No longer put complete filename relative to / in the HTML-code when
authorgustavf <gustavf@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Fri, 11 Feb 2000 09:46:15 +0000 (09:46 +0000)
committergustavf <gustavf@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Fri, 11 Feb 2000 09:46:15 +0000 (09:46 +0000)
attaching files. This was a security bummer.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@208 7612ce4b-ef26-0410-bec9-ea0150e637f0

functions/smtp.php
src/compose.php

index 2a397f28369045e1608910e7d13e8aee23a3c8a2..d6bf69934dab5d3690361fd47cbcea839bde1135 100644 (file)
 
    // Attach the files that are due to be attached
    function attachFiles ($fp) {
-      global $attachments;
+      global $attachments, $attachment_dir;
 
       while (list($localname, $remotename) = each($attachments)) {
-         $fileinfo = fopen ($localname.".info", "r");
+         $fileinfo = fopen ($attachment_dir.$localname.".info", "r");
          $filetype = fgets ($fileinfo, 8192);
          fclose ($fileinfo);
          $filetype = trim ($filetype);
          fputs ($fp, "Content-Disposition: attachment; filename=\"$remotename\"\n");
          fputs ($fp, "Content-Transfer-Encoding: base64\n\n");
 
-         $file = fopen ($localname, "r");
+         $file = fopen ($attachment_dir.$localname, "r");
          while ($tmp = fread($file, 57))
             fputs ($fp, chunk_split(base64_encode($tmp)));
          fclose ($file);
 
-         unlink ($localname);
-         unlink ($localname.".info");
+         unlink ($attachment_dir.$localname);
+         unlink ($attachment_dir.$localname.".info");
       }
    }
 
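Review bot: Prefixing `$attachment_dir` in `attachFiles` does not confine the paths, because `$localname` is a key of the global `$attachments`, which (going by the commit message) round-trips through the compose form; a name containing `/` or `..` would still make `fopen` and `unlink` resolve outside the attachment directory. Since src/compose.php generates these names with `md5()`, the loop can reject anything else first, e.g. `if (!preg_match('/^[0-9a-f]{32}$/', $localname)) continue;`. The same check is needed before the two `unlink` calls in the `do_delete` branch of src/compose.php, where `$localname` comes from `$delete` and appears to be request-supplied as well. Separately, `$remotename` is written into the `Content-Disposition` header unescaped, so double quotes and line breaks should be stripped from it before the `fputs`.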
index d9ea51eaa750cef5058c410517fcecf4b3495c02..746c10a1d05f20a307944dad0f64bfcc5ef962d6 100644 (file)
       }
    } else if (isset($attach)) {
       $localfilename = md5("$attachfile, $attachfile_name, $REMOTE_IP, $REMOTE_PORT, $UNIQUE_ID, and everything else that may add entropy");
-      $localfilename = $attachment_dir.$localfilename;
+      $localfilename = $localfilename;
       
       // Put the file in a better place
       error_reporting(0); // Rename will produce error output if it fails
-      if (!rename($attachfile, $localfilename)) {
-         if (!copy($attachfile, $localfilename)) {
+      if (!rename($attachfile, $attachment_dir.$localfilename)) {
+         if (!copy($attachfile, $attachment_dir.$localfilename)) {
             plain_error_message(_("Could not move/copy file. File not attached"));
+            $failed = true;
          }
       }
       // If it still exists, PHP will remove the original file
 
-      // Write information about the file
-      $fp = fopen ($localfilename.".info", "w");
-      fputs ($fp, "$attachfile_type\n$attachfile_name\n");
-      fclose ($fp);
+      if (!$failed) {
+         // Write information about the file
+         $fp = fopen ($attachment_dir.$localfilename.".info", "w");
+         fputs ($fp, "$attachfile_type\n$attachfile_name\n");
+         fclose ($fp);
 
-      $attachments[$localfilename] = $attachfile_name;
+         $attachments[$localfilename] = $attachfile_name;
+      }
       
       showInputForm();
    } else if (isset($do_delete)) {
       while (list($key, $localname) = each($delete)) {
          array_splice ($attachments, $localname, 1);
-         unlink ($localname);
-         unlink ($localname.".info");
+         unlink ($attachment_dir.$localname);
+         unlink ($attachment_dir.$localname.".info");
       }
 
       showInputForm();
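Review bot: `$failed` is read at `if (!$failed)` but is only assigned in the copy-failure branch, so on the success path it is undefined in the visible lines. If this script takes its variables from the request (as `$attach` and `$do_delete` suggest), a preset value would be honoured. Add `$failed = false;` before the `rename` call. The line `$localfilename = $localfilename;` is now a no-op and can be deleted. `error_reporting(0)` is also never restored in the visible lines, which hides a failed `fopen` on the `.info` file; the enclosing if/else chain begins and ends outside this hunk.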