From f06aa8058b7e32ba32d4551074b6e0b8a300f751 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Mon, 21 Oct 2013 15:02:40 -0400
Subject: [PATCH] Bump version after security fix

---
 program/steps/mail/func.inc |   77 ++++++++++++++++++++++++++------------
 1 files changed, 52 insertions(+), 25 deletions(-)

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 59203bf..e486cc6 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -740,7 +740,9 @@
   else if ($data['type'] == 'enriched') {
     $part->ctype_secondary = 'html';
     require_once(INSTALL_PATH . 'program/lib/enriched.inc');
-    $body = Q(enriched_to_html($data['body']), 'show');
+    $body = enriched_to_html($data['body']);
+    $body = rcmail_wash_html($body, $data, $part->replaces);
+    $part->ctype_secondary = 'html';
   }
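Review bot: `$part->ctype_secondary = 'html';` on the last added line repeats the same assignment two lines above, so one of the two can go; the earlier one already runs before enriched_to_html(). The washed body replaces the old `Q(..., 'show')` escaping, which is the intended fix, but a one-line comment would tell the next reader why washing rather than escaping is the right treatment here, e.g. `// enriched text is converted to real HTML, so it must pass through the same sanitizer as text/html parts`. The enclosing function begins before this hunk.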
   else {
     // assert plaintext
@@ -789,8 +791,8 @@
 
   // find/mark quoted lines...
   for ($n=0, $cnt=count($body); $n < $cnt; $n++) {
-    if ($body[$n][0] == '>' && preg_match('/^(>+\s*)+/', $body[$n], $regs)) {
-      $q = strlen(preg_replace('/\s/', '', $regs[0]));
+    if ($body[$n][0] == '>' && preg_match('/^(>+ {0,1})+/', $body[$n], $regs)) {
+      $q        = substr_count($regs[0], '>');
       $body[$n] = substr($body[$n], strlen($regs[0]));
 
       if ($q > $quote_level) {
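Review bot: The tightened pattern `/^(>+ {0,1})+/` now leaves a tab or a second space after a `>` in the line text, where the old `\s*` consumed it; if that is deliberate it deserves a comment, e.g. `// only a single space may follow each '>' marker; anything else stays part of the line`. `{0,1}` is just `?`, so `/^(>+ ?)+/` reads more naturally. Because the match is anchored and nothing follows the repeated group, the nested quantifier cannot be forced to backtrack, so neither form is a ReDoS concern. The surrounding function begins before this hunk.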
@@ -964,6 +966,8 @@
     if (in_array($hkey, $exclude_headers))
       continue;
 
+    $header_title = rcube_label(preg_replace('/(^mail-|-)/', '', $hkey));
+
     if ($hkey == 'date') {
       if ($PRINT_MODE)
         $header_value = format_date($value, $RCMAIL->config->get('date_long', 'x'));
@@ -979,7 +983,7 @@
     }
     else if ($hkey == 'replyto') {
       if ($headers['replyto'] != $headers['from']) {
-        $header_value = rcmail_address_string($value, null, true, $attrib['addicon'], $headers['charset']);
+        $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title);
         $ishtml = true;
       }
       else
@@ -989,18 +993,18 @@
       if ($headers['mail-replyto'] != $headers['reply-to']
         && $headers['reply-to'] != $headers['from']
       ) {
-        $header_value = rcmail_address_string($value, null, true, $attrib['addicon'], $headers['charset']);
+        $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title);
         $ishtml = true;
       }
       else
         continue;
     }
     else if ($hkey == 'mail-followup-to') {
-      $header_value = rcmail_address_string($value, null, true, $attrib['addicon'], $headers['charset']);
+      $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title);
       $ishtml = true;
     }
     else if (in_array($hkey, array('from', 'to', 'cc', 'bcc'))) {
-      $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset']);
+      $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title);
       $ishtml = true;
     }
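Review bot: The branches for replyto, mail-reply-to, mail-followup-to and from/to/cc/bcc now make the identical call `rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title)` followed by `$ishtml = true;`, and only their guard conditions differ. Folding the conditions into one "this header is an address list" test and issuing the call once would keep the six arguments in a single place the next time the signature changes. The enclosing loop and function begin before this hunk.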
     else if ($hkey == 'subject' && empty($value))
@@ -1009,7 +1013,7 @@
       $header_value = trim(rcube_mime::decode_header($value, $headers['charset']));
 
     $output_headers[$hkey] = array(
-        'title' => rcube_label(preg_replace('/(^mail-|-)/', '', $hkey)),
+        'title' => $header_title,
         'value' => $header_value,
         'raw' => $value,
         'html' => $ishtml,
@@ -1046,10 +1050,10 @@
     '4' => 'low',
     '5' => 'lowest',
   );
-  
+
   if ($value && $labels_map[$value])
     return rcube_label($labels_map[$value]);
-    
+
   return '';
 }
 
@@ -1232,7 +1236,7 @@
 
   // modify HTML links to open a new window if clicked
   $GLOBALS['rcmail_html_container_id'] = $container_id;
-  $body = preg_replace_callback('/<(a|link)\s+([^>]+)>/Ui', 'rcmail_alter_html_link', $body);
+  $body = preg_replace_callback('/<(a|link|area)\s+([^>]+)>/Ui', 'rcmail_alter_html_link', $body);
   unset($GLOBALS['rcmail_html_container_id']);
 
   $body = preg_replace(array(
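Review bot: The regex `/<(a|link|area)\s+([^>]+)>/Ui`, which now also decides whether image-map links get `target="_blank"`, relies on tags already being normalised (whitespace after the tag name, no `>` inside attribute values), which is only safe if this runs after rcmail_wash_html(). Nothing in the hunk shows that ordering, so a comment stating it would guard against a future reorder, e.g. `// operates on washed markup: washtml re-serialises tags, so the simple tag regex is sufficient here`. The enclosing function begins before this hunk.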
@@ -1345,14 +1349,18 @@
     $attrib['target'] = '_blank';
   }
 
-  return "<$tag" . html::attrib_string($attrib, array('href','name','target','onclick','id','class','style','title','rel','type','media')) . $end;
+  // allowed attributes for a|link|area tags
+  $allow = array('href','name','target','onclick','id','class','style','title',
+    'rel','type','media','alt','coords','nohref','hreflang','shape');
+
+  return "<$tag" . html::attrib_string($attrib, $allow) . $end;
 }
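Review bot: The allow list still passes `onclick` and `style` through `html::attrib_string`, and nothing in the hunk shows where those values originate. If the function sets `onclick` itself for mailto links (in the body above the hunk), say so next to the list, e.g. `// 'onclick' is set by this function for mailto links; message-supplied handlers are stripped by washtml before we get here`, so a reader does not conclude that message-supplied event handlers are accepted. Since the list is constant, `static $allow = array(...)` also avoids rebuilding it for every link in a message. The function's body starts outside the hunk.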
 
 
 /**
  * decode address string and re-format it as HTML links
  */
-function rcmail_address_string($input, $max=null, $linked=false, $addicon=null, $default_charset=null)
+function rcmail_address_string($input, $max=null, $linked=false, $addicon=null, $default_charset=null, $title=null)
 {
   global $RCMAIL, $PRINT_MODE, $CONFIG;
 
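Review bot: The new `$title` parameter, like the existing `$max`, `$linked` and `$addicon`, is not described in the docblock, which is now the only place a caller learns what `$title` is for. Extend the header comment to list the parameters: `$max` as the number of addresses shown before the remainder is folded away, `$linked` as whether to emit mailto links, `$addicon` as the add-to-addressbook icon, `$default_charset` for header decoding, and `$title` as the heading passed to the "and N more" popup, with the HTML string as the return value.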
@@ -1364,6 +1372,7 @@
   $c = count($a_parts);
   $j = 0;
   $out = '';
+  $allvalues = array();
 
   if ($addicon && !isset($_SESSION['writeable_abook'])) {
     $_SESSION['writeable_abook'] = $RCMAIL->get_address_sources(true) ? true : false;
@@ -1371,7 +1380,6 @@
 
   foreach ($a_parts as $part) {
     $j++;
-
     $name   = $part['name'];
     $mailto = $part['mailto'];
     $string = $part['string'];
@@ -1384,7 +1392,9 @@
     $mailto = rcube_idn_to_utf8($mailto);
 
     if ($PRINT_MODE) {
-      $out .= sprintf('%s &lt;%s&gt;', Q($name), $mailto);
+      $out .= ($out ? ', ' : '') . sprintf('%s &lt;%s&gt;', Q($name), $mailto);
+      // for printing we display all addresses
+      continue;
     }
     else if (check_email($part['mailto'], false)) {
       if ($linked) {
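Review bot: The print-mode line emits `$mailto` unescaped while the fallback branch later in the same function wraps it in `Q($mailto)`; in print mode check_email() does not run either, so anything the header parser leaves in the address part goes straight into the page. Unless the parser guarantees the mailto part is free of HTML metacharacters, escape it the same way: `$out .= ($out ? ', ' : '') . sprintf('%s &lt;%s&gt;', Q($name), Q($mailto));`. The loop and function begin before this hunk.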
@@ -1404,7 +1414,7 @@
       if ($addicon && $_SESSION['writeable_abook']) {
         $address .= html::a(array(
             'href' => "#add",
-            'onclick' => sprintf("return %s.command('add-contact','%s',this)", JS_OBJECT_NAME, $string),
+            'onclick' => sprintf("return %s.command('add-contact','%s',this)", JS_OBJECT_NAME, JQ($string)),
             'title' => rcube_label('addtoaddressbook'),
             'class' => 'rcmaddcontact',
           ),
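Review bot: `JQ($string)` escapes the address for the JavaScript string literal, but that literal sits inside an HTML `onclick` attribute, so the value crosses two contexts and its safety also depends on html::a() escaping attribute values. A comment recording that layering would help whoever next touches this, e.g. `// JQ() covers the JS-string layer; html::a() covers the HTML-attribute layer`. The function body continues outside the hunk.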
@@ -1413,7 +1423,6 @@
             'alt' => "Add contact",
           )));
       }
-      $out .= html::span('adr', $address);
     }
     else {
       $address = '';
@@ -1421,17 +1430,35 @@
         $address .= Q($name);
       if ($mailto)
         $address .= (strlen($address) ? ' ' : '') . sprintf('&lt;%s&gt;', Q($mailto));
-
-      $out .= html::span('adr', $address);
     }
 
-    if ($c>$j)
-      $out .= ','.($max ? '&nbsp;' : ' ');
+    $address = html::span('adr', $address);
+    $allvalues[] = $address;
 
-    if ($max && $j==$max && $c>$j) {
-      $out .= '...';
-      break;
+    if (!$moreadrs)
+      $out .= ($out ? ', ' : '') . $address;
+
+    if ($max && $j == $max && $c > $j) {
+      if ($linked) {
+        $moreadrs = $c - $j;
+      }
+      else {
+        $out .= '...';
+        break;
+      }
     }
+  }
+
+  if ($moreadrs) {
+      $out .= ' ' . html::a(array(
+          'href' => '#more',
+          'class' => 'morelink',
+          'onclick' => sprintf("return %s.show_popup_dialog('%s','%s')",
+            JS_OBJECT_NAME,
+            JQ(join(', ', $allvalues)),
+            JQ($title))
+        ),
+        Q(rcube_label(array('name' => 'andnmore', 'vars' => array('nr' => $moreadrs)))));
   }
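Review bot: `$moreadrs` is read on `if (!$moreadrs)` inside the loop and on `if ($moreadrs)` after it, but it is never initialised before the loop; whenever `$max` is not reached it stays an undefined variable, which PHP reports as a notice (a warning on newer versions) for every address rendered. Initialise it with the other accumulators, e.g. `$moreadrs = 0;` next to `$allvalues = array();` earlier in the function. The popup joins `$allvalues` with ', ' and passes the already-escaped spans through JQ(), which is consistent with how the add-contact handler passes its value. The function begins before this hunk.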
 
   return $out;
@@ -1476,7 +1503,7 @@
     $out .= $line . "\n";
   }
 
-  return $out;
+  return rtrim($out, "\n");
 }
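Review bot: `rtrim($out, "\n")` strips every trailing newline, not just the one appended by the last `$out .= $line . "\n";`, so blank lines at the end of the input disappear from the result. If that collapse is intended, note it: `// drop the newline added after the final line (and any trailing blank lines)`; if only the appended one should go, use `substr($out, 0, -1)` guarded for an empty `$out`. The function begins before this hunk.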
 
 

--
Gitblit v1.9.1