* This contains the functions necessary to detect and decode MIME
* messages.
*
- * @copyright © 1999-2006 The SquirrelMail Project Team
+ * @copyright © 1999-2007 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
$read = trim(substr ($read, 0, -1));
$i = 0;
$msg = Message::parseStructure($read,$i);
+
if (!is_object($msg)) {
global $color, $mailbox;
/* removed urldecode because $_GET is auto urldecoded ??? */
}
if ($quotes % 2) {
- $line = '<span class="quote1">' . $line . '</style>';
+ $line = '<span class="quote1">' . $line . '</span>';
} elseif ($quotes) {
- $line = '<span class="quote2">' . $line . '</style>';
+ $line = '<span class="quote2">' . $line . '</span>';
}
$body_ary[$i] = $line;
global $startMessage, $languages, $squirrelmail_language,
$show_html_default, $sort, $has_unsafe_images, $passed_ent_id,
$use_iframe, $iframe_height, $download_and_unsafe_link,
- $download_href, $unsafe_image_toggle_href, $unsafe_image_toggle_text;
+ $download_href, $unsafe_image_toggle_href, $unsafe_image_toggle_text,
+ $oTemplate;
+
+ $nbsp = $oTemplate->fetch('non_breaking_space.tpl');
// workaround for not updated config.php
if (! isset($use_iframe)) $use_iframe = false;
$body = call_user_func($languages[$squirrelmail_language]['XTRA_CODE'] . '_decode',$body);
}
}
- $hookResults = do_hook("message_body", $body);
- $body = $hookResults[1];
+
+ /* As of 1.5.2, $body is passed (and modified) by reference */
+ do_hook('message_body', $body);
/* If there are other types that shouldn't be formatted, add
* them here.
. '&ent_id=' . $ent_num
. '&view_unsafe_images=' . (int) $view_unsafe_images;
- // adding warning message
- $body = html_tag('div',_("Viewing HTML formatted email"),'center');
+ global $oTemplate;
+ $oTemplate->assign('iframe_url', $iframeurl);
+ $oTemplate->assign('html_body', $html_body);
- /**
- * height can't be set to 100%, because it does not work as expected when
- * iframe is inside the table. Browsers do not create full height objects
- * even when iframe is not nested. Maybe there is some way to get full size
- * with CSS. Tested in firefox 1.02 and opera 7.53
- *
- * width="100%" does not work as expected, when table width is not set (automatic)
- *
- * tokul: I think <iframe> are safer sandbox than <object>. Objects might
- * need special handling for IE and IE6SP2.
- */
- $body.= "<div><iframe name=\"message_frame\" width=\"100%\" height=\"$iframe_height\" src=\"$iframeurl\""
- .' frameborder="1" marginwidth="0" marginheight="0" scrolling="auto">' . "\n";
-
- // Message for browsers without iframe support
- //$body.= _("Your browser does not support inline frames.
- // You can view HTML formated message by following below link.");
- //$body.= "<br /><a href=\"$iframeurl\">"._("View HTML Message")."</a>";
-
- // if browser can't render iframe, it renders html message.
- $body.= $html_body;
-
- // close iframe
- $body.="</iframe></div>\n";
+ $body = $oTemplate->fetch('read_html_iframe.tpl');
} else {
// old way of html rendering
$body = magicHTML($body, $id, $message, $mailbox);
$link .= '&passed_ent_id='.$passed_ent_id;
}
$download_href = SM_PATH . 'src/download.php?absolute_dl=true&' . $link;
- $download_and_unsafe_link .= ' | <a href="'. $download_href .'">' . _("Download this as a file") . '</a>';
+ $download_and_unsafe_link .= "$nbsp|$nbsp"
+ . create_hyperlink($download_href, _("Download this as a file"));
if ($view_unsafe_images) {
$text = _("Hide Unsafe Images");
} else {
if($text != '') {
$unsafe_image_toggle_href = SM_PATH . 'src/read_body.php?'.$link;
$unsafe_image_toggle_text = $text;
- $download_and_unsafe_link .= ' | <a href="'. $unsafe_image_toggle_href .'">' . $text . '</a>';
+ $download_and_unsafe_link .= "$nbsp|$nbsp"
+ . create_hyperlink($unsafe_image_toggle_href, $text);
}
}
return $body;
}
/**
- * Displays attachment links and information
- *
- * Since 1.3.0 function is not included in formatBody() call.
