From ac88dc8d0918ac5ea6004b9ca05158b00d4bd4ed Mon Sep 17 00:00:00 2001
From: Thomas Bruederli
Date: Tue, 27 Nov 2012 18:12:31 +0100
Subject: Don't open application/x-shockwave-flash files in browser (quick fix for XSS reported in #148882)

---
 program/steps/mail/show.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc
index c6c6d9636..20e76a64b 100644
--- a/program/steps/mail/show.inc
+++ b/program/steps/mail/show.inc
@@ -54,7 +54,7 @@ if ($uid = get_input_value('_uid', RCUBE_INPUT_GET)) {
 $OUTPUT->set_env('mailbox', $mbox_name);
 // mimetypes supported by the browser (default settings)
-$mimetypes = $RCMAIL->config->get('client_mimetypes', 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/x-javascript,application/pdf,application/x-shockwave-flash');
+$mimetypes = $RCMAIL->config->get('client_mimetypes', 'text/plain,text/html,text/xml,image/jpeg,image/gif,image/png,application/x-javascript,application/pdf');
 $OUTPUT->set_env('mimetypes', is_string($mimetypes) ? explode(',', $mimetypes) : (array)$mimetypes);
 if ($CONFIG['drafts_mbox'])
--
cgit v1.2.3
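Review bot: The removal only touches the default string passed to `$RCMAIL->config->get('client_mimetypes', ...)`, so any deployment whose config sets `client_mimetypes` explicitly (the common case for a documented option) still advertises `application/x-shockwave-flash` to the client and keeps the reported XSS path open. If the intent is to block the type regardless of configuration, strip it after the read rather than only from the fallback, e.g. `$mimetypes = is_string($mimetypes) ? explode(',', $mimetypes) : (array)$mimetypes;` then `$mimetypes = array_diff($mimetypes, array('application/x-shockwave-flash'));` and `$OUTPUT->set_env('mimetypes', $mimetypes);`. The surviving defaults `text/html`, `text/xml` and `application/x-javascript` are also content types a browser can execute script from when rendered inline on the webmail origin, so it is worth confirming (outside this hunk) that the download path for those types sets a non-inline Content-Disposition or otherwise neutralises them; the commit message frames this as a quick fix, and a comment such as `// active content types are excluded here; see the attachment handler for the server-side check` would make that dependency explicit. The enclosing `if ($uid = ...)` block starts and ends outside this hunk.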