X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=src%2Fcompose.php;h=afc20be3ef486d353e985dbf0fc92ef6bbe4aa32;hp=ee8bcaaa264d04fb49353f0b4faae8dff42d48bf;hb=c4faef335b2362c81b8ebf026d4066c12d70536c;hpb=79cecc00d76f1f34ad76d2de904a0dc3adf0978a

diff --git a/src/compose.php b/src/compose.php
index ee8bcaaa..afc20be3 100644
--- a/src/compose.php
+++ b/src/compose.php
@@ -10,7 +10,7 @@
  *    - Send mail
  *    - Save As Draft
  *
- * @copyright 1999-2016 The SquirrelMail Project Team
+ * @copyright 1999-2020 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -55,7 +55,8 @@ sqgetGlobalVar('compose_messages',  $compose_messages,  SQ_SESSION);
 // compose_messages only useful in SESSION when a forward-as-attachment
 // has been preconstructed for us and passed in via that mechanism; once
 // we have it, we can clear it from the SESSION
-sqsession_unregister('compose_messages');
+// -- No, this is useful in other scenarios, too -- removing:
+// sqsession_unregister('compose_messages');
 
 // Turn on delayed error handling in case we wind up redirecting below
 $oErrorHandler->setDelayedErrors(true);
@@ -174,8 +175,12 @@ function replyAllString($header) {
     /**
      * 1) Remove the addresses we'll be sending the message 'to'
      */
-    if (isset($header->reply_to)) {
+    if (isset($header->reply_to) && is_array($header->reply_to) && count($header->reply_to)) {
         $excl_ar = $header->getAddr_a('reply_to');
+    } else if (is_object($header->reply_to)) { /* unneccesarry, just for failsafe purpose */
+        $excl_ar = $header->getAddr_a('reply_to');
+    } else {
+        $excl_ar = $header->getAddr_a('from');
     }
     /**
      * 2) Remove our identities from the CC list (they still can be in the
@@ -246,6 +251,7 @@ function getReplyCitation($orig_from, $orig_date) {
         $full_reply_citation = sprintf(_("%s wrote:"),$sOrig_from);
         break;
     case 'quote_who':
+        // TODO: the words "quote" and "who" are translated in 1.4.x so why not here?  This isn't a real HTML tag...
         $start = '<quote who="';
         $end   = '">';
         $full_reply_citation = $start . $sOrig_from . $end;
@@ -405,8 +411,25 @@ if (!empty($compose_messages[$session])) {
 // should never directly manipulate an object like this
 if (!empty($attachments)) {
     $attachments = unserialize(urldecode($attachments));
-    if (!empty($attachments) && is_array($attachments))
-        $composeMessage->entities = $attachments;
+    if (!empty($attachments) && is_array($attachments)) {
+        // sanitize the "att_local_name" since it is user-supplied and used to access the file system
+        // it must be alpha-numeric and 32 characters long (see the use of GenerateRandomString() below)
+        foreach ($attachments as $i => $attachment) {
+            if (empty($attachment->att_local_name) || strlen($attachment->att_local_name) !== 32) {
+                unset($attachments[$i]);
+                continue;
+            }
+            // probably marginal difference between (ctype_alnum + function_exists) and preg_match
+            if (function_exists('ctype_alnum')) {
+                if (!ctype_alnum($attachment->att_local_name))
+                    unset($attachments[$i]);
+            }
+            else if (preg_match('/[^0-9a-zA-Z]/', $attachment->att_local_name))
+                unset($attachments[$i]);
+        }
+        if (!empty($attachments))
+            $composeMessage->entities = $attachments;
+    }
 }
 
 if (empty($mailbox)) {
@@ -573,8 +596,14 @@ if ($send) {
             exit();
         } else {
             if ( !isset($pageheader_sent) || !$pageheader_sent ) {
-                header("Location: $location/right_main.php?mailbox=$urlMailbox".
-                    "&startMessage=$startMessage&mail_sent=$mail_sent");
+                global $return_to_message_after_reply;
+                if (($action === 'reply' || $action === 'reply_all' || $action === 'forward' || $action === 'forward_as_attachment')
+                 && $return_to_message_after_reply && $passed_id)
+                    header("Location: $location/read_body.php?passed_id=$passed_id&mailbox=$urlMailbox".
+                            "&startMessage=$startMessage&mail_sent=$mail_sent");
+                else
+                    header("Location: $location/right_main.php?mailbox=$urlMailbox".
+                            "&startMessage=$startMessage&mail_sent=$mail_sent");
             } else {
 //FIXME: DON'T ECHO HTML FROM CORE!
                 echo '   <br><br><div style="text-align: center;"><a href="' . $location
@@ -784,7 +813,7 @@ function newMail ($mailbox='', $passed_id='', $passed_ent_id='', $action='', $se
         $key, $imapServerAddress, $imapPort, $imap_stream_options,
         $composeMessage, $body_quote, $request_mdn, $request_dr,
         $mdn_user_support, $languages, $squirrelmail_language,
-        $default_charset, $do_not_reply_to_self;
+        $default_charset, $do_not_reply_to_self, $compose_messages;
 
