From a020858d5aa4ff59444ad5da1fd770a7c7867dc6 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Mon, 20 Oct 2014 18:11:40 +0000
Subject: [PATCH] do not use full path of attachments in compose popup

---
 mail/inc/class.mail_compose.inc.php | 38 ++++++++++++++++++++---------
 mail/js/app.js | 8 +++---
 2 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/mail/inc/class.mail_compose.inc.php b/mail/inc/class.mail_compose.inc.php
index d376d3f415..f08c6eaeaf 100644
--- a/mail/inc/class.mail_compose.inc.php
+++ b/mail/inc/class.mail_compose.inc.php
@@ -1745,25 +1745,34 @@ class mail_compose
 function getAttachment()
 {
- if(isset($_GET['filename'])) $attachment['filename'] = $_GET['filename'];
 if(isset($_GET['tmpname'])) $attachment['tmp_name'] = $_GET['tmpname'];
 if(isset($_GET['name'])) $attachment['name'] = $_GET['name'];
 //if(isset($_GET['size'])) $attachment['size'] = $_GET['size'];
 if(isset($_GET['type'])) $attachment['type'] = $_GET['type'];
 //error_log(__METHOD__.__LINE__.array2string($_GET));
- if (isset($attachment['filename']) && parse_url($attachment['filename'],PHP_URL_SCHEME) == 'vfs')
+ if (isset($attachment['tmp_name']) && parse_url($attachment['tmp_name'],PHP_URL_SCHEME) == 'vfs')
 {
 egw_vfs::load_wrapper('vfs');
+ $attachment['attachment'] = file_get_contents($attachment['tmp_name']);
+ }
+ // attachment data in temp_dir, only use basename of given name, to not allow path traversal
+ elseif(!file_exists($tmp_path = $GLOBALS['egw_info']['server']['temp_dir'].SEP.basename($attachment['tmp_name'])))
+ {
+ header('HTTP/1.1 404 Not found');
+ die('Attachment '.htmlspecialchars($attachment['tmp_name']).' NOT found!');
+ }
+ else
+ {
+ $attachment['attachment'] = file_get_contents($tmp_path);
 }
- $attachment['attachment'] = file_get_contents($attachment['tmp_name']);
 //error_log(__METHOD__.__LINE__.' FileSize:'.filesize($attachment['tmp_name']));
 if ($_GET['mode'] != "save")
 {
 if (strtoupper($attachment['type']) == 'TEXT/DIRECTORY')
 {
 $sfxMimeType = $attachment['type'];
- $buff = explode('.',$attachment['filename']);
+ $buff = explode('.',$attachment['tmp_name']);
 $suffix = '';
 if (is_array($buff)) $suffix = array_pop($buff); // take the last extension to check with ext2mime
 if (!empty($suffix)) $sfxMimeType = mime_magic::ext2mime($suffix);
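Review bot: The new `elseif` evaluates `basename($attachment['tmp_name'])` even when `tmpname` was absent from the query (the key is only assigned under `isset($_GET['tmpname'])`), in which case `basename()` yields an empty string, `$tmp_path` collapses to `temp_dir.SEP`, `file_exists()` is true for that directory, and the `else` branch calls `file_get_contents()` on a directory instead of answering 404. The same gap covers `basename('..')`, which returns `..` rather than an empty string, so `is_file()` is the check that actually expresses "a regular file inside temp_dir": `elseif(empty($attachment['tmp_name']) || !is_file($tmp_path = $GLOBALS['egw_info']['server']['temp_dir'].SEP.basename($attachment['tmp_name'])))`, keeping the 404 body for that branch. Further down, the TEXT/DIRECTORY suffix detection now splits `tmp_name` instead of the removed `filename`; whether temp names keep the original extension is not visible here, so `$attachment['name']` may be the intended source. getAttachment() continues past the end of the hunk.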
@@ -1821,12 +1830,10 @@ class mail_compose
 }
 }
 //error_log(__METHOD__.__LINE__.'->'.array2string($attachment));
- $filename = ($attachment['name']?$attachment['name']:($attachment['filename']?$attachment['filename']:$mailbox.'_uid'.$uid.'_part'.$part));
- html::content_header($filename,$attachment['type'],0,True,($_GET['mode'] == "save"));
+ html::content_header($attachment['name'], $attachment['type'], 0, True, $_GET['mode'] == "save");
 echo $attachment['attachment'];
- $GLOBALS['egw']->common->egw_exit();
- exit;
+ common::egw_exit();
 }
 /**
@@ -2284,22 +2291,29 @@ class mail_compose
 break;
 }
- } else {
+ }
+ else
+ {
 if (isset($attachment['file']) && parse_url($attachment['file'],PHP_URL_SCHEME) == 'vfs')
 {
 egw_vfs::load_wrapper('vfs');
+ $tmp_path = $attachment['file'];
+ }
+ else // non-vfs file has to be in temp_dir
+ {
+ $tmp_path = $GLOBALS['egw_info']['server']['temp_dir'].SEP.basename($attachment['file']);
 }
 if (isset($attachment['type']) && stripos($attachment['type'],"text/calendar; method=")!==false )
 {
- $_mailObject->AltExtended = file_get_contents($attachment['file']);
+ $_mailObject->AltExtended = file_get_contents($tmp_path);
 $_mailObject->AltExtendedContentType = $attachment['type'];
 }
 else
 {
 $_mailObject->AddAttachment (
- $attachment['file'],
+ $tmp_path,
 $_mailObject->EncodeHeader($attachment['name']),
- (strtoupper($attachment['type'])=='MESSAGE/RFC822'?'7bit':'base64'),
+ strtoupper($attachment['type'])=='MESSAGE/RFC822' ? '7bit' : 'base64',
 $attachment['type']
 );
 }
diff --git a/mail/js/app.js b/mail/js/app.js
index db392f1259..dd6d207df6 100644
--- a/mail/js/app.js
+++ b/mail/js/app.js
@@ -2346,7 +2346,6 @@ app.classes.mail = AppJS.extend(
 case 'TEXT/CALENDAR':
 case 'TEXT/X-VCALENDAR':
 url += 'menuaction=mail.mail_compose.getAttachment'; // todo compose for Draft folder
- url += '&filename='+attgrid.file;
 url += '&tmpname='+attgrid.tmp_name;
 url += '&name='+attgrid.name;
 //url += '&size='+attgrid.size;
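Review bot: `html::content_header($attachment['name'], ...)` now passes `name` straight through, but `name` is only assigned when `$_GET['name']` is present and the `$mailbox.'_uid'.$uid.'_part'.$part` fallback disappeared together with the removed `$filename` line, so a request without `name` reads an undefined index and sends an empty download filename. A small guard keeps the old behaviour for that case: `$filename = empty($attachment['name']) ? basename($attachment['tmp_name']) : $attachment['name'];` followed by `html::content_header($filename, $attachment['type'], 0, True, $_GET['mode'] == "save");`. The start of getAttachment() lies in the previous hunk.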
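Review bot: In the new non-vfs branch `$tmp_path` is built from `temp_dir.SEP.basename($attachment['file'])` with no existence check, unlike getAttachment() in the same commit, so a stale or mistyped `file` entry reaches `AddAttachment()` unverified and `file_get_contents($tmp_path)` in the calendar case silently yields `false`, producing a mail with an empty or missing attachment. A check such as `if (!is_file($tmp_path)) { error_log(__METHOD__."() attachment $tmp_path not found"); }` before either use, with whatever skip-or-abort the enclosing loop supports, would surface the problem instead of hiding it. The enclosing method, and the loop this `else` belongs to, start and end outside the hunk, so the right recovery action cannot be determined from here.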
@@ -2391,7 +2390,6 @@ app.classes.mail = AppJS.extend(
 */
 default:
 url += 'menuaction=mail.mail_compose.getAttachment'; // todo compose for Draft folder
- url += '&filename='+attgrid.file;
 url += '&tmpname='+attgrid.tmp_name;
 url += '&name='+attgrid.name;
 //url += '&size='+attgrid.size;
@@ -2855,10 +2853,10 @@ app.classes.mail = AppJS.extend(
 messages['all'] = _allMessagesChecked;
 if (messages['all']=='cancel') return false;
 if (messages['all']) messages['activeFilters'] = this.mail_getActiveFilters(_action);
-
- // Make sure a default target folder is set in case of drop target is parent 0 (mail account name)
+
+ // Make sure a default target folder is set in case of drop target is parent 0 (mail account name)
 if (!target.match(/::/g)) target += '::INBOX';
-
+
 var self = this;
 egw.json('mail.mail_ui.ajax_copyMessages',[target, messages, 'move'], function(){self.unlock_tree();})
 .sendRequest();