- *
- * Since 1.0.2 uses attachment $type0/$type1 hook.
- * Since 1.2.5 uses attachment $type0/* hook.
- * Since 1.5.0 uses attachments_bottom hook.
- * Since 1.5.2 uses templates and does *not* return a value.
+ * Generate attachments array for passing to templates. Separated from
+ * formatAttachments() below so that the same array can be given to the
+ * print-friendly version.
*
+ * @since 1.5.2
* @param object $message SquirrelMail message object
* @param array $exclude_id message parts that are not attachments.
* @param string $mailbox mailbox name
* @param integer $id message id
*/
-function formatAttachments($message, $exclude_id, $mailbox, $id) {
- global $where, $what, $startMessage, $color, $passed_ent_id, $base_uri,
- $oTemplate;
+function buildAttachmentArray($message, $exclude_id, $mailbox, $id) {
+ global $where, $what, $startMessage, $color, $passed_ent_id, $base_uri;
$att_ar = $message->getAttachments($exclude_id);
$urlMailbox = urlencode($mailbox);
- $attach = array();
+ $attachments = array();
foreach ($att_ar as $att) {
$ent = $att->entity_id;
$header = $att->header;
$links['download link']['text'] = _("Download");
$links['download link']['href'] = $base_uri .
"src/download.php?absolute_dl=true&passed_id=$id&mailbox=$urlMailbox&ent_id=$ent";
-
+
if ($type0 =='message' && $type1 == 'rfc822') {
$default_page = $base_uri . 'src/read_body.php';
$rfc822_header = $att->rfc822_header;
if ($where && $what) {
$defaultlink .= '&where='. urlencode($where).'&what='.urlencode($what);
}
+ // IE does make use of mime content sniffing. Forcing a download
+ // prohibit execution of XSS inside an application/octet-stream attachment
+ if ($type0 == 'application' && $type1 == 'octet-stream') {
+ $defaultlink .= '&absolute_dl=true';
+ }
/* This executes the attachment hook with a specific MIME-type.
* If that doesn't have results, it tries if there's a rule
- * for a more generic type.
+ * for a more generic type. Finally, a hook for ALL attachment
+ * types is run as well.
*/
- $hookresults = do_hook("attachment $type0/$type1", $links,
- $startMessage, $id, $urlMailbox, $ent, $defaultlink,
- $display_filename, $where, $what);
- if(count($hookresults[1]) <= 1) {
- $hookresults = do_hook("attachment $type0/*", $links,
- $startMessage, $id, $urlMailbox, $ent, $defaultlink,
- $display_filename, $where, $what);
+ /* The API for this hook has changed as of 1.5.2 so that all plugin
+ arguments are passed in an array instead of each their own plugin
+ argument, and arguments are passed by reference, so instead of
+ returning any changes, changes should simply be made to the original
+ arguments themselves. */
+ do_hook("attachment $type0/$type1", $temp=array(&$links,
+ &$startMessage, &$id, &$urlMailbox, &$ent, &$defaultlink,
+ &$display_filename, &$where, &$what));
+ if(count($links) <= 1) {
+ /* The API for this hook has changed as of 1.5.2 so that all plugin
+ arguments are passed in an array instead of each their own plugin
+ argument, and arguments are passed by reference, so instead of
+ returning any changes, changes should simply be made to the original
+ arguments themselves. */
+ do_hook("attachment $type0/*", $temp=array(&$links,
+ &$startMessage, &$id, &$urlMailbox, &$ent, &$defaultlink,
+ &$display_filename, &$where, &$what));
}
-
- $links = $hookresults[1];
- $defaultlink = $hookresults[6];
-
- $a = array();
- $a['Name'] = decodeHeader($display_filename);
- $a['Description'] = $description;
- $a['DefaultHREF'] = $defaultlink;
- $a['DownloadHREF'] = $links['download link']['href'];
- $a['ViewHREF'] = isset($links['attachment_common']) ? $links['attachment_common']['href'] : '';
- $a['Size'] = $header->size;
