commit | author | age
|
4e17e6
|
1 |
<?php |
T |
2 |
|
a95874
|
3 |
/** |
4e17e6
|
4 |
+-----------------------------------------------------------------------+ |
T |
5 |
| program/steps/mail/get.inc | |
|
6 |
| | |
e019f2
|
7 |
| This file is part of the Roundcube Webmail client | |
c97625
|
8 |
| Copyright (C) 2005-2013, The Roundcube Dev Team | |
7fe381
|
9 |
| | |
T |
10 |
| Licensed under the GNU General Public License version 3 or | |
|
11 |
| any later version with exceptions for skins & plugins. | |
|
12 |
| See the README file for a full license statement. | |
4e17e6
|
13 |
| | |
T |
14 |
| PURPOSE: | |
|
15 |
| Delivering a specific part of a mail message | |
|
16 |
| | |
|
17 |
+-----------------------------------------------------------------------+ |
|
18 |
| Author: Thomas Bruederli <roundcube@gmail.com> | |
|
19 |
+-----------------------------------------------------------------------+ |
|
20 |
*/ |
|
21 |
|
|
22 |
|
|
23 |
// show loading page |
8fa58e
|
24 |
if (!empty($_GET['_preload'])) { |
b1d13e
|
25 |
$_get = $_GET + array('_mimewarning' => 1, '_embed' => 1); |
TB |
26 |
unset($_get['_preload']); |
|
27 |
$url = $RCMAIL->url($_get); |
c97625
|
28 |
$message = $RCMAIL->gettext('loadingdata'); |
4e17e6
|
29 |
|
c97625
|
30 |
header('Content-Type: text/html; charset=' . RCUBE_CHARSET); |
AM |
31 |
print "<html>\n<head>\n" |
6b2b2e
|
32 |
. '<meta http-equiv="refresh" content="0; url='.rcube::Q($url).'">' . "\n" |
AM |
33 |
. '<meta http-equiv="content-type" content="text/html; charset='.RCUBE_CHARSET.'">' . "\n" |
3e8b11
|
34 |
. "</head>\n<body>\n$message\n</body>\n</html>"; |
c97625
|
35 |
exit; |
8fa58e
|
36 |
} |
4e17e6
|
37 |
|
d51c93
|
38 |
ob_end_clean(); |
4e17e6
|
39 |
|
T |
40 |
// similar code as in program/steps/mail/show.inc |
8fa58e
|
41 |
if (!empty($_GET['_uid'])) { |
c97625
|
42 |
$uid = rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GET); |
AM |
43 |
$RCMAIL->config->set('prefer_html', true); |
63e793
|
44 |
$MESSAGE = new rcube_message($uid, null, intval($_GET['_safe'])); |
8fa58e
|
45 |
} |
4bfe4e
|
46 |
|
AM |
47 |
// check connection status |
|
48 |
check_storage_status(); |
4e17e6
|
49 |
|
6b2b2e
|
50 |
$part_id = rcube_utils::get_input_value('_part', rcube_utils::INPUT_GPC); |
eaf383
|
51 |
|
4e17e6
|
52 |
// show part page |
8fa58e
|
53 |
if (!empty($_GET['_frame'])) { |
c97625
|
54 |
if ($part_id && ($part = $MESSAGE->mime_parts[$part_id])) { |
AM |
55 |
$filename = rcmail_attachment_name($part); |
|
56 |
$OUTPUT->set_pagetitle($filename); |
|
57 |
} |
b6da0b
|
58 |
|
c97625
|
59 |
// register UI objects |
AM |
60 |
$OUTPUT->add_handlers(array( |
|
61 |
'messagepartframe' => 'rcmail_message_part_frame', |
|
62 |
'messagepartcontrols' => 'rcmail_message_part_controls', |
|
63 |
)); |
eaf383
|
64 |
|
c97625
|
65 |
$OUTPUT->set_env('mailbox', $RCMAIL->storage->get_folder()); |
AM |
66 |
$OUTPUT->set_env('uid', $uid); |
|
67 |
$OUTPUT->set_env('part', $part_id); |
|
68 |
$OUTPUT->set_env('filename', $filename); |
049428
|
69 |
|
c97625
|
70 |
$OUTPUT->send('messagepart'); |
AM |
71 |
exit; |
8fa58e
