diff options
| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2006-12-22 21:45:21 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2006-12-22 21:45:21 +0000 |
| commit | fbf02ab360cbe003b9b90efb878969d82a3fc240 (patch) | |
| tree | 3304274f10ad0fda2b49a307b38d1cd755ac94bc /roundcubemail/program/steps/mail/sendmail.inc | |
| parent | 55491988926ec76a2a31914c3eb766790ca82b06 (diff) | |
Applied security patches by Kees Cook (Ubuntu) + little visual enhancements
git-svn-id: https://svn.roundcube.net/trunk@425 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/program/steps/mail/sendmail.inc')
| -rw-r--r-- | roundcubemail/program/steps/mail/sendmail.inc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/roundcubemail/program/steps/mail/sendmail.inc b/roundcubemail/program/steps/mail/sendmail.inc index 716072a48..2d2cb33db 100644 --- a/roundcubemail/program/steps/mail/sendmail.inc +++ b/roundcubemail/program/steps/mail/sendmail.inc @@ -100,6 +100,8 @@ function rcmail_attach_emoticons(&$mime_message) $image_name = substr($body, $pos + strlen($searchstr), $pos2 - ($pos + strlen($searchstr))); + // sanitize image name so resulting attachment doesn't leave images dir + $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name); $body_post = substr($body, $pos2); |