* This contains the functions necessary to detect and decode MIME
* messages.
*
- * @copyright © 1999-2007 The SquirrelMail Project Team
+ * @copyright 1999-2009 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
if (strtolower($flag) == '\\flagged') {
$msg->is_flagged = true;
}
+ else if (strtolower($flag) == '$forwarded') {
+ $msg->is_forwarded = true;
+ }
break;
case 'M':
if (strtolower($flag) == '$mdnsent') {
} while($topline && ($topline[0] == '*') && !preg_match('/\* [0-9]+ FETCH.*/i', $topline)) ;
$wholemessage = implode('', $data);
- if (ereg('\\{([^\\}]*)\\}', $topline, $regs)) {
+ if (preg_match('/\{([^\}]*)\}/', $topline, $regs)) {
$ret = substr($wholemessage, 0, $regs[1]);
/* There is some information in the content info header that could be important
* in order to parse html messages. Let's get them here.
// if ($ret{0} == '<') {
// $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, TRUE);
// }
- } else if (ereg('"([^"]*)"', $topline, $regs)) {
+ } else if (preg_match('/"([^"]*)"/', $topline, $regs)) {
$ret = $regs[1];
} else if ((stristr($topline, 'nil') !== false) && (empty($wholemessage))) {
$ret = $wholemessage;
return $ret;
}
-function mime_print_body_lines ($imap_stream, $id, $ent_id=1, $encoding, $rStream='php://stdout') {
+function mime_print_body_lines ($imap_stream, $id, $ent_id=1, $encoding, $rStream='php://stdout', $force_crlf='') {
/* Don't kill the connection if the browser is over a dialup
* and it would take over 30 seconds to download it.
} else {
$body = mime_fetch_body ($imap_stream, $id, $ent_id);
if (is_resource($rStream)) {
- fputs($rStream,decodeBody($body,$encoding));
+ fputs($rStream,decodeBody($body, $encoding, $force_crlf));
} else {
- echo decodeBody($body, $encoding);
+ echo decodeBody($body, $encoding, $force_crlf);
}
}
$body_ary = explode("\n", $body);
for ($i=0; $i < count($body_ary); $i++) {
- $line = $body_ary[$i];
+ $line = rtrim($body_ary[$i],"\r");
+
if (strlen($line) - 2 >= $wrap_at) {
sqWordWrap($line, $wrap_at, $charset);
}
* @param string $ent_num (since 1.3.0) message part id
* @param integer $id (since 1.3.0) message id
* @param string $mailbox (since 1.3.0) imap folder name
- * @param boolean $clean (since 1.5.1) Do not output stuff that's irrelevant for the printable version.
* @return string html formated message text
*/
-function formatBody($imap_stream, $message, $color, $wrap_at, $ent_num, $id, $mailbox='INBOX', $clean=FALSE) {
+function formatBody($imap_stream, $message, $color, $wrap_at, $ent_num, $id, $mailbox='INBOX') {
/* This if statement checks for the entity to show as the
* primary message. To add more of them, just put them in the
* order that is their priority.
// workaround for not updated config.php
if (! isset($use_iframe)) $use_iframe = false;
- if( !sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET) ) {
- $view_unsafe_images = false;
- }
+ // If there's no "view_unsafe_images" variable in the URL, turn unsafe
+ // images off by default.
+ sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET, FALSE);
$body = '';
$urlmailbox = urlencode($mailbox);
$body = trim($body);
translateText($body, $wrap_at,
$body_message->header->getParameter('charset'));
- } elseif ($use_iframe && ! $clean) {
- // $clean is used to remove iframe in printable view.
-
+ } elseif ($use_iframe) {
/**
* If we don't add html message between iframe tags,
* we must detect unsafe images and modify $has_unsafe_images.
$body_message->header->getParameter('charset'));
}
- // if this is the clean display (i.e. printer friendly), stop here.
- if ( $clean ) {
- return $body;
- }
+ /*
+ * Previously the links for downloading and unsafe images were printed
+ * under the mail. By putting the links in a global variable we can
+ * print it in the toolbar where it belongs. Since the original code was
+ * in this place it's left here. It might be possible to move it to some
+ * other place if that makes sense. The possibility to do so has not
+ * been evaluated yet.