|
72 |
} |
4e17e6
|
73 |
|
031491
|
74 |
// render thumbnail of an image attachment |
TB |
75 |
else if ($_GET['_thumb']) { |
c97625
|
76 |
$pid = rcube_utils::get_input_value('_part', rcube_utils::INPUT_GET); |
AM |
77 |
if ($part = $MESSAGE->mime_parts[$pid]) { |
|
78 |
$thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240); |
|
79 |
$temp_dir = $RCMAIL->config->get('temp_dir'); |
|
80 |
$mimetype = $part->mimetype; |
|
81 |
$file_ident = $MESSAGE->headers->messageID . ':' . $part->mime_id . ':' . $part->size . ':' . $part->mimetype; |
|
82 |
$cache_basename = $temp_dir . '/' . md5($file_ident . ':' . $RCMAIL->user->ID . ':' . $thumbnail_size); |
03aa84
|
83 |
$cache_file = $cache_basename . '.thumb'; |
031491
|
84 |
|
c97625
|
85 |
// render thumbnail image if not done yet |
AM |
86 |
if (!is_file($cache_file)) { |
03aa84
|
87 |
if ($fp = fopen(($orig_name = $cache_basename . '.tmp'), 'w')) { |
7ff227
|
88 |
$MESSAGE->get_part_body($part->mime_id, false, 0, $fp); |
c97625
|
89 |
fclose($fp); |
031491
|
90 |
|
c97625
|
91 |
$image = new rcube_image($orig_name); |
AM |
92 |
if ($imgtype = $image->resize($thumbnail_size, $cache_file, true)) { |
|
93 |
$mimetype = 'image/' . $imgtype; |
|
94 |
unlink($orig_name); |
|
95 |
} |
40d734
|
96 |
else if (stripos($mimetype, 'image/svg') === 0) { |
AM |
97 |
$content = rcmail_svg_filter(file_get_contents($orig_name)); |
|
98 |
file_put_contents($cache_file, $content); |
|
99 |
unlink($orig_name); |
|
100 |
} |
c97625
|
101 |
else { |
AM |
102 |
rename($orig_name, $cache_file); |
|
103 |
} |
|
104 |
} |
19cc5b
|
105 |
} |
AM |
106 |
|
c97625
|
107 |
if (is_file($cache_file)) { |
AM |
108 |
header('Content-Type: ' . $mimetype); |
|
109 |
readfile($cache_file); |
19cc5b
|
110 |
} |
8fa58e
|
111 |
} |
8d4bcd
|
112 |
|
4e17e6
|
113 |
exit; |
8fa58e
|
114 |
} |
c97625
|
115 |
else if (strlen($part_id)) { |
AM |
116 |
if ($part = $MESSAGE->mime_parts[$part_id]) { |
|
117 |
$mimetype = rcmail_fix_mimetype($part->mimetype); |
|
118 |
|
|
119 |
// allow post-processing of the message body |
|
120 |
$plugin = $RCMAIL->plugins->exec_hook('message_part_get', array( |
|
121 |
'uid' => $MESSAGE->uid, |
|
122 |
'id' => $part->mime_id, |
|
123 |
'mimetype' => $mimetype, |
|
124 |
'part' => $part, |
|
125 |
'download' => !empty($_GET['_download']) |
|
126 |
)); |
|
127 |
|
|
128 |
if ($plugin['abort']) { |
|
129 |
exit; |
|
130 |
} |
|
131 |
|
|
132 |
// overwrite modified vars from plugin |
|
133 |
$mimetype = $plugin['mimetype']; |
|
134 |
$extensions = rcube_mime::get_mime_extensions($mimetype); |
|
135 |
|
|
136 |
if ($plugin['body']) { |
48ba44
|
137 |
$body = $plugin['body']; |
c97625
|
138 |
} |
AM |
139 |
|
|
140 |
// compare file mimetype with the stated content-type headers and file extension to avoid malicious operations |
|
141 |
if (!empty($_REQUEST['_embed']) && empty($_REQUEST['_nocheck'])) { |
|
142 |
$file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION)); |
|
143 |
|
|
144 |
// 1. compare filename suffix with expected suffix derived from mimetype |
4a2a62
|
145 |
$valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']); |
c97625
|
146 |
|
AM |
147 |
// 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension |
|
148 |
if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) { |
48ba44
|
149 |
$tmp_body = $body ?: $MESSAGE->get_part_body($part->mime_id, false, 2048); |
c97625
|
150 |
|
AM |
151 |
// detect message part mimetype |
48ba44
|
152 |
$real_mimetype = rcube_mime::file_content_type($tmp_body, $part->filename, $mimetype, true, true); |
c97625
|
153 |
list($real_ctype_primary, $real_ctype_secondary) = explode('/', $real_mimetype); |
AM |
154 |
|
|
155 |
// accept text/plain with any extension |
|
156 |
if ($real_mimetype == 'text/plain' && $real_mimetype == $mimetype) { |
|
157 |
$valid_extension = true; |
|
158 |
} |
556d28
|
159 |
// ignore differences in text/* mimetypes. Filetype detection isn't very reliable here |
AM |
160 |
else if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) { |
|
161 |
$real_mimetype = $mimetype; |
|
162 |
$valid_extension = true; |
|
163 |
} |
|
164 |
// ignore filename extension if mimeclass matches (#1489029) |
|
165 |
else if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) { |
|
166 |
$valid_extension = true; |
|
167 |
} |
|
168 |
else { |
|
169 |
// get valid file extensions |
|
170 |
$extensions = rcube_mime::get_mime_extensions($real_mimetype); |
45256e
|
171 |
$valid_extension = !$file_extension || empty($extensions) || in_array($file_extension, (array)$extensions); |
556d28
|
172 |
} |
c97625
|
173 |
|
AM |
174 |
// fix mimetype for images wrongly declared as octet-stream |
|
175 |
if ($mimetype == 'application/octet-stream' && strpos($real_mimetype, 'image/') === 0 && $valid_extension) { |
|
176 |
$mimetype = $real_mimetype; |
|
177 |
} |
|
178 |
|
4a2a62
|
179 |
// "fix" real mimetype the same way the original is before comparison |
AM |
180 |
$real_mimetype = rcmail_fix_mimetype($real_mimetype); |
|
181 |
|
|
182 |
$valid = $real_mimetype == $mimetype && $valid_extension; |
c97625
|
183 |
} |
AM |
184 |
else { |
|
185 |
$real_mimetype = $mimetype; |
|
186 |
} |
|
187 |
|
|
188 |
// show warning if validity checks failed |
|
189 |
if (!$valid) { |
|
190 |
// send blocked.gif for expected images |
|
191 |
if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) { |
|
192 |
// Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed. |
c6efcf
|
193 |
$content = $RCMAIL->get_resource_content('blocked.gif'); |
c97625
|
194 |
$OUTPUT->nocacheing_headers(); |
AM |
195 |
header("Content-Type: image/gif"); |
|
196 |
header("Content-Transfer-Encoding: binary"); |
c6efcf
|
197 |
header("Content-Length: " . strlen($content)); |
AM |
198 |
echo $content; |
c97625
|
199 |
} |
AM |
200 |
else { // html warning with a button to load the file anyway |
|
201 |
$OUTPUT = new rcmail_html_page(); |
|
202 |
$OUTPUT->write(html::tag('html', null, html::tag('body', 'embed', |
|
203 |
html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'), |
|
204 |
$RCMAIL->gettext(array( |
|
205 |
'name' => 'attachmentvalidationerror', |
|
206 |
'vars' => array( |
|
207 |
