X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=program%2Fsteps%2Fmail%2Fget.inc;h=16f7acf63b67aa6aab2a8bf70ce4b79131dd4c80;hb=76507f7c63a660742e76889ad6e3919f3dde3bb0;hp=3b5810fa396105efdcd3bc9f2da9a74b6836701a;hpb=4212156c5c79d2f58342feb0d3ed1893f177bcab;p=roundcube.git

diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 3b5810f..16f7acf 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -5,7 +5,7 @@
  | program/steps/mail/get.inc                                            |
  |                                                                       |
  | This file is part of the Roundcube Webmail client                     |
- | Copyright (C) 2005-2009, Roundcube Dev. - Switzerland                 |
+ | Copyright (C) 2005-2009, The Roundcube Dev Team                       |
  | Licensed under the GNU GPL                                            |
  |                                                                       |
  | PURPOSE:                                                              |
@@ -15,14 +15,14 @@
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
 
- $Id: get.inc 4115 2010-10-20 11:41:48Z alec $
+ $Id: get.inc 5514 2011-11-30 11:35:43Z alec $
 
 */
 
 
 // show loading page
 if (!empty($_GET['_preload'])) {
-  $url = str_replace('&_preload=1', '', $_SERVER['REQUEST_URI']);
+  $url = preg_replace('/[&?]+_preload=1/', '', $_SERVER['REQUEST_URI']);
   $message = rcube_label('loadingdata');
 
   header('Content-Type: text/html; charset=' . RCMAIL_CHARSET);
@@ -64,8 +64,6 @@ if (!empty($_GET['_uid'])) {
   $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
 }
 
-send_nocacheing_headers();
-
 // show part page
 if (!empty($_GET['_frame'])) {
   $OUTPUT->send('messagepart');
@@ -79,10 +77,23 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
     $ctype_secondary = strtolower($part->ctype_secondary);
     $mimetype = sprintf('%s/%s', $ctype_primary, $ctype_secondary);
 
+    // allow post-processing of the message body
+    $plugin = $RCMAIL->plugins->exec_hook('message_part_get',
+      array('id' => $part->mime_id, 'mimetype' => $mimetype, 'part' => $part, 'download' => !empty($_GET['_download'])));
+
+    if ($plugin['abort'])
+      exit;
+
+    // overwrite modified vars from plugin
+    $mimetype = $plugin['mimetype'];
+    list($ctype_primary, $ctype_secondary) = explode('/', $mimetype);
+    if ($plugin['body'])
+      $part->body = $plugin['body'];
+
     $browser = $RCMAIL->output->browser;
 
     // send download headers
-    if ($_GET['_download']) {
+    if ($plugin['download']) {
       header("Content-Type: application/octet-stream");
       if ($browser->ie)
         header("Content-Type: application/force-download");
@@ -97,7 +108,7 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
     }
 
     // deliver part content
-    if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($_GET['_download'])) {
+    if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($plugin['download'])) {
       // get part body if not available
       if (!$part->body)
         $part->body = $MESSAGE->get_part_content($part->mime_id);
@@ -119,15 +130,28 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
       else
         $filename = addcslashes($filename, '"');
 
-      $disposition = !empty($_GET['_download']) ? 'attachment' : 'inline';
+      $disposition = !empty($plugin['download']) ? 'attachment' : 'inline';
 
       header("Content-Disposition: $disposition; filename=\"$filename\"");
 
-      // turn off output buffering and print part content
-      if ($part->body)
-        echo $part->body;
-      else if ($part->size)
-        $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
+      // do content filtering to avoid XSS through fake images
+      if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
+        if ($part->body)
+          echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body;
+        else if ($part->size) {
+          $stdout = fopen('php://output', 'w');
+          stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');
+          stream_filter_append($stdout, 'rcube_content');
+          $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);
+        }
+      }
+      else {
+        // turn off output buffering and print part content
+        if ($part->body)
+          echo $part->body;
+        else if ($part->size)
+          $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
+      }
     }
 
     exit;
@@ -155,3 +179,39 @@ header('HTTP/1.1 404 Not Found');
 exit;
 
 
+
+/**
+ * PHP stream filter to detect html/javascript code in attachments
+ */
+class rcube_content_filter extends php_user_filter
+{
+  private $buffer = '';
+  private $cutoff = 2048;
+
+  function onCreate()
+  {
+    $this->cutoff = rand(2048, 3027);
+    return true;
+  }
+
+  function filter($in, $out, &$consumed, $closing)
+  {
+    while ($bucket = stream_bucket_make_writeable($in)) {
+      $this->buffer .= $bucket->data;
+
+      // check for evil content and abort
+      if (preg_match('/<(script|iframe|object)/i', $this->buffer))
+        return PSFS_ERR_FATAL;
+
+      // keep buffer small enough
+      if (strlen($this->buffer) > 4096)
+        $this->buffer = substr($this->buffer, $this->cutoff);
+
+      $consumed += $bucket->datalen;
+      stream_bucket_append($out, $bucket);
+    }
+
+    return PSFS_PASS_ON;
+  }
+}
+