From 92bcb940d4a1be34ee9ea232741d18dd273dfea3 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 15 Oct 2015 03:09:31 -0400
Subject: [PATCH] Fix bug where HTML messages with invalid/excessive css styles couldn't be displayed (#1490539)
---
program/steps/mail/func.inc | 218 ++++++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 171 insertions(+), 47 deletions(-)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 6e2f982..e7b6940 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -37,7 +37,7 @@
}
// remove mbox part from _uid
-if (($_uid = rcube_utils::get_input_value('_uid', RCUBE_INPUT_GPC)) && !is_array($_uid) && preg_match('/^\d+-.+/', $_uid)) {
+if (($_uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GPC)) && !is_array($_uid) && preg_match('/^\d+-.+/', $_uid)) {
list($_uid, $mbox) = explode('-', $_uid, 2);
if (isset($_GET['_uid'])) $_GET['_uid'] = $_uid;
if (isset($_POST['_uid'])) $_POST['_uid'] = $_uid;
@@ -125,6 +125,7 @@
'messagecontentframe' => 'rcmail_messagecontent_frame',
'messageimportform' => 'rcmail_message_import_form',
'searchfilter' => 'rcmail_search_filter',
+ 'searchinterval' => 'rcmail_search_interval',
'searchform' => array($OUTPUT, 'search_form'),
));
@@ -453,6 +454,8 @@
}
}
+ $sort_col = $_SESSION['sort_col'];
+
// loop through message headers
foreach ($a_headers as $header) {
if (empty($header))
@@ -481,9 +484,9 @@
$cont = rcube::Q($cont);
}
else if ($col == 'size')
- $cont = show_bytes($header->$col);
+ $cont = $RCMAIL->show_bytes($header->$col);
else if ($col == 'date')
- $cont = $RCMAIL->format_date($header->date);
+ $cont = $RCMAIL->format_date($sort_col == 'arrival' ? $header->internaldate : $header->date);
else if ($col == 'folder') {
if ($last_folder !== $header->folder) {
$last_folder = $header->folder;
@@ -588,8 +591,9 @@
}
foreach ($a_show_cols as $col) {
- $label = '';
+ $label = '';
$sortable = false;
+ $rel_col = $col == 'date' && $sort_col == 'arrival' ? 'arrival' : $col;
// get column name
switch ($col) {
@@ -607,11 +611,11 @@
$col_name = $list_menu;
break;
case 'fromto':
- $label = $RCMAIL->gettext($smart_col);
+ $label = $RCMAIL->gettext($smart_col);
$col_name = rcube::Q($label);
break;
default:
- $label = $RCMAIL->gettext($col);
+ $label = $RCMAIL->gettext($col);
$col_name = rcube::Q($label);
}
@@ -621,7 +625,7 @@
$col_name = html::a(array(
'href' => "./#sort",
'class' => 'sortcol',
- 'rel' => $col,
+ 'rel' => $rel_col,
'title' => $RCMAIL->gettext('sortby')
), $col_name);
}
@@ -629,7 +633,7 @@
$col_name = '<span class="' . $col .'">' . $col_name . '</span>';
}
- $sort_class = $col == $sort_col && !$disabled_order ? " sorted$sort_order" : '';
+ $sort_class = $rel_col == $sort_col && !$disabled_order ? " sorted$sort_order" : '';
$class_name = $col.$sort_class;
// put it all together
@@ -770,7 +774,7 @@
// get default addressbook, like in addcontact.inc
$CONTACTS = $RCMAIL->get_address_book(-1, true);
- if ($CONTACTS) {
+ if ($CONTACTS && $message->sender['mailto']) {
$result = $CONTACTS->search('email', $message->sender['mailto'], 1, false);
if ($result->count) {
$message->set_safe(true);
@@ -884,8 +888,7 @@
$data['body'] = rcube_enriched::to_html($data['body']);
}
- $txt = new rcube_html2text($data['body'], false, true);
- $body = $txt->get_text();
+ $body = $RCMAIL->html2text($data['body']);
$part->ctype_secondary = 'plain';
}
// text/html
@@ -948,6 +951,13 @@
break;
case 'style':
+ // Crazy big styles may freeze the browser (#1490539)
+ // remove content with more than 5k lines
+ if (substr_count($content, "\n") > 5000) {
+ $out = '';
+ break;
+ }
+
// decode all escaped entities and reduce to ascii strings
$stripped = preg_replace('/[^a-zA-Z\(:;]/', '', rcube_utils::xss_entity_decode($content));
@@ -1172,7 +1182,8 @@
$attrib['id'] = 'rcmailMsgBody';
$safe_mode = $MESSAGE->is_safe || intval($_GET['_safe']);
- $out = '';
+ $out = '';
+ $part_no = 0;
$header_attrib = array();
foreach ($attrib as $attr => $value) {
@@ -1190,7 +1201,16 @@
