4 +-----------------------------------------------------------------------+
5 | program/steps/mail/get.inc |
7 | This file is part of the Roundcube Webmail client |
8 | Copyright (C) 2005-2009, The Roundcube Dev Team |
9 | Licensed under the GNU GPL |
12 | Delivering a specific part of a mail message |
14 +-----------------------------------------------------------------------+
15 | Author: Thomas Bruederli <roundcube@gmail.com> |
16 +-----------------------------------------------------------------------+
18 $Id: get.inc 5514 2011-11-30 11:35:43Z alec $
24 if (!empty($_GET['_preload'])) {
25 $url = preg_replace('/[&?]+_preload=1/', '', $_SERVER['REQUEST_URI']);
26 $message = rcube_label('loadingdata');
28 header('Content-Type: text/html; charset=' . RCMAIL_CHARSET);
29 print "<html>\n<head>\n"
30 . '<meta http-equiv="refresh" content="0; url='.Q($url).'">' . "\n"
31 . '<meta http-equiv="content-type" content="text/html; charset='.RCMAIL_CHARSET.'">' . "\n"
32 . "</head>\n<body>\n$message\n</body>\n</html>";
38 // Now we need IMAP connection
39 if (!$RCMAIL->imap_connect()) {
40 // Get action is often executed simultanously.
41 // Some servers have MAXPERIP or other limits.
42 // To workaround this we'll wait for some time
43 // and try again (once).
44 // Note: Random sleep interval is used to minimize concurency
45 // in getting message parts
46 if (!isset($_GET['_redirected'])) {
47 usleep(rand(10,30)*100000); // 1-3 sec.
48 header('Location: ' . $_SERVER['REQUEST_URI'] . '&_redirected=1');
52 'code' => 500, 'type' => 'php',
53 'file' => __FILE__, 'line' => __LINE__,
54 'message' => 'Unable to get/display message part. IMAP connection error'),
57 // Don't kill session, just quit (#1486995)
61 // similar code as in program/steps/mail/show.inc
62 if (!empty($_GET['_uid'])) {
63 $RCMAIL->config->set('prefer_html', true);
64 $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
68 if (!empty($_GET['_frame'])) {
69 $OUTPUT->send('messagepart');
73 else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) {
75 if ($part = $MESSAGE->mime_parts[$pid]) {
76 $ctype_primary = strtolower($part->ctype_primary);
77 $ctype_secondary = strtolower($part->ctype_secondary);
78 $mimetype = sprintf('%s/%s', $ctype_primary, $ctype_secondary);
80 // allow post-processing of the message body
81 $plugin = $RCMAIL->plugins->exec_hook('message_part_get',
82 array('id' => $part->mime_id, 'mimetype' => $mimetype, 'part' => $part, 'download' => !empty($_GET['_download'])));
87 // overwrite modified vars from plugin
88 $mimetype = $plugin['mimetype'];
89 list($ctype_primary, $ctype_secondary) = explode('/', $mimetype);
91 $part->body = $plugin['body'];
93 $browser = $RCMAIL->output->browser;
95 // send download headers
96 if ($plugin['download']) {
97 header("Content-Type: application/octet-stream");
99 header("Content-Type: application/force-download");
101 else if ($ctype_primary == 'text') {
102 header("Content-Type: text/$ctype_secondary; charset=" . ($part->charset ? $part->charset : RCMAIL_CHARSET));
105 $mimetype = rcmail_fix_mimetype($mimetype);
106 header("Content-Type: $mimetype");
107 header("Content-Transfer-Encoding: binary");
110 // deliver part content
111 if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($plugin['download'])) {
112 // get part body if not available
114 $part->body = $MESSAGE->get_part_content($part->mime_id);
116 $OUTPUT = new rcube_html_page();
117 $OUTPUT->write(rcmail_print_body($part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false)));
120 // don't kill the connection if download takes more than 30 sec.
123 $filename = $part->filename ? $part->filename : ($MESSAGE->subject ? $MESSAGE->subject : 'roundcube') . '.'.$ctype_secondary;
124 $filename = preg_replace('[\r\n]', '', $filename);
126 if ($browser->ie && $browser->ver < 7)
127 $filename = rawurlencode(abbreviate_string($filename, 55));
128 else if ($browser->ie)
129 $filename = rawurlencode($filename);
131 $filename = addcslashes($filename, '"');
133 $disposition = !empty($plugin['download']) ? 'attachment' : 'inline';
135 header("Content-Disposition: $disposition; filename=\"$filename\"");
137 // do content filtering to avoid XSS through fake images
138 if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
140 echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body;
141 else if ($part->size) {
142 $stdout = fopen('php://output', 'w');
143 stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');
144 stream_filter_append($stdout, 'rcube_content');
145 $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);
149 // turn off output buffering and print part content
152 else if ($part->size)
153 $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
163 // send correct headers for content type
164 header("Content-Type: text/html");
166 $cont = "<html>\n<head><title></title>\n</head>\n<body>";
167 $cont .= rcmail_message_body(array());
168 $cont .= "\n</body>\n</html>";
170 $OUTPUT = new rcube_html_page();
171 $OUTPUT->write($cont);
177 // if we arrive here, the requested part was not found
178 header('HTTP/1.1 404 Not Found');
184 * PHP stream filter to detect html/javascript code in attachments
186 class rcube_content_filter extends php_user_filter
188 private $buffer = '';
189 private $cutoff = 2048;
193 $this->cutoff = rand(2048, 3027);
197 function filter($in, $out, &$consumed, $closing)
199 while ($bucket = stream_bucket_make_writeable($in)) {
200 $this->buffer .= $bucket->data;
202 // check for evil content and abort
203 if (preg_match('/<(script|iframe|object)/i', $this->buffer))
204 return PSFS_ERR_FATAL;
206 // keep buffer small enough
207 if (strlen($this->buffer) > 4096)
208 $this->buffer = substr($this->buffer, $this->cutoff);
210 $consumed += $bucket->datalen;
211 stream_bucket_append($out, $bucket);