Lines 1388-1399
|
1388 |
} |
1388 |
} |
1389 |
} |
1389 |
} |
1390 |
} |
1390 |
} |
|
|
1391 |
|
1392 |
/** |
1393 |
* Replace empty src tags with the blank image. src is only used |
1394 |
* for frames, images, and image inputs. Doing a replace should |
1395 |
* not affect them working as should be, however it will stop |
1396 |
* IE from being kicked off when src for img tags are not set |
1397 |
*/ |
1398 |
if (($attname == 'src') && ($attvalue == '""')) { |
1399 |
$attary{$attname} = '"' . SM_PATH . 'images/blank.png"'; |
1400 |
} |
1401 |
|
1391 |
/** |
1402 |
/** |
1392 |
* Turn cid: urls into http-friendly ones. |
1403 |
* Turn cid: urls into http-friendly ones. |
1393 |
*/ |
1404 |
*/ |
1394 |
if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){ |
1405 |
if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){ |
1395 |
$attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); |
1406 |
$attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); |
1396 |
} |
1407 |
} |
|
|
1408 |
|
1409 |
/** |
1410 |
* "Hack" fix for Outlook using propriatary outbind:// protocol in img tags. |
1411 |
* One day MS might actually make it match something useful, for now, falling |
1412 |
* back to using cid2http, so we can grab the blank.png. |
1413 |
*/ |
1414 |
if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) { |
1415 |
$attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); |
1416 |
} |
1417 |
|
1397 |
} |
1418 |
} |
1398 |
/** |
1419 |
/** |
1399 |
* See if we need to append any attributes to this tag. |
1420 |
* See if we need to append any attributes to this tag. |
Lines 1436-1462
|
1436 |
/** |
1457 |
/** |
1437 |
* Fix url('blah') declarations. |
1458 |
* Fix url('blah') declarations. |
1438 |
*/ |
1459 |
*/ |
1439 |
$content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", |
1460 |
// $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", |
1440 |
"url(\\1$secremoveimg\\2)", $content); |
1461 |
// "url(\\1$secremoveimg\\2)", $content); |
|
|
1462 |
// remove NUL |
1463 |
$content = str_replace("\0", "", $content); |
1464 |
// NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop. |
1465 |
while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { |
1466 |
$sProto = strtolower($matches[1]); |
1467 |
switch ($sProto) { |
1441 |
/** |
1468 |
/** |
1442 |
* Fix url('https*://.*) declarations but only if $view_unsafe_images |
1469 |
* Fix url('https*://.*) declarations but only if $view_unsafe_images |
1443 |
* is false. |
1470 |
* is false. |
1444 |
*/ |
1471 |
*/ |
|
|
1472 |
case 'https': |
1473 |
case 'http': |
1445 |
if (!$view_unsafe_images){ |
1474 |
if (!$view_unsafe_images){ |
1446 |
$content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si", |
1475 |
$sExpr = "/url\s*\(\s*([\'\"])\s*$sProto*:.*?([\'\"])\s*\)/si"; |
1447 |
"url(\\1$secremoveimg\\2)", $content); |
1476 |
$content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content); |
1448 |
} |
1477 |
} |
1449 |
|
1478 |
break; |
1450 |
/** |
1479 |
/** |
1451 |
* Fix urls that refer to cid: |
1480 |
* Fix urls that refer to cid: |
1452 |
*/ |
1481 |
*/ |
1453 |
while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si", |
1482 |
case 'cid': |
1454 |
$content, $matches)){ |
1483 |
$cidurl = 'cid:'. $matches[2]; |
1455 |
$cidurl = $matches{1}; |
|
|
1456 |
$httpurl = sq_cid2http($message, $id, $cidurl, $mailbox); |
1484 |
$httpurl = sq_cid2http($message, $id, $cidurl, $mailbox); |
1457 |
$content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si", |
1485 |
$content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si", |
1458 |
"url($httpurl)", $content); |
1486 |
"u\0r\0l($httpurl)", $content); |
|
|
1487 |
break; |
1488 |
default: |
1489 |
/** |
1490 |
* replace url with protocol other then the white list |
1491 |
* http,https and cid by an empty string. |
1492 |
*/ |
1493 |
$content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", |
1494 |
"", $content); |
1495 |
break; |
1459 |
} |
1496 |
} |
|
|
1497 |
break; |
1498 |
} |
1499 |
// remove NUL |
1500 |
$content = str_replace("\0", "", $content); |
1501 |
|
1502 |
/** |
1503 |
* Remove any backslashes, entities, and extraneous whitespace. |
1504 |
*/ |
1505 |
$contentTemp = $content; |
1506 |
sq_defang($contentTemp); |
1507 |
sq_unspace($contentTemp); |
1460 |
|
1508 |
|
1461 |
/** |
1509 |
/** |
1462 |
* Fix stupid css declarations which lead to vulnerabilities |
1510 |
* Fix stupid css declarations which lead to vulnerabilities |
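Review bot: The `break;` on new line 1497 follows the closing brace of the `switch`, so the `while` loop always exits after one pass and only the first `url(...)` declaration in `$content` is classified by scheme; any later declaration is left to whatever filtering follows, and the `\S+script:` replacement above the loop is now commented out. Simply deleting that `break;` would hang the request instead, because several branches can leave `$content` unchanged: the http/https branch does nothing when `$view_unsafe_images` is true, `$sExpr` requires a quoted URL while the loop pattern also accepts unquoted ones, and the cid replacement only matches when `$cidurl` reproduces the declaration exactly. Each branch should rewrite or remove exactly the text the loop matched (NUL-marked, as the other branches do) before the loop continues. In the cid branch `$cidurl` is message text interpolated into a pattern, so it should go through `preg_quote($cidurl, '|')`, and `$sProto*:` in `$sExpr` should read `$sProto:` because the `*` only repeats the last letter of the scheme. The enclosing function begins and ends outside this hunk.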
Lines 1467-1476
|
1467 |
'/binding/i', |
1515 |
'/binding/i', |
1468 |
'/include-source/i'); |
1516 |
'/include-source/i'); |
1469 |
$replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy'); |
1517 |
$replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy'); |
1470 |
$content = preg_replace($match, $replace, $content); |
1518 |
$contentNew = preg_replace($match, $replace, $contentTemp); |
|
|
1519 |
if ($contentNew !== $contentTemp) { |
1520 |
// insecure css declarations are used. From now on we don't care |
1521 |
// anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash |
1522 |
$content = $contentNew; |
1523 |
} |
1471 |
return array($content, $newpos); |
1524 |
return array($content, $newpos); |
1472 |
} |
1525 |
} |
1473 |
|
1526 |
|
|
|
1527 |
|
1474 |
/** |
1528 |
/** |
1475 |
* This function converts cid: url's into the ones that can be viewed in |
1529 |
* This function converts cid: url's into the ones that can be viewed in |
1476 |
* the browser. |
1530 |
* the browser. |
Lines 1492-1506
|
1492 |
$quotchar = ''; |
1546 |
$quotchar = ''; |
1493 |
} |
1547 |
} |
1494 |
$cidurl = substr(trim($cidurl), 4); |
1548 |
$cidurl = substr(trim($cidurl), 4); |
|
|
1549 |
|
1550 |
$match_str = '/\{.*?\}\//'; |
1551 |
$str_rep = ''; |
1552 |
$cidurl = preg_replace($match_str, $str_rep, $cidurl); |
1553 |
|
1495 |
$linkurl = find_ent_id($cidurl, $message); |
1554 |
$linkurl = find_ent_id($cidurl, $message); |
1496 |
/* in case of non-save cid links $httpurl should be replaced by a sort of |
1555 |
/* in case of non-save cid links $httpurl should be replaced by a sort of |
1497 |
unsave link image */ |
1556 |
unsave link image */ |
1498 |
$httpurl = ''; |
1557 |
$httpurl = ''; |
1499 |
if ($linkurl) { |
1558 |
|
|
|
1559 |
/** |
1560 |
* This is part of a fix for Outlook Express 6.x generating |
1561 |
* cid URLs without creating content-id headers. These images are |
1562 |
* not part of the multipart/related html mail. The html contains |
1563 |
* <img src="cid:{some_id}/image_filename.ext"> references to |
1564 |
* attached images with as goal to render them inline although |
1565 |
* the attachment disposition property is not inline. |
1566 |
*/ |
1567 |
|
1568 |
if (empty($linkurl)) { |
1569 |
if (preg_match('/{.*}\//', $cidurl)) { |
1570 |
$cidurl = preg_replace('/{.*}\//','', $cidurl); |
1571 |
if (!empty($cidurl)) { |
1572 |
$linkurl = find_ent_id($cidurl, $message); |
1573 |
} |
1574 |
} |
1575 |
} |
1576 |
|
1577 |
if (!empty($linkurl)) { |
1500 |
$httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&' . |
1578 |
$httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&' . |
1501 |
"passed_id=$id&mailbox=" . urlencode($mailbox) . |
1579 |
"passed_id=$id&mailbox=" . urlencode($mailbox) . |
1502 |
'&ent_id=' . $linkurl . $quotchar; |
1580 |
'&ent_id=' . $linkurl . $quotchar; |
|
|
1581 |
} else { |
1582 |
/** |
1583 |
* If we couldn't generate a proper img url, drop in a blank image |
1584 |
* instead of sending back empty, otherwise it causes unusual behaviour |
1585 |
*/ |
1586 |
$httpurl = $quotchar . SM_PATH . 'images/blank.png'; |
1503 |
} |
1587 |
} |
|
|
1588 |
|
1504 |
return $httpurl; |
1589 |
return $httpurl; |
1505 |
} |
1590 |
} |
1506 |
|
1591 |
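Review bot: The new `else` branch builds `$httpurl = $quotchar . SM_PATH . 'images/blank.png';` without the closing `$quotchar`, while the success branch just above wraps the URL in `$quotchar` on both sides, so a quoted reference that cannot be resolved comes back with an unbalanced quote in the attribute value; it should be `$httpurl = $quotchar . SM_PATH . 'images/blank.png' . $quotchar;`. The `{...}/` prefix is also already stripped by the unconditional `preg_replace($match_str, $str_rep, $cidurl)` before the first `find_ent_id()` call, so the later `if (empty($linkurl))` retry looks like dead code unless something outside this hunk reintroduces the braces. The start of the function is outside this hunk.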
|
Lines 1526-1533
|
1526 |
$attvalue = str_replace($quotchar, "", $attvalue); |
1611 |
$attvalue = str_replace($quotchar, "", $attvalue); |
1527 |
switch ($attname){ |
1612 |
switch ($attname){ |
1528 |
case 'background': |
1613 |
case 'background': |
1529 |
$attvalue = sq_cid2http($message, $id, |
1614 |
$attvalue = sq_cid2http($message, $id, $attvalue, $mailbox); |
1530 |
$attvalue, $mailbox); |
|
|
1531 |
$styledef .= "background-image: url('$attvalue'); "; |
1615 |
$styledef .= "background-image: url('$attvalue'); "; |
1532 |
break; |
1616 |
break; |
1533 |
case 'bgcolor': |
1617 |
case 'bgcolor': |
Lines 1754-1759
|
1754 |
"embed", |
1838 |
"embed", |
1755 |
"title", |
1839 |
"title", |
1756 |
"frameset", |
1840 |
"frameset", |
|
|
1841 |
"xmp", |
1757 |
"xml" |
1842 |
"xml" |
1758 |
); |
1843 |
); |
1759 |
|
1844 |
|
Lines 1761-1767
|
1761 |
"img", |
1846 |
"img", |
1762 |
"br", |
1847 |
"br", |
1763 |
"hr", |
1848 |
"hr", |
1764 |
"input" |
1849 |
"input", |
|
|
1850 |
"outbind" |
1765 |
); |
1851 |
); |
1766 |
|
1852 |
|
1767 |
$force_tag_closing = true; |
1853 |
$force_tag_closing = true; |
Lines 1816-1821
|
1816 |
"/binding/i", |
1902 |
"/binding/i", |
1817 |
"/behaviou*r/i", |
1903 |
"/behaviou*r/i", |
1818 |
"/include-source/i", |
1904 |
"/include-source/i", |
|
|
1905 |
"/position\s*:\s*absolute/i", |
1819 |
"/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si", |
1906 |
"/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si", |
1820 |
"/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si", |
1907 |
"/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si", |
1821 |
"/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si", |
1908 |
"/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si", |
Lines 1826-1831
|
1826 |
"idiocy", |
1913 |
"idiocy", |
1827 |
"idiocy", |
1914 |
"idiocy", |
1828 |
"idiocy", |
1915 |
"idiocy", |
|
|
1916 |
"", |
1829 |
"url(\\1#\\1)", |
1917 |
"url(\\1#\\1)", |
1830 |
"url(\\1#\\1)", |
1918 |
"url(\\1#\\1)", |
1831 |
"url(\\1#\\1)", |
1919 |
"url(\\1#\\1)", |