From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
plugins/zipdownload/zipdownload.php | 493 +++++++++++++++++++++++++++++++-----------------------
1 files changed, 282 insertions(+), 211 deletions(-)
diff --git a/plugins/zipdownload/zipdownload.php b/plugins/zipdownload/zipdownload.php
index 96c76ee..241de54 100644
--- a/plugins/zipdownload/zipdownload.php
+++ b/plugins/zipdownload/zipdownload.php
@@ -4,269 +4,340 @@
* ZipDownload
*
* Plugin to allow the download of all message attachments in one zip file
+ * and downloading of many messages in one go.
*
- * @version @package_version@
+ * @version 3.0
* @requires php_zip extension (including ZipArchive class)
* @author Philip Weir
* @author Thomas Bruderli
+ * @author Aleksander Machniak
*/
class zipdownload extends rcube_plugin
{
- public $task = 'mail';
- private $charset = 'ASCII';
+ public $task = 'mail';
+ private $charset = 'ASCII';
- /**
- * Plugin initialization
- */
- public function init()
- {
- // check requirements first
- if (!class_exists('ZipArchive', false)) {
- rcmail::raise_error(array(
- 'code' => 520, 'type' => 'php',
- 'file' => __FILE__, 'line' => __LINE__,
- 'message' => "php_zip extension is required for the zipdownload plugin"), true, false);
- return;
- }
+ /**
+ * Plugin initialization
+ */
+ public function init()
+ {
+ // check requirements first
+ if (!class_exists('ZipArchive', false)) {
+ rcmail::raise_error(array(
+ 'code' => 520,
+ 'file' => __FILE__,
+ 'line' => __LINE__,
+ 'message' => "php_zip extension is required for the zipdownload plugin"), true, false);
+ return;
+ }
- $rcmail = rcmail::get_instance();
- $this->charset = $rcmail->config->get('zipdownload_charset', RCUBE_CHARSET);
+ $rcmail = rcmail::get_instance();
- $this->load_config();
- $this->add_texts('localization');
+ $this->load_config();
+ $this->charset = $rcmail->config->get('zipdownload_charset', RCUBE_CHARSET);
+ $this->add_texts('localization');
- if ($rcmail->config->get('zipdownload_attachments', 1) > -1 && ($rcmail->action == 'show' || $rcmail->action == 'preview'))
- $this->add_hook('template_object_messageattachments', array($this, 'attachment_ziplink'));
+ if ($rcmail->config->get('zipdownload_attachments', 1) > -1 && ($rcmail->action == 'show' || $rcmail->action == 'preview')) {
+ $this->add_hook('template_object_messageattachments', array($this, 'attachment_ziplink'));
+ }
- $this->register_action('plugin.zipdownload.zip_attachments', array($this, 'download_attachments'));
- $this->register_action('plugin.zipdownload.zip_messages', array($this, 'download_selection'));
- $this->register_action('plugin.zipdownload.zip_folder', array($this, 'download_folder'));
+ $this->register_action('plugin.zipdownload.attachments', array($this, 'download_attachments'));
+ $this->register_action('plugin.zipdownload.messages', array($this, 'download_messages'));
- if ($rcmail->config->get('zipdownload_folder', false) || $rcmail->config->get('zipdownload_selection', false)) {
- $this->include_script('zipdownload.js');
- $this->api->output->set_env('zipdownload_selection', $rcmail->config->get('zipdownload_selection', false));
+ if (!$rcmail->action && $rcmail->config->get('zipdownload_selection')) {
+ $this->download_menu();
+ }
+ }
- if ($rcmail->config->get('zipdownload_folder', false) && ($rcmail->action == '' || $rcmail->action == 'show')) {
- $zipdownload = $this->api->output->button(array('command' => 'plugin.zipdownload.zip_folder', 'type' => 'link', 'classact' => 'active', 'content' => $this->gettext('downloadfolder')));
- $this->api->add_content(html::tag('li', array('class' => 'separator_above'), $zipdownload), 'mailboxoptions');
- }
- }
- }
+ /**
