X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=functions%2Fmime.php;h=9bc6182032a95e40ecff32f7c9b43e9a442102a4;hp=56ee0d47c3320ad1b57e88eb8f1519d0aa346bd6;hb=1710ad6563993035601d94fe96f68c9b964e866c;hpb=24e8917ead46268f6a4264900c832b4a5c37ee84 diff --git a/functions/mime.php b/functions/mime.php index 56ee0d47..9bc61820 100644 --- a/functions/mime.php +++ b/functions/mime.php @@ -6,7 +6,7 @@ * This contains the functions necessary to detect and decode MIME * messages. * - * @copyright 1999-2020 The SquirrelMail Project Team + * @copyright 1999-2021 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -71,7 +71,7 @@ function mime_structure ($bodystructure, $flags=array()) { if (count($flags)) { foreach ($flags as $flag) { //FIXME: please document why it is we have to check the first char of the flag but we then go ahead and do a full string comparison anyway. Is this a speed enhancement? If not, let's keep it simple and just compare the full string and forget the switch block. - $char = strtoupper($flag{1}); + $char = strtoupper($flag[1]); switch ($char) { case 'S': if (strtolower($flag) == '\\seen') { @@ -151,7 +151,7 @@ function mime_fetch_body($imap_stream, $id, $ent_id=1, $fetch_size=0) { /* There is some information in the content info header that could be important * in order to parse html messages. Let's get them here. */ -// if ($ret{0} == '<') { +// if ($ret[0] == '<') { // $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, TRUE); // } } else if (preg_match('/"([^"]*)"/', $topline, $regs)) { 
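Review bot: `$flag[1]` in mime_structure's flag loop assumes every flag is at least two bytes long; an empty or one-character flag raises an uninitialized-string-offset warning on current PHP, and the flags presumably come from the IMAP server's response. The existing FIXME already questions the first-character switch, so a guard such as `if (strlen($flag) < 2) continue;` before the offset access, or a plain comparison on `strtolower($flag)`, would be simpler and safer. The rest of the loop body lies outside the hunk.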
@@ -598,7 +598,8 @@ function buildAttachmentArray($message, $exclude_id, $mailbox, $id) { returning any changes, changes should simply be made to the original arguments themselves. */ $temp = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent, - &$defaultlink, &$display_filename, &$where, &$what); + &$defaultlink, &$display_filename, &$where, &$what, + &$type0, &$type1); do_hook("attachment $type0/$type1", $temp); /* The API for this hook has changed as of 1.5.2 so that all plugin arguments are passed in an array instead of each their own plugin @@ -606,7 +607,8 @@ function buildAttachmentArray($message, $exclude_id, $mailbox, $id) { returning any changes, changes should simply be made to the original arguments themselves. */ $temp = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent, - &$defaultlink, &$display_filename, &$where, &$what); + &$defaultlink, &$display_filename, &$where, &$what, + &$type0, &$type1); // Do not let a generic plugin change the default link if a more // specialized one already did it... if ($defaultlink != $defaultlink_orig) { @@ -620,7 +622,8 @@ function buildAttachmentArray($message, $exclude_id, $mailbox, $id) { returning any changes, changes should simply be made to the original arguments themselves. */ $temp = array(&$links, &$startMessage, &$id, &$urlMailbox, &$ent, - &$defaultlink, &$display_filename, &$where, &$what); + &$defaultlink, &$display_filename, &$where, &$what, + &$type0, &$type1); // Do not let a generic plugin change the default link if a more // specialized one already did it... if ($defaultlink != $defaultlink_orig) { 
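Review bot: `&$type0` and `&$type1` are added by reference to all three `$temp` arrays in buildAttachmentArray (this hunk and the next two), which lets any attachment plugin rewrite the MIME type rather than just read it. The value later feeds `$this_attachment['ContentType']`, and presumably the names of the hooks fired after the first one, so a change made by one plugin could alter which handlers run next; those `do_hook` calls are outside the hunks. If read access is all plugins need, pass the two values without `&`. Either way, extend the API comment above each array with something like `Elements 9 and 10 are the attachment's MIME type and subtype.` and state whether plugins may modify them.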
@@ -645,14 +648,27 @@ function buildAttachmentArray($message, $exclude_id, $mailbox, $id) { $this_attachment['ContentType'] = sm_encode_html_special_chars($type0 .'/'. $type1); $this_attachment['OtherLinks'] = array(); foreach ($links as $val) { - if ($val['text']==_("Download") || $val['text'] == _("View")) + if ($val['text']==_("Download")) { + $this_attachment['DownloadHREF'] = $val['href']; continue; - if (empty($val['text']) && empty($val['extra'])) + } + if ($val['text']==_("View")) { + $this_attachment['ViewHREF'] = $val['href']; + continue; + } + + // This makes no sense - If 'text' and 'extra' are just concatenated, + // there is no point in having 'extra'.... I am going to assume this + // was a mistake and am changing 'extra' to be what I think it was + // meant to be: additional tag attributes. However, I'm not checking + // extensively for plugins that were using this the wrong way (but why would they?) + if (empty($val['text'])) continue; $temp = array(); $temp['HREF'] = $val['href']; - $temp['Text'] = (empty($val['text']) ? '' : $val['text']) . (empty($val['extra']) ? '' : $val['extra']); + $temp['Text'] = $val['text']; + $temp['Extra'] = (empty($val['extra']) ? '' : $val['extra']); $this_attachment['OtherLinks'][] = $temp; } $attachments[] = $this_attachment; @@ -985,7 +1001,7 @@ function encodeHeader ($string) { $iEncStart = $enc_init = false; $cur_l = $iOffset = 0; for($i = 0; $i < $j; ++$i) { - switch($string{$i}) + switch($string[$i]) { case '"': case '=': @@ -1007,7 +1023,7 @@ function encodeHeader ($string) { $ret = ''; $iEncStart = false; } else { - $ret .= sprintf("=%02X",ord($string{$i})); + $ret .= sprintf("=%02X",ord($string[$i])); } break; case '(': @@ -1037,7 +1053,7 @@ function encodeHeader ($string) { } break; default: - $k = ord($string{$i}); + $k = ord($string[$i]); if ($k > 126) { if ($iEncStart === false) { // do not start encoding in the middle of a string, also take the rest of the word. 
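Review bot: In the `foreach ($links as $val)` loop, `DownloadHREF` and `ViewHREF` are taken from whichever link's `text` equals the translated label, so a plugin-supplied link that happens to be labelled `_("Download")` or `_("View")` silently replaces the core URL (the last match wins). `$links` is handed to plugins by reference in the hooks above, and `HREF`, `Text` and the new `Extra` are stored as-is here, without the `sm_encode_html_special_chars()` call that `ContentType` gets a few lines earlier. Since `Extra` is now meant to be raw tag attributes, the template side needs to know which fields are already HTML-safe; a comment such as `// HREF/Text/Extra come from core and plugins and are not escaped here; Extra is emitted inside the tag and must never carry message-derived data` would record that. Keeping the first match with `if (!isset($this_attachment['DownloadHREF']))` (and likewise for `ViewHREF`) avoids the silent override.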
@@ -1071,7 +1087,7 @@ function encodeHeader ($string) { $cur_l = 0; $ret = ''; } else { - $ret .= $string{$i}; + $ret .= $string[$i]; } } } @@ -1366,7 +1382,7 @@ function sq_tagprint($tagname, $attary, $tagtype){ $fulltag = '<' . $tagname; if (is_array($attary) && sizeof($attary)){ $atts = Array(); - while (list($attname, $attvalue) = each($attary)){ + foreach ($attary as $attname => $attvalue){ array_push($atts, "$attname=$attvalue"); } $fulltag .= ' ' . join(" ", $atts); @@ -1447,12 +1463,12 @@ function sq_findnxreg($body, $offset, $reg){ $matches = Array(); $retarr = Array(); preg_match("%^(.*?)($reg)%si", substr($body, $offset), $matches); - if (!isset($matches{0}) || !$matches{0}){ + if (!isset($matches[0]) || !$matches[0]){ $retarr = false; } else { - $retarr{0} = $offset + strlen($matches{1}); - $retarr{1} = $matches{1}; - $retarr{2} = $matches{2}; + $retarr[0] = $offset + strlen($matches[1]); + $retarr[1] = $matches[1]; + $retarr[2] = $matches[2]; } return $retarr; } @@ -1610,8 +1626,8 @@ function sq_getnxtag($body, $offset){ /** * Yep. So we did. */ - $pos += strlen($matches{1}); - if ($matches{2} == "/>"){ + $pos += strlen($matches[1]); + if ($matches[2] == "/>"){ $tagtype = 3; $pos++; } @@ -1668,7 +1684,7 @@ function sq_getnxtag($body, $offset){ return $retary; } case '>': - $attary{$attname} = '"yes"'; + $attary[$attname] = '"yes"'; return Array($tagname, $attary, $tagtype, $lt, $pos); break; default: @@ -1702,7 +1718,7 @@ function sq_getnxtag($body, $offset){ } list($pos, $attval, $match) = $regary; $pos++; - $attary{$attname} = "'" . $attval . "'"; + $attary[$attname] = "'" . $attval . "'"; } else if ($quot == '"'){ $regary = sq_findnxreg($body, $pos+1, '\"'); if ($regary == false){ @@ -1710,7 +1726,7 @@ function sq_getnxtag($body, $offset){ } list($pos, $attval, $match) = $regary; $pos++; - $attary{$attname} = '"' . $attval . '"'; + $attary[$attname] = '"' . $attval . '"'; } else { /** * These are hateful. Look for \s, or >. 
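Review bot: sq_findnxreg ignores the return value of `preg_match()`, so a PCRE failure (for example the backtrack limit being hit by the lazy `(.*?)` on a large body) reaches callers as `false`, indistinguishable from "pattern not found". For a helper the HTML sanitizer depends on, the two cases should be told apart, at least with `if (preg_last_error() !== PREG_NO_ERROR)` and a documented outcome for callers. The test `!$matches[0]` also treats a match consisting of the single character `0` as no match; `$matches[0] === ''` says what is meant. If the function's docblock (outside the hunk) does not already say so, note there that `$reg` is placed unescaped into a `%`-delimited pattern and must therefore be a trusted constant.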
@@ -1724,13 +1740,13 @@ function sq_getnxtag($body, $offset){ * If it's ">" it will be caught at the top. */ $attval = preg_replace("/\"/s", """, $attval); - $attary{$attname} = '"' . $attval . '"'; + $attary[$attname] = '"' . $attval . '"'; } } else if (preg_match("|[\w/>]|", $char)) { /** * That was attribute type 4. */ - $attary{$attname} = '"yes"'; + $attary[$attname] = '"yes"'; } else { /** * An illegal character. Find next '>' and return. @@ -1769,7 +1785,7 @@ function sq_deent(&$attvalue, $regex, $hex=false){ if ($hex){ $numval = hexdec($numval); } - $repl{$matches[0][$i]} = chr($numval); + $repl[$matches[0][$i]] = chr($numval); } $attvalue = strtr($attvalue, $repl); return true; @@ -1800,7 +1816,7 @@ function sq_fixatts($tagname, $mailbox ){ $me = 'sq_fixatts'; - while (list($attname, $attvalue) = each($attary)){ + foreach ($attary as $attname => $attvalue){ /** * See if this attribute should be removed. */ @@ -1808,7 +1824,7 @@ function sq_fixatts($tagname, if (preg_match($matchtag, $tagname)){ foreach ($matchattrs as $matchattr){ if (preg_match($matchattr, $attname)){ - unset($attary{$attname}); + unset($attary[$attname]); continue; } } @@ -1829,7 +1845,7 @@ function sq_fixatts($tagname, // entities are used in the attribute value. In 99% of the cases it's there as XSS // i.e.
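Review bot: `chr($numval)` in sq_deent keeps only the low eight bits of its argument, so a numeric entity above 255 is decoded to an unrelated single byte instead of the character it names. Because the decoded byte replaces the entity in `$attvalue` through `strtr()`, the attribute text that later filters inspect can differ from what the message actually encoded. Consider leaving out-of-range values undecoded, e.g. `if ($numval < 0 || $numval > 255) { continue; }` before the assignment, or decoding through a Unicode-aware routine. The loop header and the regex that produce `$matches` are outside the hunk.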
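Review bot: The `continue` after `unset($attary[$attname]);` sits inside `foreach ($matchattrs as $matchattr)`, so it only advances that inner loop; the attribute loop that this commit converts to `foreach ($attary as $attname => $attvalue)` carries on processing the attribute that was just removed. Later branches of sq_fixatts assign `$attary[$attname] = ...` again (see the hunks that follow), which would put a removed attribute back whenever its name also matches one of those branches. Use a levelled `continue N;` that targets the attribute loop, or set a flag and skip the rest of the iteration. The exact nesting depth is not visible because the enclosing `foreach` lines fall between the hunks.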
$attvalue = "idiocy"; - $attary{$attname} = $attvalue; + $attary[$attname] = $attvalue; } sq_unspace($attvalue); @@ -1852,7 +1868,7 @@ function sq_fixatts($tagname, $newvalue = preg_replace($valmatch, $valrepl, $attvalue); if ($newvalue != $attvalue){ - $attary{$attname} = $newvalue; + $attary[$attname] = $newvalue; $attvalue = $newvalue; } } @@ -1862,7 +1878,7 @@ function sq_fixatts($tagname, if ($attname == 'style') { if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) { // 8bit and control characters in style attribute values can be used for XSS, remove them - $attary{$attname} = '"disallowed character"'; + $attary[$attname] = '"disallowed character"'; } preg_match_all("/url\s*\((.+)\)/si",$attvalue,$aMatch); if (count($aMatch)) { @@ -1870,7 +1886,7 @@ function sq_fixatts($tagname, // url value $urlvalue = $sMatch; sq_fix_url($attname, $urlvalue, $message, $id, $mailbox,"'"); - $attary{$attname} = str_replace($sMatch,$urlvalue,$attvalue); + $attary[$attname] = str_replace($sMatch,$urlvalue,$attvalue); } } } @@ -1881,7 +1897,7 @@ function sq_fixatts($tagname, || $attname == 'poster' || $attname == 'formaction' || $attname == 'background' || $attname == 'action') { sq_fix_url($attname, $attvalue, $message, $id, $mailbox); - $attary{$attname} = $attvalue; + $attary[$attname] = $attvalue; } } /** @@ -2067,7 +2083,7 @@ function sq_fixstyle($body, $pos, $message, $id, $mailbox){ $bSucces = false; $bEndTag = false; for ($i=$pos,$iCount=strlen($body);$i<$iCount;++$i) { - $char = $body{$i}; + $char = $body[$i]; switch ($char) { case '<': $sToken = $char; @@ -2098,7 +2114,7 @@ function sq_fixstyle($body, $pos, $message, $id, $mailbox){ case '!': if ($sToken == '<') { // possible comment - if (isset($body{$i+2}) && substr($body,$i,3) == '!--') { + if (isset($body[$i+2]) && substr($body,$i,3) == '!--') { $i = strpos($body,'-->',$i+3); if ($i === false) { // no end comment $i = strlen($body); 
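Review bot: In the `style` branch of sq_fixatts the control/8-bit check overwrites `$attary[$attname]` with `'"disallowed character"'` but leaves `$attvalue` untouched, and the `url(...)` handling in the next hunk then assigns `$attary[$attname] = str_replace($sMatch,$urlvalue,$attvalue);` from that original value. When a style value trips both checks, the rejected text is written back over the placeholder. Update both together, `$attvalue = '"disallowed character"'; $attary[$attname] = $attvalue;`, so the URL pass works on the placeholder. The same assignment restarts from `$attvalue` on every iteration, so with several matches only the last rewrite survives; the loop header lies between the two hunks, so confirm against the full function.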
@@ -2321,7 +2337,7 @@ function sq_body2div($attary, $mailbox, $message, $id){ $styledef .= "color: $text; "; } if (strlen($styledef) > 0){ - $divattary{"style"} = "\"$styledef\""; + $divattary["style"] = "\"$styledef\""; } } return $divattary; @@ -2472,9 +2488,9 @@ function sq_sanitize($body, if ($tagname == "body"){ $tagname = "div"; } - if (isset($open_tags{$tagname}) && - $open_tags{$tagname} > 0){ - $open_tags{$tagname}--; + if (isset($open_tags[$tagname]) && + $open_tags[$tagname] > 0){ + $open_tags[$tagname]--; } else { $tagname = false; } @@ -2516,10 +2532,10 @@ function sq_sanitize($body, $message, $id); } if ($tagtype == 1){ - if (isset($open_tags{$tagname})){ - $open_tags{$tagname}++; + if (isset($open_tags[$tagname])){ + $open_tags[$tagname]++; } else { - $open_tags{$tagname}=1; + $open_tags[$tagname]=1; } } /** @@ -2741,13 +2757,13 @@ function magicHTML($body, $id, $message, $mailbox = 'INBOX', $take_mailto_links * Remove any references to http/https if view_unsafe_images set * to false. */ - array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[0], + array_push($bad_attvals['/.*/']['/^src|background/i'][0], '/^([\'\"])\s*https*:.*([\'\"])/si'); - array_push($bad_attvals{'/.*/'}{'/^src|background/i'}[1], + array_push($bad_attvals['/.*/']['/^src|background/i'][1], "\\1$secremoveimg\\1"); - array_push($bad_attvals{'/.*/'}{'/^style/i'}[0], + array_push($bad_attvals['/.*/']['/^style/i'][0], '/url\([\'\"]?https?:[^\)]*[\'\"]?\)/si'); - array_push($bad_attvals{'/.*/'}{'/^style/i'}[1], + array_push($bad_attvals['/.*/']['/^style/i'][1], "url(\\1$secremoveimg\\1)"); }
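Review bot: The key `'/^src|background/i'` used in the magicHTML `array_push` calls anchors only the `src` alternative, so as a regex it matches any attribute name that merely contains `background` as well as every name beginning with `src`. If that breadth is intended, a comment like `// ^ binds to "src" only; "background" matches anywhere in the name` would save the next reader from guessing; if not, `'/^(src|background)/i'` is the grouped form, but the key has to stay identical to the one in the `$bad_attvals` definition, which is outside the hunk. The replacement `"url(\\1$secremoveimg\\1)"` refers to group 1 although the style pattern pushed just before it has no capture group, so `\\1` expands to nothing there; a comment or removing the back-references would make that explicit.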