From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 program/lib/Roundcube/rcube_charset.php |   82 ++++++++++++++++++++++------------------
 1 files changed, 45 insertions(+), 37 deletions(-)

diff --git a/program/lib/Roundcube/rcube_charset.php b/program/lib/Roundcube/rcube_charset.php
index 3e6e614..2d6d9d3 100644
--- a/program/lib/Roundcube/rcube_charset.php
+++ b/program/lib/Roundcube/rcube_charset.php
@@ -70,8 +70,8 @@
     /**
      * Catch an error and throw an exception.
      *
-     * @param  int    Level of the error
-     * @param  string Error message
+     * @param int    $errno  Level of the error
+     * @param string $errstr Error message
      */
     public static function error_handler($errno, $errstr)
     {
@@ -119,7 +119,7 @@
         }
         // ISO-8859
         else if (preg_match('/ISO8859([0-9]{0,2})/', $str, $m)) {
-            $iso = 'ISO-8859-' . ($m[1] ? $m[1] : 1);
+            $iso = 'ISO-8859-' . ($m[1] ?: 1);
             // some clients sends windows-1252 text as latin1,
             // it is safe to use windows-1252 for all latin1
             $result = $iso == 'ISO-8859-1' ? 'WINDOWS-1252' : $iso;
@@ -162,19 +162,19 @@
      * Convert a string from one charset to another.
      * Uses mbstring and iconv functions if possible
      *
-     * @param  string Input string
-     * @param  string Suspected charset of the input string
-     * @param  string Target charset to convert to; defaults to RCUBE_CHARSET
+     * @param string $str  Input string
+     * @param string $from Suspected charset of the input string
+     * @param string $to   Target charset to convert to; defaults to RCUBE_CHARSET
      *
      * @return string Converted string
      */
     public static function convert($str, $from, $to = null)
     {
-        static $iconv_options   = null;
-        static $mbstring_list   = null;
-        static $mbstring_sch    = null;
+        static $iconv_options = null;
+        static $mbstring_list = null;
+        static $mbstring_sch  = null;
 
-        $to   = empty($to) ? RCUBE_CHARSET : $to;
+        $to   = empty($to) ? RCUBE_CHARSET : strtoupper($to);
         $from = self::parse_charset($from);
 
         // It is a common case when UTF-16 charset is used with US-ASCII content (#1488654)
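Review bot: In `convert()`, the new `strtoupper($to)` normalises only the case of the target charset, while `$from` on the next line goes through `self::parse_charset()`. A caller passing an alias such as `utf8` would still miss the `$to == 'UTF-8'` comparisons in the later hunks, and the value is appended to the iconv target string as given. If `parse_charset()` is safe for a target charset, consider `$to = empty($to) ? RCUBE_CHARSET : self::parse_charset($to);`. Its body is outside this hunk, and the ISO-8859-1 to WINDOWS-1252 mapping seen in the hunk at line 119 may not be wanted for output. Otherwise a comment such as `// $to must be a canonical charset name; only case is normalised here` would record the contract.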
@@ -207,14 +207,15 @@
             // it means that input string has been truncated
             set_error_handler(array('rcube_charset', 'error_handler'), E_NOTICE);
             try {
-                $_iconv = iconv($from, $to . $iconv_options, $str);
-            } catch (ErrorException $e) {
-                $_iconv = false;
+                $out = iconv($from, $to . $iconv_options, $str);
+            }
+            catch (ErrorException $e) {
+                $out = false;
             }
             restore_error_handler();
 
-            if ($_iconv !== false) {
-                return $_iconv;
+            if ($out !== false) {
+                return $out;
             }
         }
 
@@ -237,20 +238,29 @@
                 $aliases['US-ASCII'] = 'ASCII';
             }
 
-            $mb_from = $aliases[$from] ? $aliases[$from] : $from;
-            $mb_to   = $aliases[$to] ? $aliases[$to] : $to;
+            $mb_from = $aliases[$from] ?: $from;
+            $mb_to   = $aliases[$to] ?: $to;
 
             // return if encoding found, string matches encoding and convert succeeded
             if (in_array($mb_from, $mbstring_list) && in_array($mb_to, $mbstring_list)) {
-                if (mb_check_encoding($str, $mb_from)) {
-                    // Do the same as //IGNORE with iconv
-                    mb_substitute_character('none');
-                    $out = mb_convert_encoding($str, $mb_to, $mb_from);
-                    mb_substitute_character($mbstring_sch);
+                // Do the same as //IGNORE with iconv
+                mb_substitute_character('none');
 
-                    if ($out !== false) {
-                        return $out;
-                    }
+                // throw an exception if mbstring reports an illegal character in input
+                // using mb_check_encoding() is much slower
+                set_error_handler(array('rcube_charset', 'error_handler'), E_WARNING);
+                try {
+                    $out = mb_convert_encoding($str, $mb_to, $mb_from);
+                }
+                catch (ErrorException $e) {
+                    $out = false;
+                }
+                restore_error_handler();
+
+                mb_substitute_character($mbstring_sch);
+
+                if ($out !== false) {
+                    return $out;
                 }
             }
         }
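Review bot: Dropping the `mb_check_encoding($str, $mb_from)` guard makes input validation depend on `mb_convert_encoding()` raising an E_WARNING for malformed bytes, which should be confirmed for every supported PHP version. Where no warning is raised, `mb_substitute_character('none')` means malformed sequences are silently removed and the shortened string is returned as a successful conversion. That matters for any caller that filters or compares the text around the conversion. A regression test with a truncated multibyte sequence would pin the intended behaviour, and the comment could state the assumption, e.g. `// relies on mbstring emitting E_WARNING for illegal input; verify per PHP version`.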
@@ -258,20 +268,17 @@
         // convert charset using bundled classes/functions
         if ($to == 'UTF-8') {
             if ($from == 'UTF7-IMAP') {
-                if ($_str = self::utf7imap_to_utf8($str)) {
-                    return $_str;
+                if ($out = self::utf7imap_to_utf8($str)) {
+                    return $out;
                 }
             }
             else if ($from == 'UTF-7') {
-                if ($_str = self::utf7_to_utf8($str)) {
-                    return $_str;
+                if ($out = self::utf7_to_utf8($str)) {
+                    return $out;
                 }
             }
             else if ($from == 'ISO-8859-1' && function_exists('utf8_encode')) {
                 return utf8_encode($str);
-            }
-            else  {
-                trigger_error("No suitable function found for UTF-8 encoding");
             }
         }
 
@@ -279,16 +286,17 @@
         if ($from == 'UTF-8') {
             // @TODO: we need a function for UTF-7 (RFC2152) conversion
             if ($to == 'UTF7-IMAP' || $to == 'UTF-7') {
-                if ($_str = self::utf8_to_utf7imap($str)) {
-                    return $_str;
+                if ($out = self::utf8_to_utf7imap($str)) {
+                    return $out;
                 }
             }
             else if ($to == 'ISO-8859-1' && function_exists('utf8_decode')) {
                 return utf8_decode($str);
             }
-            else {
-                trigger_error("No suitable function found for UTF-8 decoding");
-            }
+        }
+
+        if (!isset($out)) {
+            trigger_error("No suitable function found for '$from' to '$to' conversion");
         }
 
         // return original string
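Review bot: The new `if (!isset($out))` guard near the end of `convert()` is false whenever an earlier attempt ran and failed, so those failures produce no diagnostic. The iconv and mbstring paths assign `$out = false` in their catch blocks, and the bundled UTF-7 helpers assign their result inside the `if` condition (hunks at lines 207, 238 and 268). In those cases the function falls through to returning the original string, so a caller receives unconverted bytes treated as the target charset. If that is intended, a comment such as `// $out is set (possibly to false) once any converter was tried; only warn when none was available` would make it explicit; otherwise track the attempt with a separate flag. The return statement itself is outside the hunk.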

--
Gitblit v1.9.1