* This contains the functions necessary to detect and decode MIME
* messages.
*
- * @copyright 1999-2019 The SquirrelMail Project Team
+ * @copyright 1999-2021 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
if (count($flags)) {
foreach ($flags as $flag) {
//FIXME: please document why it is we have to check the first char of the flag but we then go ahead and do a full string comparison anyway. Is this a speed enhancement? If not, let's keep it simple and just compare the full string and forget the switch block.
- $char = strtoupper($flag{1});
+ $char = strtoupper($flag[1]);
switch ($char) {
case 'S':
if (strtolower($flag) == '\\seen') {
/* There is some information in the content info header that could be important
* in order to parse html messages. Let's get them here.
*/
-// if ($ret{0} == '<') {
+// if ($ret[0] == '<') {
// $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, TRUE);
// }
} else if (preg_match('/"([^"]*)"/', $topline, $regs)) {
returning any changes, changes should simply be made to the original
arguments themselves. */
$temp = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent,
- &$defaultlink, &$display_filename, &$where, &$what);
+ &$defaultlink, &$display_filename, &$where, &$what,
+ &$type0, &$type1);
do_hook("attachment $type0/$type1", $temp);
/* The API for this hook has changed as of 1.5.2 so that all plugin
arguments are passed in an array instead of each their own plugin
returning any changes, changes should simply be made to the original
arguments themselves. */
$temp = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent,
- &$defaultlink, &$display_filename, &$where, &$what);
+ &$defaultlink, &$display_filename, &$where, &$what,
+ &$type0, &$type1);
// Do not let a generic plugin change the default link if a more
// specialized one already did it...
if ($defaultlink != $defaultlink_orig) {
returning any changes, changes should simply be made to the original
arguments themselves. */
$temp = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent,
- &$defaultlink, &$display_filename, &$where, &$what);
+ &$defaultlink, &$display_filename, &$where, &$what,
+ &$type0, &$type1);
// Do not let a generic plugin change the default link if a more
// specialized one already did it...
if ($defaultlink != $defaultlink_orig) {
$this_attachment['DefaultHREF'] = $defaultlink;
$this_attachment['DownloadHREF'] = $links['download link']['href'];
$this_attachment['ViewHREF'] = isset($links['attachment_common']) ? $links['attachment_common']['href'] : '';
- $this_attachment['Size'] = $header->size;
+
+ // base64 encoded file sizes are misleading, so approximate real size
+ if (!empty($header->encoding) && strtolower($header->encoding) == 'base64')
+ $this_attachment['Size'] = $header->size / 4 * 3;
+ else
+ $this_attachment['Size'] = $header->size;
+
$this_attachment['ContentType'] = sm_encode_html_special_chars($type0 .'/'. $type1);
$this_attachment['OtherLinks'] = array();
foreach ($links as $val) {
- if ($val['text']==_("Download") || $val['text'] == _("View"))
+ if ($val['text']==_("Download")) {
+ $this_attachment['DownloadHREF'] = $val['href'];
+ continue;
+ }
+ if ($val['text']==_("View")) {
+ $this_attachment['ViewHREF'] = $val['href'];
continue;
- if (empty($val['text']) && empty($val['extra']))
+ }
+
+ // This makes no sense - If 'text' and 'extra' are just concatenated,
+ // there is no point in having 'extra'.... I am going to assume this
+ // was a mistake and am changing 'extra' to be what I think it was
+ // meant to be: additional tag attributes. However, I'm not checking
+ // extensively for plugins that were using this the wrong way (but why would they?)
