X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=class%2Fdeliver%2FDeliver.class.php;h=9cf091aaa832f162d9275760679f1333717da648;hp=3ecdf21b506d212ed0a7e55b931b39fe0b0ee1c3;hb=432db2fc4af6edc726e9a52f023cd3bd1d664667;hpb=6c84ba1ec45ab854c37b6f65c5b4d84ab1c7aad4
diff --git a/class/deliver/Deliver.class.php b/class/deliver/Deliver.class.php
index 3ecdf21b..9cf091aa 100644
--- a/class/deliver/Deliver.class.php
+++ b/class/deliver/Deliver.class.php
@@ -76,8 +76,17 @@ class Deliver {
 if ($boundary && $message->entity_id && count($message->entities)) {
 if (strpos($boundary,'_part_')) {
 $boundary = substr($boundary,0,strpos($boundary,'_part_'));
+
+ // the next four lines use strrev to reverse any nested boundaries
+ // because RFC 2046 (5.1.1) says that if a line starts with the outer
+ // boundary string (doesn't matter what the line ends with), that
+ // can be considered a match for the outer boundary; thus the nested
+ // boundary needs to be unique from the outer one
+ //
+ } else if (strpos($boundary,'_trap_')) {
+ $boundary = substr(strrev($boundary),0,strpos(strrev($boundary),'_part_'));
 }
- $boundary_new = $boundary . '_part_'.$message->entity_id;
+ $boundary_new = strrev($boundary . '_part_'.$message->entity_id);
 } else {
 $boundary_new = $boundary;
 }
@@ -133,6 +142,8 @@ class Deliver {
 case 'message':
 if ($message->body_part) {
 $body_part = $message->body_part;
+ // remove NUL characters
+ $body_part = str_replace("\0",'',$body_part);
 $length += $this->clean_crlf($body_part);
 if ($stream) {
 $this->preWriteToStream($body_part);
@@ -143,6 +154,8 @@ class Deliver {
 $filename = $message->att_local_name;
 $file = fopen ($filename, 'rb');
 while ($body_part = fgets($file, 4096)) {
+ // remove NUL characters
+ $body_part = str_replace("\0",'',$body_part);
 $length += $this->clean_crlf($body_part);
 if ($stream) {
 $this->preWriteToStream($body_part);
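Review bot: The new `else if (strpos($boundary,'_trap_'))` branch treats a match at offset 0 as "not found", because strpos returns 0 there and 0 is falsy; that offset is unreachable today because `$message->entity_id` is required to be non-empty, but the idiomatic and safe form is `} else if (strpos($boundary,'_trap_') !== false) {` (and the same `!== false` on the `_part_` test it mirrors). The comment block headed "the next four lines use strrev" sits inside the `_part_` branch, above the `else if`, and the lines it describes are not four adjacent ones; move it above the `if` and word it as a description of the whole reverse-and-suffix scheme. The scheme also relies on the top-level boundary handed in never containing `_part_` or `_trap_` itself, which is presumably guaranteed by whatever generates it but is not checked here. The enclosing function starts and ends outside the hunk.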
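Review bot: The comment `// remove NUL characters` on the added line says what the line does but not why, and the same two lines are repeated in the next two hunks with no further explanation. State the reason where it is first introduced, e.g. `// strip NUL bytes: RFC 2822 (section 3.5) excludes them from message text`, extended with whatever the motivating report was, which is not visible here. Since this runs on the body_part of a `message` part the stripping is presumably safe, but it silently alters content; if a body here could ever carry raw 8bit binary data it would be corrupted rather than re-encoded. The enclosing switch and function extend outside the hunk.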
@@ -156,6 +169,8 @@ class Deliver {
 default:
 if ($message->body_part) {
 $body_part = $message->body_part;
+ // remove NUL characters
+ $body_part = str_replace("\0",'',$body_part);
 $length += $this->clean_crlf($body_part);
 if ($stream) {
 $this->writeToStream($stream, $body_part);
@@ -290,7 +305,7 @@ class Deliver {
 $contenttype = 'Content-Type: '. $mime_header->type0 .'/'. $mime_header->type1;
 if (count($message->entities)) {
- $contenttype .= ";\r\n " . 'boundary="'.$boundary.'"';
+ $contenttype .= ';' . 'boundary="'.$boundary.'"';
 }
 if (isset($mime_header->parameters['name'])) {
 $contenttype .= '; name="'.
@@ -304,19 +319,19 @@ class Deliver {
 $header[] = $contenttype . $rn;
 if ($mime_header->description) {
- $header[] .= 'Content-Description: ' . $mime_header->description . $rn;
+ $header[] = 'Content-Description: ' . $mime_header->description . $rn;
 }
 if ($mime_header->encoding) {
- $header[] .= 'Content-Transfer-Encoding: ' . $mime_header->encoding . $rn;
+ $header[] = 'Content-Transfer-Encoding: ' . $mime_header->encoding . $rn;
 } else {
 if ($mime_header->type0 == 'text' || $mime_header->type0 == 'message') {
- $header[] .= 'Content-Transfer-Encoding: 8bit' . $rn;
+ $header[] = 'Content-Transfer-Encoding: 8bit' . $rn;
 } else {
- $header[] .= 'Content-Transfer-Encoding: base64' . $rn;
+ $header[] = 'Content-Transfer-Encoding: base64' . $rn;
 }
 }
 if ($mime_header->id) {
- $header[] .= 'Content-ID: ' . $mime_header->id . $rn;
+ $header[] = 'Content-ID: ' . $mime_header->id . $rn;
 }
 if ($mime_header->disposition) {
 $disposition = $mime_header->disposition;
@@ -328,10 +343,10 @@ class Deliver {
 $header[] = $contentdisp . $rn;
 }
 if ($mime_header->md5) {
- $header[] .= 'Content-MD5: ' . $mime_header->md5 . $rn;
+ $header[] = 'Content-MD5: ' . $mime_header->md5 . $rn;
 }
 if ($mime_header->language) {
- $header[] .= 'Content-Language: ' . $mime_header->language . $rn;
+ $header[] = 'Content-Language: ' . $mime_header->language . $rn;
 }
 $cnt = count($header);
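Review bot: The `default:` branch handles every part type not listed above it, and nothing in the hunk shows whether `$message->body_part` is already content-transfer-encoded at this point; if a non-text part ever reaches here as raw 8bit bytes, `str_replace("\0",'',$body_part)` silently corrupts it instead of leaving it to the encoder. If NUL stripping is only meant for text, guard it on the part's type (for example `if ($mime_header->type0 == 'text')`, using whatever gives this part's MIME header here), or if every body_part reaching this branch is known to be text, say so in the comment: `// remove NUL characters (body_part is text here; NUL is not valid message text)`. The switch and the enclosing function extend outside the hunk.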
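Review bot: `';' . 'boundary="'.$boundary.'"'` concatenates two adjacent string literals; write `'; boundary="'.$boundary.'"'` so the header renders as the conventional `Content-Type: multipart/mixed; boundary="..."` (RFC 2045 permits omitting the whitespace, so this is readability rather than correctness). Dropping the fold means Content-Type is now emitted on one line, which is fine as long as type plus boundary stays well under the 998-character line limit, as the boundaries built in the first hunk do. The enclosing function continues outside the hunk.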
@@ -358,7 +373,7 @@ class Deliver {
 * @return string $header
 */
 function prepareRFC822_Header($rfc822_header, $reply_rfc822_header, &$raw_length) {
- global $domain, $version, $username, $skip_SM_header;
+ global $domain, $version, $username, $encode_header_key, $edit_identity, $hide_auth_header;
 /* if server var SERVER_NAME not available, use $domain */
 if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) {
@@ -376,8 +391,14 @@ class Deliver {
 /* This creates an RFC 822 date */
 $date = date('D, j M Y H:i:s ', mktime()) . $this->timezone();
 /* Create a message-id */
- $message_id = '<' . $REMOTE_PORT . '.' . $REMOTE_ADDR . '.';
- $message_id .= time() . '.squirrel@' . $SERVER_NAME .'>';
+ $message_id = '<' . $REMOTE_PORT . '.';
+ if (isset($encode_header_key) && trim($encode_header_key)!='') {
+ // use encrypted form of remote address
+ $message_id.= OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key));
+ } else {
+ $message_id.= $REMOTE_ADDR;
+ }
+ $message_id .= '.' . time() . '.squirrel@' . $SERVER_NAME .'>';
 /* Make an RFC822 Received: line */
 if (isset($REMOTE_HOST)) {
 $received_from = "$REMOTE_HOST ([$REMOTE_ADDR])";
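Review bot: `OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key))` reuses one static pad for every message, so if OneTimePadEncrypt is the XOR-with-pad helper its name suggests this is not a one-time pad: the hex IP is short and partly predictable, any user who knows their own address can XOR it against their own Message-ID to recover the pad prefix and then decode every other user's address, and identical addresses always produce identical tokens. If the intent is that only the administrator can recover the address, use a real cipher with a per-message IV, or if reversibility is not actually required a keyed hash such as `md5($encode_header_key . $this->ip2hex($REMOTE_ADDR))`, and at minimum reword `// use encrypted form of remote address` to say this is obfuscation rather than encryption. `base64_encode($encode_header_key)` is also recomputed on every call here and again in the header-building hunk; compute it once. Whether OneTimePadEncrypt expects a base64-encoded pad is not visible in this diff. prepareRFC822_Header continues past the hunk.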
@@ -391,13 +412,32 @@ class Deliver {
 $received_from .= " (proxying for $HTTP_X_FORWARDED_FOR)";
 }
 $header = array();
- if ( !isset($skip_SM_header) || !$skip_SM_header )
- {
- $header[] = "Received: from $received_from" . $rn;
- $header[] = " (SquirrelMail authenticated user $username)" . $rn;
- $header[] = " by $SERVER_NAME with HTTP;" . $rn;
- $header[] = " $date" . $rn;
+
+ /**
+ * SquirrelMail header
+ *
+ * This Received: header provides information that allows to track
+ * user and machine that was used to send email. Don't remove it
+ * unless you understand all possible forging issues or your
+ * webmail installation does not prevent changes in user's email address.
+ * See SquirrelMail bug tracker #847107 for more details about it.
+ */
+ if (isset($encode_header_key) &&
+ trim($encode_header_key)!='') {
+ // use encoded headers, if encryption key is set and not empty
+ $header[].= 'X-Squirrel-UserHash: '.OneTimePadEncrypt($username,base64_encode($encode_header_key)).$rn;
+ $header[].= 'X-Squirrel-FromHash: '.OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key)).$rn;
+ if (isset($HTTP_X_FORWARDED_FOR)) $header[].= 'X-Squirrel-ProxyHash:'.OneTimePadEncrypt($this->ip2hex($HTTP_X_FORWARDED_FOR),base64_encode($encode_header_key)).$rn;
+ } else {
+ // use default received headers
+ $header[] = "Received: from $received_from" . $rn;
+ if ($edit_identity || ! isset($hide_auth_header) || ! $hide_auth_header) $header[] = " (SquirrelMail authenticated user $username)" . $rn;
+ $header[] = " by $SERVER_NAME with HTTP;" . $rn;
+ $header[] = " $date" . $rn;
 }
+
+
 /* Insert the rest of the header fields */
 $header[] = 'Message-ID: '. $message_id . $rn;
 if ($reply_rfc822_header->message_id) {
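Review bot: The three added `$header[].= '...'` lines in the key-set branch reintroduce the `$header[] .=` idiom that every other hunk in this commit rewrites to `$header[] =`; use plain assignment here too. `'X-Squirrel-ProxyHash:'` is also missing the space after the colon that `X-Squirrel-UserHash: ` and `X-Squirrel-FromHash: ` have, so that one header renders differently: `$header[] = 'X-Squirrel-ProxyHash: '.OneTimePadEncrypt($this->ip2hex($HTTP_X_FORWARDED_FOR),base64_encode($encode_header_key)).$rn;`. `$HTTP_X_FORWARDED_FOR` is client-supplied and often a comma-separated list, in which case ip2hex returns it unprocessed; that is harmless in this branch only because the result is encoded, whereas the plain `Received:` branch interpolates it and `$username` raw, so both paths assume those values contain no CR or LF. The single-line `if (...) $header[] = ...;` statements would read better with braces, matching the rest of the file. prepareRFC822_Header starts before and continues after this hunk.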
@@ -452,7 +492,7 @@ class Deliver {
 }
 $header[] = $contenttype . $rn;
 if ($encoding = $rfc822_header->encoding) {
- $header[] .= 'Content-Transfer-Encoding: ' . $encoding . $rn;
+ $header[] = 'Content-Transfer-Encoding: ' . $encoding . $rn;
 }
 if ($rfc822_header->dnt) {
 $dnt = $rfc822_header->getAddr_s('dnt');
@@ -467,9 +507,6 @@ class Deliver {
 case 1:
 $header[] = 'X-Priority: 1 (Highest)'.$rn;
 $header[] = 'Importance: High'. $rn; break;
- case 3:
- $header[] = 'X-Priority: 3 (Normal)'.$rn;
- $header[] = 'Importance: Normal'. $rn; break;
 case 5:
 $header[] = 'X-Priority: 5 (Lowest)'.$rn;
 $header[] = 'Importance: Low'. $rn; break;
@@ -685,5 +722,66 @@ class Deliver {
 trim($refer);
 return $refer;
 }
+
+ /**
+ * Converts ip address to hexadecimal string
+ *
+ * Function is used to convert ipv4 and ipv6 addresses to hex strings.
+ * It removes all delimiter symbols from ip addresses, converts decimal
+ * ipv4 numbers to hex and pads strings in order to present full length
+ * address. ipv4 addresses are represented as 8 byte strings, ipv6 addresses
+ * are represented as 32 byte string.
+ *
+ * If function fails to detect address format, it returns unprocessed string.
+ * @param string $string ip address string
+ * @return string processed ip address string
+ * @since 1.5.1
+ */
+ function ip2hex($string) {
+ if (preg_match("/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/",$string,$match)) {
+ // ipv4 address
+ $ret = str_pad(dechex($match[1]),2,'0',STR_PAD_LEFT)
+ . str_pad(dechex($match[2]),2,'0',STR_PAD_LEFT)
+ . str_pad(dechex($match[3]),2,'0',STR_PAD_LEFT)
+ . str_pad(dechex($match[4]),2,'0',STR_PAD_LEFT);
+ } elseif (preg_match("/^([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)$/i",$string,$match)) {
+ // full ipv6 address
+ $ret = str_pad($match[1],4,'0',STR_PAD_LEFT)
+ . str_pad($match[2],4,'0',STR_PAD_LEFT)
+ . str_pad($match[3],4,'0',STR_PAD_LEFT)
+ . str_pad($match[4],4,'0',STR_PAD_LEFT)
+ . str_pad($match[5],4,'0',STR_PAD_LEFT)
+ . str_pad($match[6],4,'0',STR_PAD_LEFT)
+ . str_pad($match[7],4,'0',STR_PAD_LEFT)
+ .
str_pad($match[8],4,'0',STR_PAD_LEFT); } elseif (preg_match("/^\:\:([0-9a-h\:]+)$/i",$string,$match)) {
+ // short ipv6 with all starting symbols nulled
+ $aAddr=explode(':',$match[1]);
+ $ret='';
+ foreach ($aAddr as $addr) {
+ $ret.=str_pad($addr,4,'0',STR_PAD_LEFT);
+ }
+ $ret=str_pad($ret,32,'0',STR_PAD_LEFT);
+ } elseif (preg_match("/^([0-9a-h\:]+)::([0-9a-h\:]+)$/i",$string,$match)) {
+ // short ipv6 with middle part nulled
+ $aStart=explode(':',$match[1]);
+ $sStart='';
+ foreach($aStart as $addr) {
+ $sStart.=str_pad($addr,4,'0',STR_PAD_LEFT);
+ }
+ $aEnd = explode(':',$match[2]);
+ $sEnd='';
+ foreach($aEnd as $addr) {
+ $sEnd.=str_pad($addr,4,'0',STR_PAD_LEFT);
+ }
+ $ret = $sStart
+ . str_pad('',(32 - strlen($sStart . $sEnd)),'0',STR_PAD_LEFT)
+ . $sEnd;
+ } else {
+ // unknown addressing
+ $ret = $string;
+ }
+ return $ret;
+ }
 }
-?>
+?>
\ No newline at end of file
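Review bot: All three IPv6 patterns in ip2hex use the character class `[0-9a-h]`, which accepts `g` and `h` although they are not hex digits, so an input such as `gggg:0:0:0:0:0:0:1` is classified as IPv6 and padded straight into the "hex" result; change every `([0-9a-h]+)` and `[0-9a-h\:]` to use `[0-9a-f]`. The IPv4 branch matches `\d+` without bounding each octet at 255, so `999.1.1.1` yields `3e7010101`, breaking the fixed 8-character width the docblock promises; fall through to the unknown branch when any `$match[$i] > 255`. Addresses ending in `::` (e.g. `fe80::`) and IPv4-mapped forms such as `::ffff:192.0.2.1` match no branch and are returned unprocessed, which the docblock should state explicitly since callers then encode that raw string into a header. The docblock's "8 byte strings" and "32 byte string" are really 8 and 32 hex characters (4 and 16 bytes of address); say "hex characters".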