// unsupported (e.g. encrypted)
if ($part->realtype) {
if ($part->realtype == 'multipart/encrypted' || $part->realtype == 'application/pkcs7-mime') {
- $out .= html::span('part-notice', $RCMAIL->gettext('encryptedmessage'));
+ if (!empty($_SESSION['browser_caps']['pgpmime']) && ($pgp_mime_part = $MESSAGE->get_multipart_encrypted_part())) {
+ $out .= html::span('part-notice', $RCMAIL->gettext('externalmessagedecryption'));
+ $OUTPUT->set_env('pgp_mime_part', $pgp_mime_part->mime_id);
+ $OUTPUT->set_env('pgp_mime_container', '#' . $attrib['id']);
+ $OUTPUT->add_label('loadingdata');
+ }
+
+ if (!$MESSAGE->encrypted_part) {
+ $out .= html::span('part-notice', $RCMAIL->gettext('encryptedmessage'));
+ }
}
continue;
}
@@ -1224,15 +1244,21 @@
rcmail_message_error($MESSAGE->uid);
}
+ // check if the message body is PGP encrypted
+ if (strpos($body, '-----BEGIN PGP MESSAGE-----') !== false) {
+ $OUTPUT->set_env('is_pgp_content', '#message-part' . ($part_no + 1));
+ }
+
$plugin = $RCMAIL->plugins->exec_hook('message_body_prefix',
array('part' => $part, 'prefix' => ''));
$body = rcmail_print_body($body, $part, array('safe' => $safe_mode, 'plain' => !$RCMAIL->config->get('prefer_html')));
if ($part->ctype_secondary == 'html') {
- $body = rcmail_html4inline($body, $attrib['id'], 'rcmBody', $attrs, $safe_mode);
- $div_attr = array('class' => 'message-htmlpart');
- $style = array();
+ $container_id = 'message-htmlpart' . (++$part_no);
+ $body = rcmail_html4inline($body, $container_id, 'rcmBody', $attrs, $safe_mode);
+ $div_attr = array('class' => 'message-htmlpart', 'id' => $container_id);
+ $style = array();
if (!empty($attrs)) {
foreach ($attrs as $a_idx => $a_val)
@@ -1243,8 +1269,11 @@
$out .= html::div($div_attr, $plugin['prefix'] . $body);
}
- else
- $out .= html::div('message-part', $plugin['prefix'] . $body);
+ else {
+ $container_id = 'message-part' . (++$part_no);
+ $div_attr = array('class' => 'message-part', 'id' => $container_id);
+ $out .= html::div($div_attr, $plugin['prefix'] . $body);
+ }
}
}
}
@@ -1373,10 +1402,10 @@
/**
* modify a HTML message that it can be displayed inside a HTML page
*/
-function rcmail_html4inline($body, $container_id, $body_id='', &$attributes=null, $allow_remote=false)
+function rcmail_html4inline($body, $container_id, $body_class='', &$attributes=null, $allow_remote=false)
{
$last_style_pos = 0;
- $cont_id = $container_id.($body_id ? ' div.'.$body_id : '');
+ $cont_id = $container_id . ($body_class ? ' div.'.$body_class : '');
// find STYLE tags
while (($pos = stripos($body, '<style', $last_style_pos)) && ($pos2 = stripos($body, '</style>', $pos))) {
@@ -1420,7 +1449,7 @@
'<!--\\1-->',
'<?',
'?>',
- '<div class="'.$body_id.'"\\1>',
+ '<div class="' . $body_class . '"\\1>',
'</div>',
),
$body);
@@ -1428,7 +1457,7 @@
$attributes = array();
// Handle body attributes that doesn't play nicely with div elements
- $regexp = '/<div class="' . preg_quote($body_id, '/') . '"([^>]*)/';
+ $regexp = '/<div class="' . preg_quote($body_class, '/') . '"([^>]*)/';
if (preg_match($regexp, $body, $m)) {
$attrs = $m[0];
@@ -1465,7 +1494,7 @@
// make sure there's 'rcmBody' div, we need it for proper css modification
// its name is hardcoded in rcmail_message_body() also
else {
- $body = '<div class="' . $body_id . '">' . $body . '</div>';
+ $body = '<div class="' . $body_class . '">' . $body . '</div>';
}
return $body;
@@ -1796,6 +1825,7 @@
'Message-ID' => $RCMAIL->gen_message_id(),
'X-Sender' => $identity['email'],
'References' => trim($message->headers->references . ' ' . $message->headers->messageID),
+ 'In-Reply-To' => $message->headers->messageID,
);
$report = "Final-Recipient: rfc822; {$identity['email']}\r\n"
@@ -1811,20 +1841,21 @@
$report .= "Reporting-UA: $agent\r\n";
}
+ $to = rcube_mime::decode_mime_string($message->headers->to, $message->headers->charset);
+ $date = $RCMAIL->format_date($message->headers->date, $RCMAIL->config->get('date_long'));
$body = $RCMAIL->gettext("yourmessage") . "\r\n\r\n" .
