From 8c188058cf9281251cbac5cda43ef833843fd51b Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Fri, 8 Jun 2012 08:53:07 +0200 Subject: Fix handling of links with various URI schemes e.g. "skype:" (#1488106) Fix handling of links inside PRE elements on html to text conversion Fix indexing of links on html to text conversion --- CHANGELOG | 3 +++ 1 file changed, 3 insertions(+) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 8b0f0675f..224812948 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,9 @@ CHANGELOG Roundcube Webmail =========================== +- Fix handling of links with various URI schemes e.g. "skype:" (#1488106) +- Fix handling of links inside PRE elements on html to text conversion +- Fix indexing of links on html to text conversion - Add mail attachments using drag & drop on HTML5 enabled browsers - Add workaround for invalid BODYSTRUCTURE response - parse message with Mail_mimeDecode package (#1485585) - Decode header value in rcube_mime::get() by default (#1488511) -- cgit v1.2.3 From 54be5ccb50be664ca4cc30fab6fb84e7be8e223e Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Fri, 8 Jun 2012 09:22:49 +0200 Subject: Fix XSS vulnerability in message subject handling using Larry skin (#1488519) --- CHANGELOG | 1 + program/steps/mail/func.inc | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 224812948..0c3953484 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix XSS vulnerability in message subject handling using Larry skin (#1488519) - Fix handling of links with various URI schemes e.g. "skype:" (#1488106) - Fix handling of links inside PRE elements on html to text conversion - Fix indexing of links on html to text conversion diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 1e5dbda19..7417c6ba3 100644 --- a/program/steps/mail/func.inc 
+++ b/program/steps/mail/func.inc @@ -947,7 +947,7 @@ function rcmail_message_headers($attrib, $headers=NULL) // single header value is requested if (!empty($attrib['valueof'])) - return Q($plugin['output'][$attrib['valueof']]['value'], ($hkey == 'subject' ? 'strict' : 'show')); + return Q($plugin['output'][$attrib['valueof']]['value'], ($attrib['valueof'] == 'subject' ? 'strict' : 'show')); // compose html table $table = new html_table(array('cols' => 2)); -- cgit v1.2.3 From 8749e94b4bed36500e4f45c65cc16cfd5633ef34 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Fri, 8 Jun 2012 11:14:53 +0200 Subject: Fix attachment sizes in message print page and attachment preview page (#1488515) - Use size parameter from Content-Disposition header if specified, - Calculate size of base64 encoded message parts --- CHANGELOG | 1 + program/include/rcmail.php | 25 +++++++++++++++++++++++++ program/steps/mail/func.inc | 10 ++++------ program/steps/mail/show.inc | 5 +++-- 4 files changed, 33 insertions(+), 8 deletions(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 0c3953484..b1bd50e8c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix attachment sizes in message print page and attachment preview page (#1488515) - Fix XSS vulnerability in message subject handling using Larry skin (#1488519) - Fix handling of links with various URI schemes e.g. "skype:" (#1488106) - Fix handling of links inside PRE elements on html to text conversion diff --git a/program/include/rcmail.php b/program/include/rcmail.php index a10a2aa72..8ec8cfe47 100644 --- a/program/include/rcmail.php +++ b/program/include/rcmail.php 
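Review bot: The encoding mode in the changed `return Q(...)` line of rcmail_message_headers() is still picked by one string comparison, so every `valueof` header other than `subject` keeps the `'show'` mode that this fix treats as unsafe for the subject. If the other entries of `$plugin['output']` are not already escaped HTML at this point (the hunk does not show how they are built), they carry the same exposure. Defaulting to `'strict'` and opting in only the headers known to hold pre-rendered markup would fail closed. A comment such as `// subject is raw message text: always encode strictly; only pre-rendered header values may use 'show'` would record why the branch exists. The function body starts and continues outside the hunk.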
@@ -1997,6 +1997,31 @@ class rcmail extends rcube } + /** + * Returns real size (calculated) of the message part + * + * @param rcube_message_part Message part + * + * @return string Part size (and unit) + */ + public function message_part_size($part) + { + if (isset($part->d_parameters['size'])) { + $size = $this->show_bytes((int)$part->d_parameters['size']); + } + else { + $size = $part->size; + if ($part->encoding == 'base64') { + $size = $size / 1.33; + } + + $size = '~' . $this->show_bytes($size); + } + + return $size; + } + + /************************************************************************ ********* Deprecated methods (to be removed) ********* ***********************************************************************/ diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc index 7417c6ba3..5a18ded6b 100644 --- a/program/steps/mail/func.inc +++ b/program/steps/mail/func.inc @@ -1477,13 +1477,13 @@ function rcmail_draftinfo_decode($str) function rcmail_message_part_controls($attrib) { - global $MESSAGE; + global $MESSAGE, $RCMAIL; $part = asciiwords(get_input_value('_part', RCUBE_INPUT_GPC)); if (!is_object($MESSAGE) || !is_array($MESSAGE->parts) || !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE->mime_parts[$part]) return ''; - $part = $MESSAGE->mime_parts[$part]; + $part = $MESSAGE->mime_parts[$part]; $table = new html_table(array('cols' => 3)); $filename = $part->filename; @@ -1497,10 +1497,8 @@ function rcmail_message_part_controls($attrib) $table->add('download-link', html::a(array('href' => './?'.str_replace('_frame=', '_download=', $_SERVER['QUERY_STRING'])), Q(rcube_label('download')))); } - if (!empty($part->size)) { - $table->add('title', Q(rcube_label('filesize'))); - $table->add('header', Q(show_bytes($part->size))); - } + $table->add('title', Q(rcube_label('filesize'))); + $table->add('header', Q($RCMAIL->message_part_size($part))); return $table->show($attrib); } 
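Review bot: `message_part_size()` presents the `size` parameter of the part's Content-Disposition header as the exact size, without the `~` marker, although that parameter is written by whoever composed the message and is never compared with `$part->size`. A wrong or negative value is then shown to the user as fact; clamping it with `max(0, (int)$part->d_parameters['size'])` and keeping the `~` prefix unless it agrees with the stored size would avoid that. In the fallback branch, `$part->encoding == 'base64'` is case-sensitive (a concern only if the value is not normalised upstream) and `$size / 1.33` yields a float from a rounded constant; `(int) round($size * 3 / 4)` is closer to the decoded length. The docblock's `@param rcube_message_part Message part` is missing the variable name `$part`.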
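Review bot: The second func.inc hunk (-1497) drops the `if (!empty($part->size))` guard around the file-size row in rcmail_message_part_controls(), so a part with no recorded size and no `size` disposition parameter now gets a row showing `~` followed by the formatting of an empty value. Widening the guard instead of removing it, `if (!empty($part->size) || isset($part->d_parameters['size'])) {`, keeps the old behaviour for parts of unknown size. The function starts before this hunk.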
diff --git a/program/steps/mail/show.inc b/program/steps/mail/show.inc index 158ba31c8..5fa72d77f 100644 --- a/program/steps/mail/show.inc +++ b/program/steps/mail/show.inc @@ -144,7 +144,7 @@ if ($uid = get_input_value('_uid', RCUBE_INPUT_GET)) { function rcmail_message_attachments($attrib) { - global $PRINT_MODE, $MESSAGE; + global $PRINT_MODE, $MESSAGE, $RCMAIL; $out = $ol = ''; @@ -156,7 +156,8 @@ function rcmail_message_attachments($attrib) } if ($PRINT_MODE) { - $ol .= html::tag('li', null, sprintf("%s (%s)", Q($filename), Q(show_bytes($attach_prop->size)))); + $size = $RCMAIL->message_part_size($attach_prop); + $ol .= html::tag('li', null, Q(sprintf("%s (%s)", $filename, $size))); } else { if (mb_strlen($filename) > 50) { -- cgit v1.2.3 From 4fd5b62194c37cf296d3f9c8babfb14f897c2d93 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Fri, 8 Jun 2012 11:49:12 +0200 Subject: Add Content-Length for attachments where possible (#1485478) --- CHANGELOG | 1 + program/steps/mail/get.inc | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index b1bd50e8c..b423f7cbc 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Add Content-Length for attachments where possible (#1485478) - Fix attachment sizes in message print page and attachment preview page (#1488515) - Fix XSS vulnerability in message subject handling using Larry skin (#1488519) - Fix handling of links with various URI schemes e.g. "skype:" (#1488106) diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc index 658538a20..bcd57dee0 100644 --- a/program/steps/mail/get.inc +++ b/program/steps/mail/get.inc 
@@ -199,13 +199,18 @@ else if (strlen($pid = get_input_value('_part', RCUBE_INPUT_GET))) { $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, false, $stdout); } } + // send part as-it-is else { - // turn off output buffering and print part content if ($part->body) { + header("Content-Length: " . sizeof($part->body)); echo $part->body; $sent = true; } else if ($part->size) { + if ($size = (int)$part->d_parameters['size']) { + header("Content-Length: $size"); + } + $sent = $RCMAIL->storage->get_message_part($MESSAGE->uid, $part->mime_id, $part, true); } } -- cgit v1.2.3 From c281619b96afaa34274bb56a3506e5c59b325b02 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Fri, 8 Jun 2012 14:18:39 +0200 Subject: Fix Shift + delete button does not permanently delete messages (#1488243) --- CHANGELOG | 1 + program/include/rcube_output_html.php | 6 +++--- program/js/app.js | 8 ++++---- 3 files changed, 8 insertions(+), 7 deletions(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index b423f7cbc..45b310ebc 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix Shift + delete button does not permanently delete messages (#1488243) - Add Content-Length for attachments where possible (#1485478) - Fix attachment sizes in message print page and attachment preview page (#1488515) - Fix XSS vulnerability in message subject handling using Larry skin (#1488519) diff --git a/program/include/rcube_output_html.php b/program/include/rcube_output_html.php index 142755bcf..fce9615cf 100644 --- a/program/include/rcube_output_html.php +++ b/program/include/rcube_output_html.php 
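Review bot: In the `if ($part->body)` branch the new header uses `sizeof($part->body)`, but `sizeof()` is an alias of `count()` and does not measure a string, so the response would announce a length of 1 (newer PHP versions reject the call outright); the line should read `header("Content-Length: " . strlen($part->body));`. In the `else if ($part->size)` branch the length is taken from the `size` parameter of the sender-written Content-Disposition header, and nothing visible in the hunk ties it to the number of bytes `get_message_part()` actually emits. A value that is too small truncates the download, and one that is too large leaves the client waiting or misaligns a persistent connection. At minimum require a positive value, `if (($size = (int)$part->d_parameters['size']) > 0) {`, and preferably send the header only when the length is known on the server side. The enclosing `else if` chain starts before the hunk.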
@@ -933,7 +933,7 @@ class rcube_output_html extends rcube_output // make valid href to specific buttons if (in_array($attrib['command'], rcmail::$main_tasks)) { $attrib['href'] = $this->app->url(array('task' => $attrib['command'])); - $attrib['onclick'] = sprintf("%s.command('switch-task','%s');return false", rcmail::JS_OBJECT_NAME, $attrib['command']); + $attrib['onclick'] = sprintf("%s.command('switch-task','%s',null,event); return false", rcmail::JS_OBJECT_NAME, $attrib['command']); } else if ($attrib['task'] && in_array($attrib['task'], rcmail::$main_tasks)) { $attrib['href'] = $this->app->url(array('action' => $attrib['command'], 'task' => $attrib['task'])); @@ -956,7 +956,7 @@ class rcube_output_html extends rcube_output } else if ($command && !$attrib['onclick']) { $attrib['onclick'] = sprintf( - "return %s.command('%s','%s',this)", + "return %s.command('%s','%s',this,event)", rcmail::JS_OBJECT_NAME, $command, $attrib['prop'] @@ -1485,7 +1485,7 @@ class rcube_output_html extends rcube_output if (empty($attrib['form'])) { $out = $this->form_tag(array( 'name' => "rcmqsearchform", - 'onsubmit' => rcmail::JS_OBJECT_NAME . ".command('search');return false;", + 'onsubmit' => rcmail::JS_OBJECT_NAME . ".command('search'); return false", 'style' => "display:inline"), $out); } diff --git a/program/js/app.js b/program/js/app.js index 7eb8c787c..a5c7db441 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -493,7 +493,7 @@ function rcube_webmail() /*********************************************************/ // execute a specific command on the web client - this.command = function(command, props, obj) + this.command = function(command, props, obj, event) { var ret, uid, cid, url, flag; @@ -713,7 +713,7 @@ function rcube_webmail() case 'delete': // mail task if (this.task == 'mail') - this.delete_messages(); + this.delete_messages(event); // addressbook task else if (this.task == 'addressbook') this.delete_contacts(); 
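Review bot: The `onclick` strings in the first two rcube_output_html.php hunks place `$attrib['command']`, `$command` and `$attrib['prop']` between single quotes inside inline JavaScript via `sprintf()`, with no escaping for a JavaScript string context. The first case is constrained by the `in_array(..., rcmail::$main_tasks)` test, but in the `"return %s.command('%s','%s',this,event)"` branch nothing visible restricts `prop`; if these attributes can ever hold values that do not come from a trusted skin template, a quote character in the value ends the literal early. Escaping both values for a JavaScript string before formatting would make the line safe regardless of where the attributes originate. A short comment that `event` is the inline handler's implicit event object would also help the next reader. Both methods extend beyond the hunks.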
@@ -2555,7 +2555,7 @@ function rcube_webmail() }; // delete selected messages from the current mailbox - this.delete_messages = function() + this.delete_messages = function(event) { var uid, i, len, trash = this.env.trash_mailbox, list = this.message_list, @@ -2587,7 +2587,7 @@ function rcube_webmail() // if there is a trash mailbox defined and we're not currently in it else { // if shift was pressed delete it immediately - if (list && list.modkey == SHIFT_KEY) { + if ((list && list.modkey == SHIFT_KEY) || (event && rcube_event.get_modifier(event) == SHIFT_KEY)) { if (confirm(this.get_label('deletemessagesconfirm'))) this.permanently_remove_messages(); } -- cgit v1.2.3 From ba1fb0510fbf8826d74cc239051e0f5ea8c7c42a Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sat, 9 Jun 2012 15:44:56 +0200 Subject: Update to Mail_Mime-1.8.5 (#1488521) --- CHANGELOG | 1 + program/lib/Mail/mime.php | 7 ++++--- program/lib/Mail/mimePart.php | 49 +++++++++++++++++++++++++++++++------------ 3 files changed, 41 insertions(+), 16 deletions(-) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 45b310ebc..aac9e6524 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Update to Mail_Mime-1.8.5 (#1488521) - Fix Shift + delete button does not permanently delete messages (#1488243) - Add Content-Length for attachments where possible (#1485478) - Fix attachment sizes in message print page and attachment preview page (#1488515) diff --git a/program/lib/Mail/mime.php b/program/lib/Mail/mime.php index a7dfa6d0c..76c6ec2ff 100644 --- a/program/lib/Mail/mime.php +++ b/program/lib/Mail/mime.php @@ -48,7 +48,7 @@ * @author Aleksander Machniak * @copyright 2003-2006 PEAR * @license http://www.opensource.org/licenses/bsd-license.php BSD License - * @version 1.8.4 + * @version 1.8.5 * @link http://pear.php.net/package/Mail_mime * * This class is based on HTML Mime Mail class from 
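Review bot: `delete_messages` gains an optional `event` argument, but the comment above it still reads only `// delete selected messages from the current mailbox`. I would extend it to `// delete selected messages from the current mailbox; pass the triggering DOM event so that Shift+click on the button deletes permanently`. Only the `'delete'` case of `command()` forwards the event (hunk -713), so every other caller depends on the `event &&` guard in the Shift test; that is worth stating in the same comment. Both functions continue outside the hunks.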
@@ -89,7 +89,7 @@ require_once 'Mail/mimePart.php'; * @author Sean Coates * @copyright 2003-2006 PEAR * @license http://www.opensource.org/licenses/bsd-license.php BSD License - * @version Release: 1.8.4 + * @version Release: 1.8.5 * @link http://pear.php.net/package/Mail_mime */ class Mail_mime @@ -387,7 +387,8 @@ class Mail_mime * @param string $description Content-Description header * @param string $h_charset The character set of the headers e.g. filename * If not specified, $charset will be used - * @param array $add_headers Additional part headers + * @param array $add_headers Additional part headers. Array keys can be in form + * of : * * @return mixed True on success or PEAR_Error object * @access public diff --git a/program/lib/Mail/mimePart.php b/program/lib/Mail/mimePart.php index f3cd98e6d..4e4170d8e 100644 --- a/program/lib/Mail/mimePart.php +++ b/program/lib/Mail/mimePart.php @@ -48,7 +48,7 @@ * @author Aleksander Machniak * @copyright 2003-2006 PEAR * @license http://www.opensource.org/licenses/bsd-license.php BSD License - * @version 1.8.4 + * @version 1.8.5 * @link http://pear.php.net/package/Mail_mime */ @@ -70,7 +70,7 @@ * @author Aleksander Machniak * @copyright 2003-2006 PEAR * @license http://www.opensource.org/licenses/bsd-license.php BSD License - * @version Release: 1.8.4 + * @version Release: 1.8.5 * @link http://pear.php.net/package/Mail_mime */ class Mail_mimePart @@ -156,7 +156,8 @@ class Mail_mimePart * headers_charset - Charset of the headers e.g. filename, description. * If not set, 'charset' will be used * eol - End of line sequence. Default: "\r\n" - * headers - Hash array with additional part headers + * headers - Hash array with additional part headers. Array keys can be + * in form of : * body_file - Location of file with part's body (instead of $body) * * @access public 
@@ -222,13 +223,17 @@ class Mail_mimePart $params['headers_charset'] = $params['charset']; } } + + // header values encoding parameters + $h_charset = !empty($params['headers_charset']) ? $params['headers_charset'] : 'US-ASCII'; + $h_language = !empty($params['language']) ? $params['language'] : null; + $h_encoding = !empty($params['name_encoding']) ? $params['name_encoding'] : null; + + if (!empty($params['filename'])) { $headers['Content-Type'] .= ';' . $this->_eol; $headers['Content-Type'] .= $this->_buildHeaderParam( - 'name', $params['filename'], - !empty($params['headers_charset']) ? $params['headers_charset'] : 'US-ASCII', - !empty($params['language']) ? $params['language'] : null, - !empty($params['name_encoding']) ? $params['name_encoding'] : null + 'name', $params['filename'], $h_charset, $h_language, $h_encoding ); } 
@@ -238,23 +243,41 @@ class Mail_mimePart if (!empty($params['filename'])) { $headers['Content-Disposition'] .= ';' . $this->_eol; $headers['Content-Disposition'] .= $this->_buildHeaderParam( - 'filename', $params['filename'], - !empty($params['headers_charset']) ? $params['headers_charset'] : 'US-ASCII', - !empty($params['language']) ? $params['language'] : null, + 'filename', $params['filename'], $h_charset, $h_language, !empty($params['filename_encoding']) ? $params['filename_encoding'] : null ); } + + // add attachment size + $size = $this->_body_file ? filesize($this->_body_file) : strlen($body); + if ($size) { + $headers['Content-Disposition'] .= ';' . $this->_eol . ' size=' . $size; + } } if (!empty($params['description'])) { $headers['Content-Description'] = $this->encodeHeader( - 'Content-Description', $params['description'], - !empty($params['headers_charset']) ? $params['headers_charset'] : 'US-ASCII', - !empty($params['name_encoding']) ? $params['name_encoding'] : 'quoted-printable', + 'Content-Description', $params['description'], $h_charset, $h_encoding, $this->_eol ); } + // Search and add existing headers' parameters + foreach ($headers as $key => $value) { + $items = explode(':', $key); + if (count($items) == 2) { + $header = $items[0]; + $param = $items[1]; + if (isset($headers[$header])) { + $headers[$header] .= ';' . $this->_eol; + } + $headers[$header] .= $this->_buildHeaderParam( + $param, $value, $h_charset, $h_language, $h_encoding + ); + unset($headers[$key]); + } + } + // Default encoding if (!isset($this->_encoding)) { $this->_encoding = '7bit'; -- cgit v1.2.3 From 6e1864cb1731bb870d775ac15eea6589a779ab2e Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Sun, 10 Jun 2012 10:09:01 +0200 Subject: Fix storing X-ANNIVERSARY date in vCard format (#1488527) --- CHANGELOG | 1 + program/include/rcube_vcard.php | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'CHANGELOG') 
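Review bot: In the new `foreach ($headers as $key => $value)` loop, `isset($headers[$header])` guards only the `;` separator; the following `$headers[$header] .= ...` runs even when the base header is absent, which raises an undefined-index notice and emits a header consisting of a parameter alone. Dropping such keys first, `if (!isset($headers[$header])) { unset($headers[$key]); continue; }`, keeps the output well-formed. `$param` comes straight from the array key and nothing in the hunk validates it, so it should be limited to token characters before it is written into a header line (whether `_buildHeaderParam()` already does this is not visible here). The Content-Description call now passes `$h_encoding`, which falls back to null where the old code fell back to `'quoted-printable'`; it is worth confirming that `encodeHeader()` treats null the same way.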
diff --git a/CHANGELOG b/CHANGELOG index aac9e6524..3ac39c3ee 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix storing X-ANNIVERSARY date in vCard format (#1488527) - Update to Mail_Mime-1.8.5 (#1488521) - Fix Shift + delete button does not permanently delete messages (#1488243) - Add Content-Length for attachments where possible (#1485478) diff --git a/program/include/rcube_vcard.php b/program/include/rcube_vcard.php index b03ba9cfa..52545a0d9 100644 --- a/program/include/rcube_vcard.php +++ b/program/include/rcube_vcard.php @@ -312,8 +312,9 @@ class rcube_vcard break; case 'birthday': - if ($val = rcube_strtotime($value)) - $this->raw['BDAY'][] = array(0 => date('Y-m-d', $val), 'value' => array('date')); + case 'anniversary': + if (($val = rcube_strtotime($value)) && ($fn = self::$fieldmap[$field])) + $this->raw[$fn][] = array(0 => date('Y-m-d', $val), 'value' => array('date')); break; case 'address': -- cgit v1.2.3