diff options
Diffstat (limited to 'program')
| -rw-r--r-- | program/include/rcmail_output_html.php | 4 | ||||
| -rw-r--r-- | program/lib/Roundcube/html.php | 2 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube.php | 4 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube_charset.php | 14 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube_image.php | 4 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube_imap.php | 20 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube_imap_generic.php | 2 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube_message.php | 6 | ||||
| -rw-r--r-- | program/lib/Roundcube/rcube_storage.php | 2 | ||||
| -rw-r--r-- | program/steps/mail/compose.inc | 16 | ||||
| -rw-r--r-- | program/steps/mail/func.inc | 32 | ||||
| -rw-r--r-- | program/steps/mail/get.inc | 10 | ||||
| -rw-r--r-- | program/steps/settings/edit_identity.inc | 3 | ||||
| -rw-r--r-- | program/steps/settings/func.inc | 2 | ||||
| -rw-r--r-- | program/steps/settings/save_identity.inc | 46 |
15 files changed, 112 insertions, 55 deletions
diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php index 998779509..a2ec29ca3 100644 --- a/program/include/rcmail_output_html.php +++ b/program/include/rcmail_output_html.php @@ -1531,9 +1531,9 @@ class rcmail_output_html extends rcmail_output $input_action = new html_hiddenfield(array('name' => '_action', 'value' => 'login')); $input_tzone = new html_hiddenfield(array('name' => '_timezone', 'id' => 'rcmlogintz', 'value' => '_default_')); $input_url = new html_hiddenfield(array('name' => '_url', 'id' => 'rcmloginurl', 'value' => $url)); - $input_user = new html_inputfield(array('name' => '_user', 'id' => 'rcmloginuser') + $input_user = new html_inputfield(array('name' => '_user', 'id' => 'rcmloginuser', 'required' => 'required') + $attrib + $user_attrib); - $input_pass = new html_passwordfield(array('name' => '_pass', 'id' => 'rcmloginpwd') + $input_pass = new html_passwordfield(array('name' => '_pass', 'id' => 'rcmloginpwd', 'required' => 'required') + $attrib + $pass_attrib); $input_host = null; diff --git a/program/lib/Roundcube/html.php b/program/lib/Roundcube/html.php index 3e6e47a56..a36711281 100644 --- a/program/lib/Roundcube/html.php +++ b/program/lib/Roundcube/html.php @@ -358,7 +358,7 @@ class html_inputfield extends html protected $tagname = 'input'; protected $type = 'text'; protected $allowed = array( - 'type','name','value','size','tabindex','autocapitalize', + 'type','name','value','size','tabindex','autocapitalize','required', 'autocomplete','checked','onchange','onclick','disabled','readonly', 'spellcheck','results','maxlength','src','multiple','accept', 'placeholder','autofocus', diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php index ce97cd0a5..e0f889a87 100644 --- a/program/lib/Roundcube/rcube.php +++ b/program/lib/Roundcube/rcube.php @@ -498,11 +498,11 @@ class rcube if ($tmp && ($dir = opendir($tmp))) { while (($fname = readdir($dir)) !== false) { - if ($fname{0} == '.') { + if ($fname[0] == '.') { continue; } - if (filemtime($tmp.'/'.$fname) < $expire) { + if (@filemtime($tmp.'/'.$fname) < $expire) { @unlink($tmp.'/'.$fname); } } diff --git a/program/lib/Roundcube/rcube_charset.php b/program/lib/Roundcube/rcube_charset.php index a7f26a3f4..19dbf6cbc 100644 --- a/program/lib/Roundcube/rcube_charset.php +++ b/program/lib/Roundcube/rcube_charset.php @@ -674,23 +674,27 @@ class rcube_charset // Prioritize charsets according to current language (#1485669) switch ($language) { - case 'ja_JP': // for Japanese + case 'ja_JP': $prio = array('ISO-2022-JP', 'JIS', 'UTF-8', 'EUC-JP', 'eucJP-win', 'SJIS', 'SJIS-win'); break; - case 'zh_CN': // for Chinese (Simplified) - case 'zh_TW': // for Chinese (Traditional) + case 'zh_CN': + case 'zh_TW': $prio = array('UTF-8', 'BIG-5', 'GB2312', 'EUC-TW'); break; - case 'ko_KR': // for Korean + case 'ko_KR': $prio = array('UTF-8', 'EUC-KR', 'ISO-2022-KR'); break; - case 'ru_RU': // for Russian + case 'ru_RU': $prio = array('UTF-8', 'WINDOWS-1251', 'KOI8-R'); break; + case 'tr_TR': + $prio = array('UTF-8', 'ISO-8859-9', 'WINDOWS-1254'); + break; + default: $prio = array('UTF-8', 'SJIS', 'GB2312', 'ISO-8859-1', 'ISO-8859-2', 'ISO-8859-3', 'ISO-8859-4', diff --git a/program/lib/Roundcube/rcube_image.php b/program/lib/Roundcube/rcube_image.php index 09bb4e81b..c9a555300 100644 --- a/program/lib/Roundcube/rcube_image.php +++ b/program/lib/Roundcube/rcube_image.php @@ -124,7 +124,7 @@ class rcube_image $p['-opts'] = array('-resize' => $p['size'].'