X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=class%2Fdeliver%2FDeliver.class.php;h=bd952764f70e6f2c71a1e42f40451fd679064d20;hp=9a243c50980ace4c3654b30119b9c740a80843b2;hb=94511d239551fa56b44eb26b5cfc9dd83324438b;hpb=dcc5c9134b5578c657f9f5c45e64c79eb46684c7 diff --git a/class/deliver/Deliver.class.php b/class/deliver/Deliver.class.php index 9a243c50..bd952764 100644 --- a/class/deliver/Deliver.class.php +++ b/class/deliver/Deliver.class.php @@ -1,19 +1,41 @@ rfc822_header; if (count($message->entities)) { @@ -23,7 +45,7 @@ class Deliver { $boundary=''; } $raw_length = 0; - $reply_rfc822_header = (isset($message->reply_rfc822_header) + $reply_rfc822_header = (isset($message->reply_rfc822_header) ? $message->reply_rfc822_header : ''); $header = $this->prepareRFC822_Header($rfc822_header, $reply_rfc822_header, $raw_length); 
@@ -35,13 +57,36 @@ class Deliver { return $raw_length; } + /** + * function writeBody - generate and write the mime boundaries around each part to the stream + * + * Recursively formats and writes the MIME boundaries of the $message + * to the output stream. + * + * @param Message $message Message object to transform + * @param resource $stream SMTP output stream + * @param integer &$length_raw raw length of the message (part) + * as returned by mail fn + * @param string $boundary custom boundary to call, usually for subparts + * + * @return void + */ function writeBody($message, $stream, &$length_raw, $boundary='') { // calculate boundary in case of multidimensional mime structures if ($boundary && $message->entity_id && count($message->entities)) { if (strpos($boundary,'_part_')) { $boundary = substr($boundary,0,strpos($boundary,'_part_')); + + // the next four lines use strrev to reverse any nested boundaries + // because RFC 2046 (5.1.1) says that if a line starts with the outer + // boundary string (doesn't matter what the line ends with), that + // can be considered a match for the outer boundary; thus the nested + // boundary needs to be unique from the outer one + // + } else if (strpos($boundary,'_trap_')) { + $boundary = substr(strrev($boundary),0,strpos(strrev($boundary),'_part_')); } - $boundary_new = $boundary . '_part_'.$message->entity_id; + $boundary_new = strrev($boundary . '_part_'.$message->entity_id); } else { $boundary_new = $boundary; } @@ -55,7 +100,7 @@ class Deliver { } } $this->writeBodyPart($message, $stream, $length_raw); - + $last = false; for ($i=0, $entCount=count($message->entities);$i<$entCount;$i++) { $msg = $this->writeBody($message->entities[$i], $stream, $length_raw, $boundary_new); 
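Review bot: In writeBody(), the new `else if (strpos($boundary,'_trap_'))` branch tests strpos() for truthiness, so a match at offset 0 is treated the same as no match; `strpos($boundary,'_trap_') !== false` states the intent. The RFC 2046 comment sits at the tail of the `_part_` branch and speaks of "the next four lines", although the reversal it describes is spread over the `else if` and the `$boundary_new` assignment, so it would read better above the outer `if`, together with one sentence stating the invariant (a nested boundary must never begin with the outer one). The docblock declares `@return void`, while the recursive call in the following hunk assigns the result to `$msg`; one of the two should change. The function body continues outside this hunk.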
@@ -71,6 +116,18 @@ class Deliver { } } + /** + * function writeBodyPart - write each individual mimepart + * + * Recursively called by WriteBody to write each mime part to the SMTP stream + * + * @param Message $message Message object to transform + * @param resource $stream SMTP output stream + * @param integer &$length length of the message part + * as returned by mail fn + * + * @return void + */ function writeBodyPart($message, $stream, &$length) { if ($message->mime_header) { $type0 = $message->mime_header->type0; @@ -85,9 +142,11 @@ class Deliver { case 'message': if ($message->body_part) { $body_part = $message->body_part; + // remove NUL characters + $body_part = str_replace("\0",'',$body_part); $length += $this->clean_crlf($body_part); if ($stream) { - $this->preWriteToStream($body_part); + $this->preWriteToStream($body_part); $this->writeToStream($stream, $body_part); } $last = $body_part; @@ -95,6 +154,8 @@ class Deliver { $filename = $message->att_local_name; $file = fopen ($filename, 'rb'); while ($body_part = fgets($file, 4096)) { + // remove NUL characters + $body_part = str_replace("\0",'',$body_part); $length += $this->clean_crlf($body_part); if ($stream) { $this->preWriteToStream($body_part); @@ -108,6 +169,8 @@ class Deliver { default: if ($message->body_part) { $body_part = $message->body_part; + // remove NUL characters + $body_part = str_replace("\0",'',$body_part); $length += $this->clean_crlf($body_part); if ($stream) { $this->writeToStream($stream, $body_part); @@ -115,7 +178,6 @@ class Deliver { } elseif ($message->att_local_name) { $filename = $message->att_local_name; $file = fopen ($filename, 'rb'); - $encoded = ''; while ($tmp = fread($file, 570)) { $body_part = chunk_split(base64_encode($tmp)); $length += $this->clean_crlf($body_part); 
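Review bot: The added `// remove NUL characters` comment repeats what `str_replace("\0",'',$body_part)` already says and omits the reason, and the same two lines are pasted into three branches (the `case 'message':` body here, the `fgets()` loop in the `@@ -95,6` hunk and the `default:` arm in `@@ -108,6`). Each copy is followed directly by `$this->clean_crlf($body_part)`, so a single place would do: a small private helper, or the first statement of clean_crlf(), provided no other caller of clean_crlf() needs NUL bytes preserved (not visible here). A comment such as `// RFC 2045 forbids NUL in 7bit/8bit data; strip it so the part is not truncated or rejected downstream` would tell a later reader why message content is being altered. writeBodyPart() continues outside these hunks.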
@@ -140,6 +202,16 @@ class Deliver { } } + /** + * function clean_crlf - change linefeeds and newlines to legal characters + * + * The SMTP format only allows CRLF as line terminators. + * This function replaces illegal teminators with the correct terminator. + * + * @param string &$s string to clean linefeeds on + * + * @return void + */ function clean_crlf(&$s) { $s = str_replace("\r\n", "\n", $s); $s = str_replace("\r", "\n", $s); 
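Review bot: The docblock added for clean_crlf() says `@return void`, but the context at the top of the next hunk shows the function ending in `return strlen($s);`, and writeBodyPart() relies on that value in `$length += $this->clean_crlf($body_part);`. The tag should read `@return integer length in bytes of the cleaned string`, and the description should mention that `$s` is modified in place through the reference. "teminators" in the description is a typo for "terminators".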
@@ -147,27 +219,84 @@ class Deliver { return strlen($s); } + /** + * function strip_crlf - strip linefeeds and newlines from a string + * + * The SMTP format only allows CRLF as line terminators. + * This function strips all line terminators from the string. + * + * @param string &$s string to clean linefeeds on + * + * @return void + */ function strip_crlf(&$s) { $s = str_replace("\r\n ", '', $s); $s = str_replace("\r", '', $s); $s = str_replace("\n", '', $s); } + /** + * function preWriteToStream - reserved for extended functionality + * + * This function is not yet implemented. + * Reserved for extended functionality. + * + * @param string &$s string to operate on + * + * @return void + */ function preWriteToStream(&$s) { } + /** + * function writeToStream - write data to the SMTP stream + * + * @param resource $stream SMTP output stream + * @param string $data string with data to send to the SMTP stream + * + * @return void + */ function writeToStream($stream, $data) { fputs($stream, $data); } + /** + * function initStream - reserved for extended functionality + * + * This function is not yet implemented. + * Reserved for extended functionality. + * + * @param Message $message Message object + * @param string $host host name or IP to connect to + * @param string $user username to log into the SMTP server with + * @param string $pass password to log into the SMTP server with + * @param integer $length + * + * @return handle $stream file handle resource to SMTP stream + */ function initStream($message, $length=0, $host='', $port='', $user='', $pass='') { return $stream; } - - function getBcc() { + + /** + * function getBCC - reserved for extended functionality + * + * This function is not yet implemented. + * Reserved for extended functionality. 
+ * + */ + function getBCC() { return false; } + /** + * function prepareMIME_Header - creates the mime header + * + * @param Message $message Message object to act on + * @param string $boundary mime boundary from fn MimeBoundary + * + * @return string $header properly formatted mime header + */ function prepareMIME_Header($message, $boundary) { $mime_header = $message->mime_header; $rn="\r\n"; @@ -176,7 +305,7 @@ class Deliver { $contenttype = 'Content-Type: '. $mime_header->type0 .'/'. $mime_header->type1; if (count($message->entities)) { - $contenttype .= ";\r\n " . 'boundary="'.$boundary.'"'; + $contenttype .= ';' . 'boundary="'.$boundary.'"'; } if (isset($mime_header->parameters['name'])) { $contenttype .= '; name="'. @@ -190,20 +319,19 @@ class Deliver { $header[] = $contenttype . $rn; if ($mime_header->description) { - $header[] .= 'Content-Description: ' . $mime_header->description . $rn; + $header[] = 'Content-Description: ' . $mime_header->description . $rn; } if ($mime_header->encoding) { - $encoding = $mime_header->encoding; - $header[] .= 'Content-Transfer-Encoding: ' . $mime_header->encoding . $rn; + $header[] = 'Content-Transfer-Encoding: ' . $mime_header->encoding . $rn; } else { if ($mime_header->type0 == 'text' || $mime_header->type0 == 'message') { - $header[] .= 'Content-Transfer-Encoding: 8bit' . $rn; + $header[] = 'Content-Transfer-Encoding: 8bit' . $rn; } else { - $header[] .= 'Content-Transfer-Encoding: base64' . $rn; + $header[] = 'Content-Transfer-Encoding: base64' . $rn; } } if ($mime_header->id) { - $header[] .= 'Content-ID: ' . $mime_header->id . $rn; + $header[] = 'Content-ID: ' . $mime_header->id . $rn; } if ($mime_header->disposition) { $disposition = $mime_header->disposition; 
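Review bot: The initStream() docblock in the `@@ -147,27` hunk does not match the signature below it: `$length` is the second parameter but is listed last and without a description, and `$port` is not documented at all. It also promises `@return handle $stream`, while the body returns a `$stream` that is never assigned in this class; `@return resource|null` plus a sentence saying that the base implementation is a stub would be accurate, assuming subclasses are meant to override it. The rename to `getBCC()` leaves the caller `$this->getBcc()` in prepareRFC822_Header() untouched, which keeps working only because PHP method names are case-insensitive; the two spellings should agree.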
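Review bot: The rewritten `$header[] = ...` lines in prepareMIME_Header() (`@@ -190,20` hunk: Content-Description, Content-Transfer-Encoding, Content-ID; `@@ -212,13` hunk: Content-MD5, Content-Language) still append `$mime_header` fields to a header line without removing CR or LF. If any of those fields can carry text that originates from an uploaded or forwarded part (their source is not visible in this diff), an embedded line break would start a new header line in the outgoing message. Since the lines are being touched anyway, the value could be cleaned as it is used, for example `$header[] = 'Content-Description: ' . str_replace(array("\r","\n"), '', $mime_header->description) . $rn;`, and likewise for the other four fields. The function starts and ends outside these hunks.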
@@ -212,13 +340,13 @@ class Deliver { $contentdisp .= '; filename="'. encodeHeader($disposition->getProperty('filename')). '"'; } - $header[] = $contentdisp . $rn; + $header[] = $contentdisp . $rn; } if ($mime_header->md5) { - $header[] .= 'Content-MD5: ' . $mime_header->md5 . $rn; + $header[] = 'Content-MD5: ' . $mime_header->md5 . $rn; } if ($mime_header->language) { - $header[] .= 'Content-Language: ' . $mime_header->language . $rn; + $header[] = 'Content-Language: ' . $mime_header->language . $rn; } $cnt = count($header); @@ -231,8 +359,21 @@ class Deliver { return $header; } + /** + * function prepareRFC822_Header - prepares the RFC822 header string from Rfc822Header object(s) + * + * This function takes the Rfc822Header object(s) and formats them + * into the RFC822Header string to send to the SMTP server as part + * of the SMTP message. + * + * @param Rfc822Header $rfc822_header + * @param Rfc822Header $reply_rfc822_header + * @param integer &$raw_length length of the message + * + * @return string $header + */ function prepareRFC822_Header($rfc822_header, $reply_rfc822_header, &$raw_length) { - global $domain, $version, $username; + global $domain, $version, $username, $encode_header_key, $edit_identity, $hide_auth_header; /* if server var SERVER_NAME not available, use $domain */ if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) { 
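Review bot: The docblock added for prepareRFC822_Header() in the `@@ -231,8` hunk lists the three parameters but none of the globals the function reads, although this same hunk adds `$encode_header_key`, `$edit_identity` and `$hide_auth_header` to the `global` statement. In the later hunks these settings decide whether the sender's address and user name leave the server in clear, encoded, or not at all, so each deserves a `@global` line (or one sentence) saying what it controls and what the behaviour is when it is unset. The function body continues well beyond this hunk.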
@@ -250,8 +391,14 @@ class Deliver { /* This creates an RFC 822 date */ $date = date('D, j M Y H:i:s ', mktime()) . $this->timezone(); /* Create a message-id */ - $message_id = '<' . $REMOTE_PORT . '.' . $REMOTE_ADDR . '.'; - $message_id .= time() . '.squirrel@' . $REMOTE_ADDR .'>'; + $message_id = '<' . $REMOTE_PORT . '.'; + if (isset($encode_header_key) && trim($encode_header_key)!='') { + // use encrypted form of remote address + $message_id.= OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key)); + } else { + $message_id.= $REMOTE_ADDR; + } + $message_id .= '.' . time() . '.squirrel@' . $SERVER_NAME .'>'; /* Make an RFC822 Received: line */ if (isset($REMOTE_HOST)) { $received_from = "$REMOTE_HOST ([$REMOTE_ADDR])"; 
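Review bot: `OneTimePadEncrypt()` is called here with the same static `$encode_header_key` for every message, and again for the user, address and proxy headers in the `@@ -265,10` hunk, so the pad is not one-time. If the helper is a plain XOR against the supplied pad, as its name suggests (its body is not part of this diff), the encoded values are obfuscated rather than confidential, because anyone who already knows one of the encoded values learns the matching pad bytes. For the apparent goal of letting an administrator trace abuse without publishing the address, a keyed digest such as `hash_hmac()` over the value, or encryption with a fresh random nonce per message, would fit better; at minimum the documentation of `$encode_header_key` should say that it gives obfuscation only. `$REMOTE_PORT` is still written to the Message-ID in clear in both branches.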
@@ -265,10 +412,32 @@ class Deliver { $received_from .= " (proxying for $HTTP_X_FORWARDED_FOR)"; } $header = array(); - $header[] = "Received: from $received_from" . $rn; - $header[] = " (SquirrelMail authenticated user $username);" . $rn; - $header[] = " by $SERVER_NAME with HTTP;" . $rn; - $header[] = " $date" . $rn; + + /** + * SquirrelMail header + * + * This Received: header provides information that allows to track + * user and machine that was used to send email. Don't remove it + * unless you understand all possible forging issues or your + * webmail installation does not prevent changes in user's email address. + * See SquirrelMail bug tracker #847107 for more details about it. + */ + if (isset($encode_header_key) && + trim($encode_header_key)!='') { + // use encoded headers, if encryption key is set and not empty + $header[] = 'X-Squirrel-UserHash: '.OneTimePadEncrypt($username,base64_encode($encode_header_key)).$rn; + $header[] = 'X-Squirrel-FromHash: '.OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key)).$rn; + if (isset($HTTP_X_FORWARDED_FOR)) + $header[] = 'X-Squirrel-ProxyHash:'.OneTimePadEncrypt($this->ip2hex($HTTP_X_FORWARDED_FOR),base64_encode($encode_header_key)).$rn; + } else { + // use default received headers + $header[] = "Received: from $received_from" . $rn; + if ($edit_identity || ! isset($hide_auth_header) || ! $hide_auth_header) + $header[] = " (SquirrelMail authenticated user $username)" . $rn; + $header[] = " by $SERVER_NAME with HTTP;" . $rn; + $header[] = " $date" . $rn; + } + /* Insert the rest of the header fields */ $header[] = 'Message-ID: '. $message_id . $rn; if ($reply_rfc822_header->message_id) { 
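Review bot: The `X-Squirrel-ProxyHash:` line feeds `$HTTP_X_FORWARDED_FOR` to `ip2hex()`, but that request header is set by the client or by intermediate proxies and may hold a comma-separated list, in which case ip2hex() hands it back unprocessed; a comment such as `// X-Forwarded-For is client-supplied and may list several addresses: recorded as a hint, not as proof` would keep readers from treating it like REMOTE_ADDR. The line also lacks the space after the colon that the other two X-Squirrel headers have (`'X-Squirrel-ProxyHash: '`), and both new unbraced `if` statements would be safer with braces, as used elsewhere in this file. When the key is set, no `Received:` line is emitted at all, so the `by $SERVER_NAME with HTTP; $date` trace is dropped along with the address; the block comment should say whether that is intended.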
@@ -280,16 +449,20 @@ class Deliver { } $header[] = "Date: $date" . $rn; $header[] = 'Subject: '.encodeHeader($rfc822_header->subject) . $rn; - $header[] = 'From: '. $rfc822_header->getAddr_s('from',',',true) . $rn; - /* RFC2822 if from contains more then 1 address */ + $header[] = 'From: '. $rfc822_header->getAddr_s('from',",$rn ",true) . $rn; + + // folding address list [From|To|Cc|Bcc] happens by using ",$rn" as delimiter + // Do not use foldLine for that. + + // RFC2822 if from contains more then 1 address if (count($rfc822_header->from) > 1) { $header[] = 'Sender: '. $rfc822_header->getAddr_s('sender',',',true) . $rn; } if (count($rfc822_header->to)) { - $header[] = 'To: '. $rfc822_header->getAddr_s('to',',',true) . $rn; + $header[] = 'To: '. $rfc822_header->getAddr_s('to',",$rn ",true) . $rn; } if (count($rfc822_header->cc)) { - $header[] = 'Cc: '. $rfc822_header->getAddr_s('cc',',',true) . $rn; + $header[] = 'Cc: '. $rfc822_header->getAddr_s('cc',",$rn ",true) . $rn; } if (count($rfc822_header->reply_to)) { $header[] = 'Reply-To: '. $rfc822_header->getAddr_s('reply_to',',',true) . $rn; @@ -297,18 +470,15 @@ class Deliver { /* Sendmail should return true. Default = false */ $bcc = $this->getBcc(); if (count($rfc822_header->bcc)) { - $s = 'Bcc: '. $rfc822_header->getAddr_s('bcc',',',true) . $rn; + $s = 'Bcc: '. $rfc822_header->getAddr_s('bcc',",$rn ",true) . $rn; if (!$bcc) { - $s = $this->foldLine($s, 78, str_pad('',4)); $raw_length += strlen($s); } else { $header[] = $s; } } - /* Identify SquirrelMail */ + /* Identify SquirrelMail */ $header[] = 'User-Agent: SquirrelMail/' . $version . $rn; - // Spamassassin complains about no X-Mailer in combination with X-Priority - $header[] = 'X-Mailer: SquirrelMail/' . $version . $rn; /* Do the MIME-stuff */ $header[] = 'MIME-Version: 1.0' . $rn; $contenttype = 'Content-Type: '. $rfc822_header->content_type->type0 .'/'. 
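Review bot: The new comment in the `@@ -280,16` hunk says folding "happens by using ",$rn" as delimiter", but the code passes `",$rn "` with a trailing space, and that space is what makes the next line a valid folded continuation rather than a new header. The comment should quote the delimiter exactly and say so, for example `// address lists are folded by joining with ",\r\n " (the space starts the continuation line); foldLine() must not be applied on top`. It would also help to note that Sender and Reply-To deliberately keep `','` and are still folded by foldLine(), since a reader comparing the five calls will otherwise take the difference for an oversight.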
@@ -316,33 +486,34 @@ class Deliver { if (count($rfc822_header->content_type->properties)) { foreach ($rfc822_header->content_type->properties as $k => $v) { if ($k && $v) { - $contenttype .= ';' .$k.'='.$v; + $contenttype .= ';' .$k.'='.$v; } } } $header[] = $contenttype . $rn; if ($encoding = $rfc822_header->encoding) { - $header[] .= 'Content-Transfer-Encoding: ' . $encoding . $rn; - } + $header[] = 'Content-Transfer-Encoding: ' . $encoding . $rn; + } if ($rfc822_header->dnt) { - $dnt = $rfc822_header->getAddr_s('dnt'); + $dnt = $rfc822_header->getAddr_s('dnt'); /* Pegasus Mail */ $header[] = 'X-Confirm-Reading-To: '.$dnt. $rn; /* RFC 2298 */ $header[] = 'Disposition-Notification-To: '.$dnt. $rn; } if ($rfc822_header->priority) { - $prio = $rfc822_header->priority; - $header[] = 'X-Priority: '. $prio. $rn; - switch($prio) + switch($rfc822_header->priority) { - case 1: $header[] = 'Importance: High'. $rn; break; - case 3: $header[] = 'Importance: Normal'. $rn; break; - case 5: $header[] = 'Importance: Low'. $rn; break; + case 1: + $header[] = 'X-Priority: 1 (Highest)'.$rn; + $header[] = 'Importance: High'. $rn; break; + case 5: + $header[] = 'X-Priority: 5 (Lowest)'.$rn; + $header[] = 'Importance: Low'. $rn; break; default: break; } } - /* Insert headers from the $more_headers array */ + /* Insert headers from the $more_headers array */ if(count($rfc822_header->more_headers)) { reset($rfc822_header->more_headers); foreach ($rfc822_header->more_headers as $k => $v) { @@ -374,6 +545,12 @@ class Deliver { } $hdr_s .= $sLine; break; + case 'To': + case 'Cc': + case 'Bcc': + case 'From': + $hdr_s .= $header[$i]; + break; default: $hdr_s .= $this->foldLine($header[$i], 78, str_pad('',4)); break; } } 
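Review bot: The rewritten `switch` in the `@@ -316,33` hunk emits `X-Priority` only for the values 1 and 5, whereas the removed code sent `X-Priority: $prio` for every non-empty priority and `Importance: Normal` for 3, so a message with priority 2, 3 or 4 now leaves with no priority header at all. If that is the intent, the `default:` arm should carry a comment such as `// priorities 2-4 are deliberately sent without X-Priority/Importance`, otherwise a later reader will see it as an omission. Putting each `break;` on its own line, instead of after the second statement of a two-line case, would make the arms easier to scan.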
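Review bot: The new `case 'To': case 'Cc': case 'Bcc': case 'From':` arm in the `@@ -374,6` hunk appends `$header[$i]` without calling foldLine(), so the line length of these fields now depends entirely on getAddr_s() breaking after every address. A single address with a long encoded display name would then go out on one line longer than the 78 characters used as the fold width everywhere else, and nothing in the visible code enforces the 998-character hard limit of RFC 2822. A comment on this arm stating that assumption, or a length check that falls back to foldLine() for an over-long line, would make the behaviour explicit. The `switch` expression and the surrounding loop lie outside this hunk.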
@@ -383,9 +560,15 @@ class Deliver { return $header; } - /* - * function for cleanly folding of headerlines - */ + /** + * function foldLine - for cleanly folding of headerlines + * + * @param string $line + * @param integer $length length to fold the line at + * @param string $pre prefix the line with... + * + * @return string $line folded line with trailing CRLF + */ function foldLine($line, $length, $pre='') { $line = substr($line,0, -2); $length -= 2; /* do not fold between \r and \n */ @@ -422,7 +605,7 @@ class Deliver { $fold_string = "\r\n "; $aFoldLine[] = substr($line,0,$iLengthEnc); $line = substr($line,$iLengthEnc); - } + } } else if ($iPosEnc < $length) { /* the encoded string fits into the foldlength */ /*remainder */ $sLineRem = substr($line,$iPosEncEnd,$length - $iPosEncEnd); @@ -435,7 +618,7 @@ class Deliver { $bFirstFold = true; $length -= strlen($fold_string); } - } + } } } if (!$fold) { @@ -450,7 +633,7 @@ class Deliver { case ($iFoldPos = strrpos($line_tmp,'=')): break; default: break; } - + if (!$iFoldPos) { /* clean folding didn't work */ $iFoldPos = $length; } @@ -471,6 +654,14 @@ class Deliver { return $line."\r\n"; } + /** + * function mimeBoundary - calculates the mime boundary to use + * + * This function will generate a random mime boundary base part + * for the message if the boundary has not already been set. + * + * @return string $mimeBoundaryString random mime boundary string + */ function mimeBoundary () { static $mimeBoundaryString; @@ -482,7 +673,11 @@ class Deliver { return $mimeBoundaryString; } - /* Time offset for correct timezone */ + /** + * function timezone - Time offset for correct timezone + * + * @return string $result with timezone and offset + */ function timezone () { global $invert_time; 
@@ -499,11 +694,18 @@ class Deliver { $diff_hour = floor ($diff_second / 3600); $diff_minute = floor (($diff_second-3600*$diff_hour) / 60); $zonename = '('.strftime('%Z').')'; - $result = sprintf ("%s%02d%02d %s", $sign, $diff_hour, $diff_minute, + $result = sprintf ("%s%02d%02d %s", $sign, $diff_hour, $diff_minute, $zonename); return ($result); } + /** + * function calculate_references - calculate correct Referer string + * + * @param Rfc822Header $hdr message header to calculate from + * + * @return string $refer concatenated and trimmed Referer string + */ function calculate_references($hdr) { $refer = $hdr->references; $message_id = $hdr->message_id; 
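Review bot: The docblock added for calculate_references() calls the value a "Referer string", but the function reads `$hdr->references` and `$hdr->message_id`, so it apparently builds the mail References field; Referer is the HTTP header and the word should be replaced in both the summary and the `@return` line. The `@return` line also says the result is trimmed, while the `trim($refer);` statement visible at the top of the next hunk discards its return value; either drop "trimmed" from the docblock or change that line to `$refer = trim($refer);`. Most of the function body lies outside this hunk.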
@@ -520,5 +722,66 @@ class Deliver { trim($refer); return $refer; } + + /** + * Converts ip address to hexadecimal string + * + * Function is used to convert ipv4 and ipv6 addresses to hex strings. + * It removes all delimiter symbols from ip addresses, converts decimal + * ipv4 numbers to hex and pads strings in order to present full length + * address. ipv4 addresses are represented as 8 byte strings, ipv6 addresses + * are represented as 32 byte string. + * + * If function fails to detect address format, it returns unprocessed string. + * @param string $string ip address string + * @return string processed ip address string + * @since 1.5.1 and 1.4.5 + */ + function ip2hex($string) { + if (preg_match("/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/",$string,$match)) { + // ipv4 address + $ret = str_pad(dechex($match[1]),2,'0',STR_PAD_LEFT) + . str_pad(dechex($match[2]),2,'0',STR_PAD_LEFT) + . str_pad(dechex($match[3]),2,'0',STR_PAD_LEFT) + . str_pad(dechex($match[4]),2,'0',STR_PAD_LEFT); + } elseif (preg_match("/^([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)\:([0-9a-h]+)$/i",$string,$match)) { + // full ipv6 address + $ret = str_pad($match[1],4,'0',STR_PAD_LEFT) + . str_pad($match[2],4,'0',STR_PAD_LEFT) + . str_pad($match[3],4,'0',STR_PAD_LEFT) + . str_pad($match[4],4,'0',STR_PAD_LEFT) + . str_pad($match[5],4,'0',STR_PAD_LEFT) + . str_pad($match[6],4,'0',STR_PAD_LEFT) + . str_pad($match[7],4,'0',STR_PAD_LEFT) + . 
str_pad($match[8],4,'0',STR_PAD_LEFT); + } elseif (preg_match("/^\:\:([0-9a-h\:]+)$/i",$string,$match)) { + // short ipv6 with all starting symbols nulled + $aAddr=explode(':',$match[1]); + $ret=''; + foreach ($aAddr as $addr) { + $ret.=str_pad($addr,4,'0',STR_PAD_LEFT); + } + $ret=str_pad($ret,32,'0',STR_PAD_LEFT); + } elseif (preg_match("/^([0-9a-h\:]+)::([0-9a-h\:]+)$/i",$string,$match)) { + // short ipv6 with middle part nulled + $aStart=explode(':',$match[1]); + $sStart=''; + foreach($aStart as $addr) { + $sStart.=str_pad($addr,4,'0',STR_PAD_LEFT); + } + $aEnd = explode(':',$match[2]); + $sEnd=''; + foreach($aEnd as $addr) { + $sEnd.=str_pad($addr,4,'0',STR_PAD_LEFT); + } + $ret = $sStart + . str_pad('',(32 - strlen($sStart . $sEnd)),'0',STR_PAD_LEFT) + . $sEnd; + } else { + // unknown addressing + $ret = $string; + } + return $ret; + } } -?> +?> \ No newline at end of file
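Review bot: The three IPv6 patterns in ip2hex() use the class `[0-9a-h]`, which also accepts `g` and `h`; hexadecimal digits end at `f`, so each should read `[0-9a-f]`. The IPv4 branch accepts any `\d+`, so an octet above 255 makes `dechex()` return three or more characters and the result is no longer the fixed length the docblock promises. Forms such as a trailing `::` or an IPv4-mapped address fall through to the last branch and come back unprocessed, which matters because the callers in the earlier hunks pass the client-supplied X-Forwarded-For value as well as REMOTE_ADDR. Where `inet_pton()` is available, `bin2hex(inet_pton($string))` with a check for a `false` return validates and expands every form in one step and could run first, with the regex code kept as the fallback; the docblock's "8 byte" and "32 byte" should also read "characters".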