From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/steps/mail/func.inc | 147 +++++++++++++++++++++++++++++++++++++++++--------
1 files changed, 123 insertions(+), 24 deletions(-)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index d949cf6..963e696 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -78,11 +78,12 @@
// set current mailbox and some other vars in client environment
$OUTPUT->set_env('mailbox', $mbox_name);
$OUTPUT->set_env('pagesize', $RCMAIL->storage->get_pagesize());
+ $OUTPUT->set_env('current_page', max(1, $_SESSION['page']));
$OUTPUT->set_env('delimiter', $delimiter);
$OUTPUT->set_env('threading', $threading);
$OUTPUT->set_env('threads', $threading || $RCMAIL->storage->get_capability('THREAD'));
$OUTPUT->set_env('reply_all_mode', (int) $RCMAIL->config->get('reply_all_mode'));
- $OUTPUT->set_env('preview_pane_mark_read', $RCMAIL->config->get('preview_pane_mark_read', 0));
+ $OUTPUT->set_env('preview_pane_mark_read', (int) $RCMAIL->config->get('preview_pane_mark_read'));
if ($RCMAIL->storage->get_capability('QUOTA')) {
$OUTPUT->set_env('quota', true);
@@ -163,9 +164,11 @@
$mbox = strlen($_SESSION['mbox']) ? $_SESSION['mbox'] : 'INBOX';
}
- if ($RCMAIL->action == 'list') {
+ // we handle 'page' argument on 'list' and 'getunread' to prevent from
+ // race condition and unintentional page overwrite in session
+ if ($RCMAIL->action == 'list' || $RCMAIL->action == 'getunread') {
if (!($page = intval($_GET['_page']))) {
- $page = $_SESSION['page'] ? $_SESSION['page'] : 1;
+ $page = $_SESSION['page'] ?: 1;
}
$_SESSION['page'] = $page;
@@ -176,7 +179,7 @@
// set default sort col/order to session
if (!isset($_SESSION['sort_col'])) {
- $_SESSION['sort_col'] = $message_sort_col ? $message_sort_col : '';
+ $_SESSION['sort_col'] = $message_sort_col ?: '';
}
if (!isset($_SESSION['sort_order'])) {
$_SESSION['sort_order'] = strtoupper($message_sort_order) == 'ASC' ? 'ASC' : 'DESC';
@@ -951,6 +954,13 @@
break;
case 'style':
+ // Crazy big styles may freeze the browser (#1490539)
+ // remove content with more than 5k lines
+ if (substr_count($content, "\n") > 5000) {
+ $out = '';
+ break;
+ }
+
// decode all escaped entities and reduce to ascii strings
$stripped = preg_replace('/[^a-zA-Z\(:;]/', '', rcube_utils::xss_entity_decode($content));
@@ -979,10 +989,12 @@
static $sa_attrib;
// keep header table attrib
- if (is_array($attrib) && !$sa_attrib && !$attrib['valueof'])
+ if (is_array($attrib) && !$sa_attrib && !$attrib['valueof']) {
$sa_attrib = $attrib;
- else if (!is_array($attrib) && is_array($sa_attrib))
+ }
+ else if (!is_array($attrib) && is_array($sa_attrib)) {
$attrib = $sa_attrib;
+ }
if (!isset($MESSAGE)) {
return false;
@@ -1030,10 +1042,12 @@
}
else if ($hkey == 'priority') {
if ($value) {
- $header_value = html::span('prio' . $value, rcmail_localized_priority($value));
+ $header_value = html::span('prio' . $value, rcube::Q(rcmail_localized_priority($value)));
+ $ishtml = true;
}
- else
+ else {
continue;
+ }
}
else if ($hkey == 'replyto') {
if ($headers['replyto'] != $headers['from']) {
@@ -1041,8 +1055,9 @@
$attrib['addicon'], $headers['charset'], $header_title);
$ishtml = true;
}
- else
+ else {
continue;
+ }
}
else if ($hkey == 'mail-reply-to') {
if ($headers['mail-replyto'] != $headers['reply-to']
@@ -1052,8 +1067,9 @@
$attrib['addicon'], $headers['charset'], $header_title);
$ishtml = true;
}
- else
+ else {
continue;
+ }
}
else if ($hkey == 'sender') {
if ($headers['sender'] != $headers['from']) {
@@ -1061,8 +1077,9 @@
$attrib['addicon'], $headers['charset'], $header_title);
$ishtml = true;
}
- else
+ else {
continue;
+ }
}
else if ($hkey == 'mail-followup-to') {
$header_value = rcmail_address_string($value, $attrib['max'], true,
@@ -1099,14 +1116,15 @@
// single header value is requested
if (!empty($attrib['valueof'])) {
- return rcube::Q($plugin['output'][$attrib['valueof']]['value'], ($attrib['valueof'] == 'subject' ? 'strict' : 'show'));
+ $row = $plugin['output'][$attrib['valueof']];