- $a['ContentType'] = htmlspecialchars($type0 .'/'. $type1);
- $a['OtherLinks'] = array();
+ /* The API for this hook has changed as of 1.5.2 so that all plugin
+ arguments are passed in an array instead of each their own plugin
+ argument, and arguments are passed by reference, so instead of
+ returning any changes, changes should simply be made to the original
+ arguments themselves. */
+ do_hook("attachment */*", $temp=array(&$links,
+ &$startMessage, &$id, &$urlMailbox, &$ent, &$defaultlink,
+ &$display_filename, &$where, &$what));
+
+ $this_attachment = array();
+ $this_attachment['Name'] = decodeHeader($display_filename);
+ $this_attachment['Description'] = $description;
+ $this_attachment['DefaultHREF'] = $defaultlink;
+ $this_attachment['DownloadHREF'] = $links['download link']['href'];
+ $this_attachment['ViewHREF'] = isset($links['attachment_common']) ? $links['attachment_common']['href'] : '';
+ $this_attachment['Size'] = $header->size;
+ $this_attachment['ContentType'] = htmlspecialchars($type0 .'/'. $type1);
+ $this_attachment['OtherLinks'] = array();
foreach ($links as $val) {
if ($val['text']==_("Download") || $val['text'] == _("View"))
continue;
if (empty($val['text']) && empty($val['extra']))
continue;
-
- $t = array();
- $t['HREF'] = $val['href'];
- $t['Text'] = (empty($val['text']) ? '' : $val['text']) . (empty($val['extra']) ? '' : $val['extra']);
- $a['OtherLinks'][] = $t;
+
+ $temp = array();
+ $temp['HREF'] = $val['href'];
+ $temp['Text'] = (empty($val['text']) ? '' : $val['text']) . (empty($val['extra']) ? '' : $val['extra']);
+ $this_attachment['OtherLinks'][] = $temp;
}
- $attach[] = $a;
-
+ $attachments[] = $this_attachment;
+
unset($links);
}
+ return $attachments;
+}
+
+/**
+ * Displays attachment links and information
+ *
+ * Since 1.3.0 function is not included in formatBody() call.
+ *
+ * Since 1.0.2 uses attachment $type0/$type1 hook.
+ * Since 1.2.5 uses attachment $type0/* hook.
+ * Since 1.5.0 uses attachments_bottom hook.
+ * Since 1.5.2 uses templates and does *not* return a value.
+ *
+ * @param object $message SquirrelMail message object
+ * @param array $exclude_id message parts that are not attachments.
+ * @param string $mailbox mailbox name
+ * @param integer $id message id
+ */
+function formatAttachments($message, $exclude_id, $mailbox, $id) {
+ global $oTemplate;
+
+ $attach = buildAttachmentArray($message, $exclude_id, $mailbox, $id);
+
$oTemplate->assign('attachments', $attach);
$oTemplate->display('read_attachments.tpl');
}
$body = str_replace("\r\n", "\n", $body);
$encoding = strtolower($encoding);
- $encoding_handler = do_hook_function('decode_body', $encoding);
+ $encoding_handler = do_hook('decode_body', $encoding);
// plugins get first shot at decoding the body
return;
}
$m = false;
+ // before deent, translate the dangerous unicode characters and ... to safe values
+ // otherwise the regular expressions do not match.
+
+
+
do {
$m = false;
$m = $m || sq_deent($attvalue, '/\�*(\d+);*/s');
}
}
+/**
+ * Translate all dangerous Unicode or Shift_JIS characters which are accepted by
+ * IE as regular characters.
+ *
+ * @param attvalue The attribute value before dangerous characters are translated.
+ * @return attvalue Nothing, modifies a reference value.
+ * @author Marc Groot Koerkamp.
+ */
+function sq_fixIE_idiocy(&$attvalue) {
+ // remove NUL
+ $attvalue = str_replace("\0", "", $attvalue);
+ // remove comments
+ $attvalue = preg_replace("/(\/\*.*?\*\/)/","",$attvalue);
+
+ // IE has the evil habit of accepting every possible value for the attribute expression.
+ // The table below contains characters which are parsed by IE if they are used in the "expression"
+ // attribute value.
