From: stekkel
Date: Mon, 26 Aug 2002 14:31:15 +0000 (+0000)
Subject: added extra check for save internal link extensions. (for use with
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=e5e9381ade90a4da09af455a7bcd3084720a7233;p=squirrelmail.git

added extra check for save internal link extensions. (for use with magicHTML) Maybe this is the wrong fix but in case of iframes tags with a cid link to an internal entity it's possible that stupid users download attached virus entities because the iframe src pointed to a filename with .scr, .exe, .bat or other extension. This patch only allow the following hardcoded save extensions: gif, jpeg, jpg, png, bmp. To do: notify user in case of invalid extensions. totally remove iframes because I think in most cases (virus) they are unsave.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3468 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
diff --git a/functions/mime.php b/functions/mime.php
index 3563a998..95732994 100644
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -604,13 +604,26 @@ function find_ent_id( $id, $message ) {
 if ( $message->entities[$i]->header->type0 == 'multipart') {
 $ret = find_ent_id( $id, $message->entities[$i] );
 } else {
- if ( strcasecmp( $message->entities[$i]->header->id, $id ) == 0 )
- $ret = $message->entities[$i]->entity_id;
+ if ( strcasecmp( $message->entities[$i]->header->id, $id ) == 0 ) {
+ if (sq_check_save_extension($message->entities[$i])) {
+ $ret = $message->entities[$i]->entity_id;
+ } else {
+ $ret = '';
+ }
+ }
 }
 }
 return( $ret );
 }
 
+function sq_check_save_extension($message) {
+ $filename = $message->getFilename();
+ $ext = substr($filename, strrpos($filename,'.')+1);
+ $save_extensions = array('jpg','jpeg','gif','png','bmp');
+ return (in_array($ext, $save_extensions));
+}
+
+
 /**
 ** HTMLFILTER ROUTINES
 */
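Review bot: In sq_check_save_extension the extension is taken with `substr($filename, strrpos($filename,'.')+1)`, so a filename without a dot makes strrpos() return false, which becomes offset 1 and compares the filename minus its first byte against the allowlist; the comparison is also case-sensitive, so a name ending in `.JPG` is rejected although it is on the list. Guard the missing dot and normalise case: `$dotpos = strrpos($filename, '.');` / `if ($dotpos === false) { return false; }` / `$ext = strtolower(substr($filename, $dotpos + 1));`, and pass `true` as the third argument to in_array. Because the filename is supplied by the message itself, the allowlist is stronger when combined with the entity's declared content type (the same `header->type0` this hunk already reads, e.g. requiring `image`) rather than relying on the name alone. find_ent_id's signature and loop header precede the hunk.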
@@ -1221,9 +1234,15 @@ function sq_cid2http($message, $id, $cidurl, $mailbox){
 $quotchar = substr($cidurl, 0, 1);
 $cidurl = str_replace($quotchar, "", $cidurl);
 $cidurl = substr(trim($cidurl), 4);
- $httpurl = $quotchar . "../src/download.php?absolute_dl=true&" .
- "passed_id=$id&mailbox=" . urlencode($mailbox) .
- "&ent_id=" . find_ent_id($cidurl, $message) . $quotchar;
+ $linkurl = find_ent_id($cidurl, $message);
+ /* in case of non-save cid links $httpurl should be replaced by a sort of
+ unsave link image */
+ $httpurl = '';
+ if ($linkurl) {
+ $httpurl = $quotchar . "../src/download.php?absolute_dl=true&" .
+ "passed_id=$id&mailbox=" . urlencode($mailbox) .
+ "&ent_id=" . $linkurl . $quotchar;
+ }
 return $httpurl;
 }
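Review bot: When find_ent_id rejects the entity the new code returns `$httpurl = ''`, which also drops `$quotchar`, so the caller presumably ends up with an empty, unquoted attribute value; the added comment itself says a placeholder is intended. Until that placeholder exists, `$httpurl = $quotchar . $quotchar;` keeps the attribute well-formed, and the check should be `if ($linkurl !== '')` rather than truthiness, since find_ent_id signals rejection with an empty string and any entity id PHP considers falsy would otherwise be treated the same way. The entity id is also concatenated into the query string raw; `"&ent_id=" . urlencode($linkurl)` would match the treatment `$mailbox` already gets on the line above. sq_cid2http's signature and its leading lines precede the hunk.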