From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
program/steps/mail/sendmail.inc | 106 +++++++++++++++++++++++++++++++---------------------
1 files changed, 63 insertions(+), 43 deletions(-)
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index 7b74e88..dbd6f98 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -128,52 +128,25 @@ // if configured, the Received headers goes to top, for good measure if ($RCMAIL->config->get('http_received_header')) { - $nldlm = "\r\n\t"; - $encrypt = $RCMAIL->config->get('http_received_header_encrypt'); - - // FROM/VIA + $nldlm = "\r\n\t"; $http_header = 'from '; + // FROM/VIA if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { - $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2); - $hostname = gethostbyaddr($hosts[0]); - - if ($encrypt) { - $http_header .= rcmail_encrypt_header($hostname); - if ($host != $hostname) - $http_header .= ' ('. rcmail_encrypt_header($host) . ')'; - } - else { - $http_header .= (($host != $hostname) ? $hostname : '[' . $host . ']'); - if ($host != $hostname) - $http_header .= ' (['. $host .'])'; - } - $http_header .= $nldlm . ' via '; + $hosts = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2); + $http_header .= rcmail_received_host($hosts[0]) . $nldlm . ' via '; } - $host = $_SERVER['REMOTE_ADDR']; - $hostname = gethostbyaddr($host); - - if ($encrypt) { - $http_header .= rcmail_encrypt_header($hostname); - if ($host != $hostname) - $http_header .= ' ('. rcmail_encrypt_header($host) . ')'; - } - else { - $http_header .= (($host != $hostname) ? $hostname : '[' . $host . ']'); - if ($host != $hostname) - $http_header .= ' (['. $host .'])'; - } + $http_header .= rcmail_received_host($_SERVER['REMOTE_ADDR']); // BY $http_header .= $nldlm . 'by ' . $_SERVER['HTTP_HOST']; // WITH - $http_header .= $nldlm . 'with HTTP (' . $_SERVER['SERVER_PROTOCOL'] . - ' '.$_SERVER['REQUEST_METHOD'] . '); ' . date('r'); - $http_header = wordwrap($http_header, 69, $nldlm); + $http_header .= $nldlm . 'with HTTP (' . $_SERVER['SERVER_PROTOCOL'] + . ' ' . $_SERVER['REQUEST_METHOD'] . '); ' . date('r'); - $headers['Received'] = $http_header; + $headers['Received'] = wordwrap($http_header, 69, $nldlm); } $headers['Date'] = $RCMAIL->user_date(); 
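Review bot: The first entry of `X-Forwarded-For` is supplied by the client and is handed to `rcmail_received_host($hosts[0])` without trimming or checking that it is an IP address. In the helper added in the last hunk, `gethostbyaddr()` returns false for a malformed address, so with `http_received_header_encrypt` off the result is `[]` followed by the raw header value in parentheses, which puts client-chosen text into the Received header that operators later rely on for abuse tracing. A check at the top of the helper would close this, for example `if (filter_var($host = trim($host), FILTER_VALIDATE_IP) === false) { return 'unknown'; }`. `$_SERVER['HTTP_HOST']` in the BY clause is request-supplied as well and may deserve the same treatment, depending on how the web server in front is configured.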
@@ -261,7 +234,7 @@ // sending aborted by plugin if ($data['abort'] && !$savedraft) { - $OUTPUT->show_message($data['message'] ? $data['message'] : 'sendingfailed'); + $OUTPUT->show_message($data['message'] ?: 'sendingfailed'); $OUTPUT->send('iframe'); } else { @@ -272,6 +245,19 @@ // fetch message body $message_body = rcube_utils::get_input_value('_message', rcube_utils::INPUT_POST, TRUE, $message_charset); + +if (isset($_POST['_pgpmime'])) { + $pgp_mime = rcube_utils::get_input_value('_pgpmime', rcube_utils::INPUT_POST); + $isHtml = false; + $message_body = ''; + + // clear unencrypted attachments + foreach ((array) $COMPOSE['attachments'] as $attach) { + $RCMAIL->plugins->exec_hook('attachment_delete', $attach); + } + + $COMPOSE['attachments'] = array(); +} if ($isHtml) { $bstyle = array(); @@ -469,7 +455,7 @@ } else { $ctype = str_replace('image/pjpeg', 'image/jpeg', $attachment['mimetype']); // #1484914 - $file = $attachment['data'] ? $attachment['data'] : $attachment['path']; + $file = $attachment['data'] ?: $attachment['path']; $folding = (int) $RCMAIL->config->get('mime_param_folding'); $MAIL_MIME->addAttachment($file, @@ -500,6 +486,23 @@ if ($flowed) { $text_charset .= ";\r\n format=flowed"; +} + +// compose PGP/Mime message +if ($pgp_mime) { + $MAIL_MIME->addAttachment(new Mail_mimePart('Version: 1', array( + 'content_type' => 'application/pgp-encrypted', + 'description' => 'PGP/MIME version identification', + ))); + + $MAIL_MIME->addAttachment(new Mail_mimePart($pgp_mime, array( + 'content_type' => 'application/octet-stream', + 'filename' => 'encrypted.asc', + 'disposition' => 'inline', + ))); + + $MAIL_MIME->setContentType('multipart/encrypted', array('protocol' => 'application/pgp-encrypted')); + $MAIL_MIME->setParam('preamble', 'This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)'); } // encoding settings for mail composing 
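Review bot: In the `@@ -272` hunk the block gated on `isset($_POST['_pgpmime'])` blanks `$message_body` and deletes every attachment even when the posted value is empty, while the PGP/MIME parts in the `@@ -500` hunk are added only `if ($pgp_mime)`; such a request would apparently be sent as an empty, unencrypted message with the attachments already gone. Both places should test the same condition, e.g. read the value first with `$pgp_mime = rcube_utils::get_input_value('_pgpmime', rcube_utils::INPUT_POST);` and open the block with `if ($pgp_mime) {`. That also gives `$pgp_mime` a defined value when the field is absent, which the later `if ($pgp_mime)` otherwise lacks unless it is initialised outside these hunks. Nothing visible here checks that the posted payload is actually ciphertext, so a comment such as `// payload is encrypted client-side; the server only wraps it` would tell the next reader where the trust boundary sits.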
@@ -670,7 +673,7 @@ array('msgid' => $message_id, 'uid' => $saved, 'folder' => $store_target)); // display success - $OUTPUT->show_message($plugin['message'] ? $plugin['message'] : 'messagesaved', 'confirmation'); + $OUTPUT->show_message($plugin['message'] ?: 'messagesaved', 'confirmation'); // update "_draft_saveid" and the "cmp_hash" to prevent "Unsaved changes" warning $COMPOSE['param']['draft_uid'] = $plugin['uid']; @@ -723,16 +726,33 @@ /****** message sending functions ********/ -// encrypt parts of the header -function rcmail_encrypt_header($what) +function rcmail_received_host($host) +{ + $hostname = gethostbyaddr($host); + + $result = rcmail_encrypt_host($hostname); + + if ($host != $hostname) { + $result .= ' (' . rcmail_encrypt_host($host) . ')'; + } + + return $result; +} + +// encrypt host IP or hostname for Received header +function rcmail_encrypt_host($host) { global $RCMAIL; - if (!$RCMAIL->config->get('http_received_header_encrypt')) { - return $what; + if ($RCMAIL->config->get('http_received_header_encrypt')) { + return $RCMAIL->encrypt($host); } - return $RCMAIL->encrypt($what); + if (!preg_match('/[^0-9:.]/', $host)) { + return "[$host]"; + } + + return $host; } // get identity record -- Gitblit v1.9.1
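Review bot: In `rcmail_encrypt_host()` (the `@@ -723` hunk) the test `!preg_match('/[^0-9:.]/', $host)` decides whether the value is an address literal, but IPv6 addresses contain the hex digits a-f, so an address like `2001:db8::1` (constructed example) is treated as a hostname and written to the Received header without brackets. `if (filter_var($host, FILTER_VALIDATE_IP)) { return "[$host]"; }` would classify both address families correctly and would not bracket strings that merely look numeric. `rcmail_received_host()` has no comment; a line such as `// build the "hostname (address)" token for the Received header` above it would match the comment on its sibling.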