Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php /* +-----------------------------------------------------------------------+ | Th..

Decoded Output download

<?php

/*
 +-----------------------------------------------------------------------+
 | This file is part of the Roundcube Webmail client                     |
 |                                                                       |
 | Copyright (C) The Roundcube Dev Team                                  |
 |                                                                       |
 | Licensed under the GNU General Public License version 3 or            |
 | any later version with exceptions for skins & plugins.                |
 | See the README file for a full license statement.                     |
 |                                                                       |
 | PURPOSE:                                                              |
 |   Attachment uploads handler for the compose form                     |
 +-----------------------------------------------------------------------+
 | Author: Thomas Bruederli <[email protected]>                        |
 +-----------------------------------------------------------------------+
*/

class rcmail_action_mail_attachment_upload extends rcmail_action_mail_index
{
    // only process ajax requests
    protected static $mode = self::MODE_AJAX;

    protected static $SESSION_KEY;
    protected static $COMPOSE;
    protected static $COMPOSE_ID;
    protected static $file_id;

    /**
     * Request handler.
     *
     * @param array $args Arguments from the previous step(s)
     */
    #[Override]
    public function run($args = [])
    {
        $rcmail = rcmail::get_instance();

        self::init();

        // clear all stored output properties (like scripts and env vars)
        $rcmail->output->reset();

        $uploadid = rcube_utils::get_input_string('_uploadid', rcube_utils::INPUT_GPC);
        $uri = rcube_utils::get_input_string('_uri', rcube_utils::INPUT_POST);

        // handle dropping a reference to an attachment part of some message
        if ($uri) {
            $attachment = null;

            $url = parse_url($uri);

            if (!empty($url['query'])) {
                parse_str($url['query'], $params);
            }

            if (
                !empty($params) && isset($params['_mbox']) && strlen($params['_mbox'])
                && !empty($params['_uid']) && !empty($params['_part'])
            ) {
                // @TODO: at some point we might support drag-n-drop between
                // two different accounts on the same server, for now make sure
                // this is the same server and the same user
                [$host, $port] = rcube_utils::explode(':', $_SERVER['HTTP_HOST']);

                if (
                    $host == $url['host']
                    && $port == ($url['port'] ?? null)
                    && $rcmail->get_user_name() == rawurldecode($url['user'])
                ) {
                    $message = new rcube_message($params['_uid'], $params['_mbox']);

                    if (!empty($message->headers)) {
                        $attachment = rcmail_action_mail_compose::save_attachment($message, $params['_part'], self::$COMPOSE_ID);
                    }
                }
            }

            $plugin = $rcmail->plugins->exec_hook('attachment_from_uri', [
                'attachment' => $attachment,
                'uri' => $uri,
                'compose_id' => self::$COMPOSE_ID,
            ]);

            if ($plugin['attachment']) {
                self::attachment_success($plugin['attachment'], $uploadid);
            } else {
                $rcmail->output->command('display_message', $rcmail->gettext('filelinkerror'), 'error');
                $rcmail->output->command('remove_from_attachment_list', $uploadid);
            }

            $rcmail->output->send();
        }

        // handle file(s) upload
        if (isset($_FILES['_attachments']['tmp_name']) && is_array($_FILES['_attachments']['tmp_name'])) {
            $errors = [];

            foreach ($_FILES['_attachments']['tmp_name'] as $i => $filepath) {
                // Process uploaded attachment if there is no error
                $err = $_FILES['_attachments']['error'][$i];
                $inserted = false;
                $attachment = null;

                if (!$err) {
                    $filename = $_FILES['_attachments']['name'][$i];
                    $filesize = $_FILES['_attachments']['size'][$i];
                    $filetype = rcube_mime::file_content_type($filepath, $filename, $_FILES['_attachments']['type'][$i]);

                    if ($err = self::check_message_size($filesize, $filetype)) {
                        if (!in_array($err, $errors)) {
                            $rcmail->output->command('display_message', $err, 'error');
                            $rcmail->output->command('remove_from_attachment_list', $uploadid);
                            $errors[] = $err;
                        }

