From 46f7b7096450939fe03c95aa81ce06ae4bfca89d Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 28 Mar 2016 06:51:43 -0400
Subject: [PATCH] Enable reply/reply-all/forward buttons also in preview frame of message/rfc822
---
program/include/rcmail.php | 212 ++++++++++++++++++++++++++++++++---------------------
1 files changed, 128 insertions(+), 84 deletions(-)
diff --git a/program/include/rcmail.php b/program/include/rcmail.php
index 2327109..1ff42b4 100644
--- a/program/include/rcmail.php
+++ b/program/include/rcmail.php
@@ -1,6 +1,6 @@
<?php
-/*
+/**
+-----------------------------------------------------------------------+
| program/include/rcmail.php |
| |
@@ -60,16 +60,18 @@
const ERROR_INVALID_REQUEST = 1;
const ERROR_INVALID_HOST = 2;
const ERROR_COOKIES_DISABLED = 3;
+ const ERROR_RATE_LIMIT = 4;
/**
* This implements the 'singleton' design pattern
*
- * @param string Environment name to run (e.g. live, dev, test)
+ * @param integer $mode Ignored rcube::get_instance() argument
+ * @param string $env Environment name to run (e.g. live, dev, test)
*
* @return rcmail The one and only instance
*/
- static function get_instance($env = '')
+ static function get_instance($mode = 0, $env = '')
{
if (!self::$instance || !is_a(self::$instance, 'rcmail')) {
self::$instance = new rcmail($env);
@@ -92,6 +94,11 @@
if (($basename = basename($_SERVER['SCRIPT_FILENAME'])) && $basename != 'index.php') {
$this->filename = $basename;
}
+
+ // load all configured plugins
+ $plugins = (array) $this->config->get('plugins', array());
+ $required_plugins = array('filesystem_attachments', 'jqueryui');
+ $this->plugins->load_plugins($plugins, $required_plugins);
// start session
$this->session_init();
@@ -124,10 +131,8 @@
$GLOBALS['OUTPUT'] = $this->load_gui(!empty($_REQUEST['_framed']));
}
- // load plugins
+ // run init method on all the plugins
$this->plugins->init($this, $this->task);
- $this->plugins->load_plugins((array)$this->config->get('plugins', array()),
- array('filesystem_attachments', 'jqueryui'));
}
/**
@@ -174,9 +179,11 @@
// set localization
setlocale(LC_ALL, $lang . '.utf8', $lang . '.UTF-8', 'en_US.utf8', 'en_US.UTF-8');
- // workaround for http://bugs.php.net/bug.php?id=18556
- if (PHP_VERSION_ID < 50500 && in_array($lang, array('tr_TR', 'ku', 'az_AZ'))) {
- setlocale(LC_CTYPE, 'en_US.utf8', 'en_US.UTF-8');
+ // Workaround for http://bugs.php.net/bug.php?id=18556
+ // Also strtoupper/strtolower and other methods are locale-aware
+ // for these locales it is problematic (#1490519)
+ if (in_array($lang, array('tr_TR', 'ku', 'az_AZ'))) {
+ setlocale(LC_CTYPE, 'en_US.utf8', 'en_US.UTF-8', 'C');
}
}
@@ -487,7 +494,7 @@
*
* @return boolean True on success, False on failure
*/
- function login($username, $pass, $host = null, $cookiecheck = false)
+ function login($username, $password, $host = null, $cookiecheck = false)
{
$this->login_error = null;
@@ -500,10 +507,22 @@
return false;
}
+ $username_filter = $this->config->get('login_username_filter');
+ $username_maxlen = $this->config->get('login_username_maxlen', 1024);
+ $password_maxlen = $this->config->get('login_password_maxlen', 1024);
$default_host = $this->config->get('default_host');
$default_port = $this->config->get('default_port');
$username_domain = $this->config->get('username_domain');