     /*
      * Set $default_charset to correspond with the user's selection
@@ -926,6 +955,11 @@ function newMail ($mailbox='', $passed_id='', $passed_ent_id='', $action='', $se
                 // rewrap the body to clean up quotations and line lengths
                 sqBodyWrap($body, $editor_size);
                 $composeMessage = getAttachments($message, $composeMessage, $passed_id, $entities, $imapConnection);
+                if (!empty($orig_header->x_sm_flag_reply))
+                    $composeMessage->rfc822_header->more_headers['X-SM-Flag-Reply'] = $orig_header->x_sm_flag_reply;
+//TODO: completely unclear if should be using $compose_session instead of $session below
+                $compose_messages[$session] = $composeMessage;
+                sqsession_register($compose_messages,'compose_messages');
                 break;
             case ('edit_as_new'):
                 $send_to = decodeHeader($orig_header->getAddr_s('to'),false,false,true);
@@ -1685,7 +1719,7 @@ function getByteSize($ini_size) {
  */
 function deliverMessage(&$composeMessage, $draft=false) {
     global $send_to, $send_to_cc, $send_to_bcc, $mailprio, $subject, $body,
-        $username, $identity, $idents, $data_dir,
+        $username, $identity, $idents, $data_dir, $compose_messages, $session,
         $request_mdn, $request_dr, $default_charset, $useSendmail,
         $domain, $action, $default_move_to_sent, $move_to_sent,
         $imapServerAddress, $imapPort, $imap_stream_options, $sent_folder, $key;
@@ -1781,6 +1815,19 @@ function deliverMessage(&$composeMessage, $draft=false) {
        it over to deliver; plugin authors note that $composeMessage
        is sent and modified by reference since 1.5.2 */
     do_hook('compose_send', $composeMessage);
+//TODO: need to migrate to the following, but it neessitates changes in existing plugins, since the args are now an array
+    //$temp = array(&$composeMessage, &$draft);
+    //do_hook('compose_send', $temp);
+
+    // remove special header if present and prepare to mark
+    // a message that a draft was composed in reply to
+    if (!empty($composeMessage->rfc822_header->x_sm_flag_reply) && !$draft) {
+        global $passed_id, $mailbox;
+        // tricks the code below that marks the reply
+        list($action, $passed_id, $mailbox) = explode('::', $rfc822_header->x_sm_flag_reply, 3);
+        unset($composeMessage->rfc822_header->x_sm_flag_reply);
+        unset($composeMessage->rfc822_header->more_headers['X-SM-Flag-Reply']);
+    }
 
     if (!$useSendmail && !$draft) {
         require_once(SM_PATH . 'class/deliver/Deliver_SMTP.class.php');
@@ -1810,12 +1857,22 @@ function deliverMessage(&$composeMessage, $draft=false) {
         $imap_stream = sqimap_login($username, false, $imapServerAddress,
                 $imapPort, 0, $imap_stream_options);
         if (sqimap_mailbox_exists ($imap_stream, $draft_folder)) {
+//TODO: this can leak private information about folders and message IDs if messages are accessed/sent from another client --- should this feature be optional?
+            // make note of the message to mark as having been replied to
+            global $passed_id, $mailbox;
+            if ($action == 'reply' || $action == 'reply_all' || $action == 'forward' || $action == 'forward_as_attachment') {
+                $composeMessage->rfc822_header->more_headers['X-SM-Flag-Reply'] = $action . '::' . $passed_id . '::' . $mailbox;
+            }
+
             require_once(SM_PATH . 'class/deliver/Deliver_IMAP.class.php');
             $imap_deliver = new Deliver_IMAP();
             $success = $imap_deliver->mail($composeMessage, $imap_stream, $reply_id, $reply_ent_id, $imap_stream, $draft_folder);
             sqimap_logout($imap_stream);
             unset ($imap_deliver);
             $composeMessage->purgeAttachments();
+//TODO: completely unclear if should be using $compose_session instead of $session below
+            unset($compose_messages[$session]);
+            sqsession_register($compose_messages,'compose_messages');
             return $success;
         } else {
             $msg  = '<br />'.sprintf(_("Error: Draft folder %s does not exist."), sm_encode_html_special_chars($draft_folder));
@@ -1853,60 +1910,64 @@ function deliverMessage(&$composeMessage, $draft=false) {
 