'expected' => $mimetype . ($file_extension ? " (.$file_extension)" : ''), |
|
208 |
'detected' => $real_mimetype . ($extensions[0] ? " (.$extensions[0])" : ''), |
|
209 |
) |
|
210 |
)) |
|
211 |
. html::p(array('class' => 'rcmail-inline-buttons'), |
|
212 |
html::tag('button', array( |
|
213 |
'onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'" |
|
214 |
), |
|
215 |
$RCMAIL->gettext('showanyway')) |
|
216 |
) |
|
217 |
)))); |
|
218 |
} |
|
219 |
|
|
220 |
exit; |
|
221 |
} |
|
222 |
} |
|
223 |
|
|
224 |
|
|
225 |
// TIFF to JPEG conversion, if needed |
|
226 |
$tiff_support = !empty($_SESSION['browser_caps']) && !empty($_SESSION['browser_caps']['tif']); |
|
227 |
if (!empty($_REQUEST['_embed']) && !$tiff_support |
8968f9
|
228 |
&& rcube_image::is_convertable('image/tiff') |
c97625
|
229 |
&& rcmail_part_image_type($part) == 'image/tiff' |
AM |
230 |
) { |
|
231 |
$tiff2jpeg = true; |
|
232 |
$mimetype = 'image/jpeg'; |
|
233 |
} |
|
234 |
|
|
235 |
|
|
236 |
$browser = $RCMAIL->output->browser; |
|
237 |
list($ctype_primary, $ctype_secondary) = explode('/', $mimetype); |
|
238 |
|
|
239 |
if (!$plugin['download'] && $ctype_primary == 'text') { |
827159
|
240 |
header("Content-Type: text/$ctype_secondary; charset=" . ($part->charset ?: RCUBE_CHARSET)); |
c97625
|
241 |
} |
AM |
242 |
else { |
|
243 |
header("Content-Type: $mimetype"); |
|
244 |
header("Content-Transfer-Encoding: binary"); |
|
245 |
} |
|
246 |
|
|
247 |
// deliver part content |
|
248 |
if ($ctype_primary == 'text' && $ctype_secondary == 'html' && empty($plugin['download'])) { |
|
249 |
// Check if we have enough memory to handle the message in it |
|
250 |
// #1487424: we need up to 10x more memory than the body |
|
251 |
if (!rcube_utils::mem_check($part->size * 10)) { |
|
252 |
$out = '<body>' . $RCMAIL->gettext('messagetoobig'). ' ' |
|
253 |
. html::a('?_task=mail&_action=get&_download=1&_uid='.$MESSAGE->uid.'&_part='.$part->mime_id |
c83940
|
254 |
.'&_mbox='. urlencode($MESSAGE->folder), $RCMAIL->gettext('download')) . '</body></html>'; |
c97625
|
255 |
} |
AM |
256 |
else { |
|
257 |
// get part body if not available |
48ba44
|
258 |
if (!isset($body)) { |
AM |
259 |
$body = $MESSAGE->get_part_body($part->mime_id, true); |
c97625
|
260 |
} |
AM |
261 |
|
|
262 |
// show images? |
|
263 |
rcmail_check_safe($MESSAGE); |
|
264 |
|
|
265 |
// render HTML body |
48ba44
|
266 |
$out = rcmail_print_body($body, $part, array('safe' => $MESSAGE->is_safe, 'inline_html' => false)); |
c97625
|
267 |
|
AM |
268 |
// insert remote objects warning into HTML body |
|
269 |
if ($REMOTE_OBJECTS) { |
|
270 |
$body_start = 0; |
|
271 |
if ($body_pos = strpos($out, '<body')) { |
|
272 |
$body_start = strpos($out, '>', $body_pos) + 1; |
|
273 |
} |
|
274 |
|
|
275 |
$out = substr($out, 0, $body_start) |
|
276 |
. html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'), |
|
277 |
rcube::Q($RCMAIL->gettext('blockedimages')) . ' ' . |
|
278 |
html::tag('button', |
|
279 |
array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_safe' => 1))) . "'"), |
|
280 |
rcube::Q($RCMAIL->gettext('showimages'))) |