- "\t" . $RCMAIL->gettext("to") . ': ' . rcube_mime::decode_mime_string($message->headers->to, $message->headers->charset) . "\r\n" .
- "\t" . $RCMAIL->gettext("subject") . ': ' . $message->subject . "\r\n" .
- "\t" . $RCMAIL->gettext("date") . ': ' . $RCMAIL->format_date($message->headers->date, $RCMAIL->config->get('date_long')) . "\r\n" .
+ "\t" . $RCMAIL->gettext("to") . ": {$to}\r\n" .
+ "\t" . $RCMAIL->gettext("subject") . ": {$message->subject}\r\n" .
+ "\t" . $RCMAIL->gettext("date") . ": {$date}\r\n" .
"\r\n" . $RCMAIL->gettext("receiptnote");
- $compose->headers($headers);
+ $compose->headers(array_filter($headers));
$compose->setContentType('multipart/report', array('report-type'=> 'disposition-notification'));
$compose->setTXTBody(rcube_mime::wordwrap($body, 75, "\r\n"));
$compose->addAttachment($report, 'message/disposition-notification', 'MDNPart2.txt', false, '7bit', 'inline');
- if ($RCMAIL->config->get('mdn_use_from')) {
- $options['mdn_use_from'] = true;
- }
+ // SMTP options
+ $options = array('mdn_use_from' => (bool) $RCMAIL->config->get('mdn_use_from'));
$sent = $RCMAIL->deliver_message($compose, $identity['email'], $mailto, $smtp_error, $body_file, $options);
@@ -2005,8 +2036,9 @@
{
global $RCMAIL;
- if (!strlen($attrib['id']))
+ if (!strlen($attrib['id'])) {
$attrib['id'] = 'rcmlistfilter';
+ }
$attrib['onchange'] = rcmail_output::JS_OBJECT_NAME.'.filter_mailbox(this.value)';
@@ -2020,27 +2052,45 @@
$attachment .= ' HEADER Content-Type ' . rcube_imap_generic::escape($type);
}
- $select_filter = new html_select($attrib);
- $select_filter->add($RCMAIL->gettext('all'), 'ALL');
- $select_filter->add($RCMAIL->gettext('unread'), 'UNSEEN');
- $select_filter->add($RCMAIL->gettext('flagged'), 'FLAGGED');
- $select_filter->add($RCMAIL->gettext('unanswered'), 'UNANSWERED');
+ $select = new html_select($attrib);
+ $select->add($RCMAIL->gettext('all'), 'ALL');
+ $select->add($RCMAIL->gettext('unread'), 'UNSEEN');
+ $select->add($RCMAIL->gettext('flagged'), 'FLAGGED');
+ $select->add($RCMAIL->gettext('unanswered'), 'UNANSWERED');
if (!$RCMAIL->config->get('skip_deleted')) {
- $select_filter->add($RCMAIL->gettext('deleted'), 'DELETED');
- $select_filter->add($RCMAIL->gettext('undeleted'), 'UNDELETED');
+ $select->add($RCMAIL->gettext('deleted'), 'DELETED');
+ $select->add($RCMAIL->gettext('undeleted'), 'UNDELETED');
}
- $select_filter->add($RCMAIL->gettext('withattachment'), $attachment);
- $select_filter->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('highest'), 'HEADER X-PRIORITY 1');
- $select_filter->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('high'), 'HEADER X-PRIORITY 2');
- $select_filter->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('normal'), 'NOT HEADER X-PRIORITY 1 NOT HEADER X-PRIORITY 2 NOT HEADER X-PRIORITY 4 NOT HEADER X-PRIORITY 5');
- $select_filter->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('low'), 'HEADER X-PRIORITY 4');
- $select_filter->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('lowest'), 'HEADER X-PRIORITY 5');
-
- $out = $select_filter->show($_REQUEST['_search'] ? $_SESSION['search_filter'] : 'ALL');
+ $select->add($RCMAIL->gettext('withattachment'), $attachment);
