From f06aa8058b7e32ba32d4551074b6e0b8a300f751 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Mon, 21 Oct 2013 15:02:40 -0400
Subject: [PATCH] Bump version after security fix
---
program/steps/mail/func.inc | 226 +++++++++++++++++++++++++++++++++++++++++---------------
1 files changed, 165 insertions(+), 61 deletions(-)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index aeb917b..e486cc6 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -78,7 +78,7 @@
if ($_SESSION['search_filter'] && $_SESSION['search_filter'] != 'ALL') {
$search_request = md5($mbox_name.$_SESSION['search_filter']);
- $RCMAIL->storage->search($mbox_name, $_SESSION['search_filter'], RCMAIL_CHARSET, $_SESSION['sort_col']);
+ $RCMAIL->storage->search($mbox_name, $_SESSION['search_filter'], RCMAIL_CHARSET, rcmail_sort_column());
$_SESSION['search'] = $RCMAIL->storage->get_search_set();
$_SESSION['search_request'] = $search_request;
$OUTPUT->set_env('search_request', $search_request);
@@ -93,11 +93,13 @@
// set current mailbox and some other vars in client environment
$OUTPUT->set_env('mailbox', $mbox_name);
$OUTPUT->set_env('pagesize', $RCMAIL->storage->get_pagesize());
- $OUTPUT->set_env('quota', $RCMAIL->storage->get_capability('QUOTA'));
$OUTPUT->set_env('delimiter', $RCMAIL->storage->get_hierarchy_delimiter());
$OUTPUT->set_env('threading', $threading);
$OUTPUT->set_env('threads', $threading || $RCMAIL->storage->get_capability('THREAD'));
$OUTPUT->set_env('preview_pane_mark_read', $RCMAIL->config->get('preview_pane_mark_read', 0));
+ if ($RCMAIL->storage->get_capability('QUOTA')) {
+ $OUTPUT->set_env('quota', true);
+ }
if ($CONFIG['delete_junk'])
$OUTPUT->set_env('delete_junk', true);
@@ -126,13 +128,76 @@
$OUTPUT->set_pagetitle(rcmail_localize_foldername($RCMAIL->storage->mod_folder($mbox_name)));
}
+/**
+ * Returns 'to' if current folder is configured Sent or Drafts
+ * or their subfolders, otherwise returns 'from'.
+ *
+ * @return string Column name
+ */
+function rcmail_message_list_smart_column_name()
+{
+ global $RCMAIL;
+
+ $delim = $RCMAIL->storage->get_hierarchy_delimiter();
+ $mbox = $RCMAIL->storage->get_folder();
+ $sent_mbox = $RCMAIL->config->get('sent_mbox');
+ $drafts_mbox = $RCMAIL->config->get('drafts_mbox');
+
+ if (strpos($mbox.$delim, $sent_mbox.$delim) === 0 || strpos($mbox.$delim, $drafts_mbox.$delim) === 0) {
+ return 'to';
+ }
+
+ return 'from';
+}
+
+/**
+ * Returns configured messages list sorting column name
+ * The name is context-sensitive, which means if sorting is set to 'fromto'
+ * it will return 'from' or 'to' according to current folder type.
+ *
+ * @return string Column name
+ */
+function rcmail_sort_column()
+{
+ global $RCMAIL;
+
+ if (isset($_SESSION['sort_col'])) {
+ $column = $_SESSION['sort_col'];
+ }
+ else {
+ $column = $RCMAIL->config->get('message_sort_col');
+ }
+
+ // get name of smart From/To column in folder context
+ if ($column == 'fromto') {
+ $column = rcmail_message_list_smart_column_name();
+ }
+
+ return $column;
+}
+
+/**
+ * Returns configured message list sorting order
+ *
+ * @return string Sorting order (ASC|DESC)
+ */
+function rcmail_sort_order()
+{
+ global $RCMAIL;
+
+ if (isset($_SESSION['sort_order'])) {
+ return $_SESSION['sort_order'];
+ }
+
+ return $RCMAIL->config->get('message_sort_order');
+}
/**
* return the message list as HTML table
*/
function rcmail_message_list($attrib)
{
- global $RCMAIL, $CONFIG, $OUTPUT;
+ global $CONFIG, $OUTPUT;
// add some labels to client
$OUTPUT->add_label('from', 'to');
@@ -153,15 +218,6 @@
// save some variables for use in ajax list
$_SESSION['list_attrib'] = $attrib;
-
- $mbox = $RCMAIL->storage->get_folder();
- $delim = $RCMAIL->storage->get_hierarchy_delimiter();
-
- // show 'to' instead of 'from' in sent/draft messages
- if ((strpos($mbox.$delim, $CONFIG['sent_mbox'].$delim)===0 || strpos($mbox.$delim, $CONFIG['drafts_mbox'].$delim)===0)
