Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update fMailbox.php handling 5.6+ Security #218

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

BrendonKoz
Copy link

As of PHP version 5.6 there is much stricter security checking being done on various levels. Flourish's excellent Mailbox class unfortunately isn't up-to-date enough to handle the new restrictions by default. This fix is simply a fallback to allow for its previous level of functionality. It bypasses the new security implementations that PHP 5.6 brings to the table, but users of Gmail's mail server, or users of shared hosting will be able to continue to use this library with the class as expected. (It has to do with domain mismatch.)

As of PHP version 5.6 there is much stricter security checking being done on various levels. Flourish's excellent Mailbox class unfortunately isn't up-to-date enough to handle the new restrictions by default. This fix is simply a fallback to allow for its previous level of functionality. It bypasses the new security implementations that PHP 5.6 brings to the table, but users of Gmail's mail server, or users of shared hosting will be able to continue to use this library with the class as expected. (It has to do with domain mismatch.)
Fixes an issue with how Microsoft Exchange (2010) and Outlook Web Access incorrectly handles some file attachment types and therefore cause the attachment to be seen as an inline attachment, but with no ability to recover the file from the body.
@BrendonKoz
Copy link
Author

Also fixed an issue with Exchange server's OWA attachments. See Issue #220 for further explanation.

In most circumstances there's little reason to need to know the filename of the related email attachments (those embedded in to the body of the email) since most email clients render HTML now. However, when rendered in plaintext and the related file becomes an attachment, there's no filename that can be provided for the attachment, only the data and the mimetype. I'm not sure if this was simply an oversight or it was purposefully left out. I can't personally think of a reason not to provide the filename *if it's provided*, and if it's not the value will simply be blank as is the case with "inline" or embedded attachment types as well. At least this way a file extension can be provided to associate the file with an application.

This change simply moves the detection of content_id and inline attachments inside the test for **$has_disposition** in the __handleParts()__ method.
@BrendonKoz
Copy link
Author

Added the ability to recover, if provided, the filename of "related" attachment types in the case of plaintext emails (or programmatic systems) needing access to the downloaded file(s) and its type (file extensions are super handy here). This was the only attachment type that did not include the filename value in its data array.

See commit 9d29ac0

Fixes cases where email clients do not separate the *references* in the header with a simple space, or space character. The RFC somehow even allows textual comments between references. By simply splitting on everything not a closing angle bracket after an open angle bracket (non-greedy) this should work and split the string to an array, as expected, for all edge cases.
@BrendonKoz
Copy link
Author

Fixed an issue where reference headers were not being split from a string to an array properly.

See commit 4df21b7

Fixes #222

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant