From b1d13e8bd5c550fff9f3e0768fa33a2b3b3668f3 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Thu, 12 Mar 2015 11:27:14 -0400
Subject: [PATCH] Fix redirct URL for attachments loaded in an iframe (#1490191)
---
program/steps/mail/get.inc | 47 +++++++++++++++++++++++++++--------------------
1 files changed, 27 insertions(+), 20 deletions(-)
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 9484656..831026e 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -22,7 +22,9 @@
// show loading page
if (!empty($_GET['_preload'])) {
- $url = preg_replace('/([&?]+)_preload=/', '\\1_mimewarning=1&_embed=', $_SERVER['REQUEST_URI']);
+ $_get = $_GET + array('_mimewarning' => 1, '_embed' => 1);
+ unset($_get['_preload']);
+ $url = $RCMAIL->url($_get);
$message = $RCMAIL->gettext('loadingdata');
header('Content-Type: text/html; charset=' . RCUBE_CHARSET);
@@ -85,7 +87,7 @@
// render thumbnail image if not done yet
if (!is_file($cache_file)) {
if ($fp = fopen(($orig_name = $cache_basename . '.orig.' . $ext), 'w')) {
- $MESSAGE->get_part_content($part->mime_id, $fp);
+ $MESSAGE->get_part_body($part->mime_id, false, 0, $fp);
fclose($fp);
$image = new rcube_image($orig_name);
@@ -138,7 +140,7 @@
$file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION));
// 1. compare filename suffix with expected suffix derived from mimetype
- $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']);
+ $valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']);
// 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension
if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) {
@@ -150,21 +152,21 @@
// accept text/plain with any extension
if ($real_mimetype == 'text/plain' && $real_mimetype == $mimetype) {
- $file_extension = 'txt';
- }
-
- // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here
- if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) {
- $real_mimetype = $mimetype;
- }
-
- // get valid file extensions
- $extensions = rcube_mime::get_mime_extensions($real_mimetype);
- $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions));
-
- // ignore filename extension if mimeclass matches (#1489029)
- if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) {
$valid_extension = true;
+ }
+ // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here
+ else if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) {
+ $real_mimetype = $mimetype;
+ $valid_extension = true;
+ }
+ // ignore filename extension if mimeclass matches (#1489029)
+ else if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) {
+ $valid_extension = true;
+ }
+ else {
+ // get valid file extensions
+ $extensions = rcube_mime::get_mime_extensions($real_mimetype);
+ $valid_extension = !$file_extension || empty($extensions) || in_array($file_extension, (array)$extensions);
}
// fix mimetype for images wrongly declared as octet-stream
@@ -172,7 +174,10 @@
$mimetype = $real_mimetype;
}
- $valid = ($real_mimetype == $mimetype && $valid_extension);
+ // "fix" real mimetype the same way the original is before comparison
+ $real_mimetype = rcmail_fix_mimetype($real_mimetype);
+
+ $valid = $real_mimetype == $mimetype && $valid_extension;
}
else {
$real_mimetype = $mimetype;
@@ -183,10 +188,12 @@
// send blocked.gif for expected images
if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) {
// Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed.
+ $content = $RCMAIL->get_resource_content('blocked.gif');
$OUTPUT->nocacheing_headers();
header("Content-Type: image/gif");
header("Content-Transfer-Encoding: binary");
- readfile(INSTALL_PATH . 'program/resources/blocked.gif');
+ header("Content-Length: " . strlen($content));
+ echo $content;
}
else { // html warning with a button to load the file anyway
$OUTPUT = new rcmail_html_page();
@@ -242,7 +249,7 @@
if (!rcube_utils::mem_check($part->size * 10)) {
$out = '<body>' . $RCMAIL->gettext('messagetoobig'). ' '
. html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part='.$part->mime_id
- .'&_mbox='. urlencode($RCMAIL->storage->get_folder()), $RCMAIL->gettext('download')) . '</body></html>';
+ .'&_mbox='. urlencode($MESSAGE->folder), $RCMAIL->gettext('download')) . '</body></html>';
}
else {
// get part body if not available
--
Gitblit v1.9.1