                        continue;
                    }

                    $attachment = [
                        'path' => $filepath,
                        'name' => $filename,
                        'size' => $filesize,
                        'mimetype' => $filetype,
                        'group' => self::$COMPOSE_ID,
                    ];

                    $inserted = $rcmail->insert_uploaded_file($attachment);
                }

                if (!$err && $inserted) {
                    self::attachment_success($attachment, $uploadid);
                } else {  // upload failed
                    if ($err == \UPLOAD_ERR_INI_SIZE || $err == \UPLOAD_ERR_FORM_SIZE) {
                        $size = self::show_bytes(rcube_utils::max_upload_size());
                        $msg = $rcmail->gettext(['name' => 'filesizeerror', 'vars' => ['size' => $size]]);
                    } elseif (!empty($attachment['error'])) {
                        $msg = $attachment['error'];
                    } else {
                        $msg = $rcmail->gettext('fileuploaderror');
                    }

                    if (!empty($attachment['error']) || $err != \UPLOAD_ERR_NO_FILE) {
                        if (!in_array($msg, $errors)) {
                            $rcmail->output->command('display_message', $msg, 'error');
                            $rcmail->output->command('remove_from_attachment_list', $uploadid);
                            $errors[] = $msg;
                        }
                    }
                }
            }
        } elseif (self::upload_failure()) {
            $rcmail->output->command('remove_from_attachment_list', $uploadid);
        }

        // send html page with JS calls as response
        $rcmail->output->command('auto_save_start', false);
        $rcmail->output->send('iframe');
    }

    public static function init()
    {
        self::$COMPOSE_ID = rcube_utils::get_input_string('_id', rcube_utils::INPUT_GPC);
        self::$COMPOSE = null;
        self::$SESSION_KEY = 'compose_data_' . self::$COMPOSE_ID;

        if (self::$COMPOSE_ID && !empty($_SESSION[self::$SESSION_KEY])) {
            self::$COMPOSE = &$_SESSION[self::$SESSION_KEY];
        }

        if (!self::$COMPOSE) {
            exit('Invalid session var!');
        }

        self::$file_id = rcube_utils::get_input_string('_file', rcube_utils::INPUT_GPC);
        self::$file_id = preg_replace('/^rcmfile/', '', self::$file_id) ?: 'unknown';
    }

    public static function attachment_success($attachment, $uploadid)
    {
        $rcmail = rcmail::get_instance();
        $id = $attachment['id'];

        if (!empty(self::$COMPOSE['deleteicon']) && is_file(self::$COMPOSE['deleteicon'])) {
            $button = html::img([
                'src' => self::$COMPOSE['deleteicon'],
                'alt' => $rcmail->gettext('delete'),
            ]);
        } elseif (!empty(self::$COMPOSE['textbuttons'])) {
            $button = rcube::Q($rcmail->gettext('delete'));
        } else {
            $button = '';
        }

        $link_content = sprintf(
            '<span class="attachment-name">%s</span><span class="attachment-size">(%s)</span>',
            rcube::Q($attachment['name']), self::show_bytes($attachment['size'])
        );

        $content_link = html::a([
            'href' => '#load',
            'class' => 'filename',
            'onclick' => sprintf(
                "return %s.command('load-attachment','rcmfile%s', this, event)",
                rcmail_output::JS_OBJECT_NAME,
                $id
            ),
        ], $link_content);

