| | |
| | | |
| | | // show loading page |
| | | if (!empty($_GET['_preload'])) { |
| | | $url = preg_replace('/([&?]+)_preload=/', '\\1_embed=', $_SERVER['REQUEST_URI']); |
| | | $url = preg_replace('/([&?]+)_preload=/', '\\1_mimewarning=1&_embed=', $_SERVER['REQUEST_URI']); |
| | | $message = rcube_label('loadingdata'); |
| | | |
| | | header('Content-Type: text/html; charset=' . RCMAIL_CHARSET); |
| | |
| | | $file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION)); |
| | | |
| | | // 1. compare filename suffix with expected suffix derived from mimetype |
| | | $valid = $file_extension && in_array($file_extension, (array)$extensions); |
| | | $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']); |
| | | |
| | | // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension |
| | | if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || $mimetype == 'text/plain') { |
| | |
| | | $extensions = rcube_mime::get_mime_extensions($real_mimetype); |
| | | $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions)); |
| | | |
| | | // ignore filename extension if mimeclass matches (#1489029) |
| | | if (!empty($_REQUEST['_mimeclass']) && $real_ctype_primary == $_REQUEST['_mimeclass']) |
| | | $valid_extension = true; |
| | | |
| | | // fix mimetype for images wrongly declared as octet-stream |
| | | if ($mimetype == 'application/octet-stream' && strpos($real_mimetype, 'image/') === 0 && $valid_extension) |
| | | $mimetype = $real_mimetype; |
| | |
| | | |
| | | // show warning if validity checks failed |
| | | if (!$valid) { |
| | | $OUTPUT = new rcmail_html_page(); |
| | | $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed', |
| | | html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'), |
| | | rcube_label(array( |
| | | 'name' => 'attachmentvalidationerror', |
| | | 'vars' => array( |
| | | 'expected' => $mimetype . ($file_extension ? "(.$file_extension)" : ''), |
| | | 'detected' => $real_mimetype . ($extensions[0] ? "(.$extensions[0])" : ''), |
| | | // send blocked.gif for expected images |
| | | if (empty($_REQUEST['_mimewarning']) && strpos($mimetype, 'image/') === 0) { |
| | | // Do not cache. Failure might be the result of a misconfiguration, thus real content should be returned once fixed. |
| | | $OUTPUT->nocacheing_headers(); |
| | | header("Content-Type: image/gif"); |
| | | header("Content-Transfer-Encoding: binary"); |
| | | readfile(INSTALL_PATH . 'program/resources/blocked.gif'); |
| | | } |
| | | else { // html warning with a button to load the file anyway |
| | | $OUTPUT = new rcmail_html_page(); |
| | | $OUTPUT->write(html::tag('html', null, html::tag('body', 'embed', |
| | | html::div(array('class' => 'rcmail-inline-message rcmail-inline-warning'), |
| | | rcube_label(array( |
| | | 'name' => 'attachmentvalidationerror', |
| | | 'vars' => array( |
| | | 'expected' => $mimetype . ($file_extension ? "(.$file_extension)" : ''), |
| | | 'detected' => $real_mimetype . ($extensions[0] ? "(.$extensions[0])" : ''), |
| | | ) |
| | | )) . |
| | | html::p(array('class' => 'rcmail-inline-buttons'), |
| | | html::tag('button', |
| | | array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"), |
| | | rcube_label('showanyway'))) |
| | | ) |
| | | )) . |
| | | html::p(array('class' => 'rcmail-inline-buttons'), |
| | | html::tag('button', |
| | | array('onclick' => "location.href='" . $RCMAIL->url(array_merge($_GET, array('_nocheck' => 1))) . "'"), |
| | | rcube_label('showanyway'))) |
| | | ) |
| | | ))); |
| | | ))); |
| | | } |
| | | exit; |
| | | } |
| | | } |