From 4a2a62de30eae35398dc1e6fcca99c469dd218e6 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 19 Feb 2015 13:43:43 +0100
Subject: Fix needless security warning on BMP attachments display (#1490282)

---
 program/steps/mail/func.inc | 9 ++++++++-
 program/steps/mail/get.inc  | 9 ++++++---
 2 files changed, 14 insertions(+), 4 deletions(-)

(limited to 'program')

diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 48d989954..c45fd2f97 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1959,9 +1959,16 @@ function rcmail_identity_select($MESSAGE, $identities = null, $compose_mode = 'r
 // Fixes some content-type names
 function rcmail_fix_mimetype($name)
 {
+    $map = array(
+        'image/x-ms-bmp' => 'image/bmp', // #1490282
+    );
+
+    if ($alias = $map[strtolower($name)]) {
+        $name = $alias;
+    }
     // Some versions of Outlook create garbage Content-Type:
     // application/pdf.A520491B_3BF7_494D_8855_7FAC2C6C0608
-    if (preg_match('/^application\/pdf.+/', $name)) {
+    else if (preg_match('/^application\/pdf.+/', $name)) {
         $name = 'application/pdf';
     }
     // treat image/pjpeg (image/pjpg, image/jpg) as image/jpeg (#1489097)
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 256af52b7..02ec5a4ac 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -138,7 +138,7 @@ else if (strlen($part_id)) {
             $file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION));
 
             // 1. compare filename suffix with expected suffix derived from mimetype
-            $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']);
+            $valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']);
 
             // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension
             if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) {
@@ -164,7 +164,7 @@ else if (strlen($part_id)) {
                 else {
                     // get valid file extensions
                     $extensions      = rcube_mime::get_mime_extensions($real_mimetype);
-                    $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions));
+                    $valid_extension = !$file_extension || in_array($file_extension, (array)$extensions);
                 }
 
                 // fix mimetype for images wrongly declared as octet-stream
@@ -172,7 +172,10 @@ else if (strlen($part_id)) {
                     $mimetype = $real_mimetype;
                 }
 
-                $valid = ($real_mimetype == $mimetype && $valid_extension);
+                // "fix" real mimetype the same way the original is before comparison
+                $real_mimetype = rcmail_fix_mimetype($real_mimetype);
+
+                $valid = $real_mimetype == $mimetype && $valid_extension;
             }
             else {
                 $real_mimetype = $mimetype;
-- 
cgit v1.2.3