filesystem_attachments.php
8.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
<?php
/**
* Filesystem Attachments
*
* This is a core plugin which provides basic, filesystem based
* attachment temporary file handling. This includes storing
* attachments of messages currently being composed, writing attachments
* to disk when drafts with attachments are re-opened and writing
* attachments to disk for inline display in current html compositions.
* It also handles uploaded files for other uses, so not only attachments.
*
* Developers may wish to extend this class when creating attachment
* handler plugins:
* require_once('plugins/filesystem_attachments/filesystem_attachments.php');
* class myCustom_attachments extends filesystem_attachments
*
* Note for developers: It is plugin's responsibility to care about security.
* So, e.g. if the plugin is asked about some file path it should check
* if it's really the storage path of the plugin and not e.g. /etc/passwd.
* It is done by setting 'status' flag on every plugin hook it uses.
* Roundcube core will trust the returned path if status=true.
*
* @license GNU GPLv3+
* @author Ziba Scott <ziba@umich.edu>
* @author Thomas Bruederli <roundcube@gmail.com>
*/
class filesystem_attachments extends rcube_plugin
{
public $task = '?(?!login).*';
public $initialized = false;
function init()
{
// Find filesystem_attachments-based plugins, we can use only one
foreach ($this->api->loaded_plugins() as $plugin_name) {
$plugin = $this->api->get_plugin($plugin_name);
if (($plugin instanceof filesystem_attachments) && $plugin->initialized) {
rcube::raise_error([
'file' => __FILE__, 'line' => __LINE__,
'message' => "Can use only one plugin for attachments/file uploads! Using '$plugin_name', ignoring others.",
], true, false
);
return;
}
}
$this->initialized = true;
// Save a newly uploaded attachment
$this->add_hook('attachment_upload', [$this, 'upload']);
// Save an attachment from a non-upload source (draft or forward)
$this->add_hook('attachment_save', [$this, 'save']);
// Remove an attachment from storage
$this->add_hook('attachment_delete', [$this, 'remove']);
// When composing an html message, image attachments may be shown
$this->add_hook('attachment_display', [$this, 'display']);
// Get the attachment from storage and place it on disk to be sent
$this->add_hook('attachment_get', [$this, 'get']);
// Delete all temp files associated with this user
$this->add_hook('attachments_cleanup', [$this, 'cleanup']);
$this->add_hook('session_destroy', [$this, 'cleanup']);
}
/**
* Save a newly uploaded attachment
*/
function upload($args)
{
$args['status'] = false;
$group = $args['group'];
// use common temp dir for file uploads
$tmpfname = rcube_utils::temp_filename('attmnt');
if (move_uploaded_file($args['path'], $tmpfname) && file_exists($tmpfname)) {
$args['id'] = $this->file_id();
$args['path'] = $tmpfname;
$args['status'] = true;
@chmod($tmpfname, 0600); // set correct permissions (#1488996)
// Note the file for later cleanup
$_SESSION['plugins']['filesystem_attachments'][$group][$args['id']] = $tmpfname;
}
return $args;
}
/**
* Save an attachment from a non-upload source (draft or forward)
*/
function save($args)
{
$group = $args['group'];
$args['status'] = false;
if (empty($args['path'])) {
$tmp_path = rcube_utils::temp_filename('attmnt');
if ($fp = fopen($tmp_path, 'w')) {
fwrite($fp, $args['data']);
fclose($fp);
$args['path'] = $tmp_path;
}
else {
return $args;
}
}
$args['id'] = $this->file_id();
$args['status'] = true;
// Note the file for later cleanup
$_SESSION['plugins']['filesystem_attachments'][$group][$args['id']] = $args['path'];
return $args;
}
/**
* Remove an attachment from storage
* This is triggered by the remove attachment button on the compose screen
*/
function remove($args)
{
$args['status'] = $this->verify_path($args['path']) && @unlink($args['path']);
return $args;
}
/**
* When composing an html message, image attachments may be shown
* For this plugin, the file is already in place, just check for
* the existence of the proper metadata
*/
function display($args)
{
$args['status'] = $this->verify_path($args['path']) && file_exists($args['path']);
return $args;
}
/**
* This attachment plugin doesn't require any steps to put the file
* on disk for use. This stub function is kept here to make this
* class handy as a parent class for other plugins which may need it.
*/
function get($args)
{
if (!$this->verify_path($args['path'])) {
$args['path'] = null;
}
return $args;
}
/**
* Delete all temp files associated with this user
*/
function cleanup($args)
{
// $_SESSION['compose']['attachments'] is not a complete record of
// temporary files because loading a draft or starting a forward copies
// the file to disk, but does not make an entry in that array
if (!empty($_SESSION['plugins']['filesystem_attachments'])) {
foreach ($_SESSION['plugins']['filesystem_attachments'] as $group => $files) {
if (!empty($args['group']) && $args['group'] != $group) {
continue;
}
foreach ((array) $files as $filename) {
if (file_exists($filename)) {
unlink($filename);
}
}
unset($_SESSION['plugins']['filesystem_attachments'][$group]);
}
}
return $args;
}
protected static function file_id()
{
$userid = rcube::get_instance()->user->ID;
list($usec, $sec) = explode(' ', microtime());
$id = preg_replace('/[^0-9]/', '', $userid . $sec . $usec);
// make sure the ID is really unique (#1489546)
while (self::find_file_by_id($id)) {
// increment last four characters
$x = substr($id, -4) + 1;
$id = substr($id, 0, -4) . sprintf('%04d', ($x > 9999 ? $x - 9999 : $x));
}
return $id;
}
private static function find_file_by_id($id)
{
if (!empty($_SESSION['plugins']['filesystem_attachments'])) {
foreach ((array) $_SESSION['plugins']['filesystem_attachments'] as $files) {
if (isset($files[$id])) {
return true;
}
}
}
}
/**
* For security we'll always verify the file path stored in session,
* as session entries can be faked in various ways e.g. #6026.
* We allow only files in Roundcube temp dir
*/
protected static function verify_path($path)
{
if (empty($path)) {
return false;
}
$rcmail = rcube::get_instance();
$temp_dir = $rcmail->config->get('temp_dir');
$file_path = pathinfo($path, PATHINFO_DIRNAME);
if ($temp_dir !== $file_path) {
// When the configured directory is not writable, or out of open_basedir path
// tempnam() fallbacks to system temp without a warning.
// We allow that, but we'll let to know the user about the misconfiguration.
if ($file_path == sys_get_temp_dir()) {
rcube::raise_error([
'file' => __FILE__,
'line' => __LINE__,
'message' => "Detected 'temp_dir' change. "
. "Access to '$temp_dir' restricted by filesystem permissions or open_basedir",
], true, false
);
return true;
}
rcube::raise_error([
'file' => __FILE__,
'line' => __LINE__,
'message' => sprintf("%s can't read %s (not in temp_dir)",
$rcmail->get_user_name(), substr($path, 0, 512))
], true, false
);
return false;
}
return true;
}
}