From fbf02ab360cbe003b9b90efb878969d82a3fc240 Mon Sep 17 00:00:00 2001
From: thomasb
Date: Fri, 22 Dec 2006 21:45:21 +0000
Subject: Applied security patches by Kees Cook (Ubuntu) + little visual enhancements
git-svn-id: https://svn.roundcube.net/trunk@425 208e9e7b-5314-0410-a742-e7e81cd9613c
---
 roundcubemail/program/steps/mail/sendmail.inc | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'roundcubemail/program/steps/mail/sendmail.inc')
diff --git a/roundcubemail/program/steps/mail/sendmail.inc b/roundcubemail/program/steps/mail/sendmail.inc
index 716072a48..2d2cb33db 100644
--- a/roundcubemail/program/steps/mail/sendmail.inc
+++ b/roundcubemail/program/steps/mail/sendmail.inc
@@ -100,6 +100,8 @@ function rcmail_attach_emoticons(&$mime_message)
 $image_name = substr($body, $pos + strlen($searchstr), $pos2 - ($pos + strlen($searchstr)));
+ // sanitize image name so resulting attachment doesn't leave images dir
+ $image_name = preg_replace('/[^a-zA-Z0-9_\.\-]/i','',$image_name);
 $body_post = substr($body, $pos2);
--
cgit v1.2.3
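Review bot: The added `preg_replace` strips path separators but still lets an empty string or a dots-only name such as `..` through, and nothing visible in the hunk rejects those before `$image_name` is used to locate the file. Validating the whole name would be stricter than silently deleting characters, for example `if (!preg_match('/^[a-zA-Z0-9_\-]+(\.[a-zA-Z0-9]+)+$/', $image_name)) { /* skip this image */ }`, ideally followed by a check that the resolved file exists inside the images directory. The `/i` modifier is redundant because the character class already lists both `a-z` and `A-Z`. The rest of `rcmail_attach_emoticons` lies outside the hunk, so whether a later existence check already covers these cases could not be confirmed here.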