$login_lc = $this->config->get('login_lc', 2);
+
+ // check input for security (#1490500)
+ if (($username_maxlen && strlen($username) > $username_maxlen)
+ || ($username_filter && !preg_match($username_filter, $username))
+ || ($password_maxlen && strlen($password) > $password_maxlen)
+ ) {
+ $this->login_error = self::ERROR_INVALID_REQUEST;
+ return false;
+ }
// host is validated in rcmail::autoselect_host(), so here
// we'll only handle unset host (if possible)
@@ -584,12 +603,24 @@
// user already registered -> overwrite username
if ($user = rcube_user::query($username, $host)) {
$username = $user->data['username'];
+
+ // Brute-force prevention
+ if ($user->is_locked()) {
+ $this->login_error = self::ERROR_RATE_LIMIT;
+ return false;
+ }
}
$storage = $this->get_storage();
// try to log in
- if (!$storage->connect($host, $username, $pass, $port, $ssl)) {
+ if (!$storage->connect($host, $username, $password, $port, $ssl)) {
+ if ($user) {
+ $user->failed_login();
+ }
+
+ // Wait a second to slow down brute-force attacks (#1490549)
+ sleep(1);
return false;
}
@@ -635,7 +666,7 @@
$_SESSION['storage_host'] = $host;
$_SESSION['storage_port'] = $port;
$_SESSION['storage_ssl'] = $ssl;
- $_SESSION['password'] = $this->encrypt($pass);
+ $_SESSION['password'] = $this->encrypt($password);
$_SESSION['login_time'] = time();
if (isset($_REQUEST['_timezone']) && $_REQUEST['_timezone'] != '_default_') {
@@ -804,11 +835,13 @@
// remove old token from the path
$base_path = rtrim($base_path, '/');
- $base_path = preg_replace('/\/[a-f0-9]{' . strlen($token) . '}$/', '', $base_path);
+ $base_path = preg_replace('/\/[a-zA-Z0-9]{' . strlen($token) . '}$/', '', $base_path);
// this need to be full url to make redirects work
$absolute = true;
}
+ else if ($secure && ($token = $this->get_request_token()))
+ $url .= $delm . '_token=' . urlencode($token);
if ($absolute || $full) {
// add base path to this Roundcube installation
@@ -1061,6 +1094,12 @@
// failed login
if ($failed_login) {
+ // don't fill the log with complete input, which could
+ // have been prepared by a hacker
+ if (strlen($user) > 256) {
+ $user = substr($user, 0, 256) . '...';
+ }
+
$message = sprintf('Failed login for %s from %s in session %s (error: %d)',
$user, rcube_utils::remote_ip(), session_id(), $error_code);
}
@@ -1584,7 +1623,7 @@
// skip folders in which it isn't possible to create subfolders
if (!empty($opts['skip_noinferiors'])) {
$attrs = $this->storage->folder_attributes($folder['id']);
- if ($attrs && in_array('\\Noinferiors', $attrs)) {
+ if ($attrs && in_array_nocase('\\Noinferiors', $attrs)) {
continue;
}
}
@@ -1791,8 +1830,9 @@
* @param string $fallback Fallback message label
* @param array $fallback_args Fallback message label arguments
* @param string $suffix Message label suffix
+ * @param array $params Additional parameters (type, prefix)
*/
- public function display_server_error($fallback = null, $fallback_args = null, $suffix = '')
+ public function display_server_error($fallback = null, $fallback_args = null, $suffix = '', $params = array())
{
$err_code = $this->storage->get_error_code();
$res_code = $this->storage->get_response_code();
@@ -1813,13 +1853,13 @@
$error = 'errornoperm';
}
// try to detect full mailbox problem and display appropriate message
- // there can be e.g. "Quota exceeded" or "quotum would exceed"