+ return $row['html'] ? $row['value'] : rcube::Q($row['value']);
}
// compose html table
$table = new html_table(array('cols' => 2));
foreach ($plugin['output'] as $hkey => $row) {
- $val = $row['html'] ? $row['value'] : rcube::Q($row['value'], ($hkey == 'subject' ? 'strict' : 'show'));
+ $val = $row['html'] ? $row['value'] : rcube::Q($row['value']);
$table->add(array('class' => 'header-title'), rcube::Q($row['title']));
$table->add(array('class' => 'header '.$hkey), $val);
@@ -1222,15 +1240,6 @@
// fetch part body
$body = $MESSAGE->get_part_body($part->mime_id, true);
-
- // extract headers from message/rfc822 parts
- if ($part->mimetype == 'message/rfc822') {
- $msgpart = rcube_mime::parse_message($body);
- if (!empty($msgpart->headers)) {
- $part = $msgpart;
- $out .= html::div('message-partheaders', rcmail_message_headers(sizeof($header_attrib) ? $header_attrib : null, $part->headers));
- }
- }
// message is cached but not exists (#1485443), or other error
if ($body === false) {
@@ -1624,7 +1633,7 @@
$content = rcube::Q($name ? sprintf('%s <%s>', $name, $mailto) : $mailto);
}
else {
- $content = rcube::Q($name ? $name : $mailto);
+ $content = rcube::Q($name ?: $mailto);
$attrs['title'] = $mailto;
}
@@ -1632,7 +1641,7 @@
}
else {
$address = html::span(array('title' => $mailto, 'class' => "rcmContactAddress"),
- rcube::Q($name ? $name : $mailto));
+ rcube::Q($name ?: $mailto));
}
if ($addicon && $_SESSION['writeable_abook']) {
@@ -2199,3 +2208,93 @@
return $jsresult;
}
+
+function rcmail_save_attachment($message, $pid, $compose_id, $params = array())
+{
+ global $COMPOSE;
+
+ $rcmail = rcmail::get_instance();
+ $storage = $rcmail->get_storage();
+
+ if ($pid) {
+ // attachment requested
+ $part = $message->mime_parts[$pid];
+ $size = $part->size;
+ $mimetype = $part->ctype_primary . '/' . $part->ctype_secondary;
+ $filename = $params['filename'] ?: rcmail_attachment_name($part);
+ }
+ else {
+ // the whole message requested
+ $size = $message->size;
+ $mimetype = 'message/rfc822';
+ $filename = $params['filename'] ?: 'message_rfc822.eml';
+ }
+
+ // don't load too big attachments into memory
+ if (!rcube_utils::mem_check($size)) {
+ $temp_dir = unslashify($rcmail->config->get('temp_dir'));
+ $path = tempnam($temp_dir, 'rcmAttmnt');
+
+ if ($fp = fopen($path, 'w')) {
+ if ($pid) {
+ // part body
+ $message->get_part_body($pid, false, 0, $fp);
+ }
+ else {
+ // complete message
+ $storage->get_raw_body($message->uid, $fp);
+ }
+
+ fclose($fp);
+ }
+ else {
+ return false;
+ }
+ }
+ else if ($pid) {
+ // part body
+ $data = $message->get_part_body($pid);
+ }
+ else {
+ // complete message
+ $data = $storage->get_raw_body($message->uid);
+ }
+
+ $attachment = array(
+ 'group' => $compose_id,
+ 'name' => $filename,
+ 'mimetype' => $mimetype,
+ 'content_id' => $part ? $part->content_id : null,
+ 'data' => $data,
+ 'path' => $path,
+ 'size' => $path ? filesize($path) : strlen($data),
+ 'charset' => $part ? $part->charset : null,
+ );
+
+ $attachment = $rcmail->plugins->exec_hook('attachment_save', $attachment);
+
+ if ($attachment['status']) {
+ unset($attachment['data'], $attachment['status'], $attachment['content_id'], $attachment['abort']);
+
+ // rcube_session::append() replaces current session data with the old values
+ // (in rcube_session::reload()). This is a problem in 'compose' action, because before
+ // the first append() use we set some important data in the session.
+ // It also overwrites attachments list. Fixing reload() is not so simple if possible
+ // as we don't really know what has been added and what removed in meantime.
+ // So, for now we'll do not use append() on 'compose' action (#1490608).
+
+ if ($rcmail->action == 'compose') {
+ $COMPOSE['attachments'][$attachment['id']] = $attachment;
+ }
+ else {
+ $rcmail->session->append('compose_data_' . $compose_id . '.attachments', $attachment['id'], $attachment);
+ }
+
+ return $attachment;
+ }
+ else if ($path) {
+ @unlink($path);
+ }
+
+ return false;
+}
--
Gitblit v1.9.1