X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=program%2Fsteps%2Fmail%2Fget.inc;h=16f7acf63b67aa6aab2a8bf70ce4b79131dd4c80;hb=76507f7c63a660742e76889ad6e3919f3dde3bb0;hp=91c1a30a583fa3c46df7ff38686cbe7c7bf744ae;hpb=ade1655456ffdb799be8081f57ec90a408b99dd9;p=roundcube.git diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index 91c1a30..16f7acf 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -4,8 +4,8 @@ +-----------------------------------------------------------------------+ | program/steps/mail/get.inc | | | - | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev. - Switzerland | + | This file is part of the Roundcube Webmail client | + | Copyright (C) 2005-2009, The Roundcube Dev Team | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -15,124 +15,154 @@ | Author: Thomas Bruederli | +-----------------------------------------------------------------------+ - $Id: get.inc 884 2007-10-18 09:10:35Z thomasb $ + $Id: get.inc 5514 2011-11-30 11:35:43Z alec $ */ -require_once('Mail/mimeDecode.php'); - // show loading page -if ($_GET['_preload']) - { - $url = str_replace('&_preload=1', '', $_SERVER['REQUEST_URI']); +if (!empty($_GET['_preload'])) { + $url = preg_replace('/[&?]+_preload=1/', '', $_SERVER['REQUEST_URI']); $message = rcube_label('loadingdata'); - print "\n\n" . - '' . - "\n\n" . - $message . - "\n\n"; + header('Content-Type: text/html; charset=' . RCMAIL_CHARSET); + print "\n\n" + . '' . "\n" + . '' . "\n" + . "\n\n$message\n\n"; exit; +} + +ob_end_clean(); + +// Now we need IMAP connection +if (!$RCMAIL->imap_connect()) { + // Get action is often executed simultanously. + // Some servers have MAXPERIP or other limits. + // To workaround this we'll wait for some time + // and try again (once). + // Note: Random sleep interval is used to minimize concurency + // in getting message parts + if (!isset($_GET['_redirected'])) { + usleep(rand(10,30)*100000); // 1-3 sec. + header('Location: ' . $_SERVER['REQUEST_URI'] . '&_redirected=1'); } - - -// similar code as in program/steps/mail/show.inc -if ($_GET['_uid']) - { - $MESSAGE = array('UID' => get_input_value('_uid', RCUBE_INPUT_GET)); - $MESSAGE['structure'] = $IMAP->get_structure($MESSAGE['UID']); - $MESSAGE['parts'] = $IMAP->get_mime_numbers($MESSAGE['structure']); + else { + raise_error(array( + 'code' => 500, 'type' => 'php', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => 'Unable to get/display message part. IMAP connection error'), + true, true); } + // Don't kill session, just quit (#1486995) + exit; +} +// similar code as in program/steps/mail/show.inc +if (!empty($_GET['_uid'])) { + $RCMAIL->config->set('prefer_html', true); + $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET)); +} // show part page -if ($_GET['_frame']) - { - parse_template('messagepart'); +if (!empty($_GET['_frame'])) { + $OUTPUT->send('messagepart'); exit; - } +} -else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) - { - if ($part = $MESSAGE['parts'][$pid]) - { +else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) { + + if ($part = $MESSAGE->mime_parts[$pid]) { $ctype_primary = strtolower($part->ctype_primary); $ctype_secondary = strtolower($part->ctype_secondary); $mimetype = sprintf('%s/%s', $ctype_primary, $ctype_secondary); - header("Expires: 0"); - header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); - header("Cache-Control: private", false); - header("Content-Transfer-Encoding: binary"); + // allow post-processing of the message body + $plugin = $RCMAIL->plugins->exec_hook('message_part_get', + array('id' => $part->mime_id, 'mimetype' => $mimetype, 'part' => $part, 'download' => !empty($_GET['_download']))); + + if ($plugin['abort']) + exit; + + // overwrite modified vars from plugin + $mimetype = $plugin['mimetype']; + list($ctype_primary, $ctype_secondary) = explode('/', $mimetype); + if ($plugin['body']) + $part->body = $plugin['body']; + + $browser = $RCMAIL->output->browser; // send download headers - if ($_GET['_download']) - { - header("Cache-Control: private", false); + if ($plugin['download']) { header("Content-Type: application/octet-stream"); - } - else + if ($browser->ie) + header("Content-Type: application/force-download"); + } + else if ($ctype_primary == 'text') { + header("Content-Type: text/$ctype_secondary; charset=" . ($part->charset ? $part->charset : RCMAIL_CHARSET)); + } + else { + $mimetype = rcmail_fix_mimetype($mimetype); header("Content-Type: $mimetype"); - - // We need to set the following headers to make downloads work using IE in HTTPS mode. - if (isset($_SERVER['HTTPS'])) - { - header('Pragma: '); - header('Cache-Control: '); - } + header("Content-Transfer-Encoding: binary"); + } // deliver part content - if ($ctype_primary=='text' && $ctype_secondary=='html') - { - // we have to analyze the whole structure again to find inline objects - list($new_parts, $new_attachments) = - rcmail_parse_message($MESSAGE['structure'], - array('safe' => (bool)$_GET['_safe'], - 'prefer_html' => TRUE, - 'get_url' => $GET_URL.'