+ $aDangerousCharsReplacementTable = array(
+ array('ʟ', 'ʟ' ,/* L UNICODE IPA Extension */
+ 'ʀ', 'ʀ' ,/* R UNICODE IPA Extension */
+ 'ɴ', 'ɴ' ,/* N UNICODE IPA Extension */
+ 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */
+ 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */
+ 'X', 'X',/* Unicode FULLWIDTH LATIN CAPITAL LETTER X */
+ 'x', 'x',/* Unicode FULLWIDTH LATIN SMALL LETTER X */
+ 'P', 'P',/* Unicode FULLWIDTH LATIN CAPITAL LETTER P */
+ 'p', 'p',/* Unicode FULLWIDTH LATIN SMALL LETTER P */
+ 'R', 'R',/* Unicode FULLWIDTH LATIN CAPITAL LETTER R */
+ 'r', 'r',/* Unicode FULLWIDTH LATIN SMALL LETTER R */
+ 'S', 'S',/* Unicode FULLWIDTH LATIN CAPITAL LETTER S */
+ 's', 's',/* Unicode FULLWIDTH LATIN SMALL LETTER S */
+ 'I', 'I',/* Unicode FULLWIDTH LATIN CAPITAL LETTER I */
+ 'i', 'i',/* Unicode FULLWIDTH LATIN SMALL LETTER I */
+ 'O', 'O',/* Unicode FULLWIDTH LATIN CAPITAL LETTER O */
+ 'o', 'o',/* Unicode FULLWIDTH LATIN SMALL LETTER O */
+ 'N', 'N',/* Unicode FULLWIDTH LATIN CAPITAL LETTER N */
+ 'n', 'n',/* Unicode FULLWIDTH LATIN SMALL LETTER N */
+ 'L', 'L',/* Unicode FULLWIDTH LATIN CAPITAL LETTER L */
+ 'l', 'l',/* Unicode FULLWIDTH LATIN SMALL LETTER L */
+ 'U', 'U',/* Unicode FULLWIDTH LATIN CAPITAL LETTER U */
+ 'u', 'u',/* Unicode FULLWIDTH LATIN SMALL LETTER U */
+ 'ⁿ', 'ⁿ' ,/* Unicode SUPERSCRIPT LATIN SMALL LETTER N */
+ '艤', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ // in unicode this is some Chinese char range
+ '芅', /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */
+ '艷', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */
+ '芘', /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */
+ '良', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */
+ '芐', /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */
+ '艱', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */
+ '芒', /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */
+ '色', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */
+ '芓', /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */
+ '艨', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */
+ '芉', /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */
+ '艮', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */
+ '芏', /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */
+ '艭', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */
+ '芎'), /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */
+ array('l', 'l', 'r','r','n','n',
+ 'E','E','e','e','X','X','x','x','P','P','p','p','S','S','s','s','I','I',
+ 'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n',
+ 'E','e','X','x','P','p','S','s','I','i','O','o','N','n'));
+ $attvalue = str_replace($aDangerousCharsReplacementTable[0],$aDangerousCharsReplacementTable[1],$attvalue);
+
+ // Escapes are useful for special characters like "{}[]()'&. In other cases they are
+ // used for XSS.
+ $attvalue = preg_replace("/(\\\\)([a-zA-Z]{1})/",'$2',$attvalue);
+}
+
/**
* This function returns the final tag out of the tag name, an array
* of attributes, and the type of the tag. This function is called by
function sq_deent(&$attvalue, $regex, $hex=false){
$me = 'sq_deent';
$ret_match = false;
+ // remove comments
+ //$attvalue = preg_replace("/(\/\*.*\*\/)/","",$attvalue);
preg_match_all($regex, $attvalue, $matches);
if (is_array($matches) && sizeof($matches[0]) > 0){
$repl = Array();
}
}
}
+ /**
+ * Workaround for IE quirks
+ */
+ sq_fixIE_idiocy($attvalue);
+
/**
* Remove any backslashes, entities, and extraneous whitespace.
