From 4a2a62de30eae35398dc1e6fcca99c469dd218e6 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 19 Feb 2015 07:43:43 -0500
Subject: [PATCH] Fix needless security warning on BMP attachments display (#1490282)

---
 CHANGELOG                   |    1 +
 program/steps/mail/func.inc |    9 ++++++++-
 program/steps/mail/get.inc  |    9 ++++++---
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index c53ab10..f70c0b6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -7,6 +7,7 @@
 - Fix saving/sending emoticon images when assets_dir is set
 - Fix PHP fatal error when visiting Vacation interface and there's no sieve script yet
 - Fix setting max packet size for DB caches and check packet size also in shared cache
+- Fix needless security warning on BMP attachments display (#1490282)
 
 RELEASE 1.1.0
 -------------
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index 48d9899..c45fd2f 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -1959,9 +1959,16 @@
 // Fixes some content-type names
 function rcmail_fix_mimetype($name)
 {
+    $map = array(
+        'image/x-ms-bmp' => 'image/bmp', // #1490282
+    );
+
+    if ($alias = $map[strtolower($name)]) {
+        $name = $alias;
+    }
     // Some versions of Outlook create garbage Content-Type:
     // application/pdf.A520491B_3BF7_494D_8855_7FAC2C6C0608
-    if (preg_match('/^application\/pdf.+/', $name)) {
+    else if (preg_match('/^application\/pdf.+/', $name)) {
         $name = 'application/pdf';
     }
     // treat image/pjpeg (image/pjpg, image/jpg) as image/jpeg (#1489097)
diff --git a/program/steps/mail/get.inc b/program/steps/mail/get.inc
index 256af52..02ec5a4 100644
--- a/program/steps/mail/get.inc
+++ b/program/steps/mail/get.inc
@@ -138,7 +138,7 @@
             $file_extension = strtolower(pathinfo($part->filename, PATHINFO_EXTENSION));
 
             // 1. compare filename suffix with expected suffix derived from mimetype
-            $valid = $file_extension && in_array($file_extension, (array)$extensions) || !empty($_REQUEST['_mimeclass']);
+            $valid = $file_extension && in_array($file_extension, (array)$extensions) || empty($extensions) || !empty($_REQUEST['_mimeclass']);
 
             // 2. detect the real mimetype of the attachment part and compare it with the stated mimetype and filename extension
             if ($valid || !$file_extension || $mimetype == 'application/octet-stream' || stripos($mimetype, 'text/') === 0) {
@@ -164,7 +164,7 @@
                 else {
                     // get valid file extensions
                     $extensions      = rcube_mime::get_mime_extensions($real_mimetype);
-                    $valid_extension = (!$file_extension || in_array($file_extension, (array)$extensions));
+                    $valid_extension = !$file_extension || in_array($file_extension, (array)$extensions);
                 }
 
                 // fix mimetype for images wrongly declared as octet-stream
@@ -172,7 +172,10 @@
                     $mimetype = $real_mimetype;
                 }
 
-                $valid = ($real_mimetype == $mimetype && $valid_extension);
+                // "fix" real mimetype the same way the original is before comparison
+                $real_mimetype = rcmail_fix_mimetype($real_mimetype);
+
+                $valid = $real_mimetype == $mimetype && $valid_extension;
             }
             else {
                 $real_mimetype = $mimetype;

--
Gitblit v1.9.1