author | thomascube <thomas@roundcube.net> | 2007-08-10 08:27:40 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2007-08-10 08:27:40 +0000 |
commit | 719a257f0c8fd750a4984ed56273dc653565729e (patch) | |
tree | 2707636618edff63d691180a99a48cbdda350703 /program/steps | |
parent | 4b9efbb9f49911b17bde2d46b86df825e987101e (diff) |
Some bugfixes, security issues + minor improvements
Diffstat (limited to 'program/steps')
-rw-r--r-- | program/steps/mail/func.inc | 28 | ||||
-rw-r--r-- | program/steps/mail/get.inc | 4 | ||||
-rw-r--r-- | program/steps/mail/show.inc | 2 | ||||
-rw-r--r-- | program/steps/settings/manage_folders.inc | 4 |
4 files changed, 21 insertions, 17 deletions
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 8c5f987c3..730606265 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -646,6 +646,7 @@ function rcmail_parse_message(&$structure, $arg=array(), $recursive=FALSE) foreach ($structure->parts as $p => $sub_part) { + $rel_parts = $attachmnts = null; $sub_ctype_primary = strtolower($sub_part->ctype_primary); $sub_ctype_secondary = strtolower($sub_part->ctype_secondary); @@ -656,19 +657,22 @@ function rcmail_parse_message(&$structure, $arg=array(), $recursive=FALSE) $html_part = $p; else if ($sub_ctype_primary=='text' && $sub_ctype_secondary=='enriched') $enriched_part = $p; - else if ($sub_ctype_primary=='multipart' && $sub_ctype_secondary=='related') + else if ($sub_ctype_primary=='multipart' && ($sub_ctype_secondary=='related' || $sub_ctype_secondary=='mixed')) $related_part = $p; } - + // parse related part (alternative part could be in here) - if ($related_part!==NULL && $prefer_html) - { - list($parts, $attachmnts) = rcmail_parse_message($structure->parts[$related_part], $arg, TRUE); - $a_return_parts = array_merge($a_return_parts, $parts); + if ($related_part!==NULL) + { + list($rel_parts, $attachmnts) = rcmail_parse_message($structure->parts[$related_part], $arg, TRUE); $a_attachments = array_merge($a_attachments, $attachmnts); - } + } + + // merge related parts if any + if ($rel_parts && $prefer_html && !$html_part) + $a_return_parts = array_merge($a_return_parts, $rel_parts); - // print html/plain part + // choose html/plain part to print else if ($html_part!==NULL && $prefer_html) $print_part = &$structure->parts[$html_part]; else if ($enriched_part!==NULL) @@ -683,7 +687,7 @@ function rcmail_parse_message(&$structure, $arg=array(), $recursive=FALSE) $a_return_parts[] = $print_part; } // show plaintext warning - else if ($html_part!==NULL) + else if ($html_part!==NULL && empty($a_return_parts)) { $c = new stdClass; $c->type = 'content'; 
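Review bot: In rcmail_parse_message, the new `!$html_part` test treats an HTML part at index 0 as missing, because `$html_part` holds the loop key `$p` and every other check in this chain compares it with `!==NULL`. If `$structure->parts` is zero-indexed (its construction is outside this hunk), a message whose first sub-part is text/html would have the related parts merged and would skip the `else if` that selects the HTML part. `if ($rel_parts && $prefer_html && $html_part===NULL)` keeps the test consistent with the rest of the chain. The `else if` chain that follows now hangs off the "merge related parts" `if` with a comment sitting between the two, so braces or a reworded comment would make that coupling visible. The function starts before and ends after this hunk.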
@@ -913,8 +917,8 @@ function rcmail_message_body($attrib) $ctype_secondary = strtolower($MESSAGE['structure']->ctype_secondary); // list images after mail body - if (get_boolean($attrib['showimages']) && $ctype_primary=='multipart' && $ctype_secondary=='mixed' && - sizeof($MESSAGE['attachments']) && !strstr($message_body, '<html') && strlen($GET_URL)) + if (get_boolean($attrib['showimages']) && $ctype_primary=='multipart' && + !empty($MESSAGE['attachments']) && !strstr($message_body, '<html') && strlen($GET_URL)) { foreach ($MESSAGE['attachments'] as $attach_prop) { @@ -1239,7 +1243,7 @@ function rcmail_message_part_frame($attrib) $part = $MESSAGE['parts'][$_GET['_part']]; $ctype_primary = strtolower($part->ctype_primary); - $attrib['src'] = './?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING']); + $attrib['src'] = Q('./?'.str_replace('_frame=', ($ctype_primary=='text' ? '_show=' : '_preload='), $_SERVER['QUERY_STRING'])); $attrib_str = create_attrib_string($attrib, array('id', 'class', 'style', 'src', 'width', 'height')); $out = '<iframe '. $attrib_str . "></iframe>"; diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index 11688f125..cbf8e0c88 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -29,7 +29,7 @@ if ($_GET['_preload']) $message = rcube_label('loadingdata'); print "<html>\n<head>\n" . - '<meta http-equiv="refresh" content="0; url='.htmlspecialchars($url).'">' . + '<meta http-equiv="refresh" content="0; url='.Q($url).'">' . "\n</head>\n<body>" . $message . "\n</body>\n</html>"; @@ -107,7 +107,7 @@ else if ($pid = get_input_value('_part', RCUBE_INPUT_GET)) else { header(sprintf('Content-Disposition: %s; filename="%s";', - $part->disposition ? $part->disposition : 'attachment', + $_GET['_download'] ? 'attachment' : 'inline', $part->filename ? $part->filename : "roundcube.$ctype_secondary")); // turn off output buffering and print part content 
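Review bot: The `!strstr($message_body, '<html')` test in the rewritten condition of rcmail_message_body is case-sensitive, so a body containing `<HTML` is treated as non-HTML and the image list is appended to it, unless the body is normalised earlier (not visible here). `!stristr($message_body, '<html')` covers both spellings. Dropping the `$ctype_secondary=='mixed'` check also widens this branch to every multipart type, which deserves a word in the `// list images after mail body` comment.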
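Review bot: In rcmail_message_part_frame, the `src` value is escaped with `Q()` before it is handed to `create_attrib_string()`, so the result is correct only if that helper writes attribute values verbatim; its body is not in this hunk. If the helper escapes as well, every `&` in the query string ends up double-encoded and the framed URL breaks. A one-line comment would record the reason for the call, for example `// QUERY_STRING is client-controlled and ends up in an HTML attribute`. The line above also indexes `$MESSAGE['parts']` with the raw `$_GET['_part']`, so `$part` may be unset when `ctype_primary` is read.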
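Review bot: `Q($url)` in the meta refresh tag of get.inc only keeps the value from breaking out of the `content` attribute; it does not constrain where the refresh goes. `$url` is built above this hunk, so whether it derives from the request cannot be told from here; if it does, it should be checked to be a relative URL of this application before it is printed. A short comment at the `print` saying where `$url` comes from would make that assumption reviewable.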
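Review bot: In get.inc's Content-Disposition header, every part is now served `inline` unless `_download` is set, so the content type declared in the message alone decides whether the browser renders the part inside the webmail origin. Whether that is safe depends on the Content-Type header sent above this hunk, which is not visible here; if types such as text/html pass through unchanged, a mailed attachment would be rendered as active content. I would keep `attachment` as the default and return `inline` only for a short list of types that cannot carry script. Separately, `$_GET['_download']` is read without a presence check; `!empty($_GET['_download']) ? 'attachment' : 'inline'` avoids the undefined-index notice. The `$part->filename` placed inside the quoted `filename=` value also comes from the message and is not escaped for `"`.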
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index 6c247aea9..e25da03a6 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc @@ -48,7 +48,7 @@ if ($_GET['_uid']) // allow caching, unless remote images are present if ((bool)get_input_value('_safe', RCUBE_INPUT_GET)) send_nocacheing_headers(); - else + else if (empty($CONFIG['devel_mode'])) send_modified_header($_SESSION['login_time'], $etag); $MESSAGE['subject'] = rcube_imap::decode_mime_string($MESSAGE['headers']->subject, $MESSAGE['headers']->charset); diff --git a/program/steps/settings/manage_folders.inc b/program/steps/settings/manage_folders.inc index 150b7cd72..b08d9ccc9 100644 --- a/program/steps/settings/manage_folders.inc +++ b/program/steps/settings/manage_folders.inc @@ -27,7 +27,7 @@ rcmail_imap_init(TRUE); if ($_action=='subscribe') { if ($mboxes = get_input_value('_mboxes', RCUBE_INPUT_POST)) - $IMAP->subscribe(array($mboxes)); + $IMAP->subscribe($mboxes); if ($OUTPUT->ajax_call) $OUTPUT->remote_response('// subscribed'); @@ -37,7 +37,7 @@ if ($_action=='subscribe') else if ($_action=='unsubscribe') { if ($mboxes = get_input_value('_mboxes', RCUBE_INPUT_POST)) - $IMAP->unsubscribe(array($mboxes)); + $IMAP->unsubscribe($mboxes); if ($OUTPUT->ajax_call) $OUTPUT->remote_response('// unsubscribed'); |
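Review bot: The comment above this branch in show.inc still reads `// allow caching, unless remote images are present`, but the `send_modified_header()` path is now also skipped when `devel_mode` is set. Suggest `// allow caching, unless remote images are present or devel_mode is on`. With `devel_mode` set and `_safe` absent, neither header function is called; if the intent is to disable caching while developing, calling `send_nocacheing_headers()` in that case would say so explicitly.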
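Review bot: `$IMAP->subscribe($mboxes)` in manage_folders.inc now passes the POSTed `_mboxes` value through in whatever shape the client sent it, where `array($mboxes)` always produced an array. If `get_input_value()` can return either a string or an array for this field (not visible here), `subscribe()` must accept both; should the method expect a list, `(array)$mboxes` at the call site would pin the type. The same applies to the `unsubscribe` hunk that follows. A short comment naming the expected format of `_mboxes` would document the contract.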