
squirrelmail-1.4.22-15.1.mga6.src.rpm

Index: class/deliver/Deliver.class.php
===================================================================
--- class/deliver/Deliver.class.php
+++ class/deliver/Deliver.class.php	2018-03-25 13:47:44.106079142 +0200
@@ -41,7 +41,7 @@
      *                               (when FALSE, nothing will be
      *                               written to the stream; this can
      *                               be used to determine the actual
-     *                               number of bytes that will be 
+     *                               number of bytes that will be
      *                               written to the stream)
      * @param string   $reply_id     Identifies message being replied to
      *                               (OPTIONAL; caller should ONLY specify
@@ -50,9 +50,9 @@
      * @param string   $reply_ent_id Identifies message being replied to
      *                               in the case it was an embedded/attached
      *                               message inside another (OPTIONAL; caller
-     *                               should ONLY specify a value for this 
+     *                               should ONLY specify a value for this
      *                               when the message being sent is a reply)
-     * @param resource $imap_stream  If there is an open IMAP stream in 
+     * @param resource $imap_stream  If there is an open IMAP stream in
      *                               the caller's context, it should be
      *                               passed in here.  This is OPTIONAL,
      *                               as one will be created if not given,
@@ -72,7 +72,7 @@
      *                 written) to the output stream.
      *
      */
-    function mail(&$message, $stream=false, $reply_id=0, $reply_ent_id=0, 
+    function mail(&$message, $stream=false, $reply_id=0, $reply_ent_id=0,
                   $imap_stream=NULL, $extra=NULL) {
 
         $rfc822_header = &$message->rfc822_header;
@@ -89,7 +89,7 @@
         // calculate reply header if needed
         //
         if ($reply_id) {
-            global $imapConnection, $username, $key, $imapServerAddress, 
+            global $imapConnection, $username, $key, $imapServerAddress,
                    $imapPort, $mailbox;
 
             // try our best to use an existing IMAP handle
@@ -105,7 +105,7 @@
                 $close_imap_stream = TRUE;
                 $my_imap_stream = sqimap_login($username, $key,
                                                $imapServerAddress, $imapPort, 0);
-            } 
+            }
 
             sqimap_mailbox_select($my_imap_stream, $mailbox);
             $reply_message = sqimap_get_message($my_imap_stream, $reply_id, $mailbox);
@@ -127,7 +127,7 @@
             } else {
                 $orig_header = $reply_message->rfc822_header;
             }
-            $message->reply_rfc822_header = $orig_header;            
+            $message->reply_rfc822_header = $orig_header;
         }
 
 
@@ -153,7 +153,7 @@
      *                               number of bytes that will be
      *                               written to the stream)
      * @param int     &$raw_length   The number of bytes written (or that
-     *                               would have been written) to the 
+     *                               would have been written) to the
      *                               output stream - NOTE that this is
      *                               passed by reference
      * @param mixed    $extra        Any implementation-specific variables
@@ -164,7 +164,7 @@
      * @return void
      *
      */
-    function send_mail($message, $header, $boundary, $stream=false, 
+    function send_mail($message, $header, $boundary, $stream=false,
                        &$raw_length, $extra=NULL) {
 
         if ($stream) {
@@ -185,7 +185,7 @@
      *                                (when FALSE, nothing will be
      *                                written to the stream; this can
      *                                be used to determine the actual
-     *                                number of bytes that will be 
+     *                                number of bytes that will be
      *                                written to the stream)
      * @param integer  &$length_raw   raw length of the message (part)
      *                                as returned by mail fn
@@ -248,7 +248,7 @@
      *                                (when FALSE, nothing will be
      *                                written to the stream; this can
      *                                be used to determine the actual
-     *                                number of bytes that will be 
+     *                                number of bytes that will be
      *                                written to the stream)
      * @param integer  &$length       length of the message part
      *                                as returned by mail fn
@@ -281,6 +281,11 @@
                 global $username, $attachment_dir;
                 $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
                 $filename = $message->att_local_name;
+               //CVE-2018-8741
+               if (strpos(realpath($hashed_attachment_dir . '/' . $filename),realpath($hashed_attachment_dir)) !== 0) {
+                 //don't add attachment and continue
+                 break;
+               }
 
                 // inspect attached file for lines longer than allowed by RFC,
                 // in which case we'll be using base64 encoding (so we can split
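Review bot: The containment test `strpos(realpath(...), realpath($hashed_attachment_dir)) !== 0` is a bare string-prefix comparison, so a resolved path in a sibling directory whose name merely starts with the attachment directory's name also passes. It also does not explicitly handle `realpath()` returning false for the directory itself. Resolve both paths once and compare against the base plus a separator: `$base = realpath($hashed_attachment_dir);`, `$real = realpath($hashed_attachment_dir . '/' . $filename);`, `if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {`. The rejection is silent, so logging the refused `att_local_name` with the username would make tampering attempts visible to operators. The same check is repeated in the hunk at -339,8, and the construct that `break` exits lies outside this hunk, so I am assuming it skips only this attachment, as the comment says.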
@@ -339,8 +344,13 @@
                 global $username, $attachment_dir;
                 $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
                 $filename = $message->att_local_name;
+               //CVE-2018-8741
+               if (strpos(realpath($hashed_attachment_dir . '/' . $filename),realpath($hashed_attachment_dir)) !== 0) {
+                 //don't add attachment and continue
+                 break;
+               }
                 $file = fopen ($hashed_attachment_dir . '/' . $filename, 'rb');
-                
+
                 while ($tmp = fread($file, 570)) {
                     $body_part = chunk_split(base64_encode($tmp));
                     // Up to 4.3.10 chunk_split always appends a newline,
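Review bot: The `fopen()` right after the new check still opens the unresolved `$hashed_attachment_dir . '/' . $filename`, so the path is resolved once for validation and again for opening, and the two can differ if a link changes in between. Keep the `realpath()` result in a variable and open that instead: `$file = fopen($real, 'rb');`. The result of `fopen()` is not tested before the `fread()` loop, so `if ($file === false) { break; }` would keep a failed open from reaching `fread()`. This block is a copy of the one added at -281,6; a small private helper that returns the validated path or false would keep the two in step. The enclosing function starts and ends outside this hunk.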
@@ -1131,7 +1141,7 @@
         $aReferences = preg_split('/\s+/', $hdr->references);
         $message_id = $hdr->message_id;
         $in_reply_to = $hdr->in_reply_to;
-	
+
         // if References already exists, add the current message ID at the end.
         // no References exists; if we know a IRT, add that aswell
         if (count($aReferences) == 0 && $in_reply_to) {