+ * Place a link/button after attachments listing to trigger download
+ */
+ public function attachment_ziplink($p)
+ {
+ $rcmail = rcmail::get_instance();
- /**
- * Place a link/button after attachments listing to trigger download
- */
- public function attachment_ziplink($p)
- {
- $rcmail = rcmail::get_instance();
+ // only show the link if there is more than the configured number of attachments
+ if (substr_count($p['content'], '<li') > $rcmail->config->get('zipdownload_attachments', 1)) {
+ $href = $rcmail->url(array(
+ '_action' => 'plugin.zipdownload.attachments',
+ '_mbox' => $rcmail->output->env['mailbox'],
+ '_uid' => $rcmail->output->env['uid'],
+ ), false, false, true);
- // only show the link if there is more than the configured number of attachments
- if (substr_count($p['content'], '<li') > $rcmail->config->get('zipdownload_attachments', 1)) {
- $href = $rcmail->url(array(
- '_action' => 'plugin.zipdownload.zip_attachments',
- '_mbox' => $rcmail->output->env['mailbox'],
- '_uid' => $rcmail->output->env['uid'],
- ));
+ $link = html::a(array('href' => $href, 'class' => 'button zipdownload'),
+ rcube::Q($this->gettext('downloadall'))
+ );
- $link = html::a(array('href' => $href, 'class' => 'button zipdownload'),
- rcube::Q($this->gettext('downloadall'))
- );
+ // append link to attachments list, slightly different in some skins
+ switch (rcmail::get_instance()->config->get('skin')) {
+ case 'classic':
+ $p['content'] = str_replace('</ul>', html::tag('li', array('class' => 'zipdownload'), $link) . '</ul>', $p['content']);
+ break;
- // append link to attachments list, slightly different in some skins
- switch (rcmail::get_instance()->config->get('skin')) {
- case 'classic':
- $p['content'] = str_replace('</ul>', html::tag('li', array('class' => 'zipdownload'), $link) . '</ul>', $p['content']);
- break;
+ default:
+ $p['content'] .= $link;
+ break;
+ }
- default:
- $p['content'] .= $link;
- break;
- }
+ $this->include_stylesheet($this->local_skin_path() . '/zipdownload.css');
+ }
- $this->include_stylesheet($this->local_skin_path() . '/zipdownload.css');
- }
+ return $p;
+ }
- return $p;
- }
+ /**
+ * Adds download options menu to the page
+ */
+ public function download_menu()
+ {
+ $this->include_script('zipdownload.js');
+ $this->add_label('download');
- /**
- * Handler for attachment download action
- */
- public function download_attachments()
- {
- $rcmail = rcmail::get_instance();
- $imap = $rcmail->storage;
- $temp_dir = $rcmail->config->get('temp_dir');
- $tmpfname = tempnam($temp_dir, 'zipdownload');
- $tempfiles = array($tmpfname);
- $message = new rcube_message(rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GET));
+ $rcmail = rcmail::get_instance();
+ $menu = array();
+ $ul_attr = array('role' => 'menu', 'aria-labelledby' => 'aria-label-zipdownloadmenu');
+ if ($rcmail->config->get('skin') != 'classic') {
+ $ul_attr['class'] = 'toolbarmenu';
+ }
- // open zip file
- $zip = new ZipArchive();
- $zip->open($tmpfname, ZIPARCHIVE::OVERWRITE);
+ foreach (array('eml', 'mbox', 'maildir') as $type) {
+ $menu[] = html::tag('li', null, $rcmail->output->button(array(
+ 'command' => "download-$type",
+ 'label' => "zipdownload.download$type",
+ 'classact' => 'active',
+ )));
+ }
- foreach ($message->attachments as $part) {
- $pid = $part->mime_id;
- $part = $message->mime_parts[$pid];
- $disp_name = $this->_convert_filename($part->filename, $part->charset);
+ $rcmail->output->add_footer(html::div(array('id' => 'zipdownload-menu', 'class' => 'popupmenu', 'aria-hidden' => 'true'),
+ html::tag('h2', array('class' => 'voice', 'id' => 'aria-label-zipdownloadmenu'), "Message Download Options Menu") .
