<?php
+
/**
* Deliver.class.php
*
- * Copyright (c) 1999-2005 The SquirrelMail Project Team
- * Licensed under the GNU GPL. For full terms see the file COPYING.
- *
* This contains all the functions needed to send messages through
* a delivery backend.
*
+ * @author Marc Groot Koerkamp
+ * @copyright © 1999-2005 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
- * @author Marc Groot Koerkamp
* @package squirrelmail
*/
if ($boundary && $message->entity_id && count($message->entities)) {
if (strpos($boundary,'_part_')) {
$boundary = substr($boundary,0,strpos($boundary,'_part_'));
+
+ // the next four lines use strrev to reverse any nested boundaries
+ // because RFC 2046 (5.1.1) says that if a line starts with the outer
+ // boundary string (doesn't matter what the line ends with), that
+ // can be considered a match for the outer boundary; thus the nested
+ // boundary needs to be unique from the outer one
+ //
+ } else if (strpos($boundary,'_trap_')) {
+ $boundary = substr(strrev($boundary),0,strpos(strrev($boundary),'_part_'));
}
- $boundary_new = $boundary . '_part_'.$message->entity_id;
+ $boundary_new = strrev($boundary . '_part_'.$message->entity_id);
} else {
$boundary_new = $boundary;
}
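Review bot: The explanatory comment added before `} else if (strpos($boundary,'_trap_'))` sits inside the `_part_` branch and refers to "the next four lines", so it is easy to misread and will go stale when lines move. It would read better above the outer `if`, for example `// nested boundaries are stored reversed ('_part_' becomes '_trap_') so that no inner boundary starts with the outer boundary string (RFC 2046 5.1.1)`. The new branch also calls `strrev($boundary)` twice; `$rev = strrev($boundary); $boundary = substr($rev, 0, strpos($rev, '_part_'));` does it once. Both branches test `strpos()` for truthiness, so a marker at offset 0 is treated as absent, which deserves a comment if it is intended. The enclosing function starts and ends outside the hunk.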
case 'message':
if ($message->body_part) {
$body_part = $message->body_part;
+ // remove NUL characters
+ $body_part = str_replace("\0",'',$body_part);
$length += $this->clean_crlf($body_part);
if ($stream) {
$this->preWriteToStream($body_part);
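Review bot: The comment `// remove NUL characters` restates the call without saying why the bytes are dropped, and the same two lines are repeated in the file-read loop of this case and in the `default` case. A why-comment would serve the next maintainer better, for example `// strip NUL bytes: RFC 2822 forbids generating them and downstream servers may reject or truncate the message`. Since `$length` is accumulated after the strip in all three places, moving the strip into one shared helper would keep the byte count and the written data from drifting apart. The surrounding `case` body starts and ends outside the hunk.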
$filename = $message->att_local_name;
$file = fopen ($filename, 'rb');
while ($body_part = fgets($file, 4096)) {
+ // remove NUL characters
+ $body_part = str_replace("\0",'',$body_part);
$length += $this->clean_crlf($body_part);
if ($stream) {
$this->preWriteToStream($body_part);
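Review bot: The loop condition `while ($body_part = fgets($file, 4096))` stops on any falsy string, so a final line consisting of `0` with no trailing newline is silently dropped, and the result of `fopen()` is used without a check. Comparing explicitly, `while (($body_part = fgets($file, 4096)) !== false)`, and returning early when `$file === false` would close both gaps. The `fread($file, 570)` loop in the `default` case uses the same truthiness test and would need `$tmp !== false && $tmp !== ''` instead, because `fread()` can return an empty string at end of file. The loop body continues outside the hunk.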
default:
if ($message->body_part) {
$body_part = $message->body_part;
+ // remove NUL characters
+ $body_part = str_replace("\0",'',$body_part);
$length += $this->clean_crlf($body_part);
if ($stream) {
$this->writeToStream($stream, $body_part);
$filename = $message->att_local_name;
$file = fopen ($filename, 'rb');
while ($tmp = fread($file, 570)) {
- $body_part = chunk_split(base64_encode($tmp));
+ $body_part = chunk_split(base64_encode($tmp));
+ // Up to 4.3.10 chunk_split always appends a newline,
+ // while in 4.3.11 it doesn't if the string to split
+ // is shorter than the chunk length.
+ if( substr($body_part, -1 , 1 ) != "\n" )
+ $body_part .= "\n";
$length += $this->clean_crlf($body_part);
if ($stream) {
$this->writeToStream($stream, $body_part);
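Review bot: The fallback appends a bare `"\n"`, while `chunk_split()` terminates its own chunks with `"\r\n"` by default, so the last line of a short block ends differently from the others unless `clean_crlf()` normalises it (that helper is not visible here). Either append the same terminator, `if (substr($body_part, -1) != "\n") { $body_part .= "\r\n"; }`, or state the reliance on `clean_crlf()` in the comment. The comment should also say that 4.3.10 and 4.3.11 are PHP versions, and the braceless `if` is out of step with the braces used everywhere else in this hunk.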
$contenttype = 'Content-Type: '. $mime_header->type0 .'/'.
$mime_header->type1;
if (count($message->entities)) {
- $contenttype .= ";\r\n " . 'boundary="'.$boundary.'"';
+ $contenttype .= ';' . 'boundary="'.$boundary.'"';
}
if (isset($mime_header->parameters['name'])) {
$contenttype .= '; name="'.
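Review bot: The new line builds `;boundary="..."` with no space after the semicolon, whereas the `name` parameter just below is appended as `'; name="'`; writing `$contenttype .= '; boundary="'.$boundary.'"';` keeps the header's parameters consistent. Dropping the `\r\n ` fold also means the Content-Type line grows with the boundary length, so a short comment explaining why the fold was removed would help anyone who later hits line-length limits. `$boundary` is placed inside a quoted string unescaped; its origin is outside this hunk, so confirm it can never contain `"` or a line break. The statement starting at `'; name="'` continues outside the hunk.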
* @return string $header
*/
function prepareRFC822_Header($rfc822_header, $reply_rfc822_header, &$raw_length) {
- global $domain, $version, $username, $skip_SM_header;
+ global $domain, $version, $username, $encode_header_key,
+ $edit_identity, $hide_auth_header;
/* if server var SERVER_NAME not available, use $domain */
if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) {
/* This creates an RFC 822 date */
$date = date('D, j M Y H:i:s ', mktime()) . $this->timezone();
/* Create a message-id */
- $message_id = '<' . $REMOTE_PORT . '.' . $REMOTE_ADDR . '.';
- $message_id .= time() . '.squirrel@' . $SERVER_NAME .'>';
+ $message_id = '<' . $REMOTE_PORT . '.';
+ if (isset($encode_header_key) && trim($encode_header_key)!='') {
+ // use encrypted form of remote address
+ $message_id.= OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key));
+ } else {
+ $message_id.= $REMOTE_ADDR;
+ }
+ $message_id .= '.' . time() . '.squirrel@' . $SERVER_NAME .'>';
/* Make an RFC822 Received: line */
if (isset($REMOTE_HOST)) {
$received_from = "$REMOTE_HOST ([$REMOTE_ADDR])";
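Review bot: `OneTimePadEncrypt()` is called here with the same `$encode_header_key` for every message, and again for the `X-Squirrel-*Hash` headers added further down, so the pad is never used just once. If the helper is the XOR-with-pad routine its name suggests, the resulting values are obfuscated rather than confidential, and the comment should say so: `// obfuscates the client address with a site-wide key; not a confidentiality guarantee`. `ip2hex()` returns its input unchanged for formats it does not recognise, so the token placed in the Message-ID can vary in length and content; a note on that fallback would help whoever decodes these headers during an abuse investigation. The function body continues outside the hunk.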
$received_from .= " (proxying for $HTTP_X_FORWARDED_FOR)";
}
$header = array();
- if ( !isset($skip_SM_header) || !$skip_SM_header )
- {
- $header[] = "Received: from $received_from" . $rn;
- $header[] = " (SquirrelMail authenticated user $username)" . $rn;
- $header[] = " by $SERVER_NAME with HTTP;" . $rn;
- $header[] = " $date" . $rn;
+
+ /**
+ * SquirrelMail header
+ *
+ * This Received: header provides information that allows to track
+ * user and machine that was used to send email. Don't remove it
+ * unless you understand all possible forging issues or your
+ * webmail installation does not prevent changes in user's email address.
+ * See SquirrelMail bug tracker #847107 for more details about it.
+ *
+ * Add $hide_squirrelmail_header as a candidate for config_local.php
+ * to allow completely hiding SquirrelMail participation in message
+ * processing; This is dangerous, especially if users can modify their
+ * account information, as it makes mapping a sent message back to the
+ * original sender almost impossible.
+ */
+ $show_sm_header = ( defined('hide_squirrelmail_header') ? ! hide_squirrelmail_header : 1 );
+
+ if ( $show_sm_header ) {
+ if (isset($encode_header_key) &&
+ trim($encode_header_key)!='') {
+ // use encoded headers, if encryption key is set and not empty
+ $header[] = 'X-Squirrel-UserHash: '.OneTimePadEncrypt($username,base64_encode($encode_header_key)).$rn;
+ $header[] = 'X-Squirrel-FromHash: '.OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key)).$rn;
+ if (isset($HTTP_X_FORWARDED_FOR))
+ $header[] = 'X-Squirrel-ProxyHash:'.OneTimePadEncrypt($this->ip2hex($HTTP_X_FORWARDED_FOR),base64_encode($encode_header_key)).$rn;
+ } else {
+ // use default received headers
+ $header[] = "Received: from $received_from" . $rn;
+ if ($edit_identity || ! isset($hide_auth_header) || ! $hide_auth_header)
+ $header[] = " (SquirrelMail authenticated user $username)" . $rn;
+ $header[] = " by $SERVER_NAME with HTTP;" . $rn;
+ $header[] = " $date" . $rn;
+ }
}
+
/* Insert the rest of the header fields */
$header[] = 'Message-ID: '. $message_id . $rn;
- if ($reply_rfc822_header->message_id) {
+ if (is_object($reply_rfc822_header) &&
+ isset($reply_rfc822_header->message_id) &&
+ $reply_rfc822_header->message_id) {
$rep_message_id = $reply_rfc822_header->message_id;
// $this->strip_crlf($message_id);
$header[] = 'In-Reply-To: '.$rep_message_id . $rn;
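Review bot: The docblock tells administrators to add `$hide_squirrelmail_header` to config_local.php, but the code tests a constant, `defined('hide_squirrelmail_header')`, so setting the variable as documented has no effect. Either document it as `define('hide_squirrelmail_header', 1);` or read the variable. The removed `$skip_SM_header` global is now ignored without notice, which fails safe (the header is emitted) but deserves a line in the comment or changelog. `'X-Squirrel-ProxyHash:'` lacks the space after the colon that the other two `X-Squirrel-*` headers have, and the braceless `if (isset($HTTP_X_FORWARDED_FOR))` should be braced like its neighbours. `$HTTP_X_FORWARDED_FOR` is client-supplied and may hold a comma-separated list, in which case `ip2hex()` passes it through unconverted.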
$header[] = 'Subject: '.encodeHeader($rfc822_header->subject) . $rn;
$header[] = 'From: '. $rfc822_header->getAddr_s('from',",$rn ",true) . $rn;
- // folding address list [From|To|Cc|Bcc] happens by using ",$rn<space>" as delimiter
+ // folding address list [From|To|Cc|Bcc] happens by using ",$rn<space>"
+ // as delimiter
// Do not use foldLine for that.
// RFC2822 if from contains more then 1 address
trim($refer);
return $refer;
}
+
+ /**
+ * Converts ip address to hexadecimal string
+ *
+ * Function is used to convert ipv4 and ipv6 addresses to hex strings.
+ * It removes all delimiter symbols from ip addresses, converts decimal
+ * ipv4 numbers to hex and pads strings in order to present full length
+ * address. ipv4 addresses are represented as 8 byte strings, ipv6 addresses
+ * are represented as 32 byte string.
+ *
+ * If function fails to detect address format, it returns unprocessed string.
+ * @param string $string ip address string
+ * @return string processed ip address string
+ * @since 1.5.1 and 1.4.5
+ */
+ function ip2hex($string) {
+ if (preg_match("/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/",$string,$match)) {
+ // ipv4 address
+ $ret = str_pad(dechex($match[1]),2,'0',STR_PAD_LEFT)
+ . str_pad(dechex($match[2]),2,'0',STR_PAD_LEFT)
+ . str_pad(dechex($match[3]),2,'0',STR_PAD_LEFT)
+ . str_pad(dechex($match[4]),2,'0',STR_PAD_LEFT);
+ } elseif (preg_match("/^([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)$/i",$string,$match)) {
+ // full ipv6 address
+ $ret = str_pad($match[1],4,'0',STR_PAD_LEFT)
+ . str_pad($match[2],4,'0',STR_PAD_LEFT)
+ . str_pad($match[3],4,'0',STR_PAD_LEFT)
+ . str_pad($match[4],4,'0',STR_PAD_LEFT)
+ . str_pad($match[5],4,'0',STR_PAD_LEFT)
+ . str_pad($match[6],4,'0',STR_PAD_LEFT)
+ . str_pad($match[7],4,'0',STR_PAD_LEFT)
+ . str_pad($match[8],4,'0',STR_PAD_LEFT);
+ } elseif (preg_match("/^\:\:([0-9a-h\:]+)$/i",$string,$match)) {
+ // short ipv6 with all starting symbols nulled
+ $aAddr=explode(':',$match[1]);
+ $ret='';
+ foreach ($aAddr as $addr) {
+ $ret.=str_pad($addr,4,'0',STR_PAD_LEFT);
+ }
+ $ret=str_pad($ret,32,'0',STR_PAD_LEFT);
+ } elseif (preg_match("/^([0-9a-h\:]+)::([0-9a-h\:]+)$/i",$string,$match)) {
+ // short ipv6 with middle part nulled
+ $aStart=explode(':',$match[1]);
+ $sStart='';
+ foreach($aStart as $addr) {
+ $sStart.=str_pad($addr,4,'0',STR_PAD_LEFT);
+ }
+ $aEnd = explode(':',$match[2]);
+ $sEnd='';
+ foreach($aEnd as $addr) {
+ $sEnd.=str_pad($addr,4,'0',STR_PAD_LEFT);
+ }
+ $ret = $sStart
+ . str_pad('',(32 - strlen($sStart . $sEnd)),'0',STR_PAD_LEFT)
+ . $sEnd;
+ } else {
+ // unknown addressing
+ $ret = $string;
+ }
+ return $ret;
+ }
}
+
?>
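Review bot: The three IPv6 patterns in `ip2hex()` use the class `[0-9a-h]`, which also accepts `g` and `h`; hexadecimal digits end at `f`, so it should be `[0-9a-f]` in each of them. The IPv4 branch does not range-check octets, so an input such as `1.2.3.999` produces a nine-character result and breaks the fixed eight-character width the docblock promises. Adding `&& max($match[1], $match[2], $match[3], $match[4]) <= 255` to that condition would send such input to the "unknown addressing" fallback instead. The docblock could also state that addresses with a trailing `::` and IPv4-mapped forms are returned unprocessed, since none of the patterns match them.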