Opened 6 years ago
Closed 5 years ago
#1484313 closed Feature Patches (fixed)
Mailbox name not quoted when used in URL - patch available
| Reported by: | Emil Wojak | Owned by: | thomasb |
|---|---|---|---|
| Priority: | 2 | Milestone: | 0.1.1 |
| Component: | Core functionality | Version: | git-master |
| Severity: | major | Keywords: | |
| Cc: | | | |
Description
Whenever a mailbox's name has some non-ASCII characters encoded in UTF-7, it then
contains an ampersand, which should be encoded each time it's used in a URL.
There are some variables in both the PHP and JS code that are used literally,
which causes some failures when dealing with such mailboxes.
In particular, you can't fetch attachments.
So here's the resolution:
Index: program/js/app.js
===================================================================
--- program/js/app.js (wersja 536)
+++ program/js/app.js (kopia robocza)
@@ -668,7 +668,7 @@
break;
case 'load-attachment':
- var qstring = '_mbox='+this.env.mailbox+'&_uid='+this.env.uid+'&_part='+props.part;
+ var qstring = '_mbox='+urlencode(this.env.mailbox)+'&_uid='+this.env.uid+'&_part='+props.part;
// open attachment in frame if it's of a supported mimetype
if (this.env.uid && props.mimetype && find_in_array(props.mimetype, this.mimetypes)>=0)
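Review bot: In the 'load-attachment' qstring, props.part and this.env.uid are still concatenated raw while only the mailbox goes through urlencode(). Encoding every value keeps the line consistent, for example '&_part='+urlencode(props.part). It is also worth confirming that urlencode() escapes '+' as well as '&', because a literal '+' in a folder name is decoded as a space when it arrives in a query string.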
@@ -1948,7 +1948,7 @@
{
this.message_list.clear();
this.set_busy(true, 'searching');
- this.http_request('search', '_search='+value+'&_mbox='+mbox, true);
+ this.http_request('search', '_search='+value+'&_mbox='+urlencode(mbox), true);
}
return true;
};
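Review bot: On the http_request('search', ...) line, value is still sent as '_search='+value without encoding, so a search term containing '&', '+' or '%' breaks the request the same way the mailbox name did. Suggest '_search='+urlencode(value)+'&_mbox='+urlencode(mbox).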
Index: program/steps/mail/func.inc
===================================================================
--- program/steps/mail/func.inc (wersja 536)
+++ program/steps/mail/func.inc (kopia robocza)
@@ -59,7 +59,7 @@
// define url for getting message parts
if (strlen($_GET['_uid']))
- $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), get_input_value('_uid', RCUBE_INPUT_GET));
+ $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, urlencode($IMAP->get_mailbox_name()), get_input_value('_uid', RCUBE_INPUT_GET));
// set current mailbox in client environment
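Review bot: The guard above the $GET_URL assignment reads $_GET['_uid'] directly while the sprintf() argument goes through get_input_value('_uid', RCUBE_INPUT_GET); using the same accessor in both places would be more consistent. Since the mailbox is now percent-encoded inside $GET_URL, the "define url for getting message parts" comment could say so, so that code which appends to or re-emits this URL does not encode the mailbox a second time.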
Attachments (3)
Change History (9)
comment:1 Changed 6 years ago by Saiph
- Priority changed from 8 to 2
Changed 6 years ago by Emil Wojak
comment:2 Changed 5 years ago by seansan
- Milestone set to 0.1.1
- Summary changed from Mailbox name not quoted when used in URL to Mailbox name not quoted when used in URL - patch available
review in 0.1.1 - patch available
Changed 5 years ago by lancey
E-mail with attachments, open from a folder with an & and non-ASCII chars in it
comment:3 follow-up: ↓ 4 Changed 5 years ago by lancey
I can't replicate the problem with SVN v1107. Indeed, there are places where we don't URLencode the this.env.mailbox variable, so it's possible that problems appear. Patch added. (Seems like the second change to app.js was already done in SVN)
comment:4 in reply to: ↑ 3 Changed 5 years ago by memoryhole
Replying to lancey:
I can't replicate the problem with SVN v1107. Indeed, there are places where we don't URLencode the this.env.mailbox variable, so it's possible that problems appear. Patch added. (Seems like the second change to app.js was already done in SVN)
Agreed that there are lots of potential problems here. You left out one other instance where mbox needs to be urlencode'd---around line 2035 or so of program/js/app.js, the line that looks like this:
this.http_request('search', '_q='+urlencode(value)+(this.env.mailbox ? '&_mbox='+this.env.mailbox : '')+(this.env.source ? urlencode(this.env.source) : ''), true);
...should look like this:
this.http_request('search', '_q='+urlencode(value)+(this.env.mailbox ? '&_mbox='+urlencode(this.env.mailbox) : '')+(this.env.source ? urlencode(this.env.source) : ''), true);
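The failure discussed in this ticket, as an added example that is not part of the original thread or of Roundcube's code: it builds the attachment query string both ways and shows what a query-string decoder receives. The function names and sample mailbox names are constructed for illustration, `encodeURIComponent` stands in for the `urlencode()` helper whose body is not shown on the page, and `URLSearchParams` stands in for the server-side decoder.

```javascript
// Constructed sample mailbox names in IMAP modified UTF-7:
// "Entwürfe", a literal "R&D", and a folder with a literal plus sign.
const SAMPLE_MAILBOXES = ['Entw&APw-rfe', 'R&-D', 'Work+Home'];
const EXPECTED_KEYS = ['_mbox', '_uid', '_part'];

// Literal concatenation, as in the pre-patch 'load-attachment' line.
function buildRaw(mbox, uid, part) {
  return '_mbox=' + mbox + '&_uid=' + uid + '&_part=' + part;
}

// Every value is percent-encoded before it is placed in the query string.
function buildEncoded(mbox, uid, part) {
  return [['_mbox', mbox], ['_uid', uid], ['_part', part]]
    .map(([key, value]) => key + '=' + encodeURIComponent(String(value)))
    .join('&');
}

// What the receiving side sees after decoding the query string.
function parseQuery(qs) {
  return Object.fromEntries(new URLSearchParams(qs));
}

// For each sample mailbox, report whether the name survived the round trip
// and which unexpected parameters appeared on the receiving side.
function audit(builder) {
  return SAMPLE_MAILBOXES.map((mbox) => {
    const seen = parseQuery(builder(mbox, 42, '2'));
    return {
      mbox,
      received: seen._mbox,
      intact: seen._mbox === mbox,
      extra: Object.keys(seen).filter((k) => !EXPECTED_KEYS.includes(k)),
    };
  });
}

for (const [label, builder] of [['raw', buildRaw], ['encoded', buildEncoded]]) {
  for (const row of audit(builder)) {
    console.log(label.padEnd(8), JSON.stringify(row));
  }
}
```

The raw builder truncates the name at the ampersand and turns the remainder into a stray parameter; the plus-sign case fails silently because the name arrives with a space instead.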
comment:5 Changed 5 years ago by thomasb
- Owner set to thomasb
comment:6 Changed 5 years ago by thomasb
- Resolution set to fixed
- Status changed from new to closed
Committed in [c5418bd8]
