| | |
| | | |
| | | // show loading page |
| | | if (!empty($_GET['_preload'])) { |
| | | $url = preg_replace('/([&?]+)_preload=/', '\\1_mimewarning=1&_embed=', $_SERVER['REQUEST_URI']); |
| | | $_get = $_GET + array('_mimewarning' => 1, '_embed' => 1); |
| | | unset($_get['_preload']); |
| | | $url = $RCMAIL->url($_get); |
| | | $message = $RCMAIL->gettext('loadingdata'); |
| | | |
| | | header('Content-Type: text/html; charset=' . RCUBE_CHARSET); |
| | |
| | | if ($part = $MESSAGE->mime_parts[$pid]) { |
| | | $thumbnail_size = $RCMAIL->config->get('image_thumbnail_size', 240); |
| | | $temp_dir = $RCMAIL->config->get('temp_dir'); |
| | | list(,$ext) = explode('/', $part->mimetype); |
| | | $mimetype = $part->mimetype; |
| | | $file_ident = $MESSAGE->headers->messageID . ':' . $part->mime_id . ':' . $part->size . ':' . $part->mimetype; |
| | | $cache_basename = $temp_dir . '/' . md5($file_ident . ':' . $RCMAIL->user->ID . ':' . $thumbnail_size); |
| | | $cache_file = $cache_basename . '.' . $ext; |
| | | $cache_file = $cache_basename . '.thumb'; |
| | | |
| | | // render thumbnail image if not done yet |
| | | if (!is_file($cache_file)) { |
| | | if ($fp = fopen(($orig_name = $cache_basename . '.orig.' . $ext), 'w')) { |
| | | $MESSAGE->get_part_content($part->mime_id, $fp); |
| | | if ($fp = fopen(($orig_name = $cache_basename . '.tmp'), 'w')) { |
| | | $MESSAGE->get_part_body($part->mime_id, false, 0, $fp); |
| | | fclose($fp); |
| | | |
| | | $image = new rcube_image($orig_name); |
| | |
| | | $file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION)); |
| | | |
| | | // 1. compare filename suffix with expected suffix derived from mimetype |
| | | $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']); |
| | | $valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']); |
| | | |
| | | // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension |
| | | if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) { |
| | |
| | | |
| | | // accept text/plain with any extension |
| | | if ($real_mimetype == 'text/plain' && $real_mimetype == $mimetype) { |
| | | $file_extension = 'txt'; |
| | | } |
| | | |
| | | // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here |
| | | if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) { |
| | | $real_mimetype = $mimetype; |
| | | } |
| | | |
| | | // get valid file extensions |
| | | $extensions = rcube_mime::get_mime_extensions($real_mimetype); |
| | | $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions)); |
| | | |
| | | // ignore filename extension if mimeclass matches (#1489029) |
| | | if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) { |
| | | $valid_extension = true; |
| | | } |
| | | // ignore differences in text/* mimetypes. Filetype detection isn't very reliable here |
| | | else if ($real_ctype_primary == 'text' && strpos($mimetype, $real_ctype_primary) === 0) { |
| | | $real_mimetype = $mimetype; |
| | | $valid_extension = true; |
| | | } |
| | | // ignore filename extension if mimeclass matches (#1489029) |
| | | else if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) { |
| | | $valid_extension = true; |
| | | } |
| | | else { |
| | | // get valid file extensions |
| | | $extensions = rcube_mime::get_mime_extensions($real_mimetype); |
| | | $valid_extension = !$file_extension || empty($extensions) || in_array($file_extension, (array)$extensions); |
| | | } |
| | | |
| | | // fix mimetype for images wrongly declared as octet-stream |
| | |
| | | $mimetype = $real_mimetype; |
| | | } |
| | | |
| | | $valid = ($real_mimetype == $mimetype && $valid_extension); |
| | | // "fix" real mimetype the same way the original is before comparison |
| | | $real_mimetype = rcmail_fix_mimetype($real_mimetype); |
| | | |
| | | $valid = $real_mimetype == $mimetype && $valid_extension; |
| | | } |
| | | else { |
| | | $real_mimetype = $mimetype; |
| | |
| | | // send blocked.gif for expected images |
| | | if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) { |
| | | // Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed. |
| | | $content = $RCMAIL->get_resource_content('blocked.gif'); |
| | | $OUTPUT->nocacheing_headers(); |
| | | header("Content-Type: image/gif"); |
| | | header("Content-Transfer-Encoding: binary"); |
| | | readfile(INSTALL_PATH . 'program/resources/blocked.gif'); |
| | | header("Content-Length: " . strlen($content)); |
| | | echo $content; |
| | | } |
| | | else { // html warning with a button to load the file anyway |
| | | $OUTPUT = new rcmail_html_page(); |
| | |
| | | $sent = true; |
| | | } |
| | | else if ($part->size) { |
| | | if ($size = (int)$part->d_parameters['size']) { |
| | | header("Content-Length: $size"); |
| | | } |
| | | // Don't be tempted to set Content-Length to $part->d_parameters['size'] (#1490482) |
| | | // RFC2183 says "The size parameter indicates an approximate size" |
| | | |
| | | $sent = $MESSAGE->get_part_body($part->mime_id, false, 0, -1); |
| | | } |