| program/steps/mail/get.inc |
| |
| This file is part of the Roundcube Webmail client |
- | Copyright (C) 2005-2009, Roundcube Dev. - Switzerland |
+ | Copyright (C) 2005-2011, The Roundcube Dev Team |
| Licensed under the GNU GPL |
| |
| PURPOSE: |
| Author: Thomas Bruederli <roundcube@gmail.com> |
+-----------------------------------------------------------------------+
- $Id: get.inc 4115 2010-10-20 11:41:48Z alec $
+ $Id: get.inc 5635 2011-12-21 10:07:42Z alec $
*/
// show loading page
if (!empty($_GET['_preload'])) {
- $url = str_replace('&_preload=1', '', $_SERVER['REQUEST_URI']);
+ $url = preg_replace('/[&?]+_preload=1/', '', $_SERVER['REQUEST_URI']);
$message = rcube_label('loadingdata');
header('Content-Type: text/html; charset=' . RCMAIL_CHARSET);
$MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
}
-send_nocacheing_headers();
-
// show part page
if (!empty($_GET['_frame'])) {
$OUTPUT->send('messagepart');
$ctype_secondary = strtolower($part->ctype_secondary);
$mimetype = sprintf('%s/%s', $ctype_primary, $ctype_secondary);
+ // allow post-processing of the message body
+ $plugin = $RCMAIL->plugins->exec_hook('message_part_get',
+ array('id' => $part->mime_id, 'mimetype' => $mimetype, 'part' => $part, 'download' => !empty($_GET['_download'])));
+
+ if ($plugin['abort'])
+ exit;
+
+ // overwrite modified vars from plugin
+ $mimetype = $plugin['mimetype'];
+ list($ctype_primary, $ctype_secondary) = explode('/', $mimetype);
+ if ($plugin['body'])
+ $part->body = $plugin['body'];
+
$browser = $RCMAIL->output->browser;
// send download headers
- if ($_GET['_download']) {
+ if ($plugin['download']) {
header("Content-Type: application/octet-stream");
if ($browser->ie)
header("Content-Type: application/force-download");
}
// deliver part content
- if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($_GET['_download'])) {
+ if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($plugin['download'])) {
// get part body if not available
if (!$part->body)
$part->body = $MESSAGE->get_part_content($part->mime_id);
else
$filename = addcslashes($filename, '"');
- $disposition = !empty($_GET['_download']) ? 'attachment' : 'inline';
+ $disposition = !empty($plugin['download']) ? 'attachment' : 'inline';
header("Content-Disposition: $disposition; filename=\"$filename\"");
- // turn off output buffering and print part content
- if ($part->body)
- echo $part->body;
- else if ($part->size)
- $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
+ // do content filtering to avoid XSS through fake images
+ if (!empty($_REQUEST['_embed']) && $browser->ie && $browser->ver <= 8) {
+ if ($part->body)
+ echo preg_match('/<(script|iframe|object)/i', $part->body) ? '' : $part->body;
+ else if ($part->size) {
+ $stdout = fopen('php://output', 'w');
+ stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter');
+ stream_filter_append($stdout, 'rcube_content');
+ $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout);
+ }
+ }
+ else {
+ // turn off output buffering and print part content
+ if ($part->body)
+ echo $part->body;
+ else if ($part->size)
+ $IMAP->get_message_part($MESSAGE->uid, $part->mime_id, $part, true);
+ }
}
exit;