X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=functions%2Fmime.php;h=8f232695cf8c902030d2fd44d52b36373c42141a;hb=ca885a4ff4cc1175af8db97bab02f7aa74ced73a;hp=ccbfd2900a44c03a6c75cb1e6f21357b7679efe3;hpb=8bd0068d630a8bfca396e936e5f34b9bd452fba8;p=squirrelmail.git
diff --git a/functions/mime.php b/functions/mime.php
index ccbfd290..8f232695 100644
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -3,12 +3,11 @@
/**
* mime.php
*
- * Copyright (c) 1999-2005 The SquirrelMail Project Team
- * Licensed under the GNU GPL. For full terms see the file COPYING.
- *
* This contains the functions necessary to detect and decode MIME
* messages.
*
+ * @copyright © 1999-2006 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
*/
@@ -335,7 +334,8 @@ function formatBody($imap_stream, $message, $color, $wrap_at, $ent_num, $id, $ma
* order that is their priority.
*/
global $startMessage, $languages, $squirrelmail_language,
- $show_html_default, $sort, $has_unsafe_images, $passed_ent_id, $use_iframe,$iframe_height;
+ $show_html_default, $sort, $has_unsafe_images, $passed_ent_id,
+ $use_iframe, $iframe_height, $download_and_unsafe_link;
// workaround for not updated config.php
if (! isset($use_iframe)) $use_iframe = false;
@@ -388,7 +388,9 @@ function formatBody($imap_stream, $message, $color, $wrap_at, $ent_num, $id, $ma
* If we don't add html message between iframe tags,
* we must detect unsafe images and modify $has_unsafe_images.
*/
- $html_body = magicHTML($body, $id, $message, $mailbox);
+ $html_body = magicHTML($body, $id, $message, $mailbox);
+ // Convert character set in order to display html mails in different character set
+ $html_body = charset_decode($body_message->header->getParameter('charset'),$html_body,false,true);
// creating iframe url
$iframeurl=sqm_baseuri().'src/view_html.php?'
@@ -427,6 +429,12 @@ function formatBody($imap_stream, $message, $color, $wrap_at, $ent_num, $id, $ma
} else {
// old way of html rendering
$body = magicHTML($body, $id, $message, $mailbox);
+ /**
+ * convert character set. charset_decode does not remove html special chars
+ * applied by magicHTML functions and does not sanitize them second time if
+ * fourth argument is true.
+ */
+ $body = charset_decode($body_message->header->getParameter('charset'),$body,false,true);
}
} else {
translateText($body, $wrap_at,
@@ -438,13 +446,15 @@ function formatBody($imap_stream, $message, $color, $wrap_at, $ent_num, $id, $ma
return $body;
}
+ $download_and_unsafe_link = '';
+
$link = 'passed_id=' . $id . '&ent_id='.$ent_num.
'&mailbox=' . $urlmailbox .'&sort=' . $sort .
'&startMessage=' . $startMessage . '&show_more=0';
if (isset($passed_ent_id)) {
$link .= '&passed_ent_id='.$passed_ent_id;
}
- $body .= '
- */
+ * First look for general BODY style declaration, which would be
+ * like so:
+ * body {background: blah-blah}
+ * and change it to .bodyclass so we can just assign it to a
+ */
$content = preg_replace("|body(\s*\{.*?\})|si", ".bodyclass\\1", $content);
$secremoveimg = '../images/' . _("sec_remove_eng.png");
/**
- * Fix url('blah') declarations.
- */
- $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
- "url(\\1$secremoveimg\\2)", $content);
- /**
- * Fix url('https*://.*) declarations but only if $view_unsafe_images
- * is false.
- */
- if (!$view_unsafe_images){
- $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si",
- "url(\\1$secremoveimg\\2)", $content);
- }
+ * Fix url('blah') declarations.
+ */
+ // $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
+ // "url(\\1$secremoveimg\\2)", $content);
+ // remove NUL
+ $content = str_replace("\0", "", $content);
+ // translate ur\l and variations (IE parses that)
+ $content = preg_replace("/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i", 'url', $content);
+ // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
+ while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
+ $sProto = strtolower($matches[1]);
+ switch ($sProto) {
+ /**
+ * Fix url('https*://.*) declarations but only if $view_unsafe_images
+ * is false.