*/
+
+ $oldattvalue = $attvalue;
sq_defang($attvalue);
+ if ($attname == 'style' && $attvalue !== $oldattvalue) {
+ // entities are used in the attribute value. In 99% of the cases it's there as XSS
+ // i.e.<div style="{ left:expʀessioɴ( alert('XSS') ) }">
+ $attvalue = "idiocy";
+ $attary{$attname} = $attvalue;
+ }
sq_unspace($attvalue);
/**
function sq_fixstyle($body, $pos, $message, $id, $mailbox){
global $view_unsafe_images;
$me = 'sq_fixstyle';
- $ret = sq_findnxreg($body, $pos, '</\s*style\s*>');
- if ($ret == FALSE){
+ // workaround for </style> in between comments
+ $iCurrentPos = $pos;
+ $content = '';
+ $sToken = '';
+ $bSucces = false;
+ $bEndTag = false;
+ for ($i=$pos,$iCount=strlen($body);$i<$iCount;++$i) {
+ $char = $body{$i};
+ switch ($char) {
+ case '<':
+ $sToken .= $char;
+ break;
+ case '/':
+ if ($sToken == '<') {
+ $sToken .= $char;
+ $bEndTag = true;
+ } else {
+ $content .= $char;
+ }
+ break;
+ case '>':
+ if ($bEndTag) {
+ $sToken .= $char;
+ if (preg_match('/\<\/\s*style\s*\>/i',$sToken,$aMatch)) {
+ $newpos = $i + 1;
+ $bSucces = true;
+ break 2;
+ } else {
+ $content .= $sToken;
+ }
+ $bEndTag = false;
+ } else {
+ $content .= $char;
+ }
+ break;
+ case '!':
+ if ($sToken == '<') {
+ // possible comment
+ if (isset($body{$i+2}) && substr($body,$i,3) == '!--') {
+ $i = strpos($body,'-->',$i+3);
+ if ($i === false) { // no end comment
+ $i = strlen($body);
+ }
+ $sToken = '';
+ }
+ } else {
+ $content .= $char;
+ }
+ break;
+ default:
+ if ($bEndTag) {
+ $sToken .= $char;
+ } else {
+ $content .= $char;
+ }
+ break;
+ }
+ }
+ if ($bSucces == FALSE){
return array(FALSE, strlen($body));
}
- $newpos = $ret[0] + strlen($ret[2]);
- $content = $ret[1];
+
+
+
/**
* First look for general BODY style declaration, which would be
* like so:
*/
// $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
// "url(\\1$secremoveimg\\2)", $content);
- // remove NUL
- $content = str_replace("\0", "", $content);
+
+ // IE Sucks hard. We have a special function for it.
+ sq_fixIE_idiocy($content);
+
+ // remove @import line
+ $content = preg_replace("/^\s*(@import.*)$/mi","\n<!-- @import rules forbidden -->\n",$content);
+
// translate ur\l and variations (IE parses that)
+ // TODO check if the sq_fixIE_idiocy function already handles this.
$content = preg_replace("/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i", 'url', $content);
// NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
'/expression/i',
'/behaviou*r/i',
'/binding/i',
- '/include-source/i');
- $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy');
+ '/include-source/i',
+ '/javascript/i',
+ '/script/i');
+ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy');
$contentNew = preg_replace($match, $replace, $contentTemp);
if ($contentNew !== $contentTemp) {
// insecure css declarations are used. From now on we don't care
$has_unsafe_images;
/**
* Don't display attached images in HTML mode.
- *
+ *
* SB: why?
*/
$attachment_common_show_images = false;
// This works for most types, but doesn't work with Word files
header ("Content-Type: application/download; name=\"$filename\"");
-
+ header ("Content-Type: application/force-download; name=\"$filename\"");
// These are spares, just in case. :-)
//header("Content-Type: $type0/$type1; name=\"$filename\"");
//header("Content-Type: application/x-msdownload; name=\"$filename\"");
//header("Content-Type: application/octet-stream; name=\"$filename\"");
+ } else if ($isIE) {
+ // This is to prevent IE for MIME sniffing and auto open a file in IE
+ header ("Content-Type: application/force-download; name=\"$filename\"");
} else {
// another application/octet-stream forces download for Netscape
header ("Content-Type: application/octet-stream; name=\"$filename\"");