From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 05 Feb 2016 07:25:27 -0500 Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports --- program/lib/Roundcube/rcube_message.php | 87 +++++++++++++++++++++---------------------- 1 files changed, 42 insertions(+), 45 deletions(-) diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php index d022185..d065ac3 100644 --- a/program/lib/Roundcube/rcube_message.php +++ b/program/lib/Roundcube/rcube_message.php @@ -69,26 +69,27 @@ * * Provide a uid, and parse message structure. * - * @param string $uid The message UID. - * @param string $folder Folder name + * @param string $uid The message UID. + * @param string $folder Folder name + * @param bool $is_safe Security flag * * @see self::$app, self::$storage, self::$opt, self::$parts */ - function __construct($uid, $folder = null) + function __construct($uid, $folder = null, $is_safe = false) { // decode combined UID-folder identifier if (preg_match('/^\d+-.+/', $uid)) { list($uid, $folder) = explode('-', $uid, 2); } - $this->uid = $uid; - $this->app = rcube::get_instance(); + $this->uid = $uid; + $this->app = rcube::get_instance(); $this->storage = $this->app->get_storage(); $this->folder = strlen($folder) ? $folder : $this->storage->get_folder(); - $this->storage->set_options(array('all_headers' => true)); // Set current folder $this->storage->set_folder($this->folder); + $this->storage->set_options(array('all_headers' => true)); $this->headers = $this->storage->get_message($uid); @@ -96,19 +97,19 @@ return; } - $this->mime = new rcube_mime($this->headers->charset); - + $this->mime = new rcube_mime($this->headers->charset); $this->subject = $this->headers->get('subject'); list(, $this->sender) = each($this->mime->decode_address_list($this->headers->from, 1)); - $this->set_safe((intval($_GET['_safe']) || $_SESSION['safe_messages'][$this->folder.':'.$uid])); + $this->set_safe($is_safe || $_SESSION['safe_messages'][$this->folder.':'.$uid]); $this->opt = array( 'safe' => $this->is_safe, 'prefer_html' => $this->app->config->get('prefer_html'), 'get_url' => $this->app->url(array( 'action' => 'get', 'mbox' => $this->folder, - 'uid' => $uid)) + 'uid' => $uid), + false, false, true) ); if (!empty($this->headers->structure)) { @@ -484,6 +485,28 @@ } /** + * In a multipart/encrypted encrypted message, + * find the encrypted message payload part. + * + * @return rcube_message_part + */ + public function get_multipart_encrypted_part() + { + foreach ($this->mime_parts as $mime_id => $mpart) { + if ($mpart->mimetype == 'multipart/encrypted') { + $this->pgp_mime = true; + } + if ($this->pgp_mime && ($mpart->mimetype == 'application/octet-stream' || + (!empty($mpart->filename) && $mpart->filename != 'version.txt'))) { + $this->encrypted_part = $mime_id; + return $mpart; + } + } + + return false; + } + + /** * Read the message structure returend by the IMAP server * and build flat lists of content parts and attachments * @@ -674,24 +697,16 @@ $mail_part = &$structure->parts[$i]; $primary_type = $mail_part->ctype_primary; $secondary_type = $mail_part->ctype_secondary; + $part_mimetype = $mail_part->mimetype; - // real content-type of message/rfc822 - if ($mail_part->real_mimetype) { - $part_orig_mimetype = $mail_part->mimetype; - $part_mimetype = $mail_part->real_mimetype; - list($primary_type, $secondary_type) = explode('/', $part_mimetype); - } - else { - $part_mimetype = $part_orig_mimetype = $mail_part->mimetype; - } - - // multipart/alternative - if ($primary_type == 'multipart') { + // multipart/alternative or message/rfc822 + if ($primary_type == 'multipart' || $part_mimetype == 'message/rfc822') { $this->parse_structure($mail_part, true); // list message/rfc822 as attachment as well (mostly .eml) - if ($part_orig_mimetype == 'message/rfc822' && !empty($mail_part->filename)) + if ($primary_type == 'message' && !empty($mail_part->filename)) { $this->attachments[] = $mail_part; + } } // part text/[plain|html] or delivery status else if ((($part_mimetype == 'text/plain' || $part_mimetype == 'text/html') && $mail_part->disposition != 'attachment') || @@ -702,8 +717,9 @@ array('object' => $this, 'structure' => $mail_part, 'mimetype' => $part_mimetype, 'recursive' => true)); - if ($plugin['abort']) + if ($plugin['abort']) { continue; + } if ($part_mimetype == 'text/html' && $mail_part->size) { $this->got_html_part = true; @@ -725,14 +741,6 @@ if (!empty($mail_part->filename)) { $this->attachments[] = $mail_part; } - } - // part message/* - else if ($primary_type == 'message') { - $this->parse_structure($mail_part, true); - - // list as attachment as well (mostly .eml) - if (!empty($mail_part->filename)) - $this->attachments[] = $mail_part; } // ignore "virtual" protocol parts else if ($primary_type == 'protocol') { @@ -764,21 +772,14 @@ // part belongs to a related message and is linked if (preg_match('/^multipart\/(related|relative)/', $mimetype) - && ($mail_part->headers['content-id'] || $mail_part->headers['content-location'])) { + && ($mail_part->headers['content-id'] || $mail_part->headers['content-location']) + ) { if ($mail_part->headers['content-id']) $mail_part->content_id = preg_replace(array('/^</', '/>$/'), '', $mail_part->headers['content-id']); if ($mail_part->headers['content-location']) $mail_part->content_location = $mail_part->headers['content-base'] . $mail_part->headers['content-location']; $this->inline_parts[] = $mail_part; - } - // attachment encapsulated within message/rfc822 part needs further decoding (#1486743) - else if ($part_orig_mimetype == 'message/rfc822') { - $this->parse_structure($mail_part, true); - - // list as attachment as well (mostly .eml) - if (!empty($mail_part->filename)) - $this->attachments[] = $mail_part; } // regular attachment with valid content type // (content-type name regexp according to RFC4288.4.2) @@ -794,10 +795,6 @@ $this->attachments[] = $mail_part; } - } - // attachment part as message/rfc822 (#1488026) - else if ($mail_part->mimetype == 'message/rfc822') { - $this->parse_structure($mail_part); } // calendar part not marked as attachment (#1490325) else if ($part_mimetype == 'text/calendar') { -- Gitblit v1.9.1