From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)
---
program/lib/Mail/mime.php | 182 +++++++++++++++++++++++++-------------------
1 files changed, 103 insertions(+), 79 deletions(-)
diff --git a/program/lib/Mail/mime.php b/program/lib/Mail/mime.php
index a7dfa6d..db0fd1f 100644
--- a/program/lib/Mail/mime.php
+++ b/program/lib/Mail/mime.php
@@ -48,7 +48,7 @@
* @author Aleksander Machniak <alec@php.net>
* @copyright 2003-2006 PEAR <pear-group@php.net>
* @license http://www.opensource.org/licenses/bsd-license.php BSD License
- * @version 1.8.4
+ * @version CVS: $Id$
* @link http://pear.php.net/package/Mail_mime
*
* This class is based on HTML Mime Mail class from
@@ -89,7 +89,7 @@
* @author Sean Coates <sean@php.net>
* @copyright 2003-2006 PEAR <pear-group@php.net>
* @license http://www.opensource.org/licenses/bsd-license.php BSD License
- * @version Release: 1.8.4
+ * @version Release: @package_version@
* @link http://pear.php.net/package/Mail_mime
*/
class Mail_mime
@@ -245,7 +245,7 @@
}
} else {
$cont = $this->_file2str($data);
- if (PEAR::isError($cont)) {
+ if ($this->_isError($cont)) {
return $cont;
}
if (!$append) {
@@ -254,6 +254,7 @@
$this->_txtbody .= $cont;
}
}
+
return true;
}
@@ -286,7 +287,7 @@
$this->_htmlbody = $data;
} else {
$cont = $this->_file2str($data);
- if (PEAR::isError($cont)) {
+ if ($this->_isError($cont)) {
return $cont;
}
$this->_htmlbody = $cont;
@@ -336,7 +337,7 @@
$filedata = null;
$bodyfile = $file;
} else {
- if (PEAR::isError($filedata = $this->_file2str($file))) {
+ if ($this->_isError($filedata = $this->_file2str($file))) {
return $filedata;
}
}
@@ -347,7 +348,7 @@
}
if (!$content_id) {
- $content_id = md5(uniqid(time()));
+ $content_id = preg_replace('/[^0-9a-zA-Z]/', '', uniqid(time(), true));
}
$this->_html_images[] = array(
@@ -387,7 +388,8 @@
* @param string $description Content-Description header
* @param string $h_charset The character set of the headers e.g. filename
* If not specified, $charset will be used
- * @param array $add_headers Additional part headers
+ * @param array $add_headers Additional part headers. Array keys can be in form
+ * of <header_name>:<parameter_name>
*
* @return mixed True on success or PEAR_Error object
* @access public
@@ -415,12 +417,12 @@
$filedata = null;
$bodyfile = $file;
} else {
- if (PEAR::isError($filedata = $this->_file2str($file))) {
+ if ($this->_isError($filedata = $this->_file2str($file))) {
return $filedata;
}
}
// Force the name the user supplied, otherwise use $file
- $filename = ($name ? $name : $file);
+ $filename = ($name ? $name : $this->_basename($file));
} else {
$filedata = $file;
$filename = $name;
@@ -428,10 +430,8 @@
if (!strlen($filename)) {
$msg = "The supplied filename for the attachment can't be empty";
- $err = PEAR::raiseError($msg);
- return $err;
+ return $this->_raiseError($msg);
}
- $filename = $this->_basename($filename);
$this->_parts[] = array(
'body' => $filedata,
@@ -461,20 +461,17 @@
* @return string Contents of $file_name
* @access private
*/
- function &_file2str($file_name)
+ function _file2str($file_name)
{
// Check state of file and raise an error properly
if (!file_exists($file_name)) {
- $err = PEAR::raiseError('File not found: ' . $file_name);
- return $err;
+ return $this->_raiseError('File not found: ' . $file_name);
}
if (!is_file($file_name)) {
- $err = PEAR::raiseError('Not a regular file: ' . $file_name);
- return $err;
+ return $this->_raiseError('Not a regular file: ' . $file_name);
}
if (!is_readable($file_name)) {
- $err = PEAR::raiseError('File is not readable: ' . $file_name);
- return $err;
+ return $this->_raiseError('File is not readable: ' . $file_name);
}
// Temporarily reset magic_quotes_runtime and read file contents
@@ -494,13 +491,13 @@
* returns it during the build process.
*
* @param mixed &$obj The object to add the part to, or
- * null if a new object is to be created.
+ * anything else if a new object is to be created.
* @param string $text The text to add.
*
* @return object The text mimePart object
* @access private
*/
- function &_addTextPart(&$obj, $text)
+ function &_addTextPart(&$obj, $text = '')
{
$params['content_type'] = 'text/plain';
$params['encoding'] = $this->_build_params['text_encoding'];
@@ -509,11 +506,11 @@
if (is_object($obj)) {
$ret = $obj->addSubpart($text, $params);
- return $ret;
} else {
$ret = new Mail_mimePart($text, $params);
- return $ret;
}
+
+ return $ret;
}
/**
@@ -521,7 +518,7 @@
* returns it during the build process.