        $delete_link = html::a([
            'href' => '#delete',
            'onclick' => sprintf(
                "return %s.command('remove-attachment','rcmfile%s', this, event)",
                rcmail_output::JS_OBJECT_NAME,
                $id
            ),
            'title' => $rcmail->gettext('delete'),
            'class' => 'delete',
            'aria-label' => $rcmail->gettext('delete') . ' ' . $attachment['name'],
        ], $button);

        if (!empty(self::$COMPOSE['icon_pos']) && self::$COMPOSE['icon_pos'] == 'left') {
            $content = $delete_link . $content_link;
        } else {
            $content = $content_link . $delete_link;
        }

        $rcmail->output->command('add2attachment_list', "rcmfile{$id}", [
                'html' => $content,
                'name' => $attachment['name'],
                'mimetype' => $attachment['mimetype'],
                'classname' => rcube_utils::file2class($attachment['mimetype'], $attachment['name']),
                'complete' => true,
            ],
            $uploadid
        );
    }

    /**
     * Checks if the attached file will fit in message size limit.
     * Calculates size of all attachments and compares with the limit.
     *
     * @param int    $filesize File size
     * @param string $filetype File mimetype
     *
     * @return ?string Error message if the limit is exceeded
     */
    public static function check_message_size($filesize, $filetype)
    {
        $rcmail = rcmail::get_instance();
        $limit = parse_bytes($rcmail->config->get('max_message_size'));
        $size = 10 * 1024; // size of message body

        if (!$limit) {
            return null;
        }

        // add size of already attached files
        foreach ($rcmail->list_uploaded_files(self::$COMPOSE_ID) as $att) {
            // All attachments are base64-encoded except message/rfc822
            $multip = $att['mimetype'] == 'message/rfc822' ? 1 : 1.33;
            $size += $att['size'] * $multip;
        }

        // add size of the new attachment
        $multip = $filetype == 'message/rfc822' ? 1 : 1.33;
        $size += $filesize * $multip;

        if ($size > $limit) {
            $limit = self::show_bytes($limit);
            return $rcmail->gettext(['name' => 'msgsizeerror', 'vars' => ['size' => $limit]]);
        }

        return null;
    }
}
 ?>

Did this file decode correctly?

Original Code

<?php

/*
 +-----------------------------------------------------------------------+
 | This file is part of the Roundcube Webmail client                     |
 |                                                                       |
 | Copyright (C) The Roundcube Dev Team                                  |
 |                                                                       |
 | Licensed under the GNU General Public License version 3 or            |
 | any later version with exceptions for skins & plugins.                |
 | See the README file for a full license statement.                     |
 |                                                                       |
 | PURPOSE:                                                              |
 |   Attachment uploads handler for the compose form                     |
 +-----------------------------------------------------------------------+
 | Author: Thomas Bruederli <[email protected]>                        |
 +-----------------------------------------------------------------------+
*/

class rcmail_action_mail_attachment_upload extends rcmail_action_mail_index
{
    // only process ajax requests
    protected static $mode = self::MODE_AJAX;

    protected static $SESSION_KEY;
    protected static $COMPOSE;
    protected static $COMPOSE_ID;
    protected static $file_id;

    /**
     * Request handler.
     *
     * @param array $args Arguments from the previous step(s)
     */
    #[Override]
    public function run($args = [])
    {
        $rcmail = rcmail::get_instance();

        self::init();

        // clear all stored output properties (like scripts and env vars)
        $rcmail->output->reset();

        $uploadid = rcube_utils::get_input_string('_uploadid', rcube_utils::INPUT_GPC);
        $uri = rcube_utils::get_input_string('_uri', rcube_utils::INPUT_POST);

        // handle dropping a reference to an attachment part of some message
        if ($uri) {
            $attachment = null;