&_part=%s')); - - $all_parts = array_merge($new_parts, $new_attachments); - for ($partix = 0; $partix < sizeof($all_parts); $partix++) - if ($all_parts[$partix]->mime_id == $pid) - $part = &$all_parts[$partix]; - + if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($plugin['download'])) { // get part body if not available if (!$part->body) - $part->body = $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part); + $part->body = $MESSAGE->get_part_content($part->mime_id); $OUTPUT = new rcube_html_page(); - $OUTPUT->write(rcmail_print_body($part, (bool)$_GET['_safe'])); + $OUTPUT->write(rcmail_print_body($part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false))); + } + else { + // don't kill the connection if download takes more than 30 sec. + @set_time_limit(0); + + $filename = $part->filename ? $part->filename : ($MESSAGE->subject ? $MESSAGE->subject : 'roundcube') . '.'.$ctype_secondary; + $filename = preg_replace('[\r\n]', '', $filename); + + if ($browser->ie && $browser->ver < 7) + $filename = rawurlencode(abbreviate_string($filename, 55)); + else if ($browser->ie) + $filename = rawurlencode($filename); + else + $filename = addcslashes($filename, '"'); + + $disposition = !empty($plugin['download']) ? 'attachment' : 'inline'; + + header("Content-Disposition: $disposition; filename=\"$filename\""); + + // do content filtering to avoid XSS through fake images + if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) { + if ($part->body) + echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body; + else if ($part->size) { + $stdout = fopen('php://output', 'w'); + stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter'); + stream_filter_append($stdout, 'rcube_content'); + $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout); + } } - else - { - header(sprintf('Content-Disposition: %s; filename="%s";', - $_GET['_download'] ? 'attachment' : 'inline', - $part->filename ? $part->filename : "roundcube.$ctype_secondary")); - - // turn off output buffering and print part content - $IMAP->get_message_part($MESSAGE['UID'], $part->mime_id, $part->encoding, true); + else { + // turn off output buffering and print part content + if ($part->body) + echo $part->body; + else if ($part->size) + $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true); } + } exit; - } } +} // print message -else - { - $ctype_primary = strtolower($MESSAGE['structure']->ctype_primary); - $ctype_secondary = strtolower($MESSAGE['structure']->ctype_secondary); - $mimetype = sprintf('%s/%s', $ctype_primary, $ctype_secondary); - +else { // send correct headers for content type header("Content-Type: text/html"); - $cont = ''; - list($MESSAGE['parts']) = rcmail_parse_message($MESSAGE['structure'], - array('safe' => (bool)$_GET['_safe'], - 'get_url' => $GET_URL.'&_part=%s')); - $cont = "\n\n\n"; $cont .= rcmail_message_body(array()); $cont .= "\n\n"; @@ -141,11 +171,47 @@ else $OUTPUT->write($cont); exit; - } +} // if we arrive here, the requested part was not found header('HTTP/1.1 404 Not Found'); exit; -?> + + +/** + * PHP stream filter to detect html/javascript code in attachments + */ +class rcube_content_filter extends php_user_filter +{ + private $buffer = ''; + private $cutoff = 2048; + + function onCreate() + { + $this->cutoff = rand(2048, 3027); + return true; + } + + function filter($in, $out, &$consumed, $closing) + { + while ($bucket = stream_bucket_make_writeable($in)) { + $this->buffer .= $bucket->data; + + // check for evil content and abort + if (preg_match('/<(script|iframe|object)/i', $this->buffer)) + return PSFS_ERR_FATAL; + + // keep buffer small enough + if (strlen($this->buffer) > 4096) + $this->buffer = substr($this->buffer, $this->cutoff); + + $consumed += $bucket->datalen; + stream_bucket_append($out, $bucket); + } + + return PSFS_PASS_ON; + } +} +