         if ($action=='reply' || $action=='reply_all' || $action=='forward' || $action=='forward_as_attachment') {
             require(SM_PATH . 'functions/mailbox_display.php');
-            $aMailbox = sqm_api_mailbox_select($imap_stream, $iAccount, $mailbox,array('setindex' => $what, 'offset' => $startMessage),array());
-            switch($action) {
-            case 'reply':
-            case 'reply_all':
-                // check if we are allowed to set the \\Answered flag
-                if (in_array('\\answered',$aMailbox['PERMANENTFLAGS'], true)) {
-                    $aUpdatedMsgs = sqimap_toggle_flag($imap_stream, array($passed_id), '\\Answered', true, false);
-                    if (isset($aUpdatedMsgs[$passed_id]['FLAGS'])) {
-                        /**
-                        * Only update the cached headers if the header is
-                        * cached.
-                        */
-                        if (isset($aMailbox['MSG_HEADERS'][$passed_id])) {
-                            $aMailbox['MSG_HEADERS'][$passed_id]['FLAGS'] = $aMsg['FLAGS'];
+            // select errors here could be due to a draft reply being sent
+            // after the original message's mailbox is moved or deleted
+            $aMailbox = sqm_api_mailbox_select($imap_stream, $iAccount, $mailbox,array('setindex' => $what, 'offset' => $startMessage),array(), false);
+            // a non-empty return from above means we can proceed
+            if (!empty($aMailbox)) {
+                switch($action) {
+                case 'reply':
+                case 'reply_all':
+                    // check if we are allowed to set the \\Answered flag
+                    if (in_array('\\answered',$aMailbox['PERMANENTFLAGS'], true)) {
+                        $aUpdatedMsgs = sqimap_toggle_flag($imap_stream, array($passed_id), '\\Answered', true, false);
+                        if (isset($aUpdatedMsgs[$passed_id]['FLAGS'])) {
+                            /**
+                            * Only update the cached headers if the header is
+                            * cached.
+                            */
+                            if (isset($aMailbox['MSG_HEADERS'][$passed_id])) {
+                                $aMailbox['MSG_HEADERS'][$passed_id]['FLAGS'] = $aMsg['FLAGS'];
+                            }
                         }
                     }
-                }
-                break;
-            case 'forward':
-            case 'forward_as_attachment':
-                // check if we are allowed to set the $Forwarded flag (RFC 4550 paragraph 2.8)
-                if (in_array('$forwarded',$aMailbox['PERMANENTFLAGS'], true) ||
-                    in_array('\\*',$aMailbox['PERMANENTFLAGS'])) {
-
-                    // when forwarding as an attachment from the message
-                    // list, passed_id is not used, need to get UID(s)
-                    // from the query string
-                    //
-                    if (empty($passed_id) && !empty($fwduid))
-                        $ids = explode('_', $fwduid);
-                    else
-                        $ids = array($passed_id);
+                    break;
+                case 'forward':
+                case 'forward_as_attachment':
+                    // check if we are allowed to set the $Forwarded flag (RFC 4550 paragraph 2.8)
+                    if (in_array('$forwarded',$aMailbox['PERMANENTFLAGS'], true) ||
+                        in_array('\\*',$aMailbox['PERMANENTFLAGS'])) {
+
+                        // when forwarding as an attachment from the message
+                        // list, passed_id is not used, need to get UID(s)
+                        // from the query string
+                        //
+                        if (empty($passed_id) && !empty($fwduid))
+                            $ids = explode('_', $fwduid);
+                        else
+                            $ids = array($passed_id);
 
-                    $aUpdatedMsgs = sqimap_toggle_flag($imap_stream, $ids, '$Forwarded', true, false);
+                        $aUpdatedMsgs = sqimap_toggle_flag($imap_stream, $ids, '$Forwarded', true, false);
 
-                    foreach ($ids as $id) {
-                        if (isset($aUpdatedMsgs[$id]['FLAGS'])) {
-                            if (isset($aMailbox['MSG_HEADERS'][$id])) {
-                                $aMailbox['MSG_HEADERS'][$id]['FLAGS'] = $aMsg['FLAGS'];
+                        foreach ($ids as $id) {
+                            if (isset($aUpdatedMsgs[$id]['FLAGS'])) {
+                                if (isset($aMailbox['MSG_HEADERS'][$id])) {
+                                    $aMailbox['MSG_HEADERS'][$id]['FLAGS'] = $aMsg['FLAGS'];
+                                }
                             }
                         }
                     }
+                    break;
                 }
-                break;
-            }
 
-            /**
-             * Write mailbox with updated seen flag information back to cache.
-             */
-            if(isset($aUpdatedMsgs[$passed_id])) {
-                $mailbox_cache[$iAccount.'_'.$aMailbox['NAME']] = $aMailbox;
-                sqsession_register($mailbox_cache,'mailbox_cache');
+                /**
+                 * Write mailbox with updated seen flag information back to cache.
+                 */
+                if(isset($aUpdatedMsgs[$passed_id])) {
+                    $mailbox_cache[$iAccount.'_'.$aMailbox['NAME']] = $aMailbox;
+                    sqsession_register($mailbox_cache,'mailbox_cache');
+                }
             }
-
         }
 
 
@@ -1949,6 +2010,9 @@ function deliverMessage(&$composeMessage, $draft=false) {
         // final cleanup
         //
         $composeMessage->purgeAttachments();
+//TODO: completely unclear if should be using $compose_session instead of $session below
+        unset($compose_messages[$session]);
+        sqsession_register($compose_messages,'compose_messages');
         sqimap_logout($imap_stream);
 
     }