+ */
+ // Initialize the global variable to an empty string.
+ // FIXME: To have $download_and_unsafe_link as a global variable might not be needed since the use of separate variables ($download_href, $unsafe_image_toggle_href, and $unsafe_image_toggle_text) for the templates was introduced.
$download_and_unsafe_link = '';
+ // Prepare and build a link for downloading the mail.
$link = 'passed_id=' . $id . '&ent_id='.$ent_num.
'&mailbox=' . $urlmailbox .'&sort=' . $sort .
'&startMessage=' . $startMessage . '&show_more=0';
$link .= '&passed_ent_id='.$passed_ent_id;
}
$download_href = SM_PATH . 'src/download.php?absolute_dl=true&' . $link;
+
+ // Always add the link for downloading the mail as a file to the global
+ // variable.
$download_and_unsafe_link .= "$nbsp|$nbsp"
. create_hyperlink($download_href, _("Download this as a file"));
+
+ // Find out the right text to use in the link depending on the
+ // circumstances. If the unsafe images are displayed the link should
+ // hide them, if they aren't displayed the link should only appear if
+ // the mail really contains unsafe images.
if ($view_unsafe_images) {
$text = _("Hide Unsafe Images");
} else {
$text = '';
}
}
+
+ // Only create a link for unsafe images if there's need for one. If so:
+ // add it to the global variable.
if($text != '') {
$unsafe_image_toggle_href = SM_PATH . 'src/read_body.php?'.$link;
$unsafe_image_toggle_text = $text;
}
/**
- * Generate attachments array for passing to templates. Separated from
- * formatAttachments() below so that the same array can be given to the
- * print-friendly version.
+ * Generate attachments array for passing to templates.
*
* @since 1.5.2
* @param object $message SquirrelMail message object
}
/**
- * Decodes encoded message body
+ * Decodes encoded string (usually message body)
+ *
+ * This function decodes a string (usually the message body)
+ * depending on the encoding type. Currently quoted-printable
+ * and base64 encodings are supported.
+ *
+ * The decode_body hook was added to this function in 1.4.2/1.5.0.
+ * The $force_crlf parameter was added in 1.5.2.
+ *
+ * @param string $string The encoded string
+ * @param string $encoding used encoding
+ * @param string $force_crlf Whether or not to force CRLF or LF
+ * line endings (or to leave as is).
+ * If given as "LF", line endings will
+ * all be converted to LF; if "CRLF",
+ * line endings will all be converted
+ * to CRLF. If given as an empty value,
+ * the global $force_crlf_default will
+ * be consulted (it can be specified in
+ * config/config_local.php). Otherwise,
+ * any other value will cause the string
+ * to be left alone. Note that this will
+ * be overridden to "LF" if not using at
+ * least PHP version 4.3.0. (OPTIONAL;
+ * default is empty - consult global
+ * default value)
+ *
+ * @return string The decoded string
*
- * This function decodes the body depending on the encoding type.
- * Currently quoted-printable and base64 encodings are supported.
- * decode_body hook was added to this function in 1.4.2/1.5.0
- * @param string $body encoded message body
- * @param string $encoding used encoding
- * @return string decoded string
* @since 1.0
+ *
*/
-function decodeBody($body, $encoding) {
+function decodeBody($string, $encoding, $force_crlf='') {
+
+ global $force_crlf_default;
+ if (empty($force_crlf)) $force_crlf = $force_crlf_default;
+ $force_crlf = strtoupper($force_crlf);
+
+ // must force line endings to LF due to broken
+ // quoted_printable_decode() in PHP versions
+ // before 4.3.0 (see below)
+ //
+ if (!check_php_version(4, 3, 0) || $force_crlf == 'LF')
+ $string = str_replace("\r\n", "\n", $string);
+ else if ($force_crlf == 'CRLF')
+ $string = str_replace("\n", "\r\n", $string);
- $body = str_replace("\r\n", "\n", $body);
$encoding = strtolower($encoding);
$encoding_handler = do_hook('decode_body', $encoding);
- // plugins get first shot at decoding the body
+ // plugins get first shot at decoding the string
//
if (!empty($encoding_handler) && function_exists($encoding_handler)) {
- $body = $encoding_handler('decode', $body);
+ $string = $encoding_handler('decode', $string);
} elseif ($encoding == 'quoted-printable' ||
$encoding == 'quoted_printable') {
- /**
- * quoted_printable_decode() function is broken in older
- * php versions. Text with \r\n decoding was fixed only
- * in php 4.3.0. Minimal code requirement 4.0.4 +
- * str_replace("\r\n", "\n", $body); call.
