From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/steps/mail/compose.inc | 160 ++++++++++++-----------------------------------------
1 files changed, 37 insertions(+), 123 deletions(-)
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 0b047d4..bbb29d0 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -88,7 +88,7 @@ 'selectimportfile', 'messageissent', 'loadingdata', 'nopubkeyfor', 'nopubkeyforsender', 'encryptnoattachments','encryptedsendialog','searchpubkeyservers', 'importpubkeys', 'encryptpubkeysfound', 'search', 'close', 'import', 'keyid', 'keylength', 'keyexpired', - 'keyrevoked', 'keyimportsuccess', 'keyservererror'); + 'keyrevoked', 'keyimportsuccess', 'keyservererror', 'attaching'); $OUTPUT->set_pagetitle($RCMAIL->gettext('compose'));
@@ -385,6 +385,7 @@ 'group' => $COMPOSE_ID, 'name' => $filename, 'mimetype' => rcube_mime::file_content_type($attach, $filename), + 'size' => filesize($attach), 'path' => $attach, ); }
@@ -771,11 +772,9 @@ if (!empty($MESSAGE->parts)) { // collect IDs of message/rfc822 parts - if ($COMPOSE['mode'] == RCUBE_COMPOSE_EDIT || $COMPOSE['mode'] == RCUBE_COMPOSE_DRAFT) { - foreach ($MESSAGE->attachments as $part) { - if ($part->mimetype == 'message/rfc822') { - $messages[] = $part->mime_id; - } + foreach ($MESSAGE->mime_parts as $part) { + if ($part->mimetype == 'message/rfc822') { + $messages[] = $part->mime_id; } }
@@ -797,7 +796,7 @@ continue; } - // skip all content parts inside the message/rfc822 part in DRAFT/EDIT mode + // skip all content parts inside the message/rfc822 part foreach ($messages as $mimeid) { if (strpos($part->mime_id, $mimeid . '.') === 0) { continue 2; 
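Review bot: `'size' => filesize($attach)` in the -385 hunk stores the raw return value, which is `false` (plus a warning) when the path cannot be stat'ed, and that value later reaches `$RCMAIL->show_bytes($a_prop['size'])` in the -1648 hunk. A guard such as `'size' => is_readable($attach) ? filesize($attach) : 0,` keeps the key numeric for the rendering code. The array is built inside a block that starts before the hunk, so whether `$attach` was already verified to exist is not visible here.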
@@ -1252,6 +1251,10 @@ } foreach ((array)$message->mime_parts as $pid => $part) { + if ($part->mimetype == 'message/rfc822') { + $messages[] = $part->mime_id; + } + if ($part->disposition == 'attachment' || ($part->disposition == 'inline' && $bodyIsHtml) || $part->filename) { // skip parts that aren't valid attachments if ($part->ctype_primary == 'multipart' || $part->mimetype == 'application/ms-tnef') { @@ -1273,31 +1276,16 @@ continue; } - // skip message/rfc822 attachments on forwards (#1489214) - // Thunderbird when forwarding in inline mode displays such attachments - // and skips any attachments from inside of such part, this however - // skipped e.g. images used in HTML body or other attachments. So, - // better to skip .eml attachments but not their content (included files). - if ($part->mimetype == 'message/rfc822') { - if ($COMPOSE['mode'] == RCUBE_COMPOSE_FORWARD) { - continue; - } - $messages[] = $part->mime_id; - } - else if ($COMPOSE['mode'] != RCUBE_COMPOSE_FORWARD) { - // skip attachments included in message/rfc822 attachment (#1486487) - foreach ($messages as $mimeid) { - if (strpos($part->mime_id, $mimeid . '.') === 0) { - continue 2; - } + // skip attachments included in message/rfc822 attachment (#1486487, #1490607) + foreach ($messages as $mimeid) { + if (strpos($part->mime_id, $mimeid . '.') === 0) { + continue 2; } } if (($attachment = $loaded_attachments[rcmail_attachment_name($part) . $part->mimetype]) - || ($attachment = rcmail_save_attachment($message, $pid)) + || ($attachment = rcmail_save_attachment($message, $pid, $COMPOSE['id'])) ) { - $COMPOSE['attachments'][$attachment['id']] = $attachment; - if ($bodyIsHtml && ($part->content_id || $part->content_location)) { $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s', $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']); 
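Review bot: The message/rfc822 id collection added at the top of the loop in the -1252 hunk feeds the `continue 2` prefix test further down in the same iteration, so children of an rfc822 part are only skipped if `$message->mime_parts` yields the parent before its sub-parts; the -771 hunk avoids that assumption by collecting ids in a separate pass, and the same interleaved form recurs in the -1321 hunk. If the part parser guarantees that order, a comment at the collection point would make the dependency explicit, e.g. `// mime_parts lists a part before its sub-parts, so content of this rfc822 part is skipped below`. `$messages` is appended to here but initialised outside the hunk; the -1321 hunk adds an explicit `$messages = array();`, and it is worth confirming this function does the same.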
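Review bot: The -1273 hunk removes the forward-mode exception recorded against #1489214 (skip .eml attachments when forwarding, keep their content) together with its explanatory comment, and the new code does the opposite in forward mode: the rfc822 part is kept and its content is skipped. If that reversal is intended, the new comment should say so rather than only citing the other two tickets, e.g. `// keep message/rfc822 attachments in every mode (supersedes #1489214); skip the parts inside them (#1486487, #1490607)`. The direct `$COMPOSE['attachments'][$attachment['id']] = $attachment;` store is also dropped in favour of passing `$COMPOSE['id']` to rcmail_save_attachment, whose new definition is not in this patch (the old one is deleted in the -1451 hunk), so the hunk relies on the replacement registering the attachment itself. The enclosing function starts and ends outside the hunk.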
@@ -1321,16 +1309,27 @@ { global $RCMAIL, $COMPOSE; - $cid_map = array(); + $cid_map = array(); + $messages = array(); if ($message->pgp_mime) { return $cid_map; } foreach ((array)$message->mime_parts as $pid => $part) { + if ($part->mimetype == 'message/rfc822') { + $messages[] = $part->mime_id; + } + if (($part->content_id || $part->content_location) && $part->filename) { - if ($attachment = rcmail_save_attachment($message, $pid)) { - $COMPOSE['attachments'][$attachment['id']] = $attachment; + // skip attachments included in message/rfc822 attachment (#1486487, #1490607) + foreach ($messages as $mimeid) { + if (strpos($part->mime_id, $mimeid . '.') === 0) { + continue 2; + } + } + + if ($attachment = rcmail_save_attachment($message, $pid, $COMPOSE['id'])) { $url = sprintf('%s&_id=%s&_action=display-attachment&_file=rcmfile%s', $RCMAIL->comm_path, $COMPOSE['id'], $attachment['id']); 
@@ -1398,46 +1397,11 @@ $names[$name] = 1; $name .= '.eml'; - $data = $path = null; - if (!empty($loaded_attachments[$name . 'message/rfc822'])) { continue; } - // don't load too big attachments into memory - if (!rcube_utils::mem_check($message->size)) { - $temp_dir = unslashify($RCMAIL->config->get('temp_dir')); - $path = tempnam($temp_dir, 'rcmAttmnt'); - if ($fp = fopen($path, 'w')) { - $storage->get_raw_body($message->uid, $fp); - fclose($fp); - } - else { - return false; - } - } - else { - $data = $storage->get_raw_body($message->uid); - } - - $attachment = array( - 'group' => $COMPOSE['id'], - 'name' => $name, - 'mimetype' => 'message/rfc822', - 'data' => $data, - 'path' => $path, - 'size' => $path ? filesize($path) : strlen($data), - ); - - $attachment = $RCMAIL->plugins->exec_hook('attachment_save', $attachment); - - if ($attachment['status']) { - unset($attachment['data'], $attachment['status'], $attachment['content_id'], $attachment['abort']); - $COMPOSE['attachments'][$attachment['id']] = $attachment; - } - else if ($path) { - @unlink($path); - } + rcmail_save_attachment($message, null, $COMPOSE['id'], array('filename' => $name)); if ($message->headers->messageID) { $refs[] = $message->headers->messageID; 
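Review bot: The return value of `rcmail_save_attachment($message, null, $COMPOSE['id'], array('filename' => $name));` in the -1398 hunk is discarded, whereas the inline code it replaces returned `false` from the enclosing function when the temporary file could not be opened; a failed save now falls through and the message id is still appended to `$refs` on the next lines. If the new function keeps the false-on-failure contract of the deleted one, the call should be `if (!rcmail_save_attachment($message, null, $COMPOSE['id'], array('filename' => $name))) { return false; }`. The new function's definition is not part of this patch, so its return contract is inferred from the version removed in the -1451 hunk; the enclosing loop starts before the hunk.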
@@ -1451,59 +1415,6 @@ if (!empty($refs)) { $COMPOSE['references'] = implode(' ', $refs); } -} - - -function rcmail_save_attachment(&$message, $pid) -{ - global $COMPOSE; - - $rcmail = rcmail::get_instance(); - $part = $message->mime_parts[$pid]; - $data = $path = null; - - // don't load too big attachments into memory - if (!rcube_utils::mem_check($part->size)) { - $temp_dir = unslashify($rcmail->config->get('temp_dir')); - $path = tempnam($temp_dir, 'rcmAttmnt'); - - if ($fp = fopen($path, 'w')) { - $message->get_part_body($pid, false, 0, $fp); - fclose($fp); - } - else { - return false; - } - } - else { - $data = $message->get_part_body($pid); - } - - $mimetype = $part->ctype_primary . '/' . $part->ctype_secondary; - $filename = rcmail_attachment_name($part); - - $attachment = array( - 'group' => $COMPOSE['id'], - 'name' => $filename, - 'mimetype' => $mimetype, - 'content_id' => $part->content_id, - 'data' => $data, - 'path' => $path, - 'size' => $path ? filesize($path) : strlen($data), - 'charset' => $part->charset, - ); - - $attachment = $rcmail->plugins->exec_hook('attachment_save', $attachment); - - if ($attachment['status']) { - unset($attachment['data'], $attachment['status'], $attachment['content_id'], $attachment['abort']); - return $attachment; - } - else if ($path) { - @unlink($path); - } - - return false; } function rcmail_save_image($path, $mimetype = '', $data = null)
@@ -1648,6 +1559,9 @@ continue; } + $content = sprintf('%s <span class="attachment-size">(%s)</span>', + rcube::Q($a_prop['name']), $RCMAIL->show_bytes($a_prop['size'])); + $out .= html::tag('li', array( 'id' => 'rcmfile'.$id, 'class' => rcube_utils::file2class($a_prop['mimetype'], $a_prop['name']),
@@ -1662,7 +1576,7 @@ 'aria-label' => $RCMAIL->gettext('delete') . ' ' . $a_prop['name'], ), $button - ) . rcube::Q($a_prop['name']) + ) . $content ); $jslist['rcmfile'.$id] = array( 
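Review bot: `$a_prop['size']` is read unconditionally in the -1648 hunk, but an attachment stored before this change (an open compose session) or one added through the `attachment_save` hook without that key would raise an undefined-index notice and hand `null` to show_bytes; a guard keeps the list rendering in those cases, e.g. `$size = isset($a_prop['size']) ? sprintf(' <span class="attachment-size">(%s)</span>', $RCMAIL->show_bytes($a_prop['size'])) : '';` followed by `$content = rcube::Q($a_prop['name']) . $size;`. The name is passed through rcube::Q before being concatenated into the list item, which is the right place to escape it; the show_bytes output is concatenated unescaped, and whether it only ever yields a number and a unit label is not visible here, so that is worth confirming. The enclosing function starts and ends outside the hunk.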
@@ -1913,8 +1827,8 @@ $form_start .= $hiddenfields->show(); } - $form_end = ($MESSAGE_FORM && !strlen($attrib['form'])) ? '</form>' : ''; - $form_name = !empty($attrib['form']) ? $attrib['form'] : 'form'; + $form_end = ($MESSAGE_FORM && !strlen($attrib['form'])) ? '</form>' : ''; + $form_name = $attrib['form'] ?: 'form'; if (!$MESSAGE_FORM) $RCMAIL->output->add_gui_object('messageform', $form_name);
@@ -1951,7 +1865,7 @@ rcube_utils::html_identifier($id,true), $class_name, $source['id'], - $js_id, (!empty($source['name']) ? $source['name'] : $id)); + $js_id, ($source['name'] ?: $id)); } $OUTPUT->add_gui_object('addressbookslist', $attrib['id']);
-- Gitblit v1.9.1
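Review bot: `($source['name'] ?: $id)` in the -1951 hunk is not a drop-in for the `!empty($source['name']) ? $source['name'] : $id` it replaces: `?:` evaluates its left operand normally, so a source entry without a `name` key now emits an undefined-index notice where `!empty` stayed silent. The same substitution in the -1913 hunk is harmless because the preceding `strlen($attrib['form'])` already dereferences the key. If a missing `name` is possible for an addressbook source, keep the `!empty` form or write `isset($source['name']) && $source['name'] ? $source['name'] : $id` (the null-coalescing `??` operator would express this directly but requires PHP 7). Both enclosing functions start and end outside their hunks.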