+ */
+ case 'https':
+ case 'http':
+ if (!$view_unsafe_images){
- /**
- * Fix urls that refer to cid:
- */
- while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si",
- $content, $matches)){
- $cidurl = $matches{1};
- $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
- $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
- "url($httpurl)", $content);
+ $sExpr = "/url\s*\(\s*[\'\"]?\s*$sProto*:.*[\'\"]?\s*\)/si";
+ $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content);
+
+ } else {
+ $content = preg_replace('/url/i',"u\0r\0l",$content);
+ }
+ break;
+ /**
+ * Fix urls that refer to cid:
+ */
+ case 'cid':
+ $cidurl = 'cid:'. $matches[2];
+ $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
+ // escape parentheses that can modify the regular expression
+ $cidurl = str_replace(array('(',')'),array('\\(','\\)'),$cidurl);
+ $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
+ "u\0r\0l($httpurl)", $content);
+ break;
+ default:
+ /**
+ * replace url with protocol other then the white list
+ * http,https and cid by an empty string.
+ */
+ $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si",
+ "", $content);
+ break;
+ }
}
+ // remove NUL
+ $content = str_replace("\0", "", $content);
+ /**
+ * Remove any backslashes, entities, and extraneous whitespace.
+ */
+ $contentTemp = $content;
+ sq_defang($contentTemp);
+ sq_unspace($contentTemp);
/**
* Fix stupid css declarations which lead to vulnerabilities
* in IE.
*/
- $match = Array('/expression/i',
- '/behaviou*r/i',
- '/binding/i',
- '/include-source/i');
- $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
- $content = preg_replace($match, $replace, $content);
+ $match = Array('/\/\*.*\*\//',
+ '/expression/i',
+ '/behaviou*r/i',
+ '/binding/i',
+ '/include-source/i');
+ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy');
+ $contentNew = preg_replace($match, $replace, $contentTemp);
+ if ($contentNew !== $contentTemp) {
+ // insecure css declarations are used. From now on we don't care
+ // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash
+ $content = $contentNew;
+ }
return array($content, $newpos);
}
+
/**
* This function converts cid: url's into the ones that can be viewed in
* the browser.
@@ -1631,6 +1793,11 @@ function sq_cid2http($message, $id, $cidurl, $mailbox){
$quotchar = '';
}
$cidurl = substr(trim($cidurl), 4);
+
+ $match_str = '/\{.*?\}\//';
+ $str_rep = '';
+ $cidurl = preg_replace($match_str, $str_rep, $cidurl);
+
$linkurl = find_ent_id($cidurl, $message);
/* in case of non-save cid links $httpurl should be replaced by a sort of
unsave link image */
@@ -1663,7 +1830,7 @@ function sq_cid2http($message, $id, $cidurl, $mailbox){
* If we couldn't generate a proper img url, drop in a blank image
* instead of sending back empty, otherwise it causes unusual behaviour
*/
- $httpurl = $quotchar . SM_PATH . 'images/blank.png';
+ $httpurl = $quotchar . SM_PATH . 'images/blank.png' . $quotchar;
}
return $httpurl;
@@ -1896,6 +2063,7 @@ function sq_sanitize($body,
*
* @param $body the body of the message
* @param $id the id of the message
+
* @param $message
* @param $mailbox
* @param boolean $take_mailto_links When TRUE, converts mailto: links
@@ -1903,13 +2071,12 @@ function sq_sanitize($body,
* (optional; default = TRUE)
* @return a string with html safe to display in the browser.
*/
-function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links = true) {
+function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links =true) {
require_once(SM_PATH . 'functions/url_parser.php'); // for $MailTo_PReg_Match
global $attachment_common_show_images, $view_unsafe_images,
$has_unsafe_images;
-
/**
* Don't display attached images in HTML mode.
