Get rid of vulnerable preg_replace eval and create_function (#1485686) + correctly handle base and link tags in html messages
parent
4f27148d40
commit
aa055c931a
@ -0,0 +1,116 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
+-----------------------------------------------------------------------+
|
||||
| program/include/rcube_string_replacer.php |
|
||||
| |
|
||||
| This file is part of the RoundCube Webmail client |
|
||||
| Copyright (C) 2009, RoundCube Dev. - Switzerland |
|
||||
| Licensed under the GNU GPL |
|
||||
| |
|
||||
| PURPOSE: |
|
||||
| Handle string replacements based on preg_replace_callback |
|
||||
| |
|
||||
+-----------------------------------------------------------------------+
|
||||
| Author: Thomas Bruederli <roundcube@gmail.com> |
|
||||
+-----------------------------------------------------------------------+
|
||||
|
||||
$Id: $
|
||||
|
||||
*/
|
||||
|
||||
|
||||
/**
|
||||
* Helper class for string replacements based on preg_replace_callback
|
||||
*
|
||||
* @package Core
|
||||
*/
|
||||
class rcube_string_replacer
|
||||
{
|
||||
public static $pattern = '/##str_replacement\[([0-9]+)\]##/';
|
||||
|
||||
private $values = array();
|
||||
|
||||
|
||||
/**
|
||||
* Add a string to the internal list
|
||||
*
|
||||
* @param string String value
|
||||
* @return int Index of value for retrieval
|
||||
*/
|
||||
public function add($str)
|
||||
{
|
||||
$i = count($this->values);
|
||||
$this->values[$i] = $str;
|
||||
return $i;
|
||||
}
|
||||
|
||||
/**
|
||||
* Build replacement string
|
||||
*/
|
||||
public function get_replacement($i)
|
||||
{
|
||||
return '##str_replacement['.$i.']##';
|
||||
}
|
||||
|
||||
/**
|
||||
* Callback function used to build HTML links around URL strings
|
||||
*
|
||||
* @param array Matches result from preg_replace_callback
|
||||
* @return int Index of saved string value
|
||||
*/
|
||||
public function link_callback($matches)
|
||||
{
|
||||
$i = -1;
|
||||
$scheme = strtolower($matches[1]);
|
||||
|
||||
if ($scheme == 'http' || $scheme == 'https' || $scheme == 'ftp') {
|
||||
$url = $matches[1] . '://' . $matches[2];
|
||||
$i = $this->add(html::a(array('href' => $url, 'target' => "_blank"), Q($url)));
|
||||
}
|
||||
else if ($matches[2] == 'www.') {
|
||||
$url = $matches[2] . $matches[3];
|
||||
$i = $this->add($matches[1] . html::a(array('href' => 'http://' . $url, 'target' => "_blank"), Q($url)));
|
||||
}
|
||||
|
||||
return $i >= 0 ? $this->get_replacement($i) : '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Callback function used to build mailto: links around e-mail strings
|
||||
*
|
||||
* @param array Matches result from preg_replace_callback
|
||||
* @return int Index of saved string value
|
||||
*/
|
||||
public function mailto_callback($matches)
|
||||
{
|
||||
$i = $this->add(html::a(array(
|
||||
'href' => 'mailto:' . $matches[1],
|
||||
'onclick' => "return ".JS_OBJECT_NAME.".command('compose','".JQ($matches[1])."',this)",
|
||||
),
|
||||
Q($matches[1])));
|
||||
|
||||
return $i >= 0 ? $this->get_replacement($i) : '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Look up the index from the preg_replace matches array
|
||||
* and return the substitution value.
|
||||
*
|
||||
* @param array Matches result from preg_replace_callback
|
||||
* @return string Value at index $matches[1]
|
||||
*/
|
||||
public function replace_callback($matches)
|
||||
{
|
||||
return $this->values[$matches[1]];
|
||||
}
|
||||
|
||||
/**
|
||||
* Replace substituted strings with original values
|
||||
*/
|
||||
public function resolve($str)
|
||||
{
|
||||
return preg_replace_callback(self::$pattern, array($this, 'replace_callback'), $str);
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in New Issue