- */
- $body = quoted_printable_decode($body);
+
+ // quoted_printable_decode() function is broken in older
+ // php versions. Text with \r\n decoding was fixed only
+ // in php 4.3.0. Minimal code requirement is PHP 4.0.4+
+ // and the above call to: str_replace("\r\n", "\n", $string);
+ //
+ $string = quoted_printable_decode($string);
+
} elseif ($encoding == 'base64') {
- $body = base64_decode($body);
+ $string = base64_decode($string);
}
// All other encodings are returned raw.
- return $body;
+ return $string;
}
/**
$attvalue = trim(substr($attvalue,1,-1));
}
- if( !sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET) ) {
- $view_unsafe_images = false;
- }
+ // If there's no "view_unsafe_images" variable in the URL, turn unsafe
+ // images off by default.
+ sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET, FALSE);
+
$secremoveimg = '../images/' . _("sec_remove_eng.png");
/**
$attvalue = $sQuote . $secremoveimg . $sQuote;
} else {
if (isset($aUrl['path'])) {
+
+ // No one has been able to show that image URIs
+ // can be exploited, so for now, no restrictions
+ // are made at all. If this proves to be a problem,
+ // the commented-out code below can be of help.
+ // (One consideration is that I see nothing in this
+ // function that specifically says that we will
+ // only ever arrive here when inspecting an image
+ // tag, although that does seem to be the end
+ // result - e.g., <script src="..."> where malicious
+ // image URIs are in fact a problem are already
+ // filtered out elsewhere.
+ /* ---------------------------------
// validate image extension.
$ext = strtolower(substr($aUrl['path'],strrpos($aUrl['path'],'.')));
if (!in_array($ext,array('.jpeg','.jpg','xjpeg','.gif','.bmp','.jpe','.png','.xbm'))) {
- $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ // If URI is to something other than
+ // a regular image file, get the contents
+ // and try to see if it is an image.
+ // Don't use Fileinfo (finfo_file()) because
+ // we'd need to make the admin configure the
+ // location of the magic.mime file (FIXME: add finfo_file() support later?)
+ //
+ $mime_type = '';
+ if (function_exists('mime_content_type')
+ && ($FILE = @fopen($attvalue, 'rb', FALSE))) {
+
+ // fetch file
+ //
+ $file_contents = '';
+ while (!feof($FILE)) {
+ $file_contents .= fread($FILE, 8192);
+ }
+ fclose($FILE);
+
+ // store file locally
+ //
+ global $attachment_dir, $username;
+ $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
+ $localfilename = GenerateRandomString(32, '', 7);
+ $full_localfilename = "$hashed_attachment_dir/$localfilename";
+ while (file_exists($full_localfilename)) {
+ $localfilename = GenerateRandomString(32, '', 7);
+ $full_localfilename = "$hashed_attachment_dir/$localfilename";
+ }
+ $FILE = fopen("$hashed_attachment_dir/$localfilename", 'wb');
+ fwrite($FILE, $file_contents);
+ fclose($FILE);
+
+ // get mime type and remove file
+ //
+ $mime_type = mime_content_type("$hashed_attachment_dir/$localfilename");
+ unlink("$hashed_attachment_dir/$localfilename");
+ }
+ // debug: echo "$attvalue FILE TYPE IS $mime_type<HR>";
+ if (substr(strtolower($mime_type), 0, 5) != 'image') {
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ }
}
+ --------------------------------- */
} else {
$attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
}
}
+ } else {
+ $attvalue = $sQuote . $attvalue . $sQuote;
}
break;
case 'outbind':
* One day MS might actually make it match something useful, for now, falling
* back to using cid2http, so we can grab the blank.png.
