X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=class%2Fdeliver%2FDeliver.class.php;h=bb02bdde09bdb5599eae75564a3e5af896499f78;hp=059c6f52cbe24cdcb75200ce3855e7a6b9d2fd96;hb=08e334759239b690f929d4b376086d6beef71d5a;hpb=68577cf484e6db5a6fdf053e3097c274d072894a diff --git a/class/deliver/Deliver.class.php b/class/deliver/Deliver.class.php index 059c6f52..bb02bdde 100644 --- a/class/deliver/Deliver.class.php +++ b/class/deliver/Deliver.class.php @@ -1,16 +1,15 @@ rfc822_header; if (count($message->entities)) { $boundary = $this->mimeBoundary(); 
@@ -46,16 +66,80 @@ class Deliver { $boundary=''; } $raw_length = 0; + + + // calculate reply header if needed + // + if ($reply_id) { + global $imapConnection, $username, $imapServerAddress, + $imapPort, $mailbox; + + if (!is_resource($imapConnection)) + $imapConnection = sqimap_login($username, FALSE, + $imapServerAddress, $imapPort, 0); + + sqimap_mailbox_select($imapConnection, $mailbox); + $reply_message = sqimap_get_message($imapConnection, $reply_id, $mailbox); + + if ($reply_ent_id) { + /* redefine the messsage in case of message/rfc822 */ + $reply_message = $message->getEntity($reply_ent_id); + /* message is an entity which contains the envelope and type0=message + * and type1=rfc822. The actual entities are childs from + * $reply_message->entities[0]. That's where the encoding and is located + */ + + $orig_header = $reply_message->rfc822_header; /* here is the envelope located */ + + } else { + $orig_header = $reply_message->rfc822_header; + } + $message->reply_rfc822_header = $orig_header; + } + + $reply_rfc822_header = (isset($message->reply_rfc822_header) ? 
$message->reply_rfc822_header : ''); $header = $this->prepareRFC822_Header($rfc822_header, $reply_rfc822_header, $raw_length); + $this->send_mail($message, $header, $boundary, $stream, $raw_length, $extra); + + return $raw_length; + } + + /** + * function send_mail - send the message parts to the IMAP stream + * + * @param Message $message Message object to send + * @param string $header Headers ready to send + * @param string $boundary Message parts boundary + * @param resource $stream Handle to the SMTP stream + * (when FALSE, nothing will be + * written to the stream; this can + * be used to determine the actual + * number of bytes that will be + * written to the stream) + * @param int &$raw_length The number of bytes written (or that + * would have been written) to the + * output stream - NOTE that this is + * passed by reference + * @param mixed $extra Any implementation-specific variables + * can be passed in here and used in + * an overloaded version of this method + * if needed. + * + * @return void + * + */ + function send_mail($message, $header, $boundary, $stream=false, + &$raw_length, $extra=NULL) { + + if ($stream) { $this->preWriteToStream($header); $this->writeToStream($stream, $header); } $this->writeBody($message, $stream, $raw_length, $boundary); - return $raw_length; } /** @@ -66,6 +150,11 @@ class Deliver { * * @param Message $message Message object to transform * @param resource $stream SMTP output stream + * (when FALSE, nothing will be + * written to the stream; this can + * be used to determine the actual + * number of bytes that will be + * written to the stream) * @param integer &$length_raw raw length of the message (part) * as returned by mail fn * @param string $boundary custom boundary to call, usually for subparts 
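Review bot: In the `if ($reply_ent_id)` branch, `$reply_message = $message->getEntity($reply_ent_id);` takes the entity from the outgoing `$message` and discards the message just fetched with `sqimap_get_message()`; it looks like it should be `$reply_message = $reply_message->getEntity($reply_ent_id);`. Both arms of the if/else then assign the same `$orig_header = $reply_message->rfc822_header;`, so the else arm is redundant. The new `send_mail()` signature puts the optional `$stream=false` before the required by-reference `&$raw_length`, which makes the default unusable and is deprecated in PHP 8. Its docblock also says "IMAP stream" in the summary but "SMTP stream" on the parameter. The enclosing method starts outside the hunk, so the origin of `$reply_id` and `$reply_ent_id` cannot be checked here.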
@@ -77,8 +166,17 @@ class Deliver { if ($boundary && $message->entity_id && count($message->entities)) { if (strpos($boundary,'_part_')) { $boundary = substr($boundary,0,strpos($boundary,'_part_')); + + // the next four lines use strrev to reverse any nested boundaries + // because RFC 2046 (5.1.1) says that if a line starts with the outer + // boundary string (doesn't matter what the line ends with), that + // can be considered a match for the outer boundary; thus the nested + // boundary needs to be unique from the outer one + // + } else if (strpos($boundary,'_trap_')) { + $boundary = substr(strrev($boundary),0,strpos(strrev($boundary),'_part_')); } - $boundary_new = $boundary . '_part_'.$message->entity_id; + $boundary_new = strrev($boundary . '_part_'.$message->entity_id); } else { $boundary_new = $boundary; } @@ -115,6 +213,11 @@ class Deliver { * * @param Message $message Message object to transform * @param resource $stream SMTP output stream + * (when FALSE, nothing will be + * written to the stream; this can + * be used to determine the actual + * number of bytes that will be + * written to the stream) * @param integer &$length length of the message part * as returned by mail fn * @@ -134,6 +237,8 @@ class Deliver { case 'message': if ($message->body_part) { $body_part = $message->body_part; + // remove NUL characters + $body_part = str_replace("\0",'',$body_part); $length += $this->clean_crlf($body_part); if ($stream) { $this->preWriteToStream($body_part); 
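Review bot: Both boundary tests in the first hunk on this line rely on the truthiness of `strpos()`, which is 0 for a match at offset 0 and `false` for no match; write them as `strpos($boundary, '_part_') !== false` and `strpos($boundary, '_trap_') !== false`. In the new `else if` arm the result of `strpos(strrev($boundary), '_part_')` goes straight into `substr()` as the length, so a reversed boundary without that marker would collapse to an empty string. Computing `strrev($boundary)` once into a local and checking the position before the `substr()` would make that case explicit. writeBody's body continues outside the hunk.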
@@ -141,9 +246,13 @@ class Deliver { } $last = $body_part; } elseif ($message->att_local_name) { + global $username, $attachment_dir; + $hashed_attachment_dir = getHashedDir($username, $attachment_dir); $filename = $message->att_local_name; - $file = fopen ($filename, 'rb'); + $file = fopen ($hashed_attachment_dir . '/' . $filename, 'rb'); while ($body_part = fgets($file, 4096)) { + // remove NUL characters + $body_part = str_replace("\0",'',$body_part); $length += $this->clean_crlf($body_part); if ($stream) { $this->preWriteToStream($body_part); @@ -157,16 +266,24 @@ class Deliver { default: if ($message->body_part) { $body_part = $message->body_part; + // remove NUL characters + $body_part = str_replace("\0",'',$body_part); $length += $this->clean_crlf($body_part); if ($stream) { $this->writeToStream($stream, $body_part); } } elseif ($message->att_local_name) { + global $username, $attachment_dir; + $hashed_attachment_dir = getHashedDir($username, $attachment_dir); $filename = $message->att_local_name; - $file = fopen ($filename, 'rb'); - $encoded = ''; + $file = fopen ($hashed_attachment_dir . '/' . $filename, 'rb'); while ($tmp = fread($file, 570)) { - $body_part = chunk_split(base64_encode($tmp)); + $body_part = chunk_split(base64_encode($tmp)); + // Up to 4.3.10 chunk_split always appends a newline, + // while in 4.3.11 it doesn't if the string to split + // is shorter than the chunk length. + if( substr($body_part, -1 , 1 ) != "\n" ) + $body_part .= "\n"; $length += $this->clean_crlf($body_part); if ($stream) { $this->writeToStream($stream, $body_part); @@ -292,7 +409,7 @@ class Deliver { $contenttype = 'Content-Type: '. $mime_header->type0 .'/'. $mime_header->type1; if (count($message->entities)) { - $contenttype .= ";\r\n " . 'boundary="'.$boundary.'"'; + $contenttype .= ';' . 'boundary="'.$boundary.'"'; } if (isset($mime_header->parameters['name'])) { $contenttype .= '; name="'. 
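Review bot: `$message->att_local_name` is concatenated into the path given to `fopen()` with no validation in the `case 'message'` branch, and the same pattern repeats in the `default:` branch of the next hunk. If that field can ever carry a path separator or `..`, the read leaves the user's hashed attachment directory. Refuse anything that is not a bare file name before opening, for example guarding with `if ($filename === '' || basename($filename) !== $filename)` and failing the send; a stricter pattern may be possible, since the temp-name format is defined elsewhere. The `fopen()` result is also used unchecked, so a missing or unreadable file passes `false` into `fgets()`/`fread()`. Where att_local_name is populated is not visible in this diff.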
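Review bot: In the last hunk on this line, `$contenttype .= ';' . 'boundary="'.$boundary.'"';` concatenates two adjacent literals and drops the space after the semicolon, while the `'; name="'` parameter appended just below keeps it. `$contenttype .= '; boundary="' . $boundary . '"';` is simpler and consistent with the neighbouring parameter. Because the explicit fold was removed, it would help to state in a comment that line folding for this header is left to the later folding pass, which is outside the hunk.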
@@ -306,20 +423,19 @@ class Deliver { $header[] = $contenttype . $rn; if ($mime_header->description) { - $header[] .= 'Content-Description: ' . $mime_header->description . $rn; + $header[] = 'Content-Description: ' . $mime_header->description . $rn; } if ($mime_header->encoding) { - $encoding = $mime_header->encoding; - $header[] .= 'Content-Transfer-Encoding: ' . $mime_header->encoding . $rn; + $header[] = 'Content-Transfer-Encoding: ' . $mime_header->encoding . $rn; } else { if ($mime_header->type0 == 'text' || $mime_header->type0 == 'message') { - $header[] .= 'Content-Transfer-Encoding: 8bit' . $rn; + $header[] = 'Content-Transfer-Encoding: 8bit' . $rn; } else { - $header[] .= 'Content-Transfer-Encoding: base64' . $rn; + $header[] = 'Content-Transfer-Encoding: base64' . $rn; } } if ($mime_header->id) { - $header[] .= 'Content-ID: ' . $mime_header->id . $rn; + $header[] = 'Content-ID: ' . $mime_header->id . $rn; } if ($mime_header->disposition) { $disposition = $mime_header->disposition; @@ -331,10 +447,10 @@ class Deliver { $header[] = $contentdisp . $rn; } if ($mime_header->md5) { - $header[] .= 'Content-MD5: ' . $mime_header->md5 . $rn; + $header[] = 'Content-MD5: ' . $mime_header->md5 . $rn; } if ($mime_header->language) { - $header[] .= 'Content-Language: ' . $mime_header->language . $rn; + $header[] = 'Content-Language: ' . $mime_header->language . $rn; } $cnt = count($header); @@ -361,7 +477,8 @@ class Deliver { * @return string $header */ function prepareRFC822_Header($rfc822_header, $reply_rfc822_header, &$raw_length) { - global $domain, $version, $username; + global $domain, $username, $encode_header_key, + $edit_identity, $hide_auth_header; /* if server var SERVER_NAME not available, use $domain */ if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) { 
@@ -377,10 +494,17 @@ class Deliver { $rn = "\r\n"; /* This creates an RFC 822 date */ - $date = date('D, j M Y H:i:s ', mktime()) . $this->timezone(); + $date = date('D, j M Y H:i:s ', time()) . $this->timezone(); /* Create a message-id */ - $message_id = '<' . $REMOTE_PORT . '.' . $REMOTE_ADDR . '.'; - $message_id .= time() . '.squirrel@' . $REMOTE_ADDR .'>'; + $message_id = '<' . (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : ''); +//FIXME: if $REMOTE_ADDR is missing, should we skip this if/else block? or perhaps try to generate it with some different kind of info? + if (isset($encode_header_key) && trim($encode_header_key)!='') { + // use encrypted form of remote address + $message_id.= OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key)); + } else { + $message_id.= $REMOTE_ADDR; + } + $message_id .= '.' . time() . '.squirrel@' . $SERVER_NAME .'>'; /* Make an RFC822 Received: line */ if (isset($REMOTE_HOST)) { $received_from = "$REMOTE_HOST ([$REMOTE_ADDR])"; 
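Review bot: The value placed in the Message-ID here, and in the `X-Squirrel-UserHash`, `X-Squirrel-FromHash` and `X-Squirrel-ProxyHash` headers of the following hunk, is derived from the same `$encode_header_key` for every message, so the comments should describe it as obfuscation rather than encryption. If `OneTimePadEncrypt()` is the XOR-style pad its name suggests (its body is not on this page), reusing one key across messages gives up the property a one-time pad depends on, and the headers should be treated as reversible by anyone who can pair a single header with an address they already know. Where the supported PHP version offers it, a keyed hash such as `hash_hmac('sha256', $REMOTE_ADDR, $encode_header_key)` lets an administrator match a header against a candidate address without the value being decodable. The FIXME about a missing `$REMOTE_ADDR` is still open, and as written the Message-ID then carries an empty address component. prepareRFC822_Header continues outside the hunk.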
@@ -394,13 +518,47 @@ class Deliver { $received_from .= " (proxying for $HTTP_X_FORWARDED_FOR)"; } $header = array(); - $header[] = "Received: from $received_from" . $rn; - $header[] = " (SquirrelMail authenticated user $username);" . $rn; - $header[] = " by $SERVER_NAME with HTTP;" . $rn; - $header[] = " $date" . $rn; + + /** + * SquirrelMail header + * + * This Received: header provides information that allows to track + * user and machine that was used to send email. Don't remove it + * unless you understand all possible forging issues or your + * webmail installation does not prevent changes in user's email address. + * See SquirrelMail bug tracker #847107 for more details about it. + * + * Add $hide_squirrelmail_header as a candidate for config_local.php + * to allow completely hiding SquirrelMail participation in message + * processing; This is dangerous, especially if users can modify their + * account information, as it makes mapping a sent message back to the + * original sender almost impossible. + */ + $show_sm_header = ( defined('hide_squirrelmail_header') ? ! hide_squirrelmail_header : 1 ); + + if ( $show_sm_header ) { + if (isset($encode_header_key) && + trim($encode_header_key)!='') { + // use encoded headers, if encryption key is set and not empty + $header[] = 'X-Squirrel-UserHash: '.OneTimePadEncrypt($username,base64_encode($encode_header_key)).$rn; + $header[] = 'X-Squirrel-FromHash: '.OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key)).$rn; + if (isset($HTTP_X_FORWARDED_FOR)) + $header[] = 'X-Squirrel-ProxyHash:'.OneTimePadEncrypt($this->ip2hex($HTTP_X_FORWARDED_FOR),base64_encode($encode_header_key)).$rn; + } else { + // use default received headers + $header[] = "Received: from $received_from" . $rn; + if ($edit_identity || ! isset($hide_auth_header) || ! $hide_auth_header) + $header[] = " (SquirrelMail authenticated user $username)" . $rn; + $header[] = " by $SERVER_NAME with HTTP;" . $rn; + $header[] = " $date" . 
$rn; + } + } + /* Insert the rest of the header fields */ $header[] = 'Message-ID: '. $message_id . $rn; - if ($reply_rfc822_header->message_id) { + if (is_object($reply_rfc822_header) && + isset($reply_rfc822_header->message_id) && + $reply_rfc822_header->message_id) { $rep_message_id = $reply_rfc822_header->message_id; // $this->strip_crlf($message_id); $header[] = 'In-Reply-To: '.$rep_message_id . $rn; 
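Review bot: The comment block documents `$hide_squirrelmail_header` as a config_local.php variable, but the code tests a constant, `defined('hide_squirrelmail_header') ? ! hide_squirrelmail_header : 1`, so setting the variable as the comment suggests has no effect. Make the two agree, either by rewording the comment to name the constant or by reading the variable. `$HTTP_X_FORWARDED_FOR` is supplied by the client and may hold a comma-separated list, which `ip2hex()` returns unprocessed, so the ProxyHash value deserves a comment marking it as untrusted. That header is also the only one written without a space after the colon (`'X-Squirrel-ProxyHash:'`).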
@@ -409,33 +567,37 @@ class Deliver { } $header[] = "Date: $date" . $rn; $header[] = 'Subject: '.encodeHeader($rfc822_header->subject) . $rn; - $header[] = 'From: '. $rfc822_header->getAddr_s('from',", \r\n",true) . $rn; - /* RFC2822 if from contains more then 1 address */ + $header[] = 'From: '. $rfc822_header->getAddr_s('from',",$rn ",true) . $rn; + + // folding address list [From|To|Cc|Bcc] happens by using ",$rn" + // as delimiter + // Do not use foldLine for that. + + // RFC2822 if from contains more then 1 address if (count($rfc822_header->from) > 1) { - $header[] = 'Sender: '. $rfc822_header->getAddr_s('sender',", \r\n",true) . $rn; + $header[] = 'Sender: '. $rfc822_header->getAddr_s('sender',',',true) . $rn; } if (count($rfc822_header->to)) { - $header[] = 'To: '. $rfc822_header->getAddr_s('to',", \r\n",true) . $rn; + $header[] = 'To: '. $rfc822_header->getAddr_s('to',",$rn ",true) . $rn; } if (count($rfc822_header->cc)) { - $header[] = 'Cc: '. $rfc822_header->getAddr_s('cc',", \r\n",true) . $rn; + $header[] = 'Cc: '. $rfc822_header->getAddr_s('cc',",$rn ",true) . $rn; } if (count($rfc822_header->reply_to)) { - $header[] = 'Reply-To: '. $rfc822_header->getAddr_s('reply_to',", \r\n",true) . $rn; + $header[] = 'Reply-To: '. $rfc822_header->getAddr_s('reply_to',',',true) . $rn; } /* Sendmail should return true. Default = false */ $bcc = $this->getBcc(); if (count($rfc822_header->bcc)) { - $s = 'Bcc: '. $rfc822_header->getAddr_s('bcc',", \r\n",true) . $rn; + $s = 'Bcc: '. $rfc822_header->getAddr_s('bcc',",$rn ",true) . $rn; if (!$bcc) { - // $s = $this->foldLine($s, 78, str_pad('',4)); $raw_length += strlen($s); } else { $header[] = $s; } } /* Identify SquirrelMail */ - $header[] = 'User-Agent: SquirrelMail/' . $version . $rn; + $header[] = 'User-Agent: SquirrelMail/' . SM_VERSION . $rn; /* Do the MIME-stuff */ $header[] = 'MIME-Version: 1.0' . $rn; $contenttype = 'Content-Type: '. $rfc822_header->content_type->type0 .'/'. 
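Review bot: The new comment says address lists are folded by using `",$rn"` as the delimiter, but the code passes `",$rn "`; the trailing space is what makes the next line a valid continuation, so the comment should quote the delimiter exactly and say why. `Sender` and `Reply-To` now join with a bare `','` and are no longer in the pass-through list of the later folding switch, so they presumably reach `foldLine()`. A one-line comment stating that this asymmetry with From/To/Cc/Bcc is intended would help the next reader. The `User-Agent: SquirrelMail/` line still publishes the exact version in every outgoing message, which a site may want a setting to suppress.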
@@ -449,9 +611,9 @@ class Deliver { } $header[] = $contenttype . $rn; if ($encoding = $rfc822_header->encoding) { - $header[] .= 'Content-Transfer-Encoding: ' . $encoding . $rn; + $header[] = 'Content-Transfer-Encoding: ' . $encoding . $rn; } - if ($rfc822_header->dnt) { + if (isset($rfc822_header->dnt) && $rfc822_header->dnt) { $dnt = $rfc822_header->getAddr_s('dnt'); /* Pegasus Mail */ $header[] = 'X-Confirm-Reading-To: '.$dnt. $rn; @@ -459,13 +621,14 @@ class Deliver { $header[] = 'Disposition-Notification-To: '.$dnt. $rn; } if ($rfc822_header->priority) { - $prio = $rfc822_header->priority; - $header[] = 'X-Priority: '. $prio. $rn; - switch($prio) + switch($rfc822_header->priority) { - case 1: $header[] = 'Importance: High'. $rn; break; - case 3: $header[] = 'Importance: Normal'. $rn; break; - case 5: $header[] = 'Importance: Low'. $rn; break; + case 1: + $header[] = 'X-Priority: 1 (Highest)'.$rn; + $header[] = 'Importance: High'. $rn; break; + case 5: + $header[] = 'X-Priority: 5 (Lowest)'.$rn; + $header[] = 'Importance: Low'. $rn; break; default: break; } } @@ -485,12 +648,6 @@ class Deliver { { case 'Message-ID': case 'In-Reply_To': - case 'To': - case 'Cc': - case 'Bcc': - case 'From': - case 'Sender': - case 'Reply-To': $hdr_s .= $header[$i]; break; case 'References': @@ -498,7 +655,9 @@ class Deliver { $aRefs = explode(' ',$sRefs); $sLine = 'References:'; foreach ($aRefs as $sReference) { - if (strlen($sLine)+strlen($sReference) >76) { + if ( trim($sReference) == '' ) { + /* Don't add spaces. */ + } elseif (strlen($sLine)+strlen($sReference) >76) { $hdr_s .= $sLine; $sLine = $rn . ' ' . $sReference; } else { @@ -507,6 +666,12 @@ class Deliver { } $hdr_s .= $sLine; break; + case 'To': + case 'Cc': + case 'Bcc': + case 'From': + $hdr_s .= $header[$i]; + break; default: $hdr_s .= $this->foldLine($header[$i], 78, str_pad('',4)); break; } } 
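Review bot: The case label `'In-Reply_To'` kept as context in the header-folding switch is spelled with an underscore, while the header is emitted as `'In-Reply-To: '` earlier in this method. That label presumably never matches, so In-Reply-To lines take the `default:` `foldLine()` path. If the intent is to pass In-Reply-To through unfolded like Message-ID, change it to `case 'In-Reply-To':`. The switch expression is outside the hunk, so confirm how the field name is extracted. In the References branch of the next hunk, `trim($sReference) == ''` would be clearer as a strict `=== ''` comparison.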
@@ -656,27 +821,96 @@ class Deliver { } /** - * function calculate_references - calculate correct Referer string + * function calculate_references - calculate correct References string + * Adds the current message ID, and makes sure it doesn't grow forever, + * to that extent it drops message-ID's in a smart way until the string + * length is under the recommended value of 1000 ("References: <986>\r\n"). + * It always keeps the first and the last three ID's. * * @param Rfc822Header $hdr message header to calculate from * - * @return string $refer concatenated and trimmed Referer string + * @return string $refer concatenated and trimmed References string */ function calculate_references($hdr) { - $refer = $hdr->references; + $aReferences = preg_split('/\s+/', $hdr->references); $message_id = $hdr->message_id; $in_reply_to = $hdr->in_reply_to; - if (strlen($refer) > 2) { - $refer .= ' ' . $message_id; - } else { - if ($in_reply_to) { - $refer .= $in_reply_to . ' ' . $message_id; - } else { - $refer .= $message_id; + + // if References already exists, add the current message ID at the end. + // no References exists; if we know a IRT, add that aswell + if (count($aReferences) == 0 && $in_reply_to) { + $aReferences[] = $in_reply_to; + } + $aReferences[] = $message_id; + + // sanitize the array: trim whitespace, remove dupes + array_walk($aReferences, 'sq_trim_value'); + $aReferences = array_unique($aReferences); + + while ( count($aReferences) > 4 && strlen(implode(' ', $aReferences)) >= 986 ) { + $aReferences = array_merge(array_slice($aReferences,0,1),array_slice($aReferences,2)); + } + return implode(' ', $aReferences); + } + + /** + * Converts ip address to hexadecimal string + * + * Function is used to convert ipv4 and ipv6 addresses to hex strings. + * It removes all delimiter symbols from ip addresses, converts decimal + * ipv4 numbers to hex and pads strings in order to present full length + * address. 
ipv4 addresses are represented as 8 byte strings, ipv6 addresses + * are represented as 32 byte string. + * + * If function fails to detect address format, it returns unprocessed string. + * @param string $string ip address string + * @return string processed ip address string + * @since 1.5.1 and 1.4.5 + */ + function ip2hex($string) { + if (preg_match("/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/",$string,$match)) { + // ipv4 address + $ret = str_pad(dechex($match[1]),2,'0',STR_PAD_LEFT) + . str_pad(dechex($match[2]),2,'0',STR_PAD_LEFT) + . str_pad(dechex($match[3]),2,'0',STR_PAD_LEFT) + . str_pad(dechex($match[4]),2,'0',STR_PAD_LEFT); + } elseif (preg_match("/^([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)$/i",$string,$match)) { + // full ipv6 address + $ret = str_pad($match[1],4,'0',STR_PAD_LEFT) + . str_pad($match[2],4,'0',STR_PAD_LEFT) + . str_pad($match[3],4,'0',STR_PAD_LEFT) + . str_pad($match[4],4,'0',STR_PAD_LEFT) + . str_pad($match[5],4,'0',STR_PAD_LEFT) + . str_pad($match[6],4,'0',STR_PAD_LEFT) + . str_pad($match[7],4,'0',STR_PAD_LEFT) + . str_pad($match[8],4,'0',STR_PAD_LEFT); + } elseif (preg_match("/^\:\:([0-9a-h\:]+)$/i",$string,$match)) { + // short ipv6 with all starting symbols nulled + $aAddr=explode(':',$match[1]); + $ret=''; + foreach ($aAddr as $addr) { + $ret.=str_pad($addr,4,'0',STR_PAD_LEFT); } + $ret=str_pad($ret,32,'0',STR_PAD_LEFT); + } elseif (preg_match("/^([0-9a-h\:]+)::([0-9a-h\:]+)$/i",$string,$match)) { + // short ipv6 with middle part nulled + $aStart=explode(':',$match[1]); + $sStart=''; + foreach($aStart as $addr) { + $sStart.=str_pad($addr,4,'0',STR_PAD_LEFT); + } + $aEnd = explode(':',$match[2]); + $sEnd=''; + foreach($aEnd as $addr) { + $sEnd.=str_pad($addr,4,'0',STR_PAD_LEFT); + } + $ret = $sStart + . str_pad('',(32 - strlen($sStart . $sEnd)),'0',STR_PAD_LEFT) + . $sEnd; + } else { + // unknown addressing + $ret = $string; } - trim($refer); - return $refer; + return $ret; } } -?>
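Review bot: In `calculate_references()`, `preg_split('/\s+/', $hdr->references)` returns a one-element array holding an empty string when References is empty, so `count($aReferences) == 0` is never true and the In-Reply-To id is never added; the empty element also survives into the `implode()`. Splitting with `preg_split('/\s+/', $hdr->references, -1, PREG_SPLIT_NO_EMPTY)` gives an empty array for an empty header. In `ip2hex()`, the character classes `[0-9a-h]` admit `g` and `h`, which are not hex digits, and should be `[0-9a-f]`. The IPv4 branch does not bound each octet to 0-255, so an out-of-range value yields a component longer than two characters. The docblock's "8 byte" and "32 byte" strings are counts of hex characters and would be clearer stated that way.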