* that it is the first one. That is usually the case anyway.
*/
if (!$ent_id) {
- $cmd = "FETCH $id BODY[]";
+ $cmd = "FETCH $id BODY[]";
} else {
- $cmd = "FETCH $id BODY[$ent_id]";
+ $cmd = "FETCH $id BODY[$ent_id]";
}
$data = sqimap_run_command ($imap_stream, $cmd, true, $response, $message, $uid_support);
/* There is some information in the content info header that could be important
* in order to parse html messages. Let's get them here.
*/
- if ($ret{0} == '<') {
- $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, $uid_support);
- }
+// if ($ret{0} == '<') {
+// $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, $uid_support);
+// }
} else if (ereg('"([^"]*)"', $topline, $regs)) {
$ret = $regs[1];
} else {
*/
global $startMessage, $username, $key, $imapServerAddress, $imapPort,
$show_html_default, $sort, $has_unsafe_images, $passed_ent_id;
- global $languages, $squirrelmail_language;
+ global $languages, $squirrelmail_language;
if( !sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET) ) {
$view_unsafe_images = false;
translateText($body, $wrap_at,
$body_message->header->getParameter('charset'));
}
- $link = 'read_body.php?passed_id=' . $id . '&ent_id='.$ent_num.
- '&mailbox=' . $urlmailbox .'&sort=' . $sort .
- '&startMessage=' . $startMessage . '&show_more=0';
- if (isset($passed_ent_id)) {
- $link .= '&passed_ent_id='.$passed_ent_id;
- }
+ $link = 'read_body.php?passed_id=' . $id . '&ent_id='.$ent_num.
+ '&mailbox=' . $urlmailbox .'&sort=' . $sort .
+ '&startMessage=' . $startMessage . '&show_more=0';
+ if (isset($passed_ent_id)) {
+ $link .= '&passed_ent_id='.$passed_ent_id;
+ }
if ($view_unsafe_images) {
$text = _("Hide Unsafe Images");
} else {
- if (isset($has_unsafe_images) && $has_unsafe_images) {
- $link .= '&view_unsafe_images=1';
- $text = _("View Unsafe Images");
- } else {
- $text = '';
- }
+ if (isset($has_unsafe_images) && $has_unsafe_images) {
+ $link .= '&view_unsafe_images=1';
+ $text = _("View Unsafe Images");
+ } else {
+ $text = '';
+ }
}
$body .= '<center><small><a href="'.$link.'">'.$text.
- '</a></small></center><br>' . "\n";
+ '</a></small></center><br>' . "\n";
}
return $body;
}
$type1 = strtolower($header->type1);
$name = '';
$links['download link']['text'] = _("download");
- $links['download link']['href'] =
- "../src/download.php?absolute_dl=true&passed_id=$id&mailbox=$urlMailbox&ent_id=$ent";
+ $links['download link']['href'] = SM_PATH .
+ "src/download.php?absolute_dl=true&passed_id=$id&mailbox=$urlMailbox&ent_id=$ent";
$ImageURL = '';
if ($type0 =='message' && $type1 == 'rfc822') {
- $default_page = '../src/read_body.php';
+ $default_page = SM_PATH . 'src/read_body.php';
$rfc822_header = $att->rfc822_header;
$filename = $rfc822_header->subject;
if (trim( $filename ) == '') {
$filename = 'untitled-[' . $ent . ']' ;
- }
+ }
$from_o = $rfc822_header->from;
if (is_object($from_o)) {
$from_name = $from_o->getAddress(false);
$from_name = decodeHeader(($from_name));
$description = $from_name;
} else {
- $default_page = '../src/download.php';
+ $default_page = SM_PATH . 'src/download.php';
if (is_object($header->disposition)) {
$filename = $header->disposition->getProperty('filename');
if (trim($filename) == '') {
$filename = 'untitled-[' . $ent . ']' ;
} else {
$filename = 'cid: ' . $header->id;
- }
+ }
} else {
- $filename = $name;
+ $filename = $name;
}
} else {
$filename = $name;
}
}
} else {
- $filename = $header->getParameter('name');
- if (!trim($filename)) {
- if (trim( $header->id ) == '') {
- $filename = 'untitled-[' . $ent . ']' ;
- } else {
- $filename = 'cid: ' . $header->id;
- }
- }
- }
+ $filename = $header->getParameter('name');
+ if (!trim($filename)) {
+ if (trim( $header->id ) == '') {
+ $filename = 'untitled-[' . $ent . ']' ;
+ } else {
+ $filename = 'cid: ' . $header->id;
+ }
+ }
+ }
if ($header->description) {
$description = decodeHeader($header->description);
} else {
}
$defaultlink = $default_page . "?startMessage=$startMessage"
. "&passed_id=$id&mailbox=$urlMailbox"
- . '&ent_id='.$ent.$passed_ent_id_link.'&absolute_dl=true';
+ . '&ent_id='.$ent.$passed_ent_id_link;
if ($where && $what) {
$defaultlink .= '&where='. urlencode($where).'&what='.urlencode($what);
}
if (isset($languages[$squirrelmail_language]['XTRA_CODE']) &&
function_exists($languages[$squirrelmail_language]['XTRA_CODE'])) {
$string = $languages[$squirrelmail_language]['XTRA_CODE']('decodeheader', $string);
- // Do we need to return at this point?
- // return $string;
+ // Do we need to return at this point?
+ // return $string;
}
$i = 0;
+ $iLastMatch = -2;
+ $encoded = false;
+
$aString = explode(' ',$string);
+ $ret = '';
foreach ($aString as $chunk) {
+ if ($encoded && !$chunk) {
+ continue;
+ } elseif (!$chunk) {
+ $ret .= ' ';
+ continue;
+ }
$encoded = false;
- $aString[$i] = '';
- while (preg_match('/^(.*)=\?([^?]*)\?(Q|B)\?([^?]*)\?=(.*)$/Ui',$chunk,$res)) {
- $aString[$i] .= $res[1];
- //echo "$chunk match ". $res[5] . "<br>";
+ /* if encoded words are not separated by a linear-space-white we still catch them */
+ $j = $i-1;
+ if ($chunk{0} === '=') { /* performance, saves an unnessecarry preg call */
+ while ($match = preg_match('/^(.*)=\?([^?]*)\?(Q|B)\?([^?]*)\?=(.*)$/Ui',$chunk,$res)) {
+ /* if the last chunk isn't an encoded string then put back the space, otherwise don't */
+ if ($iLastMatch !== $j) {
+ if ($htmlsave) {
+ $ret .= ' ';
+ } else {
+ $ret .= ' ';
+ }
+ }
+ $iLastMatch = $i;
+ $j = $i;
+ $ret .= $res[1];
$encoding = ucfirst($res[3]);
switch ($encoding)
{
case 'B':
$replace = base64_decode($res[4]);
- $aString[$i] .= charset_decode($res[2],$replace);
+ $ret .= charset_decode($res[2],$replace);
break;
case 'Q':
$replace = str_replace('_', ' ', $res[4]);
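Review bot: Literal text around an encoded word is appended without escaping even when `$htmlsave` is set: `$ret .= $res[1];` inside the new `while` loop, and the `$ret .= $chunk;` branch in the next hunk whenever `$encoded` is true. On the visible lines only the 'Q' payload and fully unencoded chunks pass through `htmlspecialchars()`, so sender-controlled header text can reach the HTML output as-is. Consider `$ret .= $htmlsave ? htmlspecialchars($res[1]) : $res[1];` and the same for the trailing `$chunk`; whether `charset_decode()` escapes the 'B' payload is not visible here and is worth confirming. Separately, `!$chunk` is also true for the word `0`, which is then dropped or turned into a space; `$chunk === ''` avoids that. The function starts before this hunk and ends after it.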
$replace = htmlspecialchars($replace);
}
}
- $aString[$i] .= $replace;
+ $ret .= $replace;
break;
default:
break;
}
$chunk = $res[5];
$encoded = true;
- }
+ }
+ }
+ if (!$encoded) {
+ if ($htmlsave) {
+ $ret .= ' ';
+ } else {
+ $ret .= ' ';
+ }
+ }
+
if (!$encoded && $htmlsave) {
- $aString[$i] = htmlspecialchars($chunk);
+ $ret .= htmlspecialchars($chunk);
} else {
- $aString[$i] .= $chunk;
+ $ret .= $chunk;
}
++$i;
}
- return implode (' ',$aString);
-
+ /* remove the first added space */
+ if ($ret) {
+ if ($htmlsave) {
+ $ret = substr($ret,6);
+ } else {
+ $ret = substr($ret,1);
+ }
+ }
+
+ return $ret;
}
/*
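Review bot: The closing `substr($ret,6)` hard-codes the length of the separator that the `$htmlsave` branches prepend, so the strip is only correct while that literal is exactly six characters long. As this page shows them, both branches of each `if ($htmlsave)` append the same one-character `' '` (possibly an HTML entity lost when the page was rendered); with that literal, six characters of real header text would be cut. Assign the separator once to a variable such as `$sep`, append `$sep` in both places, and finish with `$ret = substr($ret, strlen($sep));` so the two can never drift apart. The function starts outside this hunk.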
}
$cur_l+=3;
if ($cur_l > ($max_l-2)) {
+ /* if there is an stringpart that doesn't need encoding, add it */
$aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
$aRet[] = "=?$default_charset?Q?$ret?=";
$iOffset = $i;
case '(':
case ')':
if ($iEncStart !== false) {
- $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
$aRet[] = "=?$default_charset?Q?$ret?=";
$iOffset = $i;
$cur_l = 0;
if ($iEncStart !== false) {
$cur_l++;
if ($cur_l > $max_l) {
- $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
$aRet[] = "=?$default_charset?Q?$ret?=";
$iOffset = $i;
$cur_l = 0;
$ret = '';
$iEncStart = false;
- } else {
+ } else {
$ret .= '_';
}
}
$iEncStart = $i;
}
$cur_l += 3;
+ /* first we add the encoded string that reached it's max size */
if ($cur_l > ($max_l-2)) {
- if ($iEncStart !== false) {
- $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
- $aRet[] = "=?$default_charset?Q?$ret?=";
- } else {
- $aRet[] = substr($string,$iOffset,$i-$iOffset);
- }
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = "=?$default_charset?Q?$ret?= "; /* the next part is also encoded => separate by space */
$cur_l = 3;
$ret = '';
$iOffset = $i;
+ $iEncStart = $i;
}
- $enc_init = true;
+ $enc_init = true;
$ret .= sprintf("=%02X", $k);
} else {
if ($iEncStart !== false) {
$cur_l++;
if ($cur_l > $max_l) {
- $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
+ $aRet[] = substr($string,$iOffset,$iEncStart-$iOffset);
$aRet[] = "=?$default_charset?Q?$ret?=";
$iEncStart = false;
$iOffset = $i;
$cur_l = 0;
$ret = '';
- } else {
+ } else {
$ret .= $string{$i};
}
}
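Review bot: The length check `if ($cur_l > ($max_l-2))` can close an encoded word between two bytes of the same character, because the loop appears to emit one `=%02X` per byte and splits as soon as the counter overflows. With a multi-byte `$default_charset` such as UTF-8, each resulting encoded word would then hold a partial character, which RFC 2047 does not permit and which some clients render as garbage. If multi-byte charsets are expected here, split only before a byte that starts a character. The enclosing loop begins outside this hunk, so the meaning of `$k` and the charset handling are inferred.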
* Fix stupid css declarations which lead to vulnerabilities
* in IE.
*/
- $match = Array('/expression/si',
- '/behaviou*r/si',
- '/binding/si');
+ $match = Array('/expression/i',
+ '/behaviou*r/i',
+ '/binding/i');
$replace = Array('idiocy', 'idiocy', 'idiocy');
$content = preg_replace($match, $replace, $content);
return $content;
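Review bot: The three patterns match only the literal spellings `expression`, `behavior`/`behaviour` and `binding`, so this step is only as strong as the normalisation applied to `$content` before it runs (decoding entities, removing CSS comments and escape sequences); that code is outside the hunk and worth confirming. Dropping the `s` modifier changes nothing, since none of these patterns contains a `.`. As a small clean-up, `'/behaviou*r/i'` probably means `'/behaviou?r/i'`, and `preg_replace()` accepts a single replacement string, so `$replace` can simply be `'idiocy'`.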
unsave link image */
$httpurl = '';
if ($linkurl) {
- $httpurl = $quotchar . '../src/download.php?absolute_dl=true&' .
+ $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&' .
"passed_id=$id&mailbox=" . urlencode($mailbox) .
'&ent_id=' . $linkurl . $quotchar;
}
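Review bot: `$linkurl` and `$id` are placed in the query string as-is, while `$mailbox` in the same statement goes through `urlencode()`. If `$linkurl` can ever hold anything other than a plain entity id (its origin is outside this hunk), encode it the same way: `'&ent_id=' . urlencode($linkurl) . $quotchar`. The resulting URL is wrapped in `$quotchar` for use as an attribute value, so a quote character in either value would end that attribute early.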
$rm_attnames = Array(
"/.*/" =>
Array(
- "/target/si",
- "/^on.*/si",
- "/^dynsrc/si",
- "/^data.*/si"
+ "/target/i",
+ "/^on.*/i",
+ "/^dynsrc/i",
+ "/^data.*/i",
+ "/^lowsrc.*/i"
)
);
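Review bot: `"/target/i"` is the only entry without a `^` anchor, so it removes any attribute whose name merely contains `target`; if only that attribute is meant, `"/^target$/i"` states the intent. More generally, having to add `lowsrc` by hand shows the limit of a name denylist: an attribute the list does not know about passes through unchanged. An allowlist of permitted attribute names per tag would fail closed instead. The function that consumes `$rm_attnames` is outside this hunk.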
"\\1#\\2"
)
),
- "/^style/si" =>
+ "/^style/i" =>
Array(
Array(
- "/expression/si",
- "/binding/si",
- "/behaviou*r/si",
+ "/expression/i",
+ "/binding/i",
+ "/behaviou*r/i",
"|url\(([\'\"])\s*\.\./.*([\'\"])\)|si",
"/url\(([\'\"])\s*\S+script\s*:.*([\'\"])\)/si",
"/url\(([\'\"])\s*mocha\s*:.*([\'\"])\)/si",
'/^([\'\"])\s*https*:.*([\'\"])/si');
array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[1],
"\\1$secremoveimg\\2");
- array_push($bad_attvals{'/.*/'}{'/^style/si'}[0],
+ array_push($bad_attvals{'/.*/'}{'/^style/i'}[0],
'/url\(([\'\"])\s*https*:.*([\'\"])\)/si');
- array_push($bad_attvals{'/.*/'}{'/^style/si'}[1],
+ array_push($bad_attvals{'/.*/'}{'/^style/i'}[1],
"url(\\1$secremoveimg\\2)");
}
$add_attr_to_tag = Array(
- "/^a$/si" => Array('target'=>'"_new"')
+ "/^a$/i" => Array('target'=>'"_new"')
);
$trusted = sq_sanitize($body,
$tag_list,
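Review bot: The pattern string `'/^style/i'` now acts as an array key in three places: what looks like the `$bad_attvals` definition in the previous hunk and both `array_push` calls here. These only work while the spellings stay byte-identical, which is what this commit had to fix up by hand. Hold the key in one variable, e.g. `$style_key = '/^style/i';`, and use it for the definition and both pushes so that a future modifier change cannot leave a push pointing at a missing key.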
$id,
$mailbox
);
- if (preg_match("|$secremoveimg|si", $trusted)){
+ if (preg_match("|$secremoveimg|i", $trusted)){
$has_unsafe_images = true;
}
return $trusted;
}
-?>
\ No newline at end of file
+?>
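Review bot: `$secremoveimg` is interpolated into the pattern `"|$secremoveimg|i"` without quoting, so any `.`, `?` or `|` in that value is read as regex syntax and the unsafe-image check can match the wrong text or fail to compile. Since `$has_unsafe_images` decides whether the user is offered the unsafe-images toggle, the test should be exact: `preg_match('|' . preg_quote($secremoveimg, '|') . '|i', $trusted)`. The definition of `$secremoveimg` is outside this hunk.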