+ html::tag('ul', $ul_attr, implode('', $menu))));
+ }
- if ($part->body) {
- $orig_message_raw = $part->body;
- $zip->addFromString($disp_name, $orig_message_raw);
- }
- else {
- $tmpfn = tempnam($temp_dir, 'zipattach');
- $tmpfp = fopen($tmpfn, 'w');
- $imap->get_message_part($message->uid, $part->mime_id, $part, null, $tmpfp, true);
- $tempfiles[] = $tmpfn;
- fclose($tmpfp);
- $zip->addFile($tmpfn, $disp_name);
- }
+ /**
+ * Handler for attachment download action
+ */
+ public function download_attachments()
+ {
+ $rcmail = rcmail::get_instance();
- }
+ // require CSRF protected request
+ $rcmail->request_security_check(rcube_utils::INPUT_GET);
- $zip->close();
+ $imap = $rcmail->get_storage();
+ $temp_dir = $rcmail->config->get('temp_dir');
+ $tmpfname = tempnam($temp_dir, 'zipdownload');
+ $tempfiles = array($tmpfname);
+ $message = new rcube_message(rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GET));
- $filename = ($message->subject ? $message->subject : 'roundcube') . '.zip';
- $this->_deliver_zipfile($tmpfname, $filename);
+ // open zip file
+ $zip = new ZipArchive();
+ $zip->open($tmpfname, ZIPARCHIVE::OVERWRITE);
- // delete temporary files from disk
- foreach ($tempfiles as $tmpfn)
- unlink($tmpfn);
+ foreach ($message->attachments as $part) {
+ $pid = $part->mime_id;
+ $part = $message->mime_parts[$pid];
+ $filename = $part->filename;
- exit;
- }
+ if ($filename === null || $filename === '') {
+ $ext = (array) rcube_mime::get_mime_extensions($part->mimetype);
+ $ext = array_shift($ext);
+ $filename = $rcmail->gettext('messagepart') . ' ' . $pid;
+ if ($ext) {
+ $filename .= '.' . $ext;
+ }
+ }
- /**
- * Handler for message download action
- */
- public function download_selection()
- {
- if (isset($_REQUEST['_uid'])) {
- $uids = explode(",", rcube_utils::get_input_value('_uid', rcube_utils::INPUT_GPC));
+ $disp_name = $this->_convert_filename($filename);
+ $tmpfn = tempnam($temp_dir, 'zipattach');
+ $tmpfp = fopen($tmpfn, 'w');
+ $tempfiles[] = $tmpfn;
- if (sizeof($uids) > 0)
- $this->_download_messages($uids);
- }
- }
+ $message->get_part_body($part->mime_id, false, 0, $tmpfp);
+ $zip->addFile($tmpfn, $disp_name);
+ fclose($tmpfp);
+ }
- /**
- * Handler for folder download action
- */
- public function download_folder()
- {
- $imap = rcmail::get_instance()->storage;
- $mbox_name = $imap->get_folder();
+ $zip->close();
- // initialize searching result if search_filter is used
- if ($_SESSION['search_filter'] && $_SESSION['search_filter'] != 'ALL') {
- $imap->search($mbox_name, $_SESSION['search_filter'], RCUBE_CHARSET);
- }
+ $filename = ($message->subject ?: 'roundcube') . '.zip';
+ $this->_deliver_zipfile($tmpfname, $filename);
- // fetch message headers for all pages
- $uids = array();
- if ($count = $imap->count($mbox_name, $imap->get_threading() ? 'THREADS' : 'ALL', FALSE)) {
- for ($i = 0; ($i * $imap->get_pagesize()) <= $count; $i++) {
- $a_headers = $imap->list_messages($mbox_name, ($i + 1));
+ // delete temporary files from disk
+ foreach ($tempfiles as $tmpfn) {
+ unlink($tmpfn);
+ }
- foreach ($a_headers as $n => $header) {
- if (empty($header))
- continue;
+ exit;
+ }
- array_push($uids, $header->uid);
- }
- }
- }
+ /**
+ * Handler for message download action
+ */
+ public function download_messages()
+ {
+ $rcmail = rcmail::get_instance();
- if (sizeof($uids) > 0)