*
* @param mixed &$obj The object to add the part to, or
- * null if a new object is to be created.
+ * anything else if a new object is to be created.
*
* @return object The html mimePart object
* @access private
@@ -535,11 +532,11 @@
if (is_object($obj)) {
$ret = $obj->addSubpart($this->_htmlbody, $params);
- return $ret;
} else {
$ret = new Mail_mimePart($this->_htmlbody, $params);
- return $ret;
}
+
+ return $ret;
}
/**
@@ -552,7 +549,6 @@
*/
function &_addMixedPart()
{
- $params = array();
$params['content_type'] = 'multipart/mixed';
$params['eol'] = $this->_build_params['eol'];
@@ -567,7 +563,7 @@
* the build process.
*
* @param mixed &$obj The object to add the part to, or
- * null if a new object is to be created.
+ * anything else if a new object is to be created.
*
* @return object The multipart/mixed mimePart object
* @access private
@@ -578,11 +574,12 @@
$params['eol'] = $this->_build_params['eol'];
if (is_object($obj)) {
- return $obj->addSubpart('', $params);
+ $ret = $obj->addSubpart('', $params);
} else {
$ret = new Mail_mimePart('', $params);
- return $ret;
}
+
+ return $ret;
}
/**
@@ -591,7 +588,7 @@
* the build process.
*
* @param mixed &$obj The object to add the part to, or
- * null if a new object is to be created
+ * anything else if a new object is to be created
*
* @return object The multipart/mixed mimePart object
* @access private
@@ -602,11 +599,12 @@
$params['eol'] = $this->_build_params['eol'];
if (is_object($obj)) {
- return $obj->addSubpart('', $params);
+ $ret = $obj->addSubpart('', $params);
} else {
$ret = new Mail_mimePart('', $params);
- return $ret;
}
+
+ return $ret;
}
/**
@@ -700,9 +698,9 @@
*
* @param string $separation The separation between these two parts.
* @param array $params The Build parameters passed to the
- * &get() function. See &get for more info.
+ * get() function. See get() for more info.
* @param array $headers The extra headers that should be passed
- * to the &headers() function.
+ * to the headers() method.
* See that function for more info.
* @param bool $overwrite Overwrite the existing headers with new.
*
@@ -718,13 +716,11 @@
$body = $this->get($params);
- if (PEAR::isError($body)) {
+ if ($this->_isError($body)) {
return $body;
}
- $head = $this->txtHeaders($headers, $overwrite);
- $mail = $head . $separation . $body;
- return $mail;
+ return $this->txtHeaders($headers, $overwrite) . $separation . $body;
}
/**
@@ -732,7 +728,7 @@
* mail delivery method.
*
* @param array $params The Build parameters passed to the
- * &get() function. See &get for more info.
+ * get() method. See get() for more info.
*
* @return mixed The e-mail body or PEAR error object
* @access public
@@ -748,9 +744,9 @@
*
* @param string $filename Output file location
* @param array $params The Build parameters passed to the
- * &get() function. See &get for more info.
+ * get() method. See get() for more info.
* @param array $headers The extra headers that should be passed
- * to the &headers() function.
+ * to the headers() function.
* See that function for more info.
* @param bool $overwrite Overwrite the existing headers with new.
*
@@ -762,8 +758,7 @@
{
// Check state of file and raise an error properly
if (file_exists($filename) && !is_writable($filename)) {
- $err = PEAR::raiseError('File is not writable: ' . $filename);
- return $err;
+ return $this->_raiseError('File is not writable: ' . $filename);
}
// Temporarily reset magic_quotes_runtime and read file contents
@@ -772,15 +767,13 @@
}
if (!($fh = fopen($filename, 'ab'))) {
- $err = PEAR::raiseError('Unable to open file: ' . $filename);
- return $err;
+ return $this->_raiseError('Unable to open file: ' . $filename);
}
// Write message headers into file (skipping Content-* headers)
$head = $this->txtHeaders($headers, $overwrite, true);
if (fwrite($fh, $head) === false) {
- $err = PEAR::raiseError('Error writing to file: ' . $filename);
- return $err;
+ return $this->_raiseError('Error writing to file: ' . $filename);
}
fclose($fh);
@@ -797,10 +790,10 @@
/**
* Writes (appends) the complete e-mail body into file.
- *
+ *
* @param string $filename Output file location
* @param array $params The Build parameters passed to the
- * &get() function. See &get for more info.
+ * get() method. See get() for more info.