*/
@@ -1934,6 +2101,7 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
"embed",
"title",
"frameset",
+ "xmp",
"xml"
);
@@ -1973,7 +2141,6 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
"\\1$secremoveimg\\2",
"\\1$secremoveimg\\2",
"\\1$secremoveimg\\2",
- "\\1$secremoveimg\\2"
)
),
"/^href|action/i" =>
@@ -1984,7 +2151,6 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
"/^([\'\"])\s*about\s*:.*([\'\"])/si"
),
Array(
- "\\1#\\1",
"\\1#\\1",
"\\1#\\1",
"\\1#\\1"
@@ -1993,23 +2159,26 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
"/^style/i" =>
Array(
Array(
+ "/\/\*.*\*\//",
"/expression/i",
"/binding/i",
"/behaviou*r/i",
"/include-source/i",
"/position\s*:\s*absolute/i",
+ "/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",
"/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
"/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
"/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
"/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"
),
Array(
+ "",
"idiocy",
"idiocy",
"idiocy",
"idiocy",
"",
- "url(\\1#\\1)",
+ "url",
"url(\\1#\\1)",
"url(\\1#\\1)",
"url(\\1#\\1)",
@@ -2031,7 +2200,7 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[1],
"\\1$secremoveimg\\1");
array_push($bad_attvals{'/.*/'}{'/^style/i'}[0],
- '/url\(([\'\"])\s*https*:.*([\'\"])\)/si');
+ '/url\([\'\"]?https?:[^\)]*[\'\"]?\)/si');
array_push($bad_attvals{'/.*/'}{'/^style/i'}[1],
"url(\\1$secremoveimg\\1)");
}
@@ -2058,7 +2227,6 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
$has_unsafe_images = true;
}
-
// we want to parse mailto's in HTML output, change to SM compose links
// this is a modified version of code from url_parser.php... but Marc is
// right: we need a better filtering implementation; adding this randomly
@@ -2071,7 +2239,6 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
if ((preg_match_all($MailTo_PReg_Match, $trusted, $regs)) && ($regs[0][0] != '')) {
foreach ($regs[0] as $i => $mailto_before) {
$mailto_params = $regs[10][$i];
-
// get rid of any tailing quote since we have to add send_to to the end
//
if (substr($mailto_before, strlen($mailto_before) - 1) == '"')
@@ -2131,18 +2298,18 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links
*/
function SendDownloadHeaders($type0, $type1, $filename, $force, $filesize=0) {
global $languages, $squirrelmail_language;
- $isIE = $isIE6 = 0;
+ $isIE = $isIE6plus = false;
sqgetGlobalVar('HTTP_USER_AGENT', $HTTP_USER_AGENT, SQ_SERVER);
if (strstr($HTTP_USER_AGENT, 'compatible; MSIE ') !== false &&
strstr($HTTP_USER_AGENT, 'Opera') === false) {
- $isIE = 1;
+ $isIE = true;
}
- if (strstr($HTTP_USER_AGENT, 'compatible; MSIE 6') !== false &&
- strstr($HTTP_USER_AGENT, 'Opera') === false) {
- $isIE6 = 1;
+ if (preg_match('/compatible; MSIE ([0-9]+)/', $HTTP_USER_AGENT, $match) &&
+ ((int)$match[1]) >= 6 && strstr($HTTP_USER_AGENT, 'Opera') === false) {
+ $isIE6plus = true;
}
if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
@@ -2199,7 +2366,7 @@ function SendDownloadHeaders($type0, $type1, $filename, $force, $filesize=0) {
// "attachment"... does it apply to inline too?
header ("Content-Disposition: attachment; filename=\"$filename\"");
- if ($isIE && !$isIE6) {
+ if ($isIE && !$isIE6plus) {
// This combination seems to work mostly. IE 5.5 SP 1 has
// known issues (see the Microsoft Knowledge Base)
@@ -2223,4 +2390,4 @@ function SendDownloadHeaders($type0, $type1, $filename, $force, $filesize=0) {
} // end fn SendDownloadHeaders
-?>
\ No newline at end of file
+?>