- $this->_download_messages($uids);
- }
+ if ($rcmail->config->get('zipdownload_selection') && !empty($_POST['_uid'])) {
+ $messageset = rcmail::get_uids();
+ if (sizeof($messageset)) {
+ $this->_download_messages($messageset);
+ }
+ }
+ }
- /**
- * Helper method to packs all the given messages into a zip archive
- *
- * @param array List of message UIDs to download
- */
- private function _download_messages($uids)
- {
- $rcmail = rcmail::get_instance();
- $imap = $rcmail->storage;
- $temp_dir = $rcmail->config->get('temp_dir');
- $tmpfname = tempnam($temp_dir, 'zipdownload');
- $tempfiles = array($tmpfname);
+ /**
+ * Helper method to packs all the given messages into a zip archive
+ *
+ * @param array List of message UIDs to download
+ */
+ private function _download_messages($messageset)
+ {
+ $rcmail = rcmail::get_instance();
+ $imap = $rcmail->get_storage();
+ $mode = rcube_utils::get_input_value('_mode', rcube_utils::INPUT_POST);
+ $temp_dir = $rcmail->config->get('temp_dir');
+ $tmpfname = tempnam($temp_dir, 'zipdownload');
+ $tempfiles = array($tmpfname);
+ $folders = count($messageset) > 1;
- // open zip file
- $zip = new ZipArchive();
- $zip->open($tmpfname, ZIPARCHIVE::OVERWRITE);
+ // @TODO: file size limit
- foreach ($uids as $key => $uid){
- $headers = $imap->get_message_headers($uid);
- $subject = rcube_mime::decode_mime_string((string)$headers->subject);
- $subject = $this->_convert_filename($subject);
- $subject = substr($subject, 0, 16);
+ // open zip file
+ $zip = new ZipArchive();
+ $zip->open($tmpfname, ZIPARCHIVE::OVERWRITE);
- if (isset($subject) && $subject !="")
- $disp_name = $subject . ".eml";
- else
- $disp_name = "message_rfc822.eml";
+ if ($mode == 'mbox') {
+ $tmpfp = fopen($tmpfname . '.mbox', 'w');
+ }
- $disp_name = $uid . "_" . $disp_name;
-
- $tmpfn = tempnam($temp_dir, 'zipmessage');
- $tmpfp = fopen($tmpfn, 'w');
- $imap->get_raw_body($uid, $tmpfp);
- $tempfiles[] = $tmpfn;
- fclose($tmpfp);
- $zip->addFile($tmpfn, $disp_name);
- }
+ foreach ($messageset as $mbox => $uids) {
+ $imap->set_folder($mbox);
+ $path = $folders ? str_replace($imap->get_hierarchy_delimiter(), '/', $mbox) . '/' : '';
- $zip->close();
+ if ($uids === '*') {
+ $index = $imap->index($mbox, null, null, true);
+ $uids = $index->get();
+ }
- $this->_deliver_zipfile($tmpfname, $imap->get_folder() . '.zip');
+ foreach ($uids as $uid) {
+ $headers = $imap->get_message_headers($uid);
- // delete temporary files from disk
- foreach ($tempfiles as $tmpfn)
- unlink($tmpfn);
+ if ($mode == 'mbox') {
+ $from = rcube_mime::decode_address_list($headers->from, null, true, $headers->charset, true);
+ $from = array_shift($from);
- exit;
- }
+ // Mbox format header
+ // @FIXME: \r\n or \n
+ // @FIXME: date format
+ $header = sprintf("From %s %s\r\n",
+ // replace spaces with hyphens
+ $from ? preg_replace('/\s/', '-', $from) : 'MAILER-DAEMON',
+ // internaldate
+ $headers->internaldate
+ );
- /**
- * Helper method to send the zip archive to the browser
- */
- private function _deliver_zipfile($tmpfname, $filename)
- {
- $browser = new rcube_browser;
- $rcmail = rcmail::get_instance();
+ fwrite($tmpfp, $header);
- $rcmail->output->nocacheing_headers();
+ // Use stream filter to quote "From " in the message body
+ stream_filter_register('mbox_filter', 'zipdownload_mbox_filter');
+ $filter = stream_filter_append($tmpfp, 'mbox_filter');