- else if (stripos($err_str, 'quot') !== false && stripos($err_str, 'exceed') !== false) {
+ // there can be e.g. "Quota exceeded" / "quotum would exceed" / "Over quota"
+ else if (stripos($err_str, 'quot') !== false && preg_match('/exceed|over/i', $err_str)) {
$error = 'erroroverquota';
}
else {
$error = 'servererrormsg';
- $args = array('msg' => $err_str);
+ $args = array('msg' => rcube::Q($err_str));
}
}
else if ($err_code < 0) {
@@ -1828,13 +1868,21 @@
else if ($fallback) {
$error = $fallback;
$args = $fallback_args;
+ $params['prefix'] = false;
}
if ($error) {
if ($suffix && $this->text_exists($error . $suffix)) {
$error .= $suffix;
}
- $this->output->show_message($error, 'error', $args);
+
+ $msg = $this->gettext(array('name' => $error, 'vars' => $args));
+
+ if ($params['prefix'] && $fallback) {
+ $msg = $this->gettext(array('name' => $fallback, 'vars' => $fallback_args)) . ' ' . $msg;
+ }
+
+ $this->output->show_message($msg, $params['type'] ?: 'error');
}
}
@@ -1845,7 +1893,24 @@
*/
public function html_editor($mode = '')
{
- $hook = $this->plugins->exec_hook('html_editor', array('mode' => $mode));
+ $spellcheck = intval($this->config->get('enable_spellcheck'));
+ $spelldict = intval($this->config->get('spellcheck_dictionary'));
+ $disabled_plugins = array();
+ $disabled_buttons = array();
+ $extra_plugins = array();
+ $extra_buttons = array();
+
+ if (!$spellcheck) {
+ $disabled_plugins[] = 'spellchecker';
+ }
+
+ $hook = $this->plugins->exec_hook('html_editor', array(
+ 'mode' => $mode,
+ 'disabled_plugins' => $disabled_plugins,
+ 'disabled_buttons' => $disabled_buttons,
+ 'extra_plugins' => $extra_plugins,
+ 'extra_buttons' => $extra_buttons,
+ ));
if ($hook['abort']) {
return;
@@ -1872,8 +1937,12 @@
'mode' => $mode,
'lang' => $lang,
'skin_path' => $this->output->get_skin_path(),
- 'spellcheck' => intval($this->config->get('enable_spellcheck')),
- 'spelldict' => intval($this->config->get('spellcheck_dictionary'))
+ 'spellcheck' => $spellcheck, // deprecated
+ 'spelldict' => $spelldict,
+ 'disabled_plugins' => $hook['disabled_plugins'],
+ 'disabled_buttons' => $hook['disabled_buttons'],
+ 'extra_plugins' => $hook['extra_plugins'],
+ 'extra_buttons' => $hook['extra_buttons'],
);
$this->output->add_label('selectimage', 'addimage', 'selectmedia', 'addmedia');
@@ -1881,43 +1950,6 @@
$this->output->include_css('program/js/tinymce/roundcube/browser.css');
$this->output->include_script('tinymce/tinymce.min.js');
$this->output->include_script('editor.js');
- }
-
- /**
- * Replaces TinyMCE's emoticon images with plain-text representation
- *
- * @param string $html HTML content
- *
- * @return string HTML content
- */
- public static function replace_emoticons($html)
- {
- $emoticons = array(
- '8-)' => 'smiley-cool',
- ':-#' => 'smiley-foot-in-mouth',
- ':-*' => 'smiley-kiss',
- ':-X' => 'smiley-sealed',
- ':-P' => 'smiley-tongue-out',
- ':-@' => 'smiley-yell',
- ":'(" => 'smiley-cry',
- ':-(' => 'smiley-frown',
- ':-D' => 'smiley-laughing',
- ':-)' => 'smiley-smile',
- ':-S' => 'smiley-undecided',
- ':-$' => 'smiley-embarassed',
- 'O:-)' => 'smiley-innocent',
- ':-|' => 'smiley-money-mouth',
- ':-O' => 'smiley-surprised',
- ';-)' => 'smiley-wink',
- );
-
- foreach ($emoticons as $idx => $file) {
