From a8ca51718b7652d3351978a622a2302f3daae91c Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Wed, 27 Mar 2013 12:07:28 -0400 Subject: [PATCH] Sanity check the file path for generic message footer before adding it --- program/steps/mail/sendmail.inc | 100 ++++++++++++++++++++++++++++++------------------- 1 files changed, 61 insertions(+), 39 deletions(-) diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 826f731..25537f3 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -75,13 +75,18 @@ // get identity record function rcmail_get_identity($id) { - global $RCMAIL, $OUTPUT; + global $RCMAIL, $message_charset; if ($sql_arr = $RCMAIL->user->get_identity($id)) { $out = $sql_arr; + + if ($message_charset != RCMAIL_CHARSET) { + foreach ($out as $k => $v) + $out[$k] = rcube_charset_convert($v, RCMAIL_CHARSET, $message_charset); + } + $out['mailto'] = $sql_arr['email']; - $out['string'] = format_email_recipient($sql_arr['email'], - rcube_charset_convert($sql_arr['name'], RCMAIL_CHARSET, $OUTPUT->get_charset())); + $out['string'] = format_email_recipient($sql_arr['email'], $sql_arr['name']); return $out; } @@ -100,7 +105,7 @@ */ function rcmail_fix_emoticon_paths(&$mime_message) { - global $CONFIG; + global $RCMAIL; $body = $mime_message->getHTMLBody(); @@ -125,8 +130,9 @@ if (! in_array($image_name, $included_images)) { // add the image to the MIME message - if (! $mime_message->addHTMLImage($img_file, 'image/gif', '', true, $image_name)) - $OUTPUT->show_message("emoticonerror", 'error'); + if (!$mime_message->addHTMLImage($img_file, 'image/gif', '', true, $image_name)) { + $RCMAIL->output->show_message("emoticonerror", 'error'); + } array_push($included_images, $image_name); } 
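Review bot: In rcmail_get_identity the new `$out['string']` is still built from `$sql_arr['name']`, which is left in RCMAIL_CHARSET, while every other field of `$out` was just converted to `$message_charset` in the loop above; when the two charsets differ, the name embedded in `string` is encoded differently from `$out['name']` in the same record. Building it from the converted copy, `$out['string'] = format_email_recipient($out['email'], $out['name']);`, keeps the record self-consistent. Whether callers expect `string` in the message charset or in the output charset (which the removed line used) is not visible here, so confirm against the consumers of `string` before changing it. Please also document the charset contract on the function, e.g. `// Returns the identity with all string fields converted to $message_charset (global).`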
@@ -179,7 +185,11 @@ // address with name (handle name) } else if (preg_match('/<*'.$email_regexp.'>*$/', $item, $matches)) { $address = $matches[0]; - $name = trim(str_replace($address, '', $item), '" '); + $name = trim(str_replace($address, '', $item)); + if ($name[0] == '"' && $name[count($name)-1] == '"') { + $name = substr($name, 1, -1); + } + $name = stripcslashes($name); $address = rcube_idn_to_ascii(trim($address, '<>')); $result[] = format_email_recipient($address, $name); $item = $address; @@ -200,6 +210,33 @@ } return implode(', ', $result); +} + + +function rcmail_generic_message_footer($isHtml) +{ + global $CONFIG; + + if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) { + $file = $CONFIG['generic_message_footer_html']; + $html_footer = true; + } + else { + $file = $CONFIG['generic_message_footer']; + $html_footer = false; + } + + if ($file && realpath($file)) { + // sanity check + if (!preg_match('/\.(php|ini|conf)$/', $file) && strpos($file, '/etc/') === false) { + $footer = file_get_contents($file); + if ($isHtml && !$html_footer) + $footer = '<pre>' . $footer . '</pre>'; + return $footer; + } + } + + return false; } @@ -424,6 +461,7 @@ if ($CONFIG['spellcheck_before_send'] && $CONFIG['enable_spellcheck'] && empty($COMPOSE['spell_checked']) && !empty($message_body) ) { + $message_body = str_replace("\r\n", "\n", $message_body); $spellchecker = new rcube_spellchecker(get_input_value('_lang', RCUBE_INPUT_GPC)); $spell_result = $spellchecker->check($message_body, $isHtml); 
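Review bot: `$name[count($name)-1]` in the new quoted-name check does not index the last character: `count()` on a string returned 1 on the PHP versions this targets (newer versions warn or throw), so the expression is just `$name[0]` and the test passes for any name that merely starts with `"`, after which `substr($name, 1, -1)` also strips a trailing character that was not a quote. A `$name` that is empty after `trim()` additionally triggers an undefined-offset notice on `$name[0]`. Use the string length instead: `if (strlen($name) > 1 && $name[0] == '"' && substr($name, -1) == '"') {`. Separately, `stripcslashes()` interprets C escapes such as `\n` and `\t` rather than only dropping the backslash of an RFC 2822 quoted-pair; if that is not intended, `stripslashes()` is the closer match, and I cannot tell from this hunk whether a newline produced here is re-escaped before the name reaches a header. The enclosing address-parsing loop starts before this hunk.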
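Review bot: The sanity check in rcmail_generic_message_footer is a denylist applied to the unresolved `$file` rather than to what `realpath()` returns, so it tests the configured string and not the file that is actually opened: a symlink or `..`-free path that resolves under `/etc/`, or any sensitive file that neither ends in `.php|ini|conf` nor lives in `/etc/` (`/proc/self/environ`, `.htpasswd`, private keys), passes and is read. If this value can be influenced by anyone other than the installer — the commit subject suggests that is the concern — the robust form is an allowlist: resolve first, require the resolved path to sit under an admin-chosen base directory, and read the resolved path, e.g. `$real = realpath($file); if ($real && strpos($real, $base_dir . '/') === 0) { $footer = file_get_contents($real); }`, where `$base_dir` is whatever directory the project already treats as trusted for config files. Two smaller points: `file_get_contents()` returning `false` is not checked, so for an HTML message with a plain-text footer an unreadable file still yields a truthy `'<pre></pre>'` that gets appended; and the plain-text footer is wrapped in `<pre>` without `htmlspecialchars()`, so any `<` or `&` in the file is rendered as markup instead of literally.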
@@ -438,19 +476,10 @@ } // generic footer for all messages - if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) { - $footer = file_get_contents(realpath($CONFIG['generic_message_footer_html'])); - $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset); - } - else if (!empty($CONFIG['generic_message_footer'])) { - $footer = file_get_contents(realpath($CONFIG['generic_message_footer'])); + if ($footer = rcmail_generic_message_footer($isHtml)) { $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset); - if ($isHtml) - $footer = '<pre>'.$footer.'</pre>'; - } - - if ($footer) $message_body .= "\r\n" . $footer; + } } if ($isHtml) { @@ -497,14 +526,9 @@ $h2t = new html2text($plugin['body'], false, true, 0); $plainTextPart = rc_wordwrap($h2t->get_text(), $LINE_LENGTH, "\r\n"); $plainTextPart = wordwrap($plainTextPart, 998, "\r\n", true); - if (!$plainTextPart) { - // empty message body breaks attachment handling in drafts - $plainTextPart = "\r\n"; - } - else { - // make sure all line endings are CRLF (#1486712) - $plainTextPart = preg_replace('/\r?\n/', "\r\n", $plainTextPart); - } + + // make sure all line endings are CRLF (#1486712) + $plainTextPart = preg_replace('/\r?\n/', "\r\n", $plainTextPart); $plugin = $RCMAIL->plugins->exec_hook('message_outgoing_body', array('body' => $plainTextPart, 'type' => 'alternative', 'message' => $MAIL_MIME)); @@ -528,10 +552,6 @@ $message_body = rc_wordwrap($message_body, $LINE_LENGTH, "\r\n"); $message_body = wordwrap($message_body, 998, "\r\n", true); - if (!strlen($message_body)) { - // empty message body breaks attachment handling in drafts - $message_body = "\r\n"; - } $MAIL_MIME->setTXTBody($message_body, false, true); } 
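Review bot: The commit message only describes the footer path check, yet this hunk (and the `setTXTBody` hunk below it) silently drops the `"\r\n"` placeholder that the removed comment says was required because an empty body breaks attachment handling in drafts, and no replacement is visible in the diff. If that issue was fixed elsewhere, a short comment here such as `// empty body is now tolerated by the draft/attachment code (see <ref>)` or a sentence in the commit message would save the next reader from reintroducing the workaround; if it was not, an empty `$plainTextPart` now reaches `message_outgoing_body` and `setTXTBody` again. The enclosing `if ($isHtml)` branch starts before this hunk.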
@@ -694,17 +714,19 @@ unlink($mailbody_file); $mailbody_file = null; } + } - // raise error if saving failed - if (!$saved) { - raise_error(array('code' => 800, 'type' => 'imap', - 'file' => __FILE__, 'line' => __LINE__, - 'message' => "Could not save message in $store_target"), TRUE, FALSE); + // raise error if saving failed + if (!$saved) { + raise_error(array('code' => 800, 'type' => 'imap', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "Could not save message in $store_target"), TRUE, FALSE); - if ($savedraft) { - $OUTPUT->show_message('errorsaving', 'error'); - $OUTPUT->send('iframe'); - } + if ($savedraft) { + $OUTPUT->show_message('errorsaving', 'error'); + // start the auto-save timer again + $OUTPUT->command('auto_save_start'); + $OUTPUT->send('iframe'); } } -- Gitblit v1.9.1
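Review bot: The added `}` closes the enclosing block before the `if (!$saved)` check, so the error is now raised whenever `$saved` is falsy, including paths on which that enclosing block (its opening is outside this hunk) was never entered and `$saved` may never have been assigned; if the block is the "store a copy" case, a plain send with no store target would now log `Could not save message in ` with an empty `$store_target`. Please confirm `$saved` is initialised to true on that path, or guard the check with the same condition, e.g. `if ($store_target && !$saved) {`. The new `auto_save_start` command on the draft-error path is fine but deserves a reference to the client-side handler it expects, e.g. `// re-arm the compose auto-save timer; see app.js auto_save_start`.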