added extra check for save internal link extensions. (for use with

magicHTML)
Maybe this is the wrong fix but in case of iframes tags with a cid link to an
internal entity it's possible that stupid users download attached virus
entities because the iframe src pointed to a filename with .scr, .exe, .bat or
other extension. This patch only allow the following hardcoded save extensions:
gif, jpeg, jpg, png, bmp.

To do:
notify user in case of invalid extensions.
totally remove iframes because I think in most cases (virus) they are unsave.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3468 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/functions/mime.php b/functions/mime.php
index 3563a9986074051a93211739e5bd13b5b767ebb6..9573299476485b30265996cdc405c229d91457e2 100644 (file)
--- a/functions/mime.php
+++ b/functions/mime.php
@@ -604,13 +604,26 @@ function find_ent_id( $id, $message ) {
        if ( $message->entities[$i]->header->type0 == 'multipart')  {    
            $ret = find_ent_id( $id, $message->entities[$i] );
         } else {
-            if ( strcasecmp( $message->entities[$i]->header->id, $id ) == 0 )
-                $ret = $message->entities[$i]->entity_id;
+            if ( strcasecmp( $message->entities[$i]->header->id, $id ) == 0 ) {
+               if (sq_check_save_extension($message->entities[$i])) {
+                   $ret = $message->entities[$i]->entity_id;
+               } else {
+                   $ret = '';
+               }
+           }
         }
     }
     return( $ret );
 }
 
+function sq_check_save_extension($message) {
+    $filename = $message->getFilename();
+    $ext = substr($filename, strrpos($filename,'.')+1);
+    $save_extensions = array('jpg','jpeg','gif','png','bmp');
+    return (in_array($ext, $save_extensions));
+}
+
+
 /**
  ** HTMLFILTER ROUTINES
  */
@@ -1221,9 +1234,15 @@ function sq_cid2http($message, $id, $cidurl, $mailbox){
     $quotchar = substr($cidurl, 0, 1);
     $cidurl = str_replace($quotchar, "", $cidurl);
     $cidurl = substr(trim($cidurl), 4);
-    $httpurl = $quotchar . "../src/download.php?absolute_dl=true&" .
-        "passed_id=$id&mailbox=" . urlencode($mailbox) .
-        "&ent_id=" . find_ent_id($cidurl, $message) . $quotchar;
+    $linkurl = find_ent_id($cidurl, $message);
+    /* in case of non-save cid links $httpurl should be replaced by a sort of
+       unsave link image */
+    $httpurl = '';
+    if ($linkurl) {
+        $httpurl = $quotchar . "../src/download.php?absolute_dl=true&" .
+                   "passed_id=$id&mailbox=" . urlencode($mailbox) .
+                   "&ent_id=" . $linkurl . $quotchar;
+    }
     return $httpurl;
 }