- // <img title="Cry" src="http://.../program/js/tinymce/plugins/emoticons/img/smiley-cry.gif" border="0" alt="Cry" />
- $search[] = '/<img title="[a-z ]+" src="https?:\/\/[a-z0-9_.\/-]+\/tinymce\/plugins\/emoticons\/img\/'.$file.'.gif"[^>]+\/>/i';
- $replace[] = $idx;
- }
-
- return preg_replace($search, $replace, $html);
}
/**
@@ -2062,16 +2094,15 @@
if (!empty($_GET['_thumbnail'])) {
$temp_dir = $this->config->get('temp_dir');
$thumbnail_size = 80;
- list(,$ext) = explode('/', $file['mimetype']);
$mimetype = $file['mimetype'];
$file_ident = $file['id'] . ':' . $file['mimetype'] . ':' . $file['size'];
$cache_basename = $temp_dir . '/' . md5($file_ident . ':' . $this->user->ID . ':' . $thumbnail_size);
- $cache_file = $cache_basename . '.' . $ext;
+ $cache_file = $cache_basename . '.thumb';
// render thumbnail image if not done yet
if (!is_file($cache_file)) {
if (!$file['path']) {
- $orig_name = $filename = $cache_basename . '.orig.' . $ext;
+ $orig_name = $filename = $cache_basename . '.tmp';
file_put_contents($orig_name, $file['data']);
}
else {
@@ -2214,12 +2245,12 @@
$size = $this->show_bytes((int)$part->d_parameters['size']);
}
else {
- $size = $part->size;
- if ($part->encoding == 'base64') {
- $size = $size / 1.33;
- }
+ $size = $part->size;
+ if ($part->encoding == 'base64') {
+ $size = $size / 1.33;
+ }
- $size = '~' . $this->show_bytes($size);
+ $size = '~' . $this->show_bytes($size);
}
return $size;
@@ -2239,8 +2270,8 @@
// message UID (or comma-separated list of IDs) is provided in
// the form of <ID>-<MBOX>[,<ID>-<MBOX>]*
- $_uid = $uids ?: rcube_utils::get_input_value('_uid', RCUBE_INPUT_GPC);
- $_mbox = $mbox ?: (string)rcube_utils::get_input_value('_mbox', RCUBE_INPUT_GPC);
+ $_uid = $uids ?: rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GPC);
+ $_mbox = $mbox ?: (string) rcube_utils::get_input_value('_mbox', rcube_utils::INPUT_GPC);
// already a hash array
if (is_array($_uid) && !isset($_uid[0])) {
@@ -2307,24 +2338,37 @@
return file_get_contents($name, false);
}
-
- /************************************************************************
- ********* Deprecated methods (to be removed) *********
- ***********************************************************************/
-
- public static function setcookie($name, $value, $exp = 0)
+ /**
+ * Converts HTML content into plain text
+ *
+ * @param string $html HTML content
+ * @param array $options Conversion parameters (width, links, charset)
+ *
+ * @return string Plain text
+ */
+ public function html2text($html, $options = array())
{
- rcube_utils::setcookie($name, $value, $exp);
- }
+ $default_options = array(
+ 'links' => true,
+ 'width' => 75,
+ 'body' => $html,
+ 'charset' => RCUBE_CHARSET,
+ );
- public function imap_connect()
- {
- return $this->storage_connect();
- }
+ $options = array_merge($default_options, (array) $options);
- public function imap_init()
- {
- return $this->storage_init();
+ // Plugins may want to modify HTML in another/additional way
+ $options = $this->plugins->exec_hook('html2text', $options);
+
+ // Convert to text
+ if (!$options['abort']) {
+ $converter = new rcube_html2text($options['body'],
+ false, $options['links'], $options['width'], $options['charset']);
+
+ $options['body'] = rtrim($converter->get_text());
+ }
+
+ return $options['body'];
}
/**
--
Gitblit v1.9.1