+ if (empty($val['text']))
continue;
$temp = array();
$temp['HREF'] = $val['href'];
- $temp['Text'] = (empty($val['text']) ? '' : $val['text']) . (empty($val['extra']) ? '' : $val['extra']);
+ $temp['Text'] = $val['text'];
+ $temp['Extra'] = (empty($val['extra']) ? '' : $val['extra']);
$this_attachment['OtherLinks'][] = $temp;
}
$attachments[] = $this_attachment;
$iEncStart = $enc_init = false;
$cur_l = $iOffset = 0;
for($i = 0; $i < $j; ++$i) {
- switch($string{$i})
+ switch($string[$i])
{
case '"':
case '=':
$ret = '';
$iEncStart = false;
} else {
- $ret .= sprintf("=%02X",ord($string{$i}));
+ $ret .= sprintf("=%02X",ord($string[$i]));
}
break;
case '(':
}
break;
default:
- $k = ord($string{$i});
+ $k = ord($string[$i]);
if ($k > 126) {
if ($iEncStart === false) {
// do not start encoding in the middle of a string, also take the rest of the word.
$cur_l = 0;
$ret = '';
} else {
- $ret .= $string{$i};
+ $ret .= $string[$i];
}
}
}
$fulltag = '<' . $tagname;
if (is_array($attary) && sizeof($attary)){
$atts = Array();
- while (list($attname, $attvalue) = each($attary)){
+ foreach ($attary as $attname => $attvalue){
array_push($atts, "$attname=$attvalue");
}
$fulltag .= ' ' . join(" ", $atts);
$matches = Array();
$retarr = Array();
preg_match("%^(.*?)($reg)%si", substr($body, $offset), $matches);
- if (!isset($matches{0}) || !$matches{0}){
+ if (!isset($matches[0]) || !$matches[0]){
$retarr = false;
} else {
- $retarr{0} = $offset + strlen($matches{1});
- $retarr{1} = $matches{1};
- $retarr{2} = $matches{2};
+ $retarr[0] = $offset + strlen($matches[1]);
+ $retarr[1] = $matches[1];
+ $retarr[2] = $matches[2];
}
return $retarr;
}
/**
* Yep. So we did.
*/
- $pos += strlen($matches{1});
- if ($matches{2} == "/>"){
+ $pos += strlen($matches[1]);
+ if ($matches[2] == "/>"){
$tagtype = 3;
$pos++;
}
return $retary;
}
case '>':
- $attary{$attname} = '"yes"';
+ $attary[$attname] = '"yes"';
return Array($tagname, $attary, $tagtype, $lt, $pos);
break;
default:
}
list($pos, $attval, $match) = $regary;
$pos++;
- $attary{$attname} = "'" . $attval . "'";
+ $attary[$attname] = "'" . $attval . "'";
} else if ($quot == '"'){
$regary = sq_findnxreg($body, $pos+1, '\"');
if ($regary == false){
}
list($pos, $attval, $match) = $regary;
$pos++;
- $attary{$attname} = '"' . $attval . '"';
+ $attary[$attname] = '"' . $attval . '"';
} else {
/**
* These are hateful. Look for \s, or >.
* If it's ">" it will be caught at the top.
*/
$attval = preg_replace("/\"/s", """, $attval);
- $attary{$attname} = '"' . $attval . '"';
+ $attary[$attname] = '"' . $attval . '"';
}
} else if (preg_match("|[\w/>]|", $char)) {
/**
* That was attribute type 4.
*/
- $attary{$attname} = '"yes"';
+ $attary[$attname] = '"yes"';
} else {
/**
* An illegal character. Find next '>' and return.
if ($hex){
$numval = hexdec($numval);
}
- $repl{$matches[0][$i]} = chr($numval);
+ $repl[$matches[0][$i]] = chr($numval);
}
$attvalue = strtr($attvalue, $repl);
return true;
$mailbox
){
$me = 'sq_fixatts';
- while (list($attname, $attvalue) = each($attary)){
+ foreach ($attary as $attname => $attvalue){
/**
* See if this attribute should be removed.