>'); if (in_array($type, explode(',', $p['types']))) { // Valid type? - $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace RGB -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p); + $result = rcube::exec($convert . ' 2>&1 -flatten -auto-orient -colorspace sRGB -strip -quality {quality} {-opts} {intype}:{in} {type}:{out}', $p); } if ($result === '') { @@ -230,7 +230,7 @@ class rcube_image $p['out'] = $filename; $p['type'] = self::$extensions[$type]; - $result = rcube::exec($convert . ' 2>&1 -colorspace RGB -quality 75 {in} {type}:{out}', $p); + $result = rcube::exec($convert . ' 2>&1 -colorspace sRGB -strip -quality 75 {in} {type}:{out}', $p); if ($result === '') { @chmod($filename, 0600); diff --git a/program/lib/Roundcube/rcube_imap.php b/program/lib/Roundcube/rcube_imap.php index b60aefc5f..c5346c8aa 100644 --- a/program/lib/Roundcube/rcube_imap.php +++ b/program/lib/Roundcube/rcube_imap.php @@ -2092,17 +2092,18 @@ class rcube_imap extends rcube_storage /** * Fetch message body of a specific message from the server * - * @param int $uid Message UID - * @param string $part Part number - * @param rcube_message_part $o_part Part object created by get_structure() - * @param mixed $print True to print part, ressource to write part contents in - * @param resource $fp File pointer to save the message part - * @param boolean $skip_charset_conv Disables charset conversion - * @param int $max_bytes Only read this number of bytes + * @param int Message UID + * @param string Part number + * @param rcube_message_part Part object created by get_structure() + * @param mixed True to print part, resource to write part contents in + * @param resource File pointer to save the message part + * @param boolean Disables charset conversion + * @param int Only read this number of bytes + * @param boolean Enables formatting of text/* parts bodies * * @return string Message/part body if not printed */ - public function get_message_part($uid, $part=1, $o_part=NULL, $print=NULL, $fp=NULL, $skip_charset_conv=false, $max_bytes=0) + public function get_message_part($uid, $part=1, $o_part=NULL, $print=NULL, $fp=NULL, $skip_charset_conv=false, $max_bytes=0, $formatted=true) { if (!$this->check_connection()) { return null; @@ -2121,8 +2122,9 @@ class rcube_imap extends rcube_storage } if ($o_part && $o_part->size) { + $formatted = $formatted && $o_part->ctype_primary == 'text'; $body = $this->conn->handlePartBody($this->folder, $uid, true, - $part ? $part : 'TEXT', $o_part->encoding, $print, $fp, $o_part->ctype_primary == 'text', $max_bytes); + $part ? $part : 'TEXT', $o_part->encoding, $print, $fp, $formatted, $max_bytes); } if ($fp || $print) { diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php index 5787f36b6..e1193749b 100644 --- a/program/lib/Roundcube/rcube_imap_generic.php +++ b/program/lib/Roundcube/rcube_imap_generic.php @@ -2490,7 +2490,7 @@ class rcube_imap_generic } if ($binary) { - // WARNING: Use $formatting argument with care, this may break binary data stream + // WARNING: Use $formatted argument with care, this may break binary data stream $mode = -1; } diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php index 797ca185e..0d33ea44d 100644 --- a/program/lib/Roundcube/rcube_message.php +++ b/program/lib/Roundcube/rcube_message.php @@ -168,10 +168,11 @@ class rcube_message * @param resource $fp File pointer to save the message part * @param boolean $skip_charset_conv Disables charset conversion * @param int $max_bytes Only read this number of bytes + * @param boolean $formatted Enables formatting of text/* parts bodies * * @return string Part content */ - public function get_part_content($mime_id, $fp = null, $skip_charset_conv = false, $max_bytes = 0) + public function get_part_content($mime_id, $fp = null, $skip_charset_conv = false, $max_bytes = 0, $formatted = true) { if ($part = $this->mime_parts[$mime_id]) { // stored in message structure (winmail/inline-uuencode) @@ -185,7 +186,8 @@ class rcube_message // get from IMAP $this->storage->set_folder($this->folder); - return $this->storage->get_message_part($this->uid, $mime_id, $part, NULL, $fp, $skip_charset_conv, $max_bytes); + return $this->storage->get_message_part($this->uid, $mime_id, $part, + NULL, $fp, $skip_charset_conv, $max_bytes, $formatted); } } diff --git a/program/lib/Roundcube/rcube_storage.php b/program/lib/Roundcube/rcube_storage.php index 4b336f210..de8334551 100644 --- a/program/lib/Roundcube/rcube_storage.php +++ b/program/lib/Roundcube/rcube_storage.php @@ -61,8 +61,6 @@ abstract class rcube_storage 'MAIL-FOLLOWUP-TO', 'MAIL-REPLY-TO', 'RETURN-PATH', - 'DELIVERED-TO', - 'ENVELOPE-TO', ); const UNKNOWN = 0; diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 2330bc040..af84619f2 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -207,7 +207,10 @@ if (!empty($msg_uid) && empty($COMPOSE['as_attachment'])) if (!empty($MESSAGE->headers->charset)) $RCMAIL->storage->set_charset($MESSAGE->headers->charset); - if ($compose_mode == RCUBE_COMPOSE_REPLY) { + if (!$MESSAGE->headers) { + // error + } + else if ($compose_mode == RCUBE_COMPOSE_REPLY) { $COMPOSE['reply_uid'] = $msg_uid; $COMPOSE['reply_msgid'] = $MESSAGE->headers->messageID; $COMPOSE['references'] = trim($MESSAGE->headers->references . " " . $MESSAGE->headers->messageID); @@ -1000,10 +1003,19 @@ function rcmail_create_draft_body($body, $bodyIsHtml) && count($MESSAGE->mime_parts) > 0) { $cid_map = rcmail_write_compose_attachments($MESSAGE, $bodyIsHtml); + } + + // clean up HTML tags - XSS prevention (#1489251) + if ($bodyIsHtml) { + $body = rcmail_wash_html($body, array('safe' => 1), $cid_map); + + // remove comments (produced by washtml) + $body = preg_replace('/<!--[^>]+-->/', '', $body); // replace cid with href in inline images links - if ($cid_map) + if (!empty($cid_map)) { $body = str_replace(array_keys($cid_map), array_values($cid_map), $body); + } } return $body; diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index a41e3ffeb..e14d25ee3 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -1783,8 +1783,14 @@ function rcmail_identity_select($MESSAGE, $identities = null, $compose_mode = 'r // Try Return-Path if ($from_idx === null && ($return_path = $MESSAGE->headers->others['return-path'])) { foreach ($identities as $idx => $ident) { + // Return-Path header contains an email address, but on some mailing list + // it can be e.g. <pear-dev-return-55250-local=domain.tld@lists.php.net> + // where local@domain.tld is the address we're looking for (#1489241) + $ident1 = $ident['email_ascii']; + $ident2 = str_replace('@', '=', $ident1); + foreach ((array)$return_path as $path) { - if (stripos($path, $ident['email_ascii']) !== false) { + if (stripos($path, $ident1) !== false || stripos($path, $ident2)) { $from_idx = $idx; break 2; } @@ -1792,27 +1798,13 @@ function rcmail_identity_select($MESSAGE, $identities = null, $compose_mode = 'r } } - // Fallback using Delivered-To - if ($from_idx === null && ($delivered_to = $MESSAGE->headers->others['delivered-to'])) { - foreach ($identities as $idx => $ident) { - if (in_array($ident['email_ascii'], (array)$delivered_to)) { - $from_idx = $idx; - break; - } - } - } + // See identity_select plugin for example usage of this hook + $plugin = rcmail::get_instance()->plugins->exec_hook('identity_select', + array('message' => $MESSAGE, 'identities' => $identities, 'selected' => $from_idx)); - // Fallback using Envelope-To - if ($from_idx === null && ($envelope_to = $MESSAGE->headers->others['envelope-to'])) { - foreach ($identities as $idx => $ident) { - if (in_array($ident['email_ascii'], (array)$envelope_to)) { - $from_idx = $idx; - break; - } - } - } + $selected = $plugin['selected']; - return $identities[$from_idx !== null ? $from_idx : $default_identity]; + return $identities[$selected !== null ? $selected : $default_identity]; } // Fixes some content-type names diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index a27e788a3..e0c4e2911 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc @@ -134,7 +134,7 @@ else if (strlen($part_id)) { $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']); // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension - if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || $mimetype == 'text/plain') { + if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) { if ($part->body) // part body is already loaded $body = $part->body; else if ($part->size && $part->size < 1024*1024) // load the entire part if it's small enough @@ -189,8 +189,8 @@ else if (strlen($part_id)) { rcube_label(array( 'name' => 'attachmentvalidationerror', 'vars' => array( - 'expected' => $mimetype . ($file_extension ? "(.