diff options
| author | Aleksander Machniak <alec@alec.pl> | 2015-02-19 13:43:43 +0100 |
|---|---|---|
| committer | Aleksander Machniak <alec@alec.pl> | 2015-02-19 13:43:43 +0100 |
| commit | 4a2a62de30eae35398dc1e6fcca99c469dd218e6 (patch) | |
| tree | fc2bdcce6255ea535c055babe97b5b02904a0a77 /program | |
| parent | 50b04366ee7472272e2576d17c609e1d26345221 (diff) | |
Fix needless security warning on BMP attachments display (#1490282)
Diffstat (limited to 'program')
| -rw-r--r-- | program/steps/mail/func.inc | 9 | ||||
| -rw-r--r-- | program/steps/mail/get.inc | 9 |
2 files changed, 14 insertions, 4 deletions
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 48d989954..c45fd2f97 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -1959,9 +1959,16 @@ function rcmail_identity_select($MESSAGE, $identities = null, $compose_mode = 'r // Fixes some content-type names function rcmail_fix_mimetype($name) { + $map = array( + 'image/x-ms-bmp' => 'image/bmp', // #1490282 + ); + + if ($alias = $map[strtolower($name)]) { + $name = $alias; + } // Some versions of Outlook create garbage Content-Type: // application/pdf.A520491B_3BF7_494D_8855_7FAC2C6C0608 - if (preg_match('/^application\/pdf.+/', $name)) { + else if (preg_match('/^application\/pdf.+/', $name)) { $name = 'application/pdf'; } // treat image/pjpeg (image/pjpg, image/jpg) as image/jpeg (#1489097) diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index 256af52b7..02ec5a4ac 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -138,7 +138,7 @@ else if (strlen($part_id)) { $file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION)); // 1. compare filename suffix with expected suffix derived from mimetype - $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']); + $valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']); // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) { @@ -164,7 +164,7 @@ else if (strlen($part_id)) { else { // get valid file extensions $extensions = rcube_mime::get_mime_extensions($real_mimetype); - $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions)); + $valid_extension = !$file_extension || in_array($file_extension, (array)$extensions); } // fix mimetype for images wrongly declared as octet-stream @@ -172,7 +172,10 @@ else if (strlen($part_id)) { $mimetype = $real_mimetype; } - $valid = ($real_mimetype == $mimetype && $valid_extension); + // "fix" real mimetype the same way the original is before comparison + $real_mimetype = rcmail_fix_mimetype($real_mimetype); + + $valid = $real_mimetype == $mimetype && $valid_extension; } else { $real_mimetype = $mimetype; |