* - Send mail
* - Save As Draft
*
- * @copyright 1999-2017 The SquirrelMail Project Team
+ * @copyright 1999-2019 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
// compose_messages only useful in SESSION when a forward-as-attachment
// has been preconstructed for us and passed in via that mechanism; once
// we have it, we can clear it from the SESSION
-sqsession_unregister('compose_messages');
+// -- No, this is useful in other scenarios, too -- removing:
+// sqsession_unregister('compose_messages');
// Turn on delayed error handling in case we wind up redirecting below
$oErrorHandler->setDelayedErrors(true);
/**
* 1) Remove the addresses we'll be sending the message 'to'
*/
- if (isset($header->reply_to)) {
+ if (isset($header->reply_to) && is_array($header->reply_to) && count($header->reply_to)) {
$excl_ar = $header->getAddr_a('reply_to');
+ } else if (is_object($header->reply_to)) { /* unneccesarry, just for failsafe purpose */
+ $excl_ar = $header->getAddr_a('reply_to');
+ } else {
+ $excl_ar = $header->getAddr_a('from');
}
/**
* 2) Remove our identities from the CC list (they still can be in the
$full_reply_citation = sprintf(_("%s wrote:"),$sOrig_from);
break;
case 'quote_who':
+ // TODO: the words "quote" and "who" are translated in 1.4.x so why not here? This isn't a real HTML tag...
$start = '<quote who="';
$end = '">';
$full_reply_citation = $start . $sOrig_from . $end;
// should never directly manipulate an object like this
if (!empty($attachments)) {
$attachments = unserialize(urldecode($attachments));
- if (!empty($attachments) && is_array($attachments))
- $composeMessage->entities = $attachments;
+ if (!empty($attachments) && is_array($attachments)) {
+ // sanitize the "att_local_name" since it is user-supplied and used to access the file system
+ // it must be alpha-numeric and 32 characters long (see the use of GenerateRandomString() below)
+ foreach ($attachments as $i => $attachment) {
+ if (empty($attachment->att_local_name) || strlen($attachment->att_local_name) !== 32) {
+ unset($attachments[$i]);
+ continue;
+ }
+ // probably marginal difference between (ctype_alnum + function_exists) and preg_match
+ if (function_exists('ctype_alnum')) {
+ if (!ctype_alnum($attachment->att_local_name))
+ unset($attachments[$i]);
+ }
+ else if (preg_match('/[^0-9a-zA-Z]/', $attachment->att_local_name))
+ unset($attachments[$i]);
+ }
+ if (!empty($attachments))
+ $composeMessage->entities = $attachments;
+ }
}
if (empty($mailbox)) {
$key, $imapServerAddress, $imapPort, $imap_stream_options,
$composeMessage, $body_quote, $request_mdn, $request_dr,
$mdn_user_support, $languages, $squirrelmail_language,
- $default_charset, $do_not_reply_to_self;
+ $default_charset, $do_not_reply_to_self, $compose_messages;
/*
* Set $default_charset to correspond with the user's selection
*/
function deliverMessage(&$composeMessage, $draft=false) {
global $send_to, $send_to_cc, $send_to_bcc, $mailprio, $subject, $body,
- $username, $identity, $idents, $data_dir,
+ $username, $identity, $idents, $data_dir, $compose_messages, $session,
$request_mdn, $request_dr, $default_charset, $useSendmail,
$domain, $action, $default_move_to_sent, $move_to_sent,
$imapServerAddress, $imapPort, $imap_stream_options, $sent_folder, $key;
sqimap_logout($imap_stream);
unset ($imap_deliver);
$composeMessage->purgeAttachments();
+//TODO: completely unclear if should be using $compose_session instead of $session below
+ unset($compose_messages[$session]);
+ sqsession_register($compose_messages,'compose_messages');
return $success;
} else {
$msg = '<br />'.sprintf(_("Error: Draft folder %s does not exist."), sm_encode_html_special_chars($draft_folder));
// final cleanup
//
$composeMessage->purgeAttachments();
+//TODO: completely unclear if should be using $compose_session instead of $session below
+ unset($compose_messages[$session]);
+ sqsession_register($compose_messages,'compose_messages');
sqimap_logout($imap_stream);
}
projects / squirrelmail.git / blobdiff