1 files changed, 105 insertions, 31 deletions

diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 23dc22b7c..a27e788a3 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -22,7 +22,7 @@
 
 // show loading page
 if (!empty($_GET['_preload'])) {
-  $url = preg_replace('/([&?]+)_preload=/', '\\1_embed=', $_SERVER['REQUEST_URI']);
+  $url = preg_replace('/([&?]+)_preload=/', '\\1_mimewarning=1&_embed=', $_SERVER['REQUEST_URI']);
   $message = rcube_label('loadingdata');
 
   header('Content-Type: text/html; charset=' . RCMAIL_CHARSET);
@@ -38,19 +38,34 @@ ob_end_clean();
 
 // similar code as in program/steps/mail/show.inc
 if (!empty($_GET['_uid'])) {
+  $uid = get_input_value('_uid', RCUBE_INPUT_GET);
   $RCMAIL->config->set('prefer_html', true);
-  $MESSAGE = new rcube_message(get_input_value('_uid', RCUBE_INPUT_GET));
+  $MESSAGE = new rcube_message($uid);
 }
 
 // check connection status
 check_storage_status();
 
+$part_id = get_input_value('_part', RCUBE_INPUT_GPC);
+
 // show part page
 if (!empty($_GET['_frame'])) {
-  if (($part_id = get_input_value('_part', RCUBE_INPUT_GPC)) && ($part = $MESSAGE->mime_parts[$part_id])) {
-    $OUTPUT->set_pagetitle(rcmail_attachment_name($part));
+  if ($part_id && ($part = $MESSAGE->mime_parts[$part_id])) {
+    $filename = rcmail_attachment_name($part);
+    $OUTPUT->set_pagetitle($filename);
   }
 
+  // register UI objects
+  $OUTPUT->add_handlers(array(
+    'messagepartframe'    => 'rcmail_message_part_frame',
+    'messagepartcontrols' => 'rcmail_message_part_controls',
+  ));
+
+  $OUTPUT->set_env('mailbox', $RCMAIL->storage->get_folder());
+  $OUTPUT->set_env('uid', $uid);
+  $OUTPUT->set_env('part', $part_id);
+  $OUTPUT->set_env('filename', $filename);
+
   $OUTPUT->send('messagepart');
   exit;
 }
@@ -62,9 +77,10 @@ else if ($_GET['_thumb']) {
     $thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240);
     $temp_dir       = $RCMAIL->config->get('temp_dir');
     list(,$ext)     = explode('/', $part->mimetype);
-    $cache_basename = $temp_dir . '/' . md5($MESSAGE->headers->messageID . $part->mime_id . ':' . $RCMAIL->user->ID . ':' . $thumbnail_size);
-    $cache_file     = $cache_basename . '.' . $ext;
     $mimetype       = $part->mimetype;
+    $file_ident     = $MESSAGE->headers->messageID . ':' . $part->mime_id . ':' . $part->size . ':' . $part->mimetype;
+    $cache_basename = $temp_dir . '/' . md5($file_ident . ':' . $RCMAIL->user->ID . ':' . $thumbnail_size);
+    $cache_file     = $cache_basename . '.' . $ext;
 
     // render thumbnail image if not done yet
     if (!is_file($cache_file)) {
@@ -91,12 +107,9 @@ else if ($_GET['_thumb']) {
   exit;
 }
 
-else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
-
-  if ($part = $MESSAGE->mime_parts[$pid]) {
-    $ctype_primary = strtolower($part->ctype_primary);
-    $ctype_secondary = strtolower($part->ctype_secondary);
-    $mimetype = sprintf('%s/%s', $ctype_primary, $ctype_secondary);
+else if (strlen($part_id)) {
+  if ($part = $MESSAGE->mime_parts[$part_id]) {
+    $mimetype = rcmail_fix_mimetype($part->mimetype);
 
     // allow post-processing of the message body
     $plugin = $RCMAIL->plugins->exec_hook('message_part_get',
@@ -106,7 +119,7 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
       exit;
 
     // overwrite modified vars from plugin
-    $mimetype = $plugin['mimetype'];
+    $mimetype   = $plugin['mimetype'];
     $extensions = rcube_mime::get_mime_extensions($mimetype);
 
     if ($plugin['body'])
@@ -118,7 +131,7 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
       $file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION));
 
       // 1. compare filename suffix with expected suffix derived from mimetype
-      $valid = $file_extension && in_array($file_extension, (array)$extensions);
+      $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']);
 
       // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension
       if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || $mimetype == 'text/plain') {
@@ -145,6 +158,10 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
         $extensions = rcube_mime::get_mime_extensions($real_mimetype);
         $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions));
 
+        // ignore filename extension if mimeclass matches (#1489029)
+        if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass'])
+          $valid_extension = true;
+
         // fix mimetype for images wrongly declared as octet-stream
         if ($mimetype == 'application/octet-stream' && strpos($real_mimetype, 'image/') === 0 && $valid_extension)
           $mimetype = $real_mimetype;
@@ -157,22 +174,32 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
 
       // show warning if validity checks failed
       if (!$valid) {
-        $OUTPUT = new rcmail_html_page();
-        $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed',
-          html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'),
-            rcube_label(array(
-              'name' => 'attachmentvalidationerror',
-              'vars' => array(
-                'expected' => $mimetype . ($file_extension ? "(.$file_extension)" : ''),
-                'detected' => $real_mimetype . ($extensions[0] ? "(.$extensions[0])" : ''),
+        // send blocked.gif for expected images
+        if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) {
+          // Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed. 
+          $OUTPUT->nocacheing_headers();
+          header("Content-Type: image/gif");
+          header("Content-Transfer-Encoding: binary");
+          readfile(INSTALL_PATH . 'program/resources/blocked.gif');
+        }
+        else {  // html warning with a button to load the file anyway
+          $OUTPUT = new rcmail_html_page();
+          $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed',
+            html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'),
+              rcube_label(array(
+                'name' => 'attachmentvalidationerror',
+                'vars' => array(
+                  'expected' => $mimetype . ($file_extension ? "(.$file_extension)" : ''),
+                  'detected' => $real_mimetype . ($extensions[0] ? "(.$extensions[0])" : ''),
+                )
+              )) .
+              html::p(array('class' => 'rcmail-inline-buttons'),
+                html::tag('button',
+                  array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"),
+                  rcube_label('showanyway')))
               )
-            )) .
-            html::p(array('class' => 'rcmail-inline-buttons'),
-              html::tag('button',
-                array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"),
-                rcube_label('showanyway')))
-            )
-        )));
+          )));
+        }
         exit;
       }
     }
@@ -202,7 +229,6 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) {
       header("Content-Type: text/$ctype_secondary; charset=" . ($part->charset ? $part->charset : RCMAIL_CHARSET));
     }
     else {
-      $mimetype = rcmail_fix_mimetype($mimetype);
       header("Content-Type: $mimetype");
       header("Content-Transfer-Encoding: binary");
     }
@@ -366,7 +392,9 @@ else {
 header('HTTP/1.1 404 Not Found');
 exit;
 
-
+/**
+ * Handles nicely storage connection errors
+ */
 function check_storage_status()
 {
     $error = rcmail::get_instance()->storage->get_error_code();
@@ -398,3 +426,49 @@ function check_storage_status()
         exit;
     }
 }
+
+/**
+ * Attachment properties table
+ */
+function rcmail_message_part_controls($attrib)
+{
+    global $MESSAGE, $RCMAIL;
+
+    $part = asciiwords(get_input_value('_part', RCUBE_INPUT_GPC));
+    if (!is_object($MESSAGE) || !is_array($MESSAGE->parts)
+        || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE->mime_parts[$part]
+    ) {
+        return '';
+    }
+
+    $part  = $MESSAGE->mime_parts[$part];
+    $table = new html_table(array('cols' => 2));
+
+    $table->add('title', Q(rcube_label('namex')).':');
+    $table->add('header', Q(rcmail_attachment_name($part)));
+
+    $table->add('title', Q(rcube_label('type')).':');
+    $table->add('header', Q($part->mimetype));
+
+    $table->add('title', Q(rcube_label('size')).':');
+    $table->add('header', Q($RCMAIL->message_part_size($part)));
+
+    return $table->show($attrib);
+}
+
+/**
+ * Attachment preview frame
+ */
+function rcmail_message_part_frame($attrib)
+{
+    global $MESSAGE, $RCMAIL;
+
+    $part = $MESSAGE->mime_parts[asciiwords(get_input_value('_part', RCUBE_INPUT_GPC))];
+    $ctype_primary = strtolower($part->ctype_primary);
+
+    $attrib['src'] = './?' . str_replace('_frame=', ($ctype_primary=='text' ? '_embed=' : '_preload='), $_SERVER['QUERY_STRING']);
+
+    $RCMAIL->output->add_gui_object('messagepartframe', $attrib['id']);
+
+    return html::iframe($attrib);
+}