|
281 |
) |
|
282 |
. substr($out, $body_start); |
|
283 |
} |
|
284 |
} |
|
285 |
|
|
286 |
// check connection status |
48ba44
|
287 |
if ($part->size && empty($body)) { |
c97625
|
288 |
check_storage_status(); |
AM |
289 |
} |
|
290 |
|
|
291 |
$OUTPUT = new rcmail_html_page(); |
|
292 |
$OUTPUT->write($out); |
|
293 |
} |
|
294 |
else { |
|
295 |
// don't kill the connection if download takes more than 30 sec. |
|
296 |
@set_time_limit(0); |
|
297 |
|
|
298 |
$filename = rcmail_attachment_name($part); |
|
299 |
|
5515db
|
300 |
if ($browser->ie) |
c97625
|
301 |
$filename = rawurlencode($filename); |
AM |
302 |
else |
|
303 |
$filename = addcslashes($filename, '"'); |
|
304 |
|
|
305 |
$disposition = !empty($plugin['download']) ? 'attachment' : 'inline'; |
|
306 |
|
|
307 |
// Workaround for nasty IE bug (#1488844) |
|
308 |
// If Content-Disposition header contains string "attachment" e.g. in filename |
|
309 |
// IE handles data as attachment not inline |
|
310 |
if ($disposition == 'inline' && $browser->ie && $browser->ver < 9) { |
|
311 |
$filename = str_ireplace('attachment', 'attach', $filename); |
|
312 |
} |
|
313 |
|
|
314 |
// add filename extension if missing |
|
315 |
if (!pathinfo($filename, PATHINFO_EXTENSION) && ($extensions = rcube_mime::get_mime_extensions($mimetype))) { |
|
316 |
$filename .= '.' . $extensions[0]; |
|
317 |
} |
|
318 |
|
|
319 |
header("Content-Disposition: $disposition; filename=\"$filename\""); |
|
320 |
|
|
321 |
// handle tiff to jpeg conversion |
|
322 |
if (!empty($tiff2jpeg)) { |
|
323 |
$temp_dir = unslashify($RCMAIL->config->get('temp_dir')); |
|
324 |
$file_path = tempnam($temp_dir, 'rcmAttmnt'); |
|
325 |
|
|
326 |
// write content to temp file |
48ba44
|
327 |
if ($body) { |
AM |
328 |
$saved = file_put_contents($file_path, $body); |
c97625
|
329 |
} |
AM |
330 |
else if ($part->size) { |
|
331 |
$fd = fopen($file_path, 'w'); |
48ba44
|
332 |
$saved = $MESSAGE->get_part_body($part->mime_id, false, 0, $fd); |
c97625
|
333 |
fclose($fd); |
AM |
334 |
} |
|
335 |
|
|
336 |
// convert image to jpeg and send it to the browser |
40d734
|
337 |
if ($sent = $saved) { |
c97625
|
338 |
$image = new rcube_image($file_path); |
AM |
339 |
if ($image->convert(rcube_image::TYPE_JPG, $file_path)) { |
|
340 |
header("Content-Length: " . filesize($file_path)); |
|
341 |
readfile($file_path); |
|
342 |
} |
|
343 |
unlink($file_path); |
|
344 |
} |
|
345 |
} |
|
346 |
else { |
40d734
|
347 |
$sent = rcmail_message_part_output($body, $part, $mimetype, $plugin['download']); |
c97625
|
348 |
} |
AM |
349 |
|
|
350 |
// check connection status |
|
351 |
if ($part->size && !$sent) { |
|
352 |
check_storage_status(); |
|
353 |
} |
|
354 |
} |
|
355 |
|
|
356 |
exit; |
|
357 |
} |
|
358 |
} |
4e17e6
|
359 |
// print message |
8fa58e
|
360 |
else { |
c97625
|
361 |
// send correct headers for content type |
AM |
362 |
header("Content-Type: text/html"); |
4e17e6
|
363 |
|
c97625
|
364 |
$cont = "<html>\n<head><title></title>\n</head>\n<body>"; |
AM |
365 |
$cont .= rcmail_message_body(array()); |
|
366 |
$cont .= "\n</body>\n</html>"; |