- && (($f = array_search('from', $a_show_cols)) !== false) && array_search('to', $a_show_cols) === false)
- $a_show_cols[$f] = 'to';
-
// make sure 'threads' and 'subject' columns are present
if (!in_array('subject', $a_show_cols))
array_unshift($a_show_cols, 'subject');
@@ -212,7 +268,6 @@
}
$mbox = $RCMAIL->storage->get_folder();
- $delim = $RCMAIL->storage->get_hierarchy_delimiter();
// make sure 'threads' and 'subject' columns are present
if (!in_array('subject', $a_show_cols))
@@ -221,11 +276,6 @@
array_unshift($a_show_cols, 'threads');
$_SESSION['list_attrib']['columns'] = $a_show_cols;
-
- // show 'to' instead of 'from' in sent/draft messages
- if ((strpos($mbox.$delim, $CONFIG['sent_mbox'].$delim)===0 || strpos($mbox.$delim, $CONFIG['drafts_mbox'].$delim)===0)
- && (($f = array_search('from', $a_show_cols)) !== false) && array_search('to', $a_show_cols) === false)
- $a_show_cols[$f] = 'to';
// Make sure there are no duplicated columns (#1486999)
$a_show_cols = array_unique($a_show_cols);
@@ -240,7 +290,12 @@
$thead = $head_replace ? rcmail_message_list_head($_SESSION['list_attrib'], $a_show_cols) : NULL;
- $OUTPUT->command('set_message_coltypes', $a_show_cols, $thead);
+ // get name of smart From/To column in folder context
+ if (($f = array_search('fromto', $a_show_cols)) !== false) {
+ $smart_col = rcmail_message_list_smart_column_name();
+ }
+
+ $OUTPUT->command('set_message_coltypes', $a_show_cols, $thead, $smart_col);
if (empty($a_headers))
return;
@@ -261,16 +316,18 @@
// format each col; similar as in rcmail_message_list()
foreach ($a_show_cols as $col) {
- if (in_array($col, array('from', 'to', 'cc', 'replyto')))
- $cont = Q(rcmail_address_string($header->$col, 3, false, null, $header->charset), 'show');
- else if ($col=='subject') {
+ $col_name = $col == 'fromto' ? $smart_col : $col;
+
+ if (in_array($col_name, array('from', 'to', 'cc', 'replyto')))
+ $cont = rcmail_address_string($header->$col_name, 3, false, null, $header->charset);
+ else if ($col == 'subject') {
$cont = trim(rcube_mime::decode_header($header->$col, $header->charset));
if (!$cont) $cont = rcube_label('nosubject');
$cont = Q($cont);
}
- else if ($col=='size')
+ else if ($col == 'size')
$cont = show_bytes($header->$col);
- else if ($col=='date')
+ else if ($col == 'date')
$cont = format_date($header->date);
else
$cont = Q($header->$col);
@@ -321,8 +378,6 @@
*/
function rcmail_message_list_head($attrib, $a_show_cols)
{
- global $CONFIG;
-
$skin_path = $_SESSION['skin_path'];
$image_tag = html::img(array('src' => "%s%s", 'alt' => "%s"));
@@ -331,7 +386,7 @@
$sort_order = $_SESSION['sort_order'];
// define sortable columns
- $a_sort_cols = array('subject', 'date', 'from', 'to', 'size', 'cc');
+ $a_sort_cols = array('subject', 'date', 'from', 'to', 'fromto', 'size', 'cc');
if (!empty($attrib['optionsmenuicon'])) {
$onclick = 'return ' . JS_OBJECT_NAME . ".command('menu-open', 'messagelistmenu')";
@@ -349,6 +404,11 @@
$cells = array();
+ // get name of smart From/To column in folder context
+ if (($f = array_search('fromto', $a_show_cols)) !== false) {
+ $smart_col = rcmail_message_list_smart_column_name();
+ }
+
foreach ($a_show_cols as $col) {
// get column name
switch ($col) {
@@ -362,6 +422,9 @@
break;
case 'threads':
$col_name = $list_menu;
+ break;
+ case 'fromto':
+ $col_name = Q(rcube_label($smart_col));
break;
default:
$col_name = Q(rcube_label($col));
@@ -677,7 +740,9 @@
else if ($data['type'] == 'enriched') {
$part->ctype_secondary = 'html';
require_once(INSTALL_PATH . 'program/lib/enriched.inc');
- $body = Q(enriched_to_html($data['body']), 'show');
+ $body = enriched_to_html($data['body']);
+ $body = rcmail_wash_html($body, $data, $part->replaces);
+ $part->ctype_secondary = 'html';
}
else {
// assert plaintext
@@ -726,8 +791,8 @@
// find/mark quoted lines...