+ $select->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('highest'), 'HEADER X-PRIORITY 1');
+ $select->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('high'), 'HEADER X-PRIORITY 2');
+ $select->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('normal'), 'NOT HEADER X-PRIORITY 1 NOT HEADER X-PRIORITY 2 NOT HEADER X-PRIORITY 4 NOT HEADER X-PRIORITY 5');
+ $select->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('low'), 'HEADER X-PRIORITY 4');
+ $select->add($RCMAIL->gettext('priority').': '.$RCMAIL->gettext('lowest'), 'HEADER X-PRIORITY 5');
$RCMAIL->output->add_gui_object('search_filter', $attrib['id']);
- return $out;
+ return $select->show($_REQUEST['_search'] ? $_SESSION['search_filter'] : 'ALL');
+}
+
+function rcmail_search_interval($attrib)
+{
+ global $RCMAIL;
+
+ if (!strlen($attrib['id'])) {
+ $attrib['id'] = 'rcmsearchinterval';
+ }
+
+ $select = new html_select($attrib);
+ $select->add('', '');
+
+ foreach (array('1W', '1M', '1Y', '-1W', '-1M', '-1Y') as $value) {
+ $select->add($RCMAIL->gettext('searchinterval' . $value), $value);
+ }
+
+ $RCMAIL->output->add_gui_object('search_interval', $attrib['id']);
+
+ return $select->show($_REQUEST['_search'] ? $_SESSION['search_interval'] : '');
}
function rcmail_message_error()
@@ -2156,3 +2206,77 @@
return $jsresult;
}
+
+function rcmail_save_attachment($message, $pid, $compose_id, $params = array())
+{
+ $rcmail = rcmail::get_instance();
+ $storage = $rcmail->get_storage();
+
+ if ($pid) {
+ // attachment requested
+ $part = $message->mime_parts[$pid];
+ $size = $part->size;
+ $mimetype = $part->ctype_primary . '/' . $part->ctype_secondary;
+ $filename = $params['filename'] ?: rcmail_attachment_name($part);
+ }
+ else {
+ // the whole message requested
+ $size = $message->size;
+ $mimetype = 'message/rfc822';
+ $filename = $params['filename'] ?: 'message_rfc822.eml';
+ }
+
+ // don't load too big attachments into memory
+ if (!rcube_utils::mem_check($size)) {
+ $temp_dir = unslashify($rcmail->config->get('temp_dir'));
+ $path = tempnam($temp_dir, 'rcmAttmnt');
+
+ if ($fp = fopen($path, 'w')) {
+ if ($pid) {
+ // part body
+ $message->get_part_body($pid, false, 0, $fp);
+ }
+ else {
+ // complete message
+ $storage->get_raw_body($message->uid, $fp);
+ }
+
+ fclose($fp);
+ }
+ else {
+ return false;
+ }
+ }
+ else if ($pid) {
+ // part body
+ $data = $message->get_part_body($pid);
+ }
+ else {
+ // complete message
+ $data = $storage->get_raw_body($message->uid);
+ }
+
+ $attachment = array(
+ 'group' => $compose_id,
+ 'name' => $filename,
+ 'mimetype' => $mimetype,
+ 'content_id' => $part ? $part->content_id : null,
+ 'data' => $data,
+ 'path' => $path,
+ 'size' => $path ? filesize($path) : strlen($data),
+ 'charset' => $part ? $part->charset : null,
+ );
+
+ $attachment = $rcmail->plugins->exec_hook('attachment_save', $attachment);
+
+ if ($attachment['status']) {
+ unset($attachment['data'], $attachment['status'], $attachment['content_id'], $attachment['abort']);
+ $rcmail->session->append('compose_data_' . $compose_id . '.attachments', $attachment['id'], $attachment);
+ return $attachment;
+ }
+ else if ($path) {
+ @unlink($path);
+ }
+
+ return false;
+}
--
Gitblit v1.9.1