*
* @return mixed True or PEAR error object
* @access public
@@ -810,8 +803,7 @@
{
// Check state of file and raise an error properly
if (file_exists($filename) && !is_writable($filename)) {
- $err = PEAR::raiseError('File is not writable: ' . $filename);
- return $err;
+ return $this->_raiseError('File is not writable: ' . $filename);
}
// Temporarily reset magic_quotes_runtime and read file contents
@@ -820,8 +812,7 @@
}
if (!($fh = fopen($filename, 'ab'))) {
- $err = PEAR::raiseError('Unable to open file: ' . $filename);
- return $err;
+ return $this->_raiseError('Unable to open file: ' . $filename);
}
// Write the rest of the message into file
@@ -844,7 +835,7 @@
* @return mixed The MIME message content string, null or PEAR error object
* @access public
*/
- function &get($params = null, $filename = null, $skip_head = false)
+ function get($params = null, $filename = null, $skip_head = false)
{
if (isset($params)) {
while (list($key, $value) = each($params)) {
@@ -887,11 +878,11 @@
$this->_checkParams();
- $null = null;
- $attachments = count($this->_parts) ? true : false;
- $html_images = count($this->_html_images) ? true : false;
- $html = strlen($this->_htmlbody) ? true : false;
- $text = (!$html && strlen($this->_txtbody)) ? true : false;
+ $null = -1;
+ $attachments = count($this->_parts) > 0;
+ $html_images = count($this->_html_images) > 0;
+ $html = strlen($this->_htmlbody) > 0;
+ $text = !$html && strlen($this->_txtbody);
switch (true) {
case $text && !$attachments:
@@ -1000,12 +991,10 @@
$this->_addAttachmentPart($message, $this->_parts[$i]);
}
break;
-
}
if (!isset($message)) {
- $ret = null;
- return $ret;
+ return null;
}
// Use saved boundary
@@ -1019,20 +1008,18 @@
if ($filename) {
// Append mimePart message headers and body into file
$headers = $message->encodeToFile($filename, $boundary, $skip_head);
- if (PEAR::isError($headers)) {
+ if ($this->_isError($headers)) {
return $headers;
}
$this->_headers = array_merge($this->_headers, $headers);
- $ret = null;
- return $ret;
+ return null;
} else {
$output = $message->encode($boundary, $skip_head);
- if (PEAR::isError($output)) {
+ if ($this->_isError($output)) {
return $output;
}
$this->_headers = array_merge($this->_headers, $output['headers']);
- $body = $output['body'];
- return $body;
+ return $output['body'];
}
}
@@ -1050,7 +1037,7 @@
* @return array Assoc array with the mime headers
* @access public
*/
- function &headers($xtra_headers = null, $overwrite = false, $skip_content = false)
+ function headers($xtra_headers = null, $overwrite = false, $skip_content = false)
{
// Add mime version header
$headers['MIME-Version'] = '1.0';
@@ -1400,19 +1387,24 @@
if ($headers['Content-Type'] == 'text/plain') {
// single-part message: add charset and encoding
- $charset = 'charset=' . $this->_build_params['text_charset'];
- // place charset parameter in the same line, if possible
- // 26 = strlen("Content-Type: text/plain; ")
- $headers['Content-Type']
- .= (strlen($charset) + 26 <= 76) ? "; $charset" : ";$eol $charset";
+ if ($this->_build_params['text_charset']) {
+ $charset = 'charset=' . $this->_build_params['text_charset'];
+ // place charset parameter in the same line, if possible
+ // 26 = strlen("Content-Type: text/plain; ")
+ $headers['Content-Type']
+ .= (strlen($charset) + 26 <= 76) ? "; $charset" : ";$eol $charset";
+ }
+
$headers['Content-Transfer-Encoding']
= $this->_build_params['text_encoding'];
} else if ($headers['Content-Type'] == 'text/html') {
// single-part message: add charset and encoding
- $charset = 'charset=' . $this->_build_params['html_charset'];
- // place charset parameter in the same line, if possible
- $headers['Content-Type']
- .= (strlen($charset) + 25 <= 76) ? "; $charset" : ";$eol $charset";
+ if ($this->_build_params['html_charset']) {
+ $charset = 'charset=' . $this->_build_params['html_charset'];
+ // place charset parameter in the same line, if possible
+ $headers['Content-Type']
+ .= (strlen($charset) + 25 <= 76) ? "; $charset" : ";$eol $charset";
+ }
$headers['Content-Transfer-Encoding']
= $this->_build_params['html_encoding'];
} else {
@@ -1472,4 +1464,36 @@
}
}
+ /**
+ * PEAR::isError implementation
+ *
+ * @param mixed $data Object
+ *
+ * @return bool True if object is an instance of PEAR_Error
+ * @access private
+ */
+ function _isError($data)
+ {
+ // PEAR::isError() is not PHP 5.4 compatible (see Bug #19473)
+ if (is_object($data) && is_a($data, 'PEAR_Error')) {
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * PEAR::raiseError implementation
+ *
+ * @param $message A text error message
+ *
+ * @return PEAR_Error Instance of PEAR_Error
+ * @access private
+ */
+ function _raiseError($message)
+ {
+ // PEAR::raiseError() is not PHP 5.4 compatible
+ return new PEAR_Error($message);
+ }
+
} // End of class
--
Gitblit v1.9.1