Index: class/deliver/Deliver.class.php
===================================================================
--- class/deliver/Deliver.class.php
+++ class/deliver/Deliver.class.php 2018-03-25 13:47:44.106079142 +0200
@@ -41,7 +41,7 @@
 * (when FALSE, nothing will be
 * written to the stream; this can
 * be used to determine the actual
- * number of bytes that will be
+ * number of bytes that will be
 * written to the stream)
 * @param string $reply_id Identifies message being replied to
 * (OPTIONAL; caller should ONLY specify
@@ -50,9 +50,9 @@
 * @param string $reply_ent_id Identifies message being replied to
 * in the case it was an embedded/attached
 * message inside another (OPTIONAL; caller
- * should ONLY specify a value for this
+ * should ONLY specify a value for this
 * when the message being sent is a reply)
- * @param resource $imap_stream If there is an open IMAP stream in
+ * @param resource $imap_stream If there is an open IMAP stream in
 * the caller's context, it should be
 * passed in here. This is OPTIONAL,
 * as one will be created if not given,
@@ -72,7 +72,7 @@
 * written) to the output stream.
 *
 */
- function mail(&$message, $stream=false, $reply_id=0, $reply_ent_id=0,
+ function mail(&$message, $stream=false, $reply_id=0, $reply_ent_id=0,
 $imap_stream=NULL, $extra=NULL) {
 $rfc822_header = &$message->rfc822_header;
@@ -89,7 +89,7 @@
 // calculate reply header if needed
 //
 if ($reply_id) {
- global $imapConnection, $username, $key, $imapServerAddress,
+ global $imapConnection, $username, $key, $imapServerAddress,
 $imapPort, $mailbox;
 // try our best to use an existing IMAP handle
@@ -105,7 +105,7 @@
 $close_imap_stream = TRUE;
 $my_imap_stream = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0);
- }
+ }
 sqimap_mailbox_select($my_imap_stream, $mailbox);
 $reply_message = sqimap_get_message($my_imap_stream, $reply_id, $mailbox);
@@ -127,7 +127,7 @@
 } else {
 $orig_header = $reply_message->rfc822_header;
 }
- $message->reply_rfc822_header = $orig_header;
+ $message->reply_rfc822_header = $orig_header;
 }
@@ -153,7 +153,7 @@
 * number of bytes that will be
 * written to the stream)
 * @param int &$raw_length The number of bytes written (or that
- * would have been written) to the
+ * would have been written) to the
 * output stream - NOTE that this is
 * passed by reference
 * @param mixed $extra Any implementation-specific variables
@@ -164,7 +164,7 @@
 * @return void
 *
 */
- function send_mail($message, $header, $boundary, $stream=false,
+ function send_mail($message, $header, $boundary, $stream=false,
 &$raw_length, $extra=NULL) {
 if ($stream) {
@@ -185,7 +185,7 @@
 * (when FALSE, nothing will be
 * written to the stream; this can
 * be used to determine the actual
- * number of bytes that will be
+ * number of bytes that will be
 * written to the stream)
 * @param integer &$length_raw raw length of the message (part)
 * as returned by mail fn
@@ -248,7 +248,7 @@
 * (when FALSE, nothing will be
 * written to the stream; this can
 * be used to determine the actual
- * number of bytes that will be
+ * number of bytes that will be
 * written to the stream)
 * @param integer &$length length of the message part
 * as returned by mail fn
@@ -281,6 +281,11 @@
 global $username, $attachment_dir;
 $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
 $filename = $message->att_local_name;
+ //CVE-2018-8741
+ if (strpos(realpath($hashed_attachment_dir . '/' . $filename),realpath($hashed_attachment_dir)) !== 0) {
+ //don't add attachment and continue
+ break;
+ }
 // inspect attached file for lines longer than allowed by RFC,
 // in which case we'll be using base64 encoding (so we can split
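Review bot: The containment check added in the `@@ -281,6 +281,11 @@` hunk compares path prefixes without a trailing directory separator, so a resolved path that merely begins with the attachment directory's name (a sibling directory whose name extends it) would also satisfy `strpos(...) !== 0`; the identical check in the `@@ -339,8 +344,13 @@` hunk has the same gap. Resolving the base directory once and appending the separator closes it: `$real_dir = realpath($hashed_attachment_dir);` followed by `if ($real_dir === FALSE || strpos(realpath($hashed_attachment_dir . '/' . $filename), $real_dir . '/') !== 0) {`. Because the two blocks are copies, a small private helper on this class would keep them from drifting apart, and an `error_log()` of the rejected `$filename` before the `break` would make rejected attachment names visible in server logs instead of failing silently. The enclosing function starts outside the hunk and the construct the `break` leaves is not visible, so whether it skips only this attachment or aborts the remaining parts should be confirmed against the full method.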
@@ -339,8 +344,13 @@
 global $username, $attachment_dir;
 $hashed_attachment_dir = getHashedDir($username, $attachment_dir);
 $filename = $message->att_local_name;
+ //CVE-2018-8741
+ if (strpos(realpath($hashed_attachment_dir . '/' . $filename),realpath($hashed_attachment_dir)) !== 0) {
+ //don't add attachment and continue
+ break;
+ }
 $file = fopen ($hashed_attachment_dir . '/' . $filename, 'rb');
-
+
 while ($tmp = fread($file, 570)) {
 $body_part = chunk_split(base64_encode($tmp));
 // Up to 4.3.10 chunk_split always appends a newline,
@@ -1131,7 +1141,7 @@
 $aReferences = preg_split('/\s+/', $hdr->references);
 $message_id = $hdr->message_id;
 $in_reply_to = $hdr->in_reply_to;
-
+
 // if References already exists, add the current message ID at the end.
 // no References exists; if we know a IRT, add that aswell
 if (count($aReferences) == 0 && $in_reply_to) {