Mailbox name not quoted when used in URL - patch available

[Emil Wojak]

Whenever a mailbox's name has some non-ASCII characters encoded in UTF-7, it then contains an ampersand, which should be encoded each time it's used in URL. There are some variables both in PHP and JS code, that are used literally, which causes some failures when dealing with such mailboxes.

In particular, you can't fetch attachments.

So here's the resolution:

Index: program/js/app.js
===================================================================
--- program/js/app.js   (wersja 536)
+++ program/js/app.js   (kopia robocza)
@@ -668,7 +668,7 @@
         break;

       case 'load-attachment':
-        var qstring = '_mbox='+this.env.mailbox+'&_uid='+this.env.uid+'&_part='+props.part;
+        var qstring = '_mbox='+urlencode(this.env.mailbox)+'&_uid='+this.env.uid+'&_part='+props.part;

         // open attachment in frame if it's of a supported mimetype
         if (this.env.uid && props.mimetype && find_in_array(props.mimetype, this.mimetypes)>=0)
@@ -1948,7 +1948,7 @@
       {
       this.message_list.clear();
       this.set_busy(true, 'searching');
-      this.http_request('search', '_search='+value+'&_mbox='+mbox, true);
+      this.http_request('search', '_search='+value+'&_mbox='+urlencode(mbox), true);
       }
     return true;
     };
Index: program/steps/mail/func.inc
===================================================================
--- program/steps/mail/func.inc (wersja 536)
+++ program/steps/mail/func.inc (kopia robocza)
@@ -59,7 +59,7 @@

 // define url for getting message parts
 if (strlen($_GET['_uid']))
-  $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, $IMAP->get_mailbox_name(), get_input_value('_uid', RCUBE_INPUT_GET));
+  $GET_URL = sprintf('%s&_action=get&_mbox=%s&_uid=%d', $COMM_PATH, urlencode($IMAP->get_mailbox_name()), get_input_value('_uid', RCUBE_INPUT_GET));


 // set current mailbox in client environment

[Emil Wojak]

Solution

[seansan]

review in 0.1.1 - patch available

[lancey]

E-mail with attachments, open from a folder with an & and non-ASCII chars in it

[lancey]

I can't replicate the problem with SVN v1107. Indeed, there are places where we don't URLencode the this.env.mailbox variable, so it's possible that problems appear. Patch added. (Seems like the second change to app.js was already done in SVN)

[lancey]

Patch against current SVN (v1107)

[memoryhole]

Replying to lancey:

I can't replicate the problem with SVN v1107. Indeed, there are places where we don't URLencode the this.env.mailbox variable, so it's possible that problems appear. Patch added. (Seems like the second change to app.js was already done in SVN)

Agreed that there are lots of potential problems here. You left out one other instance where mbox needs to be urlencode'd---around line 2035 or so of program/js/app.js, the line that looks like this:

  this.http_request('search', '_q='+urlencode(value)+(this.env.mailbox ? '&_mbox='+this.env.mailbox : '')+(this.env.source ? urlencode(this.env.source) : ''), true);

...should look like this:

  this.http_request('search', '_q='+urlencode(value)+(this.env.mailbox ? '&_mbox='+urlencode(this.env.mailbox) : '')+(this.env.source ? urlencode(this.env.source) : ''), true);

[thomasb]

Committed in r1189