4e17e6
|
367 |
|
c97625
|
368 |
$OUTPUT = new rcmail_html_page(); |
AM |
369 |
$OUTPUT->write($cont); |
4e17e6
|
370 |
|
c97625
|
371 |
exit; |
8fa58e
|
372 |
} |
4e17e6
|
373 |
|
T |
374 |
|
|
375 |
// if we arrive here, the requested part was not found |
|
376 |
header('HTTP/1.1 404 Not Found'); |
|
377 |
exit; |
|
378 |
|
eaf383
|
379 |
/** |
AM |
380 |
* Handles nicely storage connection errors |
|
381 |
*/ |
4bfe4e
|
382 |
function check_storage_status() |
AM |
383 |
{ |
|
384 |
$error = rcmail::get_instance()->storage->get_error_code(); |
|
385 |
|
|
386 |
// Check if we have a connection error |
|
387 |
if ($error == rcube_imap_generic::ERROR_BAD) { |
|
388 |
ob_end_clean(); |
|
389 |
|
|
390 |
// Get action is often executed simultanously. |
|
391 |
// Some servers have MAXPERIP or other limits. |
|
392 |
// To workaround this we'll wait for some time |
|
393 |
// and try again (once). |
|
394 |
// Note: Random sleep interval is used to minimize concurency |
|
395 |
// in getting message parts |
|
396 |
|
|
397 |
if (!isset($_GET['_redirected'])) { |
|
398 |
usleep(rand(10,30)*100000); // 1-3 sec. |
|
399 |
header('Location: ' . $_SERVER['REQUEST_URI'] . '&_redirected=1'); |
|
400 |
} |
|
401 |
else { |
6b2b2e
|
402 |
rcube::raise_error(array( |
4bfe4e
|
403 |
'code' => 500, 'type' => 'php', |
AM |
404 |
'file' => __FILE__, 'line' => __LINE__, |
|
405 |
'message' => 'Unable to get/display message part. IMAP connection error'), |
|
406 |
true, true); |
|
407 |
} |
|
408 |
|
|
409 |
// Don't kill session, just quit (#1486995) |
|
410 |
exit; |
|
411 |
} |
|
412 |
} |
049428
|
413 |
|
eaf383
|
414 |
/** |
AM |
415 |
* Attachment properties table |
|
416 |
*/ |
049428
|
417 |
function rcmail_message_part_controls($attrib) |
AM |
418 |
{ |
|
419 |
global $MESSAGE, $RCMAIL; |
|
420 |
|
6b2b2e
|
421 |
$part = asciiwords(rcube_utils::get_input_value('_part', rcube_utils::INPUT_GPC)); |
049428
|
422 |
if (!is_object($MESSAGE) || !is_array($MESSAGE->parts) |
AM |
423 |
|| !($_GET['_uid'] && $_GET['_part']) || !$MESSAGE->mime_parts[$part] |
|
424 |
) { |
|
425 |
return ''; |
|
426 |
} |
|
427 |
|
|
428 |
$part = $MESSAGE->mime_parts[$part]; |
|
429 |
$table = new html_table(array('cols' => 2)); |
|
430 |
|
6b2b2e
|
431 |
$table->add('title', rcube::Q($RCMAIL->gettext('namex')).':'); |
AM |
432 |
$table->add('header', rcube::Q(rcmail_attachment_name($part))); |
049428
|
433 |
|
6b2b2e
|
434 |
$table->add('title', rcube::Q($RCMAIL->gettext('type')).':'); |
AM |
435 |
$table->add('header', rcube::Q($part->mimetype)); |
049428
|
436 |
|
6b2b2e
|
437 |
$table->add('title', rcube::Q($RCMAIL->gettext('size')).':'); |
AM |
438 |
$table->add('header', rcube::Q($RCMAIL->message_part_size($part))); |
049428
|
439 |
|
AM |
440 |
return $table->show($attrib); |
|
441 |
} |
|
442 |
|
eaf383
|
443 |
/** |
AM |
444 |
* Attachment preview frame |
|
445 |
*/ |
049428
|
446 |
function rcmail_message_part_frame($attrib) |
AM |
447 |
{ |
|
448 |
global $MESSAGE, $RCMAIL; |
|
449 |
|
6b2b2e
|
450 |
$part = $MESSAGE->mime_parts[asciiwords(rcube_utils::get_input_value('_part', rcube_utils::INPUT_GPC))]; |