            $url = parse_url($uri);

            if (!empty($url['query'])) {
                parse_str($url['query'], $params);
            }

            if (
                !empty($params) && isset($params['_mbox']) && strlen($params['_mbox'])
                && !empty($params['_uid']) && !empty($params['_part'])
            ) {
                // @TODO: at some point we might support drag-n-drop between
                // two different accounts on the same server, for now make sure
                // this is the same server and the same user
                [$host, $port] = rcube_utils::explode(':', $_SERVER['HTTP_HOST']);

                if (
                    $host == $url['host']
                    && $port == ($url['port'] ?? null)
                    && $rcmail->get_user_name() == rawurldecode($url['user'])
                ) {
                    $message = new rcube_message($params['_uid'], $params['_mbox']);

                    if (!empty($message->headers)) {
                        $attachment = rcmail_action_mail_compose::save_attachment($message, $params['_part'], self::$COMPOSE_ID);
                    }
                }
            }

            $plugin = $rcmail->plugins->exec_hook('attachment_from_uri', [
                'attachment' => $attachment,
                'uri' => $uri,
                'compose_id' => self::$COMPOSE_ID,
            ]);

            if ($plugin['attachment']) {
                self::attachment_success($plugin['attachment'], $uploadid);
            } else {
                $rcmail->output->command('display_message', $rcmail->gettext('filelinkerror'), 'error');
                $rcmail->output->command('remove_from_attachment_list', $uploadid);
            }

            $rcmail->output->send();
        }

        // handle file(s) upload
        if (isset($_FILES['_attachments']['tmp_name']) && is_array($_FILES['_attachments']['tmp_name'])) {
            $errors = [];

            foreach ($_FILES['_attachments']['tmp_name'] as $i => $filepath) {
                // Process uploaded attachment if there is no error
                $err = $_FILES['_attachments']['error'][$i];
                $inserted = false;
                $attachment = null;

                if (!$err) {
                    $filename = $_FILES['_attachments']['name'][$i];
                    $filesize = $_FILES['_attachments']['size'][$i];
                    $filetype = rcube_mime::file_content_type($filepath, $filename, $_FILES['_attachments']['type'][$i]);

                    if ($err = self::check_message_size($filesize, $filetype)) {
                        if (!in_array($err, $errors)) {
                            $rcmail->output->command('display_message', $err, 'error');
                            $rcmail->output->command('remove_from_attachment_list', $uploadid);
                            $errors[] = $err;
                        }

                        continue;
                    }

                    $attachment = [
                        'path' => $filepath,
                        'name' => $filename,
                        'size' => $filesize,
                        'mimetype' => $filetype,
                        'group' => self::$COMPOSE_ID,
                    ];

                    $inserted = $rcmail->insert_uploaded_file($attachment);
                }

                if (!$err && $inserted) {
                    self::attachment_success($attachment, $uploadid);
                } else {  // upload failed
                    if ($err == \UPLOAD_ERR_INI_SIZE || $err == \UPLOAD_ERR_FORM_SIZE) {
                        $size = self::show_bytes(rcube_utils::max_upload_size());
                        $msg = $rcmail->gettext(['name' => 'filesizeerror', 'vars' => ['size' => $size]]);
                    } elseif (!empty($attachment['error'])) {
                        $msg = $attachment['error'];
                    } else {
                        $msg = $rcmail->gettext('fileuploaderror');
                    }

                    if (!empty($attachment['error']) || $err != \UPLOAD_ERR_NO_FILE) {
                        if (!in_array($msg, $errors)) {
                            $rcmail->output->command('display_message', $msg, 'error');
                            $rcmail->output->command('remove_from_attachment_list', $uploadid);
                            $errors[] = $msg;
                        }
                    }
                }
            }
        } elseif (self::upload_failure()) {
            $rcmail->output->command('remove_from_attachment_list', $uploadid);
        }

