From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
program/lib/Mail/mimePart.php | 97 +++++++++++++++++++++++++++++++++++++-----------
1 files changed, 75 insertions(+), 22 deletions(-)
diff --git a/program/lib/Mail/mimePart.php b/program/lib/Mail/mimePart.php
index 5674792..f3e75dd 100644
--- a/program/lib/Mail/mimePart.php
+++ b/program/lib/Mail/mimePart.php
@@ -48,7 +48,7 @@
* @author Aleksander Machniak <alec@php.net>
* @copyright 2003-2006 PEAR <pear-group@php.net>
* @license http://www.opensource.org/licenses/bsd-license.php BSD License
- * @version CVS: $Id$
+ * @version Release: 1.8.7
* @link http://pear.php.net/package/Mail_mime
*/
@@ -70,7 +70,7 @@
* @author Aleksander Machniak <alec@php.net>
* @copyright 2003-2006 PEAR <pear-group@php.net>
* @license http://www.opensource.org/licenses/bsd-license.php BSD License
- * @version Release: @package_version@
+ * @version Release: 1.8.7
* @link http://pear.php.net/package/Mail_mime
*/
class Mail_mimePart
@@ -145,7 +145,7 @@
* charset - Content character set
* cid - Content ID to apply
* disposition - Content disposition, inline or attachment
- * dfilename - Filename parameter for content disposition
+ * filename - Filename parameter for content disposition
* description - Content description
* name_encoding - Encoding of the attachment name (Content-Type)
* By default filenames are encoded using RFC2231
@@ -156,6 +156,8 @@
* headers_charset - Charset of the headers e.g. filename, description.
* If not set, 'charset' will be used
* eol - End of line sequence. Default: "\r\n"
+ * headers - Hash array with additional part headers. Array keys can be
+ * in form of <header_name>:<parameter_name>
* body_file - Location of file with part's body (instead of $body)
*
* @access public
@@ -166,6 +168,11 @@
$this->_eol = $params['eol'];
} else if (defined('MAIL_MIMEPART_CRLF')) { // backward-copat.
$this->_eol = MAIL_MIMEPART_CRLF;
+ }
+
+ // Additional part headers
+ if (!empty($params['headers']) && is_array($params['headers'])) {
+ $headers = $params['headers'];
}
foreach ($params as $key => $value) {
@@ -185,6 +192,11 @@
case 'body_file':
$this->_body_file = $value;
+ break;
+
+ // for backward compatibility
+ case 'dfilename':
+ $params['filename'] = $value;
break;
}
}
@@ -211,13 +223,17 @@
$params['headers_charset'] = $params['charset'];
}
}
+
+ // header values encoding parameters
+ $h_charset = !empty($params['headers_charset']) ? $params['headers_charset'] : 'US-ASCII';
+ $h_language = !empty($params['language']) ? $params['language'] : null;
+ $h_encoding = !empty($params['name_encoding']) ? $params['name_encoding'] : null;
+
+
if (!empty($params['filename'])) {
$headers['Content-Type'] .= ';' . $this->_eol;
$headers['Content-Type'] .= $this->_buildHeaderParam(
- 'name', $params['filename'],
- !empty($params['headers_charset']) ? $params['headers_charset'] : 'US-ASCII',
- !empty($params['language']) ? $params['language'] : null,
- !empty($params['name_encoding']) ? $params['name_encoding'] : null
+ 'name', $params['filename'], $h_charset, $h_language, $h_encoding
);
}
@@ -227,21 +243,39 @@
if (!empty($params['filename'])) {
$headers['Content-Disposition'] .= ';' . $this->_eol;
$headers['Content-Disposition'] .= $this->_buildHeaderParam(
- 'filename', $params['filename'],
- !empty($params['headers_charset']) ? $params['headers_charset'] : 'US-ASCII',
- !empty($params['language']) ? $params['language'] : null,
+ 'filename', $params['filename'], $h_charset, $h_language,
!empty($params['filename_encoding']) ? $params['filename_encoding'] : null
);
+ }
+
+ // add attachment size
+ $size = $this->_body_file ? filesize($this->_body_file) : strlen($body);
+ if ($size) {
+ $headers['Content-Disposition'] .= ';' . $this->_eol . ' size=' . $size;
