Fix security issue in contact photo handling (#1490379)
| | |
| | | - Fix duplicate entry on timezones list in rcube_config::timezone_name_from_abbr() (#1490293) |
| | | - Fix handling of %-encoded entities in mailto: URLs (#1490346) |
| | | - Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#1490372) |
| | | - Fix security issue in contact photo handling (#1490379) |
| | | |
| | | RELEASE 1.0.5 |
| | | ------------- |
| | |
| | | $RCMAIL->output->redirect($data); |
| | | } |
| | | |
| | | // deliver alt image |
| | | if (!$data && ($alt_img = rcube_utils::get_input_value('_alt', rcube_utils::INPUT_GPC)) && is_file($alt_img)) { |
| | | $data = file_get_contents($alt_img); |
| | | } |
| | | |
| | | // cache for one day if requested by email |
| | | if (!$cid && $email) { |
| | | $RCMAIL->output->future_expire_header(86400); |
| | |
| | | '_task' => 'addressbook', |
| | | '_action' => 'photo', |
| | | '_email' => $MESSAGE->sender['mailto'], |
| | | '_alt' => $placeholder, |
| | | )); |
| | | |
| | | $attrib['onerror'] = "this.src = '" . ($placeholder ? $placeholder : 'program/resources/blank.gif') . "'"; |
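Review bot: The `onerror` value on the last visible line (taken here to be on the new side, since the page has lost its `+`/`-` markers) concatenates `$placeholder` into a single-quoted JavaScript string without any JS quoting, so a path containing `'` or `\` would end the string inside the event handler. Where `$placeholder` is assigned is outside the visible lines; if it can come from skin or template attributes, quote it with the project's JS-quoting helper, assuming `rcube::JQ()` is available on this branch: `$attrib['onerror'] = "this.src = '" . rcube::JQ($placeholder ? $placeholder : 'program/resources/blank.gif') . "'";`. The handler also re-assigns `src` on every error, so a placeholder that itself fails to load would trigger `onerror` again; starting the handler with `this.onerror = null;` prevents that loop. The rest of the enclosing block is not shown, so confirm how the attribute is HTML-escaped when the `<img>` tag is emitted.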