diff options
Diffstat (limited to 'program/steps/mail')
| -rw-r--r-- | program/steps/mail/compose.inc | 16 | ||||
| -rw-r--r-- | program/steps/mail/func.inc | 32 | ||||
| -rw-r--r-- | program/steps/mail/get.inc | 10 |
3 files changed, 31 insertions, 27 deletions
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 2330bc040..af84619f2 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -207,7 +207,10 @@ if (!empty($msg_uid) && empty($COMPOSE['as_attachment'])) if (!empty($MESSAGE->headers->charset)) $RCMAIL->storage->set_charset($MESSAGE->headers->charset); - if ($compose_mode == RCUBE_COMPOSE_REPLY) { + if (!$MESSAGE->headers) { + // error + } + else if ($compose_mode == RCUBE_COMPOSE_REPLY) { $COMPOSE['reply_uid'] = $msg_uid; $COMPOSE['reply_msgid'] = $MESSAGE->headers->messageID; $COMPOSE['references'] = trim($MESSAGE->headers->references . " " . $MESSAGE->headers->messageID); @@ -1000,10 +1003,19 @@ function rcmail_create_draft_body($body, $bodyIsHtml) && count($MESSAGE->mime_parts) > 0) { $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml); + } + + // clean up HTML tags - XSS prevention (#1489251) + if ($bodyIsHtml) { + $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); + + // remove comments (produced by washtml) + $body = preg_replace('/<!--[^>]+-->/', '', $body); // replace cid with href in inline images links - if ($cid_map) + if (!empty($cid_map)) { $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); + } } return $body; diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index a41e3ffeb..e14d25ee3 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -1783,8 +1783,14 @@ function rcmail_identity_select($MESSAGE, $identities = null, $compose_mode = 'r // Try Return-Path if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) { foreach ($identities as $idx => $ident) { + // Return-Path header contains an email address, but on some mailing list + // it can be e.g. <pear-dev-return-55250-local=domain.tld@lists.php.net> + // where local@domain.tld is the address we're looking for (#1489241) + $ident1 = $ident['email_ascii']; + $ident2 = str_replace('@', '=', $ident1); + foreach ((array)$return_path as $path) { - if (stripos($path, $ident['email_ascii']) !== false) { + if (stripos($path, $ident1) !== false || stripos($path, $ident2)) { $from_idx = $idx; break 2; } @@ -1792,27 +1798,13 @@ function rcmail_identity_select($MESSAGE, $identities = null, $compose_mode = 'r } } - // Fallback using Delivered-To - if ($from_idx === null && ($delivered_to = $MESSAGE->headers->others['delivered-to'])) { - foreach ($identities as $idx => $ident) { - if (in_array($ident['email_ascii'], (array)$delivered_to)) { - $from_idx = $idx; - break; - } - } - } + // See identity_select plugin for example usage of this hook + $plugin = rcmail::get_instance()->plugins->exec_hook('identity_select', + array('message' => $MESSAGE, 'identities' => $identities, 'selected' => $from_idx)); - // Fallback using Envelope-To - if ($from_idx === null && ($envelope_to = $MESSAGE->headers->others['envelope-to'])) { - foreach ($identities as $idx => $ident) { - if (in_array($ident['email_ascii'], (array)$envelope_to)) { - $from_idx = $idx; - break; - } - } - } + $selected = $plugin['selected']; - return $identities[$from_idx !== null ? $from_idx : $default_identity]; + return $identities[$selected !== null ? $selected : $default_identity]; } // Fixes some content-type names diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index a27e788a3..e0c4e2911 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -134,7 +134,7 @@ else if (strlen($part_id)) { $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']); // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension - if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || $mimetype == 'text/plain') { + if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) { if ($part->body) // part body is already loaded $body = $part->body; else if ($part->size && $part->size < 1024*1024) // load the entire part if it's small enough @@ -189,8 +189,8 @@ else if (strlen($part_id)) { rcube_label(array( 'name' => 'attachmentvalidationerror', 'vars' => array( - 'expected' => $mimetype . ($file_extension ? "(.$file_extension)" : ''), - 'detected' => $real_mimetype . ($extensions[0] ? "(.$extensions[0])" : ''), + 'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''), + 'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''), ) )) . html::p(array('class' => 'rcmail-inline-buttons'), @@ -233,7 +233,6 @@ else if (strlen($part_id)) { header("Content-Transfer-Encoding: binary"); } - // deliver part content if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($plugin['download'])) { // Check if we have enough memory to handle the message in it @@ -358,7 +357,8 @@ else if (strlen($part_id)) { header("Content-Length: $size"); } - $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, true); + // 8th argument disables re-formatting of text/* parts (#1489267) + $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, true, null, false, 0, false); } } |