        // send html page with JS calls as response
        $rcmail->output->command('auto_save_start', false);
        $rcmail->output->send('iframe');
    }

    public static function init()
    {
        self::$COMPOSE_ID = rcube_utils::get_input_string('_id', rcube_utils::INPUT_GPC);
        self::$COMPOSE = null;
        self::$SESSION_KEY = 'compose_data_' . self::$COMPOSE_ID;

        if (self::$COMPOSE_ID && !empty($_SESSION[self::$SESSION_KEY])) {
            self::$COMPOSE = &$_SESSION[self::$SESSION_KEY];
        }

        if (!self::$COMPOSE) {
            exit('Invalid session var!');
        }

        self::$file_id = rcube_utils::get_input_string('_file', rcube_utils::INPUT_GPC);
        self::$file_id = preg_replace('/^rcmfile/', '', self::$file_id) ?: 'unknown';
    }

    public static function attachment_success($attachment, $uploadid)
    {
        $rcmail = rcmail::get_instance();
        $id = $attachment['id'];

        if (!empty(self::$COMPOSE['deleteicon']) && is_file(self::$COMPOSE['deleteicon'])) {
            $button = html::img([
                'src' => self::$COMPOSE['deleteicon'],
                'alt' => $rcmail->gettext('delete'),
            ]);
        } elseif (!empty(self::$COMPOSE['textbuttons'])) {
            $button = rcube::Q($rcmail->gettext('delete'));
        } else {
            $button = '';
        }

        $link_content = sprintf(
            '<span class="attachment-name">%s</span><span class="attachment-size">(%s)</span>',
            rcube::Q($attachment['name']), self::show_bytes($attachment['size'])
        );

        $content_link = html::a([
            'href' => '#load',
            'class' => 'filename',
            'onclick' => sprintf(
                "return %s.command('load-attachment','rcmfile%s', this, event)",
                rcmail_output::JS_OBJECT_NAME,
                $id
            ),
        ], $link_content);

        $delete_link = html::a([
            'href' => '#delete',
            'onclick' => sprintf(
                "return %s.command('remove-attachment','rcmfile%s', this, event)",
                rcmail_output::JS_OBJECT_NAME,
                $id
            ),
            'title' => $rcmail->gettext('delete'),
            'class' => 'delete',
            'aria-label' => $rcmail->gettext('delete') . ' ' . $attachment['name'],
        ], $button);

        if (!empty(self::$COMPOSE['icon_pos']) && self::$COMPOSE['icon_pos'] == 'left') {
            $content = $delete_link . $content_link;
        } else {
            $content = $content_link . $delete_link;
        }

        $rcmail->output->command('add2attachment_list', "rcmfile{$id}", [
                'html' => $content,
                'name' => $attachment['name'],
                'mimetype' => $attachment['mimetype'],
                'classname' => rcube_utils::file2class($attachment['mimetype'], $attachment['name']),
                'complete' => true,
            ],
            $uploadid
        );
    }

    /**
     * Checks if the attached file will fit in message size limit.
     * Calculates size of all attachments and compares with the limit.
     *
     * @param int    $filesize File size
     * @param string $filetype File mimetype
     *
     * @return ?string Error message if the limit is exceeded
     */
    public static function check_message_size($filesize, $filetype)
    {
        $rcmail = rcmail::get_instance();
        $limit = parse_bytes($rcmail->config->get('max_message_size'));
        $size = 10 * 1024; // size of message body

        if (!$limit) {
            return null;
        }

        // add size of already attached files
        foreach ($rcmail->list_uploaded_files(self::$COMPOSE_ID) as $att) {
            // All attachments are base64-encoded except message/rfc822
            $multip = $att['mimetype'] == 'message/rfc822' ? 1 : 1.33;
            $size += $att['size'] * $multip;
        }

        // add size of the new attachment
        $multip = $filetype == 'message/rfc822' ? 1 : 1.33;
        $size += $filesize * $multip;

        if ($size > $limit) {
            $limit = self::show_bytes($limit);
            return $rcmail->gettext(['name' => 'msgsizeerror', 'vars' => ['size' => $limit]]);
        }

        return null;
    }
}

Function Calls

None

Variables

None

Stats

MD5 4d1744d012baba22b0d6911e16fa5b6d
Eval Count 0
Decode Time 99 ms