githubFork/roundcubemail.git

parent: 89dc8499 | patch | commit | show whitespace

alecpl

2011-12-21 96c946ee6ced0a9a68ef251528a3f900d5a01396

- Applied fixes from trunk up to r5633

1 files added

5 files modified

	CHANGELOG	1 ●●●●● patch \| view \| raw \| blame \| history
	program/include/rcube_content_filter.php	55 ●●●●● patch \| view \| raw \| blame \| history
	program/js/app.js	2 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/mail/autocomplete.inc	4 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/mail/get.inc	38 ●●●●● patch \| view \| raw \| blame \| history
	program/steps/settings/folders.inc	2 ●●●●● patch \| view \| raw \| blame \| history

 CHANGELOG

@@ -1,6 +1,7 @@
CHANGELOG Roundcube Webmail
===========================

- Fix crash with eAccelerator (#1488256)
- Fix expanding folders during drag&drop (#1488260)
- Fix wrong postgres sequence name in upgrade from 0.6
- Fix broken CREATE INDEX queries in SQLite DDL files (#1488255)

 program/include/rcube_content_filter.php

New file
@@ -0,0 +1,55 @@
<?php

/*
 +-----------------------------------------------------------------------+
 | program/include/rcube_content_filter.php                              |
 |                                                                       |
 | This file is part of the Roundcube Webmail client                     |
 | Copyright (C) 2011, The Roundcube Dev Team                            |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
 |   PHP stream filter to detect evil content in mail attachments        |
 |                                                                       |
 +-----------------------------------------------------------------------+
 | Author: Thomas Bruederli <roundcube@gmail.com>                        |
 +-----------------------------------------------------------------------+

 $Id$
*/

/**
 * PHP stream filter to detect html/javascript code in attachments
 */
class rcube_content_filter extends php_user_filter
{
  private $buffer = '';
  private $cutoff = 2048;

  function onCreate()
  {
    $this->cutoff = rand(2048, 3027);
    return true;
  }

  function filter($in, $out, &$consumed, $closing)
  {
    while ($bucket = stream_bucket_make_writeable($in)) {
      $this->buffer .= $bucket->data;

      // check for evil content and abort
      if (preg_match('/<(script|iframe|object)/i', $this->buffer))
        return PSFS_ERR_FATAL;

      // keep buffer small enough
      if (strlen($this->buffer) > 4096)
        $this->buffer = substr($this->buffer, $this->cutoff);

      $consumed += $bucket->datalen;
      stream_bucket_append($out, $bucket);
    }

    return PSFS_PASS_ON;
  }
}


 program/js/app.js

@@ -3082,7 +3082,7 @@
      if (!vis)
        this.stop_spellchecking();

      $(this.env.spellcheck.spell_container).css('visibility', vis ? 'visible' : 'hidden');
      $(this.env.spellcheck.spell_container)[vis ? 'show' : 'hide']();
    }
  };


 program/steps/mail/autocomplete.inc

@@ -28,8 +28,10 @@
    $abook->set_pagesize(1000);  // TODO: limit number of group members by config
    $result = $abook->list_records(array('email','name'));
    while ($result && ($sql_arr = $result->iterate())) {
      foreach ((array)$sql_arr['email'] as $email)
      foreach ((array)$sql_arr['email'] as $email) {
        $members[] = format_email_recipient($email, $sql_arr['name']);
        break;  // only expand one email per contact
      }
    }

    $separator = trim($RCMAIL->config->get('recipients_separator', ',')) . ' ';

 program/steps/mail/get.inc

@@ -5,7 +5,7 @@
 | program/steps/mail/get.inc                                            |
 |                                                                       |
 | This file is part of the Roundcube Webmail client                     |
 | Copyright (C) 2005-2009, The Roundcube Dev Team                       |
 | Copyright (C) 2005-2011, The Roundcube Dev Team                       |
 | Licensed under the GNU GPL                                            |
 |                                                                       |
 | PURPOSE:                                                              |
@@ -178,40 +178,4 @@
header('HTTP/1.1 404 Not Found');
exit;



/**
 * PHP stream filter to detect html/javascript code in attachments
 */
class rcube_content_filter extends php_user_filter
{
  private $buffer = '';
  private $cutoff = 2048;

  function onCreate()
  {
    $this->cutoff = rand(2048, 3027);
    return true;
  }

  function filter($in, $out, &$consumed, $closing)
  {
    while ($bucket = stream_bucket_make_writeable($in)) {
      $this->buffer .= $bucket->data;

      // check for evil content and abort
      if (preg_match('/<(script|iframe|object)/i', $this->buffer))
        return PSFS_ERR_FATAL;

      // keep buffer small enough
      if (strlen($this->buffer) > 4096)
        $this->buffer = substr($this->buffer, $this->cutoff);

      $consumed += $bucket->datalen;
      stream_bucket_append($out, $bucket);
    }

    return PSFS_PASS_ON;
  }
}


 program/steps/settings/folders.inc

@@ -293,6 +293,7 @@
        if (!$disabled && $folder['virtual'] && $folder['level'] == 0 && !empty($namespace)) {
            $fname = $folder['id'] . $delimiter;
            foreach ($namespace as $ns) {
                if (is_array($ns)) {
                foreach ($ns as $item) {
                    if ($item[0] === $fname) {
                        $disabled = true;
@@ -301,6 +302,7 @@
                }
            }
        }
        }
        // check if the folder is an other users virtual-root folder, then disable subscription option on it
        if (!$disabled && $folder['virtual'] && $folder['level'] == 1
            && !empty($namespace) && !empty($namespace['other'])