$file_extension)" : ''), - 'detected' => $real_mimetype . ($extensions[0] ? "(.$extensions[0])" : ''), + 'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''), + 'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''), ) )) . html::p(array('class' => 'rcmail-inline-buttons'), @@ -233,7 +233,6 @@ else if (strlen($part_id)) { header("Content-Transfer-Encoding: binary"); } - // deliver part content if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($plugin['download'])) { // Check if we have enough memory to handle the message in it @@ -358,7 +357,8 @@ else if (strlen($part_id)) { header("Content-Length: $size"); } - $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, true); + // 8th argument disables re-formatting of text/* parts (#1489267) + $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, true, null, false, 0, false); } } diff --git a/program/steps/settings/edit_identity.inc b/program/steps/settings/edit_identity.inc index d70a7aef7..edd4ba60d 100644 --- a/program/steps/settings/edit_identity.inc +++ b/program/steps/settings/edit_identity.inc @@ -77,7 +77,7 @@ function rcube_identity_form($attrib) 'signature' => array( 'name' => rcube_label('signature'), 'content' => array( - 'signature' => array('type' => 'textarea', 'size' => $t_cols, 'rows' => $t_rows, + 'signature' => array('type' => 'textarea', 'size' => $t_cols, 'rows' => $t_rows, 'spellcheck' => true), 'html_signature' => array('type' => 'checkbox', 'label' => rcube_label('htmlsignature'), 'onclick' => 'return rcmail_toggle_editor(this, \'rcmfd_signature\');'), @@ -138,6 +138,7 @@ function rcube_identity_form($attrib) $label = !empty($colprop['label']) ? $colprop['label'] : rcube_label(str_replace('-', '', $col)); + $value = !empty($colprop['value']) ? $colprop['value'] : rcmail_get_edit_field($col, $IDENTITY_RECORD[$col], $colprop, $colprop['type']); diff --git a/program/steps/settings/func.inc b/program/steps/settings/func.inc index dbc9b3ce2..f6ea79ec6 100644 --- a/program/steps/settings/func.inc +++ b/program/steps/settings/func.inc @@ -546,7 +546,7 @@ function rcmail_user_prefs($current = null) $blocks['main']['options']['default_charset'] = array( 'title' => html::label($field_id, Q(rcube_label('defaultcharset'))), 'content' => $RCMAIL->output->charset_selector(array( - 'name' => '_default_charset', 'selected' => $config['default_charset'] + 'id' => $field_id, 'name' => '_default_charset', 'selected' => $config['default_charset'] ))); } diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 34d8be268..d3b132f8b 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -76,6 +76,15 @@ foreach ($email_checks as $email) { } } +// XSS protection in HTML signature (#1489251) +if (!empty($save_data['signature']) && !empty($save_data['html_signature'])) { + $save_data['signature'] = rcmail_wash_html($save_data['signature']); + + // clear POST data of signature, we want to use safe content + // when the form is displayed again + unset($_POST['_signature']); +} + // update an existing contact if ($_POST['_iid']) { $iid = get_input_value('_iid', RCUBE_INPUT_POST); @@ -167,3 +176,40 @@ if (!empty($_REQUEST['_framed'])) { } else rcmail_overwrite_action('identities'); + + +/** + * Sanity checks/cleanups on HTML body of signature + */ +function rcmail_wash_html($html) +{ + // Add header with charset spec., washtml cannot work without that + $html = '<html><head>' + . '<meta http-equiv="Content-Type" content="text/html; charset='.RCMAIL_CHARSET.'" />' + . '</head><body>' . $html . '</body></html>'; + + // clean HTML with washhtml by Frederic Motte + $wash_opts = array( + 'show_washed' => false, + 'allow_remote' => 1, + 'charset' => RCMAIL_CHARSET, + 'html_elements' => array('body', 'link'), + 'html_attribs' => array('rel', 'type'), + ); + + // initialize HTML washer + $washer = new rcube_washtml($wash_opts); + + //$washer->add_callback('form', 'rcmail_washtml_callback'); + //$washer->add_callback('style', 'rcmail_washtml_callback'); + + // Remove non-UTF8 characters (#1487813) + $html = rc_utf8_clean($html); + + $html = $washer->wash($html); + + // remove unwanted comments and tags (produced by washtml) + $html = preg_replace(array('/<!--[^>]+-->/', '/<\/?body>/'), '', $html); + + return $html; +} |