authorAleksander Machniak <alec@alec.pl>2013-04-06 19:28:47 +0200
committerAleksander Machniak <alec@alec.pl>2013-04-06 19:28:47 +0200
commit4fdaa02ac724e597479a4a48388a8a10101000fd (patch)
treeac6e7b739dddfafd41dde12c06ccbd6d82c29699 /program/lib
parent50cc5b370f1fab3ecf4ff516f60087129e8a57d1 (diff)
Fix handling of invalid characters in message headers and output (#1489032)
Diffstat (limited to 'program/lib')
-rw-r--r--program/lib/Roundcube/html.php12
-rw-r--r--program/lib/Roundcube/rcube_message.php15
-rw-r--r--program/lib/Roundcube/rcube_message_header.php7
3 files changed, 23 insertions, 11 deletions
diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php
index 592720308..7b30e60cb 100644
--- a/program/lib/Roundcube/html.php
+++ b/program/lib/Roundcube/html.php
@@ -35,6 +35,7 @@ class html
public static $common_attrib = array('id','class','style','title','align');
public static $containers = array('iframe','div','span','p','h1','h2','h3','form','textarea','table','thead','tbody','tr','th','td','style','script');
+
/**
* Constructor
*
@@ -332,7 +333,16 @@ class html
*/
public static function quote($str)
{
- return @htmlspecialchars($str, ENT_COMPAT, RCUBE_CHARSET);
+ static $flags;
+
+ if (!$flags) {
+ $flags = ENT_COMPAT;
+ if (defined('ENT_SUBSTITUTE')) {
+ $flags |= ENT_SUBSTITUTE;
+ }
+ }
+
+ return @htmlspecialchars($str, $flags, RCUBE_CHARSET);
}
}
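Review bot: The `ENT_SUBSTITUTE` branch in `quote()` only takes effect on PHP builds that define the constant. Where it is undefined, `htmlspecialchars()` still returns an empty string for input containing invalid byte sequences, and the `@` hides the warning, so the whole value silently disappears from the output. On that path the input could be cleaned first, e.g. `$str = rcube_charset::clean($str);`, assuming that helper (used by this commit in rcube_message_header.php) is loadable here. Separately, `ENT_COMPAT` leaves single quotes unescaped, so a short comment that the result is only safe in element content or double-quoted attributes would help callers.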
diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php
index 41a114f7f..69735fc52 100644
--- a/program/lib/Roundcube/rcube_message.php
+++ b/program/lib/Roundcube/rcube_message.php
@@ -85,12 +85,13 @@ class rcube_message
$this->headers = $this->storage->get_message($uid);
- if (!$this->headers)
+ if (!$this->headers) {
return;
+ }
$this->mime = new rcube_mime($this->headers->charset);
- $this->subject = $this->mime->decode_mime_string($this->headers->subject);
+ $this->subject = $this->headers->get('subject');
list(, $this->sender) = each($this->mime->decode_address_list($this->headers->from, 1));
$this->set_safe((intval($_GET['_safe']) || $_SESSION['safe_messages'][$this->folder.':'.$uid]));
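Review bot: Only the subject is switched to `$this->headers->get('subject')`; the sender on the next line still goes through `decode_address_list($this->headers->from, 1)`, and nothing visible in this hunk passes that result through `rcube_charset::clean()`. If `decode_address_list()` does not clean internally, a From header with invalid bytes would hit the same problem this commit fixes for the subject. Worth confirming, or adding a comment on that line stating where address values get cleaned. The constructor starts and ends outside this hunk.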
@@ -125,15 +126,11 @@ class rcube_message
*/
public function get_header($name, $raw = false)
{
- if (empty($this->headers))
+ if (empty($this->headers)) {
return null;
+ }
- if ($this->headers->$name)
- $value = $this->headers->$name;
- else if ($this->headers->others[$name])
- $value = $this->headers->others[$name];
-
- return $raw ? $value : $this->mime->decode_header($value);
+ return $this->headers->get($name, !$raw);
}
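Review bot: With `$raw = true`, `get_header()` now returns `$this->headers->get($name, false)`, which skips both decoding and the `rcube_charset::clean()` step added to `rcube_message_header::get()` in the last hunk, so raw values can still carry invalid byte sequences. The docblock above the method (it starts outside this hunk) should say so, e.g. `@param bool $raw True to return the undecoded, uncleaned value; clean it before passing it to output`. Callers that feed raw headers into `html::quote()` are then covered only by the `ENT_SUBSTITUTE` path.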
diff --git a/program/lib/Roundcube/rcube_message_header.php b/program/lib/Roundcube/rcube_message_header.php
index 274ae7f9f..2c5e2b6c8 100644
--- a/program/lib/Roundcube/rcube_message_header.php
+++ b/program/lib/Roundcube/rcube_message_header.php
@@ -215,7 +215,12 @@ class rcube_message_header
$value = $this->others[$name];
}
- return $decode ? rcube_mime::decode_header($value, $this->charset) : $value;
+ if ($decode) {
+ $value = rcube_mime::decode_header($value, $this->charset);
+ $value = rcube_charset::clean($value);
+ }
+
+ return $value;
}
/**
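Review bot: `rcube_charset::clean($value)` is called with only the value, which presumably relies on `decode_header()` having already converted it from `$this->charset` to the application charset; that dependency on call order is not stated in the code. A one-line comment would make it explicit, e.g. `// decode_header() converts to RCUBE_CHARSET; strip sequences that are still invalid in it`. The start of `get()`, including how `$value` is set when the header is absent, is outside this hunk.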