*/
if (preg_match($matchtag, $tagname)){
foreach ($matchattrs as $matchattr){
if (preg_match($matchattr, $attname)){
- unset($attary{$attname});
+ unset($attary[$attname]);
continue;
}
}
// entities are used in the attribute value. In 99% of the cases it's there as XSS
// i.e.<div style="{ left:expʀessioɴ( alert('XSS') ) }">
$attvalue = "idiocy";
- $attary{$attname} = $attvalue;
+ $attary[$attname] = $attvalue;
}
sq_unspace($attvalue);
$newvalue =
preg_replace($valmatch, $valrepl, $attvalue);
if ($newvalue != $attvalue){
- $attary{$attname} = $newvalue;
+ $attary[$attname] = $newvalue;
$attvalue = $newvalue;
}
}
if ($attname == 'style') {
if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) {
// 8bit and control characters in style attribute values can be used for XSS, remove them
- $attary{$attname} = '"disallowed character"';
+ $attary[$attname] = '"disallowed character"';
}
preg_match_all("/url\s*\((.+)\)/si",$attvalue,$aMatch);
if (count($aMatch)) {
// url value
$urlvalue = $sMatch;
sq_fix_url($attname, $urlvalue, $message, $id, $mailbox,"'");
- $attary{$attname} = str_replace($sMatch,$urlvalue,$attvalue);
+ $attary[$attname] = str_replace($sMatch,$urlvalue,$attvalue);
}
}
}
|| $attname == 'poster' || $attname == 'formaction'
|| $attname == 'background' || $attname == 'action') {
sq_fix_url($attname, $attvalue, $message, $id, $mailbox);
- $attary{$attname} = $attvalue;
+ $attary[$attname] = $attvalue;
}
}
/**
$bSucces = false;
$bEndTag = false;
for ($i=$pos,$iCount=strlen($body);$i<$iCount;++$i) {
- $char = $body{$i};
+ $char = $body[$i];
switch ($char) {
case '<':
$sToken = $char;
case '!':
if ($sToken == '<') {
// possible comment
- if (isset($body{$i+2}) && substr($body,$i,3) == '!--') {
+ if (isset($body[$i+2]) && substr($body,$i,3) == '!--') {
$i = strpos($body,'-->',$i+3);
if ($i === false) { // no end comment
$i = strlen($body);
$styledef .= "color: $text; ";
}
if (strlen($styledef) > 0){
- $divattary{"style"} = "\"$styledef\"";
+ $divattary["style"] = "\"$styledef\"";
}
}
return $divattary;
if ($tagname == "body"){
$tagname = "div";
}
- if (isset($open_tags{$tagname}) &&
- $open_tags{$tagname} > 0){
- $open_tags{$tagname}--;
+ if (isset($open_tags[$tagname]) &&
+ $open_tags[$tagname] > 0){
+ $open_tags[$tagname]--;
} else {
$tagname = false;
}
$message, $id);
}
if ($tagtype == 1){
- if (isset($open_tags{$tagname})){
- $open_tags{$tagname}++;
+ if (isset($open_tags[$tagname])){
+ $open_tags[$tagname]++;
} else {
- $open_tags{$tagname}=1;
+ $open_tags[$tagname]=1;
}
}
/**
* Remove any references to http/https if view_unsafe_images set
* to false.
*/
- array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[0],
+ array_push($bad_attvals['/.*/']['/^src|background/i'][0],
'/^([\'\"])\s*https*:.*([\'\"])/si');
- array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[1],
+ array_push($bad_attvals['/.*/']['/^src|background/i'][1],
"\\1$secremoveimg\\1");
- array_push($bad_attvals{'/.*/'}{'/^style/i'}[0],
+ array_push($bad_attvals['/.*/']['/^style/i'][0],
'/url\([\'\"]?https?:[^\)]*[\'\"]?\)/si');
- array_push($bad_attvals{'/.*/'}{'/^style/i'}[1],
+ array_push($bad_attvals['/.*/']['/^style/i'][1],
"url(\\1$secremoveimg\\1)");
}