+ $imap->get_raw_body($uid, $tmpfp);
+ stream_filter_remove($filter);
+ fwrite($tmpfp, "\r\n");
+ }
+ else { // maildir
+ $subject = rcube_mime::decode_mime_string((string)$headers->subject);
+ $subject = $this->_convert_filename($subject);
+ $subject = substr($subject, 0, 16);
- if ($browser->ie && $browser->ver < 7)
- $filename = rawurlencode(abbreviate_string($filename, 55));
- else if ($browser->ie)
- $filename = rawurlencode($filename);
- else
- $filename = addcslashes($filename, '"');
+ $disp_name = ($subject ?: 'message_rfc822') . ".eml";
+ $disp_name = $path . $uid . "_" . $disp_name;
- // send download headers
- header("Content-Type: application/octet-stream");
- if ($browser->ie)
- header("Content-Type: application/force-download");
+ $tmpfn = tempnam($temp_dir, 'zipmessage');
+ $tmpfp = fopen($tmpfn, 'w');
+ $imap->get_raw_body($uid, $tmpfp);
+ $tempfiles[] = $tmpfn;
+ fclose($tmpfp);
+ $zip->addFile($tmpfn, $disp_name);
+ }
+ }
+ }
- // don't kill the connection if download takes more than 30 sec.
- @set_time_limit(0);
- header("Content-Disposition: attachment; filename=\"". $filename ."\"");
- header("Content-length: " . filesize($tmpfname));
- readfile($tmpfname);
- }
+ $filename = $folders ? 'messages' : $imap->get_folder();
- /**
- * Helper function to convert filenames to the configured charset
- */
- private function _convert_filename($str, $from = RCUBE_CHARSET)
- {
- return strtr(rcube_charset::convert($str, $from, $this->charset), array(':'=>'', '/'=>'-'));
- }
+ if ($mode == 'mbox') {
+ $tempfiles[] = $tmpfname . '.mbox';
+ fclose($tmpfp);
+ $zip->addFile($tmpfname . '.mbox', $filename . '.mbox');
+ }
+
+ $zip->close();
+
+ $this->_deliver_zipfile($tmpfname, $filename . '.zip');
+
+ // delete temporary files from disk
+ foreach ($tempfiles as $tmpfn) {
+ unlink($tmpfn);
+ }
+
+ exit;
+ }
+
+ /**
+ * Helper method to send the zip archive to the browser
+ */
+ private function _deliver_zipfile($tmpfname, $filename)
+ {
+ $browser = new rcube_browser;
+ $rcmail = rcmail::get_instance();
+
+ $rcmail->output->nocacheing_headers();
+
+ if ($browser->ie)
+ $filename = rawurlencode($filename);
+ else
+ $filename = addcslashes($filename, '"');
+
+ // send download headers
+ header("Content-Type: application/octet-stream");
+ if ($browser->ie) {
+ header("Content-Type: application/force-download");
+ }
+
+ // don't kill the connection if download takes more than 30 sec.
+ @set_time_limit(0);
+ header("Content-Disposition: attachment; filename=\"". $filename ."\"");
+ header("Content-length: " . filesize($tmpfname));
+ readfile($tmpfname);
+ }
+
+ /**
+ * Helper function to convert filenames to the configured charset
+ */
+ private function _convert_filename($str)
+ {
+ $str = rcube_charset::convert($str, RCUBE_CHARSET, $this->charset);
+
+ return strtr($str, array(':' => '', '/' => '-'));
+ }
}
-?>
\ No newline at end of file
+class zipdownload_mbox_filter extends php_user_filter
+{
+ function filter($in, $out, &$consumed, $closing)
+ {
+ while ($bucket = stream_bucket_make_writeable($in)) {
+ // messages are read line by line
+ if (preg_match('/^>*From /', $bucket->data)) {
+ $bucket->data = '>' . $bucket->data;
+ $bucket->datalen += 1;
+ }
+
+ $consumed += $bucket->datalen;
+ stream_bucket_append($out, $bucket);
+ }
+
+ return PSFS_PASS_ON;
+ }
+}
--
Gitblit v1.9.1