			@@ -1,6 +1,7 @@
			CHANGELOG Roundcube Webmail
			===========================

			- Fix crash with eAccelerator (#1488256)
			- Fix expanding folders during drag&drop (#1488260)
			- Fix wrong postgres sequence name in upgrade from 0.6
			- Fix broken CREATE INDEX queries in SQLite DDL files (#1488255)

New file
			@@ -0,0 +1,55 @@
			<?php

			/*
			+-----------------------------------------------------------------------+
			\| program/include/rcube_content_filter.php \|
			\| \|
			\| This file is part of the Roundcube Webmail client \|
			\| Copyright (C) 2011, The Roundcube Dev Team \|
			\| Licensed under the GNU GPL \|
			\| \|
			\| PURPOSE: \|
			\| PHP stream filter to detect evil content in mail attachments \|
			\| \|
			+-----------------------------------------------------------------------+
			\| Author: Thomas Bruederli <roundcube@gmail.com> \|
			+-----------------------------------------------------------------------+

			$Id$
			*/

			/**
			* PHP stream filter to detect html/javascript code in attachments
			*/
			class rcube_content_filter extends php_user_filter
			{
			private $buffer = '';
			private $cutoff = 2048;

			function onCreate()
			{
			$this->cutoff = rand(2048, 3027);
			return true;
			}

			function filter($in, $out, &$consumed, $closing)
			{
			while ($bucket = stream_bucket_make_writeable($in)) {
			$this->buffer .= $bucket->data;

			// check for evil content and abort
			if (preg_match('/<(script\|iframe\|object)/i', $this->buffer))
			return PSFS_ERR_FATAL;

			// keep buffer small enough
			if (strlen($this->buffer) > 4096)
			$this->buffer = substr($this->buffer, $this->cutoff);

			$consumed += $bucket->datalen;
			stream_bucket_append($out, $bucket);
			}

			return PSFS_PASS_ON;
			}
			}

			@@ -3082,7 +3082,7 @@
			if (!vis)
			this.stop_spellchecking();

			$(this.env.spellcheck.spell_container).css('visibility', vis ? 'visible' : 'hidden');
			$(this.env.spellcheck.spell_container)[vis ? 'show' : 'hide']();
			}
			};

			@@ -28,8 +28,10 @@
			$abook->set_pagesize(1000); // TODO: limit number of group members by config
			$result = $abook->list_records(array('email','name'));
			while ($result && ($sql_arr = $result->iterate())) {
			foreach ((array)$sql_arr['email'] as $email)
			foreach ((array)$sql_arr['email'] as $email) {
			$members[] = format_email_recipient($email, $sql_arr['name']);
			break; // only expand one email per contact
			}
			}

			$separator = trim($RCMAIL->config->get('recipients_separator', ',')) . ' ';

			@@ -5,7 +5,7 @@
			\| program/steps/mail/get.inc \|
			\| \|
			\| This file is part of the Roundcube Webmail client \|
			\| Copyright (C) 2005-2009, The Roundcube Dev Team \|
			\| Copyright (C) 2005-2011, The Roundcube Dev Team \|
			\| Licensed under the GNU GPL \|
			\| \|
			\| PURPOSE: \|
			@@ -178,40 +178,4 @@
			header('HTTP/1.1 404 Not Found');
			exit;



			/**
			* PHP stream filter to detect html/javascript code in attachments
			*/
			class rcube_content_filter extends php_user_filter
			{
			private $buffer = '';
			private $cutoff = 2048;

			function onCreate()
			{
			$this->cutoff = rand(2048, 3027);
			return true;
			}

			function filter($in, $out, &$consumed, $closing)
			{
			while ($bucket = stream_bucket_make_writeable($in)) {
			$this->buffer .= $bucket->data;

			// check for evil content and abort
			if (preg_match('/<(script\|iframe\|object)/i', $this->buffer))
			return PSFS_ERR_FATAL;

			// keep buffer small enough
			if (strlen($this->buffer) > 4096)
			$this->buffer = substr($this->buffer, $this->cutoff);

			$consumed += $bucket->datalen;
			stream_bucket_append($out, $bucket);
			}

			return PSFS_PASS_ON;
			}
			}

			@@ -293,6 +293,7 @@
			if (!$disabled && $folder['virtual'] && $folder['level'] == 0 && !empty($namespace)) {
			$fname = $folder['id'] . $delimiter;
			foreach ($namespace as $ns) {
			if (is_array($ns)) {
			foreach ($ns as $item) {
			if ($item[0] === $fname) {
			$disabled = true;
			@@ -301,6 +302,7 @@
			}
			}
			}
			}
			// check if the folder is an other users virtual-root folder, then disable subscription option on it
			if (!$disabled && $folder['virtual'] && $folder['level'] == 1
			&& !empty($namespace) && !empty($namespace['other'])