049428
|
451 |
$ctype_primary = strtolower($part->ctype_primary); |
AM |
452 |
|
|
453 |
$attrib['src'] = './?' . str_replace('_frame=', ($ctype_primary=='text' ? '_embed=' : '_preload='), $_SERVER['QUERY_STRING']); |
|
454 |
|
|
455 |
$RCMAIL->output->add_gui_object('messagepartframe', $attrib['id']); |
|
456 |
|
|
457 |
return html::iframe($attrib); |
|
458 |
} |
40d734
|
459 |
|
AM |
460 |
/** |
|
461 |
* Output attachment body with content filtering |
|
462 |
*/ |
|
463 |
function rcmail_message_part_output($body, $part, $mimetype, $download) |
|
464 |
{ |
|
465 |
global $MESSAGE, $RCMAIL; |
|
466 |
|
|
467 |
if (!$part->size && !$body) { |
|
468 |
return false; |
|
469 |
} |
|
470 |
|
|
471 |
$browser = $RCMAIL->output->browser; |
|
472 |
$secure = stripos($mimetype, 'image/') === false || $download; |
|
473 |
|
|
474 |
// Remove <script> in SVG images |
|
475 |
if (!$secure && stripos($mimetype, 'image/svg') === 0) { |
|
476 |
if (!$body) { |
|
477 |
$body = $MESSAGE->get_part_body($part->mime_id, false); |
|
478 |
if (empty($body)) { |
|
479 |
return false; |
|
480 |
} |
|
481 |
} |
|
482 |
|
|
483 |
echo rcmail_svg_filter($body); |
|
484 |
return true; |
|
485 |
} |
|
486 |
|
|
487 |
// Remove dangerous content in images for older IE (to be removed) |
|
488 |
if (!$secure && $browser->ie && $browser->ver <= 8) { |
|
489 |
if ($body) { |
|
490 |
echo preg_match('/<(script|iframe|object)/i', $body) ? '' : $body; |
|
491 |
return true; |
|
492 |
} |
|
493 |
else { |
|
494 |
$stdout = fopen('php://output', 'w'); |
|
495 |
stream_filter_register('rcube_content', 'rcube_content_filter') or die('Failed to register content filter'); |
|
496 |
stream_filter_append($stdout, 'rcube_content'); |
|
497 |
return $MESSAGE->get_part_body($part->mime_id, true, 0, $stdout); |
|
498 |
} |
|
499 |
} |
|
500 |
|
|
501 |
if ($body && !$download) { |
|
502 |
header("Content-Length: " . strlen($body)); |
|
503 |
echo $body; |
|
504 |
return true; |
|
505 |
} |
|
506 |
|
|
507 |
// Don't be tempted to set Content-Length to $part->d_parameters['size'] (#1490482) |
|
508 |
// RFC2183 says "The size parameter indicates an approximate size" |
|
509 |
|
|
510 |
return $MESSAGE->get_part_body($part->mime_id, false, 0, -1); |
|
511 |
} |
|
512 |
|
|
513 |
/** |
|
514 |
* Remove <script> in SVG images |
|
515 |
*/ |
|
516 |
function rcmail_svg_filter($body) |
|
517 |
{ |
a1fdb2
|
518 |
// clean SVG with washhtml |
AM |
519 |
$wash_opts = array( |
|
520 |
'show_washed' => false, |
|
521 |
'allow_remote' => false, |
|
522 |
'charset' => RCUBE_CHARSET, |
|
523 |
'html_elements' => array('title'), |
|
524 |
// 'blocked_src' => 'program/resources/blocked.gif', |
|
525 |
); |
40d734
|
526 |
|
a1fdb2
|
527 |
// initialize HTML washer |
AM |
528 |
$washer = new rcube_washtml($wash_opts); |
40d734
|
529 |
|
a1fdb2
|
530 |
// allow CSS styles, will be sanitized by rcmail_washtml_callback() |
AM |
531 |
$washer->add_callback('style', 'rcmail_washtml_callback'); |
|
532 |
|
|
533 |
return $washer->wash($body); |
40d734
|
534 |
} |