1 files changed, 46 insertions, 27 deletions

diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index fddb40ae8..372757720 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -22,7 +22,7 @@
 
 // show loading page
 if (!empty($_GET['_preload'])) {
-  $url = preg_replace('/([&?]+)_preload=/', '\\1_embed=', $_SERVER['REQUEST_URI']);
+  $url = preg_replace('/([&?]+)_preload=/', '\\1_mimewarning=1&_embed=', $_SERVER['REQUEST_URI']);
   $message = rcube_label('loadingdata');
 
   header('Content-Type: text/html; charset=' . RCMAIL_CHARSET);
@@ -60,11 +60,12 @@ else if ($_GET['_thumb']) {
   $pid = get_input_value('_part', RCUBE_INPUT_GET);
   if ($part = $MESSAGE->mime_parts[$pid]) {
     $thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240);
-    $temp_dir = $RCMAIL->config->get('temp_dir');
-    list(,$ext) = explode('/', $part->mimetype);
-    $cache_basename = $temp_dir . '/' . md5($MESSAGE->headers->messageID . $part->mime_id . ':' . $RCMAIL->user->ID . ':' . $thumbnail_size);
-    $cache_file = $cache_basename . '.' . $ext;
-    $mimetype = $part->mimetype;
+    $temp_dir       = $RCMAIL->config->get('temp_dir');
+    list(,$ext)     = explode('/', $part->mimetype);
+    $mimetype       = $part->mimetype;
+    $file_ident     = $MESSAGE->headers->messageID . ':' . $part->mime_id . ':' . $part->size . ':' . $part->mimetype;
+    $cache_basename = $temp_dir . '/' . md5($file_ident . ':' . $RCMAIL->user->ID . ':' . $thumbnail_size);
+    $cache_file     = $cache_basename . '.' . $ext;
 
     // render thumbnail image if not done yet
     if (!is_file($cache_file)) {
@@ -73,7 +74,7 @@ else if ($_GET['_thumb']) {
       fclose($fp);
 
       $image = new rcube_image($orig_name);
-      if ($imgtype = $image->resize($RCMAIL->config->get('image_thumbnail_size', 240), $cache_file, true)) {
+      if ($imgtype = $image->resize($thumbnail_size, $cache_file, true)) {
         $mimetype = 'image/' . $imgtype;
         unlink($orig_name);
       }
@@ -94,9 +95,7 @@ else if ($_GET['_thumb']) {
 else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
 
   if ($part = $MESSAGE->mime_parts[$pid]) {
-    $ctype_primary = strtolower($part->ctype_primary);
-    $ctype_secondary = strtolower($part->ctype_secondary);
-    $mimetype = sprintf('%s/%s', $ctype_primary, $ctype_secondary);
+    $mimetype = rcmail_fix_mimetype($part->mimetype);
 
     // allow post-processing of the message body
     $plugin = $RCMAIL->plugins->exec_hook('message_part_get',
@@ -106,7 +105,7 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
       exit;
 
     // overwrite modified vars from plugin
-    $mimetype = $plugin['mimetype'];
+    $mimetype   = $plugin['mimetype'];
     $extensions = rcube_mime::get_mime_extensions($mimetype);
 
     if ($plugin['body'])
@@ -118,10 +117,10 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
       $file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION));
 
       // 1. compare filename suffix with expected suffix derived from mimetype
-      $valid = $file_extension && in_array($file_extension, (array)$extensions);
+      $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']);
 
       // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension
-      if ($valid || !$file_extension || $mimetype == 'application/octet-stream') {
+      if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || $mimetype == 'text/plain') {
         if ($part->body)  // part body is already loaded
           $body = $part->body;
         else if ($part->size && $part->size < 1024*1024)   // load the entire part if it's small enough
@@ -133,6 +132,10 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
         $real_mimetype = rcube_mime::file_content_type($body, $part->filename, $mimetype, true, true);
         list($real_ctype_primary, $real_ctype_secondary) = explode('/', $real_mimetype);
 
+        // accept text/plain with any extension
+        if ($real_mimetype == 'text/plain' && $real_mimetype == $mimetype)
+          $file_extension = 'txt';
+
         // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here
         if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0)
           $real_mimetype = $mimetype;
@@ -141,6 +144,10 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
         $extensions = rcube_mime::get_mime_extensions($real_mimetype);
         $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions));
 
+        // ignore filename extension if mimeclass matches (#1489029)
+        if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass'])
+          $valid_extension = true;
+
         // fix mimetype for images wrongly declared as octet-stream
         if ($mimetype == 'application/octet-stream' && strpos($real_mimetype, 'image/') === 0 && $valid_extension)
           $mimetype = $real_mimetype;
@@ -153,19 +160,32 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
 
       // show warning if validity checks failed
       if (!$valid) {
-        $OUTPUT = new rcmail_html_page();
-        $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed',
-          html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'),
-            rcube_label(array(
-              'name' => 'attachmentvalidationerror',
-              'vars' => array('expected' => "$mimetype (.$file_extension)", 'detected' => "$real_mimetype (.$extensions[0])")
-            )) .
-            html::p(array('class' => 'rcmail-inline-buttons'),
-              html::tag('button',
-                array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"),
-                rcube_label('showanyway')))
-            )
-        )));
+        // send blocked.gif for expected images
+        if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) {
+          // Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed. 
+          $OUTPUT->nocacheing_headers();
+          header("Content-Type: image/gif");
+          header("Content-Transfer-Encoding: binary");
+          readfile(INSTALL_PATH . 'program/resources/blocked.gif');
+        }
+        else {  // html warning with a button to load the file anyway
+          $OUTPUT = new rcmail_html_page();
+          $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed',
+            html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'),
+              rcube_label(array(
+                'name' => 'attachmentvalidationerror',
+                'vars' => array(
+                  'expected' => $mimetype . ($file_extension ? "(.$file_extension)" : ''),
+                  'detected' => $real_mimetype . ($extensions[0] ? "(.$extensions[0])" : ''),
+                )
+              )) .
+              html::p(array('class' => 'rcmail-inline-buttons'),
+                html::tag('button',
+                  array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"),
+                  rcube_label('showanyway')))
+              )
+          )));
+        }
         exit;
       }
     }
@@ -195,7 +215,6 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
       header("Content-Type: text/$ctype_secondary; charset=" . ($part->charset ? $part->charset : RCMAIL_CHARSET));
     }
     else {
-      $mimetype = rcmail_fix_mimetype($mimetype);
       header("Content-Type: $mimetype");
       header("Content-Transfer-Encoding: binary");
     }