*/
- $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+ $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote;
break;
case 'cid':
/**
* Turn cid: urls into http-friendly ones.
*/
- $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+ $attvalue = $sQuote . sq_cid2http($message, $id, $attvalue, $mailbox) . $sQuote;
break;
default:
$attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
/**
- * First look for general BODY style declaration, which would be
- * like so:
- * body {background: blah-blah}
- * and change it to .bodyclass so we can just assign it to a <div>
- */
+ * First look for general BODY style declaration, which would be
+ * like so:
+ * body {background: blah-blah}
+ * and change it to .bodyclass so we can just assign it to a <div>
+ */
$content = preg_replace("|body(\s*\{.*?\})|si", ".bodyclass\\1", $content);
$secremoveimg = '../images/' . _("sec_remove_eng.png");
/**
$content = str_replace($aValue,$aReplace,$content);
}
- /**
- * Remove any backslashes, entities, and extraneous whitespace.
- */
+ /**
+ * Remove any backslashes, entities, and extraneous whitespace.
+ */
$contentTemp = $content;
sq_defang($contentTemp);
sq_unspace($contentTemp);
/**
* Fix stupid css declarations which lead to vulnerabilities
* in IE.
+ *
+ * Also remove "position" attribute, as it can easily be set
+ * to "fixed" or "absolute" with "left" and "top" attributes
+ * of zero, taking over the whole content frame. It can also
+ * be set to relative and move itself anywhere it wants to,
+ * displaying content in areas it shouldn't be allowed to touch.
*/
$match = Array('/\/\*.*\*\//',
'/expression/i',
'/binding/i',
'/include-source/i',
'/javascript/i',
- '/script/i');
- $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy');
+ '/script/i',
+ '/position/i');
+ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
$contentNew = preg_replace($match, $replace, $contentTemp);
if ($contentNew !== $contentTemp) {
// insecure css declarations are used. From now on we don't care
$cidurl = preg_replace($match_str, $str_rep, $cidurl);
$linkurl = find_ent_id($cidurl, $message);
- /* in case of non-save cid links $httpurl should be replaced by a sort of
- unsave link image */
+ /* in case of non-safe cid links $httpurl should be replaced by a sort of
+ unsafe link image */
$httpurl = '';
/**
}
if (!empty($linkurl)) {
- $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&' .
+ $httpurl = $quotchar . sqm_baseuri() . 'src/download.php?absolute_dl=true&' .
"passed_id=$id&mailbox=" . urlencode($mailbox) .
'&ent_id=' . $linkurl . $quotchar;
} else {
"/binding/i",
"/behaviou*r/i",
"/include-source/i",
- "/position\s*:\s*absolute/i",
+
+ // position:relative can also be exploited
+ // to put content outside of email body area
+ // and position:fixed is similarly exploitable
+ // as position:absolute, so we'll remove it
+ // altogether....
+ //
+ // Does this screw up legitimate HTML messages?
+ // If so, the only fix I see is to allow position
+ // attributes (any values? I think we still have
+ // to block static and fixed) only if $use_iframe
+ // is enabled (1.5.0+)
+ //
+ // was: "/position\s*:\s*absolute/i",
+ //
+ "/position\s*:/i",
+
"/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",
"/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
"/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
"/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
- "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si"
+ "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si",
),
Array(
"",
)
)
);
- if( !sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET) ) {
- $view_unsafe_images = false;
- }
+
+ // If there's no "view_unsafe_images" variable in the URL, turn unsafe
+ // images off by default.
+ sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET, FALSE);
+
if (!$view_unsafe_images){
/**
* Remove any references to http/https if view_unsafe_images set
$filename =
call_user_func($languages[$squirrelmail_language]['XTRA_CODE'] . '_downloadfilename', $filename, $HTTP_USER_AGENT);
} else {
- $filename = ereg_replace('[\\/:\*\?"<>\|;]', '_', str_replace(' ', ' ', $filename));
+ $filename = preg_replace('/[\\\\\/:*?"<>|;]/', '_', str_replace(' ', ' ', $filename));
}
// A Pox on Microsoft and it's Internet Explorer!