From bde85428d69069637782d9507475df78890f08d0 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 10 May 2013 03:37:25 -0400
Subject: [PATCH] Fix handling of invalid email addresses in headers (#1489092)
---
program/steps/mail/func.inc | 24 ++++++++++++++++--------
1 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/program/steps/mail/func.inc b/program/steps/mail/func.inc
index f82e60a..0dae6de 100644
--- a/program/steps/mail/func.inc
+++ b/program/steps/mail/func.inc
@@ -772,10 +772,12 @@
if ($q > $quote_level) {
$body[$n] = $replacer->get_replacement($replacer->add(
str_repeat('<blockquote>', $q - $quote_level))) . $body[$n];
+ $last = $n;
}
else if ($q < $quote_level) {
$body[$n] = $replacer->get_replacement($replacer->add(
str_repeat('</blockquote>', $quote_level - $q))) . $body[$n];
+ $last = $n;
}
else if ($flowed) {
// previous line is flowed
@@ -888,7 +890,7 @@
* return table with message headers
*/
function rcmail_message_headers($attrib, $headers=null)
- {
+{
global $OUTPUT, $MESSAGE, $PRINT_MODE, $RCMAIL;
static $sa_attrib;
@@ -1079,9 +1081,9 @@
$out .= html::div('message-partheaders', rcmail_message_headers(sizeof($header_attrib) ? $header_attrib : null, $part->headers));
}
else if ($part->type == 'content') {
- // unsapported
+ // unsupported (e.g. encrypted)
if ($part->realtype) {
- if ($part->realtype == 'multipart/encrypted') {
+ if ($part->realtype == 'multipart/encrypted' || $part->realtype == 'application/pkcs7-mime') {
$out .= html::span('part-notice', rcube_label('encryptedmessage'));
}
continue;
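Review bot: The widened condition on the `$part->realtype == 'multipart/encrypted' || ...` line shows the `encryptedmessage` notice for every `application/pkcs7-mime` part, but that media type also carries S/MIME signed-only data, which is distinguished by the `smime-type` parameter. If `$part->realtype` does not include that parameter (not visible in this hunk), a signed but unencrypted message would be presented to the user as encrypted. Where the parameter is available it should be checked before choosing the label; otherwise the assumption should be recorded, e.g. `// application/pkcs7-mime may also be signed-data; the notice assumes enveloped-data`. The enclosing loop starts and ends outside the hunk.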
@@ -1187,7 +1189,7 @@
html::a($show_link + array('class' => 'image-link', 'style' => sprintf('width:%dpx', $thumbnail_size)),
html::img(array(
'class' => 'image-thumbnail',
- 'src' => $MESSAGE->get_part_url($attach_prop->mime_id, true) . '&_thumb=1',
+ 'src' => $MESSAGE->get_part_url($attach_prop->mime_id, 'image') . '&_thumb=1',
'title' => $attach_prop->filename,
'alt' => $attach_prop->filename,
'style' => sprintf('max-width:%dpx; max-height:%dpx', $thumbnail_size, $thumbnail_size),
@@ -1207,7 +1209,7 @@
html::tag('legend', 'image-filename', Q($attach_prop->filename)) .
html::p(array('align' => "center"),
html::img(array(
- 'src' => $MESSAGE->get_part_url($attach_prop->mime_id, true),
+ 'src' => $MESSAGE->get_part_url($attach_prop->mime_id, 'image'),
'title' => $attach_prop->filename,
'alt' => $attach_prop->filename,
)))
@@ -1439,6 +1441,12 @@
$name = $part['name'];
$mailto = $part['mailto'];
$string = $part['string'];
+ $valid = check_email($mailto, false);
+
+ // phishing email prevention (#1488981), e.g. "valid@email.addr <phishing@email.addr>"
+ if ($name && $valid && $name != $mailto && strpos($name, '@')) {
+ $name = '';
+ }
// IDNA ASCII to Unicode
if ($name == $mailto)
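Review bot: `strpos($name, '@')` in the added phishing check returns 0 when the display name begins with '@', and 0 is falsy, so such a name is not cleared; the test should be explicit, `strpos($name, '@') !== false`. The check is also gated on `$valid`, so a display name that looks like an address is kept whenever the mailto itself fails `check_email()`. Whether that is intended cannot be told from the hunk and deserves a one-line comment. `$name != $mailto` is a loose, case-sensitive comparison, so a name that differs from the address only in letter case is cleared too, which looks harmless but is worth stating. The enclosing loop starts and ends outside the hunk.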
@@ -1452,7 +1460,7 @@
// for printing we display all addresses
continue;
}
- else if (check_email($part['mailto'], false)) {
+ else if ($valid) {
if ($linked) {
$address = html::a(array(
'href' => 'mailto:'.$mailto,
@@ -1485,7 +1493,7 @@
if ($name)
$address .= Q($name);
if ($mailto)
- $address .= (strlen($address) ? ' ' : '') . sprintf('<%s>', Q($mailto));
+ $address = trim($address . ' ' . Q($name ? sprintf('<%s>', $mailto) : $mailto));
}
$address = html::span('adr', $address);
@@ -1850,7 +1858,7 @@
$filename = rcube_label('htmlmessage');
}
else {
- $ext = rcube_mime::get_mime_extensions($attachment->mimetype);
+ $ext = (array) rcube_mime::get_mime_extensions($attachment->mimetype);
$ext = array_shift($ext);
$filename = rcube_label('messagepart') . ' ' . $attachment->mime_id;
if ($ext) {
--
Gitblit v1.9.1