for ($n=0, $cnt=count($body); $n < $cnt; $n++) {
- if ($body[$n][0] == '>' && preg_match('/^(>+\s*)+/', $body[$n], $regs)) {
- $q = strlen(preg_replace('/\s/', '', $regs[0]));
+ if ($body[$n][0] == '>' && preg_match('/^(>+ {0,1})+/', $body[$n], $regs)) {
+ $q = substr_count($regs[0], '>');
$body[$n] = substr($body[$n], strlen($regs[0]));
if ($q > $quote_level) {
@@ -889,6 +954,8 @@
$output_headers = array();
foreach ($standard_headers as $hkey) {
+ $ishtml = false;
+
if ($headers[$hkey])
$value = $headers[$hkey];
else if ($headers['others'][$hkey])
@@ -898,6 +965,8 @@
if (in_array($hkey, $exclude_headers))
continue;
+
+ $header_title = rcube_label(preg_replace('/(^mail-|-)/', '', $hkey));
if ($hkey == 'date') {
if ($PRINT_MODE)
@@ -913,32 +982,41 @@
continue;
}
else if ($hkey == 'replyto') {
- if ($headers['replyto'] != $headers['from'])
- $header_value = rcmail_address_string($value, null, true, $attrib['addicon'], $headers['charset']);
+ if ($headers['replyto'] != $headers['from']) {
+ $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title);
+ $ishtml = true;
+ }
else
continue;
}
else if ($hkey == 'mail-reply-to') {
if ($headers['mail-replyto'] != $headers['reply-to']
&& $headers['reply-to'] != $headers['from']
- )
- $header_value = rcmail_address_string($value, null, true, $attrib['addicon'], $headers['charset']);
+ ) {
+ $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title);
+ $ishtml = true;
+ }
else
continue;
}
else if ($hkey == 'mail-followup-to') {
- $header_value = rcmail_address_string($value, null, true, $attrib['addicon'], $headers['charset']);
+ $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title);
+ $ishtml = true;
}
- else if (in_array($hkey, array('from', 'to', 'cc', 'bcc')))
- $header_value = rcmail_address_string($value, null, true, $attrib['addicon'], $headers['charset']);
+ else if (in_array($hkey, array('from', 'to', 'cc', 'bcc'))) {
+ $header_value = rcmail_address_string($value, $attrib['max'], true, $attrib['addicon'], $headers['charset'], $header_title);
+ $ishtml = true;
+ }
else if ($hkey == 'subject' && empty($value))
$header_value = rcube_label('nosubject');
else
$header_value = trim(rcube_mime::decode_header($value, $headers['charset']));
$output_headers[$hkey] = array(
- 'title' => rcube_label(preg_replace('/(^mail-|-)/', '', $hkey)),
- 'value' => $header_value, 'raw' => $value
+ 'title' => $header_title,
+ 'value' => $header_value,
+ 'raw' => $value,
+ 'html' => $ishtml,
);
}
@@ -947,14 +1025,14 @@
// single header value is requested
if (!empty($attrib['valueof']))
- return Q($plugin['output'][$attrib['valueof']]['value'], ($hkey == 'subject' ? 'strict' : 'show'));
+ return Q($plugin['output'][$attrib['valueof']]['value'], ($attrib['valueof'] == 'subject' ? 'strict' : 'show'));
// compose html table
$table = new html_table(array('cols' => 2));
foreach ($plugin['output'] as $hkey => $row) {
$table->add(array('class' => 'header-title'), Q($row['title']));
- $table->add(array('class' => 'header '.$hkey), Q($row['value'], ($hkey == 'subject' ? 'strict' : 'show')));
+ $table->add(array('class' => 'header '.$hkey), $row['html'] ? $row['value'] : Q($row['value'], ($hkey == 'subject' ? 'strict' : 'show')));
}
return $table->show($attrib);
@@ -972,10 +1050,10 @@
'4' => 'low',
'5' => 'lowest',
);
-
+
if ($value && $labels_map[$value])
return rcube_label($labels_map[$value]);
-
+
return '';
}
@@ -1158,7 +1236,7 @@
// modify HTML links to open a new window if clicked
$GLOBALS['rcmail_html_container_id'] = $container_id;
- $body = preg_replace_callback('/<(a|link)\s+([^>]+)>/Ui', 'rcmail_alter_html_link', $body);
