diff options
author | Thomas Bruederli <thomas@roundcube.net> | 2013-03-27 17:05:54 +0100 |
---|---|---|
committer | Thomas Bruederli <thomas@roundcube.net> | 2013-03-27 17:07:28 +0100 |
commit | a8ca51718b7652d3351978a622a2302f3daae91c (patch) | |
tree | 9c0cc3c3f192c3e6e3194fe72288de99b1a5140e /program | |
parent | e1d9b4824c1e5750dfbf51dc1c8b2d54cf0895c3 (diff) |
Sanity check the file path for generic message footer before adding it
Diffstat (limited to 'program')
-rw-r--r-- | program/steps/mail/sendmail.inc | 40 |
1 files changed, 29 insertions, 11 deletions
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index 6b5dcbcc9..25537f313 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -213,6 +213,33 @@ function rcmail_email_input_format($mailto, $count=false, $check=true) } +function rcmail_generic_message_footer($isHtml) +{ + global $CONFIG; + + if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) { + $file = $CONFIG['generic_message_footer_html']; + $html_footer = true; + } + else { + $file = $CONFIG['generic_message_footer']; + $html_footer = false; + } + + if ($file && realpath($file)) { + // sanity check + if (!preg_match('/\.(php|ini|conf)$/', $file) && strpos($file, '/etc/') === false) { + $footer = file_get_contents($file); + if ($isHtml && !$html_footer) + $footer = '<pre>' . $footer . '</pre>'; + return $footer; + } + } + + return false; +} + + /****** compose message ********/ if (strlen($_POST['_draft_saveid']) > 3) @@ -449,19 +476,10 @@ if (!$savedraft) { } // generic footer for all messages - if ($isHtml && !empty($CONFIG['generic_message_footer_html'])) { - $footer = file_get_contents(realpath($CONFIG['generic_message_footer_html'])); - $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset); - } - else if (!empty($CONFIG['generic_message_footer'])) { - $footer = file_get_contents(realpath($CONFIG['generic_message_footer'])); + if ($footer = rcmail_generic_message_footer($isHtml)) { $footer = rcube_charset_convert($footer, RCMAIL_CHARSET, $message_charset); - if ($isHtml) - $footer = '<pre>'.$footer.'</pre>'; - } - - if ($footer) $message_body .= "\r\n" . $footer; + } } if ($isHtml) { |