}
}
if (!empty($params['description'])) {
$headers['Content-Description'] = $this->encodeHeader(
- 'Content-Description', $params['description'],
- !empty($params['headers_charset']) ? $params['headers_charset'] : 'US-ASCII',
- !empty($params['name_encoding']) ? $params['name_encoding'] : 'quoted-printable',
+ 'Content-Description', $params['description'], $h_charset, $h_encoding,
$this->_eol
);
+ }
+
+ // Search and add existing headers' parameters
+ foreach ($headers as $key => $value) {
+ $items = explode(':', $key);
+ if (count($items) == 2) {
+ $header = $items[0];
+ $param = $items[1];
+ if (isset($headers[$header])) {
+ $headers[$header] .= ';' . $this->_eol;
+ }
+ $headers[$header] .= $this->_buildHeaderParam(
+ $param, $value, $h_charset, $h_language, $h_encoding
+ );
+ unset($headers[$key]);
+ }
}
// Default encoding
@@ -281,7 +315,7 @@
for ($i = 0; $i < count($this->_subparts); $i++) {
$encoded['body'] .= '--' . $boundary . $eol;
$tmp = $this->_subparts[$i]->encode();
- if (PEAR::isError($tmp)) {
+ if ($this->_isError($tmp)) {
return $tmp;
}
foreach ($tmp['headers'] as $key => $value) {
@@ -304,7 +338,7 @@
@ini_set('magic_quotes_runtime', $magic_quote_setting);
}
- if (PEAR::isError($body)) {
+ if ($this->_isError($body)) {
return $body;
}
$encoded['body'] = $body;
@@ -356,7 +390,7 @@
@ini_set('magic_quotes_runtime', $magic_quote_setting);
}
- return PEAR::isError($res) ? $res : $this->_headers;
+ return $this->_isError($res) ? $res : $this->_headers;
}
/**
@@ -391,7 +425,7 @@
for ($i = 0; $i < count($this->_subparts); $i++) {
fwrite($fh, $f_eol . '--' . $boundary . $eol);
$res = $this->_subparts[$i]->_encodePartToFile($fh);
- if (PEAR::isError($res)) {
+ if ($this->_isError($res)) {
return $res;
}
$f_eol = $eol;
@@ -406,7 +440,7 @@
$res = $this->_getEncodedDataFromFile(
$this->_body_file, $this->_encoding, $fh
);
- if (PEAR::isError($res)) {
+ if ($this->_isError($res)) {
return $res;
}
}
@@ -634,8 +668,8 @@
// RFC 2045:
// value needs encoding if contains non-ASCII chars or is longer than 78 chars
if (!preg_match('#[^\x20-\x7E]#', $value)) {
- $token_regexp = '#([^\x21,\x23-\x27,\x2A,\x2B,\x2D'
- . ',\x2E,\x30-\x39,\x41-\x5A,\x5E-\x7E])#';
+ $token_regexp = '#([^\x21\x23-\x27\x2A\x2B\x2D'
+ . '\x2E\x30-\x39\x41-\x5A\x5E-\x7E])#';
if (!preg_match($token_regexp, $value)) {
// token
if (strlen($name) + strlen($value) + 3 <= $maxLength) {
@@ -657,7 +691,7 @@
// RFC2231:
$encValue = preg_replace_callback(
- '/([^\x21,\x23,\x24,\x26,\x2B,\x2D,\x2E,\x30-\x39,\x41-\x5A,\x5E-\x7E])/',
+ '/([^\x21\x23\x24\x26\x2B\x2D\x2E\x30-\x39\x41-\x5A\x5E-\x7E])/',
array($this, '_encodeReplaceCallback'), $value
);
$value = "$charset'$language'$encValue";
@@ -781,6 +815,7 @@
'from', 'to', 'cc', 'bcc', 'sender', 'reply-to',
'resent-from', 'resent-to', 'resent-cc', 'resent-bcc',
'resent-sender', 'resent-reply-to',
+ 'mail-reply-to', 'mail-followup-to',
'return-receipt-to', 'disposition-notification-to',
);
$other_headers = array(
@@ -802,7 +837,7 @@
// Structured header (make sure addr-spec inside is not encoded)
if (!empty($separator)) {
// Simple e-mail address regexp
- $email_regexp = '(\S+|("\s*(?:[^"\f\n\r\t\v\b\s]+\s*)+"))@\S+';
+ $email_regexp = '([^\s<]+|("[^\r\n"]+"))@\S+';
$parts = Mail_mimePart::_explodeQuotedString($separator, $value);
$value = '';
@@ -1191,4 +1226,22 @@
return sprintf('%%%02X', ord($matches[1]));
}
+ /**
+ * PEAR::isError wrapper
+ *
+ * @param mixed $data Object
+ *
+ * @return bool True if object is an instance of PEAR_Error
+ * @access private
+ */
+ function _isError($data)
+ {
+ // PEAR::isError() is not PHP 5.4 compatible (see Bug #19473)
+ if (is_object($data) && is_a($data, 'PEAR_Error')) {
+ return true;
+ }
+
+ return false;
+ }
+
} // End of class
--
Gitblit v1.9.1