOSE_REPLY) {
         if (preg_match('/^re:/i', $MESSAGE->subject))
             $subject = $MESSAGE->subject;
         else
             $subject = 'Re: '.$MESSAGE->subject;
+
+        // replace (was: ...) (#1489375)
+        $subject = preg_replace('/\s*\([wW]as:[^\)]+\)\s*$/', '', $subject);
     }
     // create a forward-subject
     else if ($compose_mode == RCUBE_COMPOSE_FORWARD) {
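Review bot: The new `(was: ...)` stripper is case-sensitive beyond `w`/`W` — `(WAS: ...)` survives — and the negated class escapes more than it needs to; `'/\s*\(was:[^)]+\)\s*$/i'` reads more simply and covers all spellings. Note also that moving the `$COMPOSE['param']['subject']` branch above the reply/forward/draft branches changes precedence: a subject parameter now wins over a draft's stored subject, which is presumably intended but deserves a word in the comment above it, e.g. `// an explicit subject parameter takes precedence over subjects derived from the original message`.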
@@ -1474,9 +1476,6 @@
     // creeate a draft-subject
     else if ($compose_mode == RCUBE_COMPOSE_DRAFT || $compose_mode == RCUBE_COMPOSE_EDIT) {
         $subject = $MESSAGE->subject;
-    }
-    else if (!empty($COMPOSE['param']['subject'])) {
-        $subject = $COMPOSE['param']['subject'];
     }
 
     $out = $form_start ? "$form_start\n" : '';
@@ -1525,7 +1524,9 @@
                         'href'    => "#delete",
                         'title'   => $RCMAIL->gettext('delete'),
                         'onclick' => sprintf("return %s.command('remove-attachment','rcmfile%s', this)", rcmail_output::JS_OBJECT_NAME, $id),
-                        'class'   => 'delete'
+                        'class'   => 'delete',
+                        'tabindex' => $attrib['tabindex'] ?: '0',
+                        'aria-label'   => $RCMAIL->gettext('delete') . ' ' . $a_prop['name'],
                     ),
                     $button
                 ) . rcube::Q($a_prop['name'])
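Review bot: `$attrib['tabindex'] ?: '0'` reads the key before testing it, so a call without `tabindex` emits an undefined-index notice on each attachment row; use `isset($attrib['tabindex']) ? $attrib['tabindex'] : '0'`. The new `aria-label` concatenates `$a_prop['name']` (an attachment file name) straight into an attribute value, whereas the visible link text passes it through `rcube::Q()` on the next line — this is fine only if `html::a()` escapes attribute values itself, which I cannot confirm from this hunk; if it does not, the attribute needs `rcube::Q($a_prop['name'])` as well.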
@@ -1550,6 +1551,12 @@
 
     $OUTPUT->set_env('attachments', $jslist);
     $OUTPUT->add_gui_object('attachmentlist', $attrib['id']);
+
+    // put tabindex value into data-tabindex attribute
+    if (isset($attrib['tabindex'])) {
+        $attrib['data-tabindex'] = $attrib['tabindex'];
+        unset($attrib['tabindex']);
+    }
 
     return html::tag('ul', $attrib, $out, html::$common_attrib);
 }
@@ -1707,7 +1714,7 @@
     if (empty($attrib['name']))
         $attrib['name'] = 'editorSelect';
 
-    $attrib['onchange'] = "return rcmail_toggle_editor(this, '".$attrib['editorid']."', '_is_html')";
+    $attrib['onchange'] = "return rcmail.command('toggle-editor', {id: '".$attrib['editorid']."', html: this.value == 'html'}, '', event)";
 
     $select = new html_select($attrib);
 
@@ -1864,9 +1871,10 @@
     foreach ($RCMAIL->get_compose_responses(true) as $response) {
         $key = $response['key'];
         $item = html::a(array(
-            'href '=> '#'.urlencode($response['name']),
+            'href' => '#'.urlencode($response['name']),
             'class' => rtrim('insertresponse ' . $attrib['itemclass']),
             'unselectable' => 'on',
+            'tabindex' => '0',
             'rel' => $key,
         ), rcube::Q($response['name']));
 