+ $body = preg_replace_callback('/<(a|link|area)\s+([^>]+)>/Ui', 'rcmail_alter_html_link', $body);
unset($GLOBALS['rcmail_html_container_id']);
$body = preg_replace(array(
@@ -1271,14 +1349,18 @@
$attrib['target'] = '_blank';
}
- return "<$tag" . html::attrib_string($attrib, array('href','name','target','onclick','id','class','style','title','rel','type','media')) . $end;
+ // allowed attributes for a|link|area tags
+ $allow = array('href','name','target','onclick','id','class','style','title',
+ 'rel','type','media','alt','coords','nohref','hreflang','shape');
+
+ return "<$tag" . html::attrib_string($attrib, $allow) . $end;
}
/**
* decode address string and re-format it as HTML links
*/
-function rcmail_address_string($input, $max=null, $linked=false, $addicon=null, $default_charset=null)
+function rcmail_address_string($input, $max=null, $linked=false, $addicon=null, $default_charset=null, $title=null)
{
global $RCMAIL, $PRINT_MODE, $CONFIG;
@@ -1290,6 +1372,7 @@
$c = count($a_parts);
$j = 0;
$out = '';
+ $allvalues = array();
if ($addicon && !isset($_SESSION['writeable_abook'])) {
$_SESSION['writeable_abook'] = $RCMAIL->get_address_sources(true) ? true : false;
@@ -1297,7 +1380,6 @@
foreach ($a_parts as $part) {
$j++;
-
$name = $part['name'];
$mailto = $part['mailto'];
$string = $part['string'];
@@ -1310,7 +1392,9 @@
$mailto = rcube_idn_to_utf8($mailto);
if ($PRINT_MODE) {
- $out .= sprintf('%s <%s>', Q($name), $mailto);
+ $out .= ($out ? ', ' : '') . sprintf('%s <%s>', Q($name), $mailto);
+ // for printing we display all addresses
+ continue;
}
else if (check_email($part['mailto'], false)) {
if ($linked) {
@@ -1328,33 +1412,53 @@
}
if ($addicon && $_SESSION['writeable_abook']) {
- $address = html::span(null, $address . html::a(array(
+ $address .= html::a(array(
'href' => "#add",
- 'onclick' => sprintf("return %s.command('add-contact','%s',this)", JS_OBJECT_NAME, urlencode($string)),
+ 'onclick' => sprintf("return %s.command('add-contact','%s',this)", JS_OBJECT_NAME, JQ($string)),
'title' => rcube_label('addtoaddressbook'),
'class' => 'rcmaddcontact',
),
html::img(array(
'src' => $CONFIG['skin_path'] . $addicon,
'alt' => "Add contact",
- ))));
+ )));
}
- $out .= $address;
}
else {
+ $address = '';
if ($name)
- $out .= Q($name);
+ $address .= Q($name);
if ($mailto)
- $out .= (strlen($out) ? ' ' : '') . sprintf('<%s>', Q($mailto));
+ $address .= (strlen($address) ? ' ' : '') . sprintf('<%s>', Q($mailto));
}
- if ($c>$j)
- $out .= ','.($max ? ' ' : ' ');
+ $address = html::span('adr', $address);
+ $allvalues[] = $address;
- if ($max && $j==$max && $c>$j) {
- $out .= '...';
- break;
+ if (!$moreadrs)
+ $out .= ($out ? ', ' : '') . $address;
+
+ if ($max && $j == $max && $c > $j) {
+ if ($linked) {
+ $moreadrs = $c - $j;
+ }
+ else {
+ $out .= '...';
+ break;
+ }
}
+ }
+
+ if ($moreadrs) {
+ $out .= ' ' . html::a(array(
+ 'href' => '#more',
+ 'class' => 'morelink',
+ 'onclick' => sprintf("return %s.show_popup_dialog('%s','%s')",
+ JS_OBJECT_NAME,
+ JQ(join(', ', $allvalues)),
+ JQ($title))
+ ),
+ Q(rcube_label(array('name' => 'andnmore', 'vars' => array('nr' => $moreadrs)))));
}
return $out;
@@ -1374,7 +1478,7 @@
function rcmail_wrap_and_quote($text, $length = 72)
{
// Rebuild the message body with a maximum of $max chars, while keeping quoted message.
- $max = min(77, $length + 8);
+ $max = max(75, $length + 8);
$lines = preg_split('/\r?\n/', trim($text));
$out = '';
@@ -1399,7 +1503,7 @@
$out .= $line . "\n";
}
- return $out;
+ return rtrim($out, "\n");
}
--
Gitblit v1.9.1