From 8bbbc757da66a7d226c0723ba7b47cb711b728e0 Mon Sep 17 00:00:00 2001
From: pdontthink <pdontthink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Thu, 11 Sep 2008 01:32:56 +0000
Subject: [PATCH] Relax restriction on image tag src URIs.  Others PLEASE TEST
 (HTML mails with unsafe images).  Per the developers mailing list, no one
 could show that there was any exploit here.  Some code has been inserted here
 but commented out in case there is in fact some exploit - the code will
 filter image URI file extensions as before but for URIs that fail that test,
 SM will check the actual served content for legitimate image files (so
 dynamically generated images from .asp, .php, and other systems can be
 correctly displayed).

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13277 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 functions/mime.php | 57 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 56 insertions(+), 1 deletion(-)

diff --git a/functions/mime.php b/functions/mime.php
index f253bab2..ae3c7ac4 100644
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -1880,11 +1880,66 @@ function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"')
                                 $attvalue = $sQuote . $secremoveimg . $sQuote;
                             } else {
                                 if (isset($aUrl['path'])) {
+
+                                    // No one has been able to show that image URIs
+                                    // can be exploited, so for now, no restrictions
+                                    // are made at all.  If this proves to be a problem,
+                                    // the commented-out code below can be of help.
+                                    // (One consideration is that I see nothing in this
+                                    // function that specifically says that we will
+                                    // only ever arrive here when inspecting an image
+                                    // tag, although that does seem to be the end
+                                    // result - e.g., <script src="..."> where malicious
+                                    // image URIs are in fact a problem are already
+                                    // filtered out elsewhere.
+                                    /* ---------------------------------
                                     // validate image extension.
                                     $ext = strtolower(substr($aUrl['path'],strrpos($aUrl['path'],'.')));
                                     if (!in_array($ext,array('.jpeg','.jpg','xjpeg','.gif','.bmp','.jpe','.png','.xbm'))) {
-                                        $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+                                        // If URI is to something other than
+                                        // a regular image file, get the contents
+                                        // and try to see if it is an image.
+                                        // Don't use Fileinfo (finfo_file()) because
+                                        // we'd need to make the admin configure the
+                                        // location of the magic.mime file (FIXME: add finfo_file() support later?)
+                                        //
+                                        $mime_type = '';
+                                        if (function_exists('mime_content_type')
+                                         && ($FILE = @fopen($attvalue, 'rb', FALSE))) {
+
+                                            // fetch file
+                                            //
+                                            $file_contents = '';
+                                            while (!feof($FILE)) {
+                                                $file_contents .= fread($FILE, 8192);
+                                            }
+                                            fclose($FILE);
+
+                                            // store file locally
+                                            //
+                                            global $attachment_dir, $username;
+                                            $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
+                                            $localfilename = GenerateRandomString(32, '', 7);
+                                            $full_localfilename = "$hashed_attachment_dir/$localfilename";
+                                            while (file_exists($full_localfilename)) {
+                                                $localfilename = GenerateRandomString(32, '', 7);
+                                                $full_localfilename = "$hashed_attachment_dir/$localfilename";
+                                            }
+                                            $FILE = fopen("$hashed_attachment_dir/$localfilename", 'wb');
+                                            fwrite($FILE, $file_contents);
+                                            fclose($FILE);
+
+                                            // get mime type and remove file
+                                            //
+                                            $mime_type = mime_content_type("$hashed_attachment_dir/$localfilename");
+                                            unlink("$hashed_attachment_dir/$localfilename");
+                                        }
+                                        // debug: echo "$attvalue FILE TYPE IS $mime_type<HR>";
+                                        if (substr(strtolower($mime_type), 0, 5) != 'image') {
+                                            $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+                                        }
                                     }
+                                    --------------------------------- */
                                 } else {
                                     $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
                                 }
-- 
2.25.1