Fixed bug #10454: t3lib_div::makeInstanceClassName() allows to bypass checks for...
[Packages/TYPO3.CMS.git] / t3lib / class.t3lib_formmail.php
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 1999-2008 Kasper Skaarhoj (kasperYYYY@typo3.com)
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 * A copy is found in the textfile GPL.txt and important notices to the license
17 * from the author is found in LICENSE.txt distributed with these scripts.
18 *
19 *
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * This copyright notice MUST APPEAR in all copies of the script!
26 ***************************************************************/
27 /**
28 * Contains a class for formmail
29 *
30 * $Id$
31 * Revised for TYPO3 3.6 July/2003 by Kasper Skaarhoj
32 *
33 * @author Kasper Skaarhoj <kasperYYYY@typo3.com>
34 */
35 /**
36 * [CLASS/FUNCTION INDEX of SCRIPT]
37 *
38 *
39 *
40 * 69: class t3lib_formmail extends t3lib_htmlmail
41 * 95: function start($V,$base64=false)
42 * 172: function addAttachment($file, $filename)
43 *
44 * TOTAL FUNCTIONS: 2
45 * (This index is automatically created/updated by the extension "extdeveval")
46 *
47 */
48
49
50
51
52
53
54
55
56
57
58
59
60
61 /**
62 * Formmail class, used by the TYPO3 "cms" extension (default frontend) to send email forms.
63 *
64 * @author Kasper Skaarhoj <kasperYYYY@typo3.com>
65 * @package TYPO3
66 * @subpackage t3lib
67 * @see tslib_fe::sendFormmail(), t3lib/formmail.php
68 */
69 class t3lib_formmail extends t3lib_htmlmail {
70 var $reserved_names = 'recipient,recipient_copy,auto_respond_msg,redirect,subject,attachment,from_email,from_name,replyto_email,replyto_name,organisation,priority,html_enabled,quoted_printable,submit_x,submit_y';
71 var $dirtyHeaders = array(); // collection of suspicious header data, used for logging
72
73
74 /**
75 * Start function
76 * This class is able to generate a mail in formmail-style from the data in $V
77 * Fields:
78 *
79 * [recipient]: email-adress of the one to receive the mail. If array, then all values are expected to be recipients
80 * [attachment]: ....
81 *
82 * [subject]: The subject of the mail
83 * [from_email]: Sender email. If not set, [email] is used
84 * [from_name]: Sender name. If not set, [name] is used
85 * [replyto_email]: Reply-to email. If not set [from_email] is used
86 * [replyto_name]: Reply-to name. If not set [from_name] is used
87 * [organisation]: Organisation (header)
88 * [priority]: Priority, 1-5, default 3
89 * [html_enabled]: If mail is sent as html
90 * [use_base64]: If set, base64 encoding will be used instead of quoted-printable
91 *
92 * @param array Contains values for the field names listed above (with slashes removed if from POST input)
93 * @param boolean Whether to base64 encode the mail content
94 * @return void
95 */
96 function start($V,$base64=false) {
97 $convCharset = FALSE; // do we need to convert form data?
98
99 if ($GLOBALS['TSFE']->config['config']['formMailCharset']) { // Respect formMailCharset if it was set
100 $this->charset = $GLOBALS['TSFE']->csConvObj->parse_charset($GLOBALS['TSFE']->config['config']['formMailCharset']);
101 $convCharset = TRUE;
102
103 } elseif ($GLOBALS['TSFE']->metaCharset != $GLOBALS['TSFE']->renderCharset) { // Use metaCharset for mail if different from renderCharset
104 $this->charset = $GLOBALS['TSFE']->metaCharset;
105 $convCharset = TRUE;
106 }
107
108 parent::start();
109
110 if ($base64 || $V['use_base64']) { $this->useBase64(); }
111
112 if (isset($V['recipient'])) {
113 // convert form data from renderCharset to mail charset
114 $val = ($V['subject']) ? $V['subject'] : 'Formmail on '.t3lib_div::getIndpEnv('HTTP_HOST');
115 $this->subject = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
116 $this->subject = $this->sanitizeHeaderString($this->subject);
117 $val = ($V['from_name']) ? $V['from_name'] : (($V['name'])?$V['name']:''); // Be careful when changing $val! It is used again as the fallback value for replyto_name
118 $this->from_name = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
119 $this->from_name = $this->sanitizeHeaderString($this->from_name);
120 $this->from_name = preg_match( '/\s|,/', $this->from_name ) >= 1 ? '"'.$this->from_name.'"' : $this->from_name;
121 $val = ($V['replyto_name']) ? $V['replyto_name'] : $val;
122 $this->replyto_name = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
123 $this->replyto_name = $this->sanitizeHeaderString($this->replyto_name);
124 $this->replyto_name = preg_match( '/\s|,/', $this->replyto_name ) >= 1 ? '"'.$this->replyto_name.'"' : $this->replyto_name;
125 $val = ($V['organisation']) ? $V['organisation'] : '';
126 $this->organisation = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
127 $this->organisation = $this->sanitizeHeaderString($this->organisation);
128
129 $this->from_email = ($V['from_email']) ? $V['from_email'] : (($V['email'])?$V['email']:'');
130 $this->from_email = t3lib_div::validEmail($this->from_email) ? $this->from_email : '';
131 $this->replyto_email = ($V['replyto_email']) ? $V['replyto_email'] : $this->from_email;
132 $this->replyto_email = t3lib_div::validEmail($this->replyto_email) ? $this->replyto_email : '';
133 $this->priority = ($V['priority']) ? t3lib_div::intInRange($V['priority'],1,5) : 3;
134
135 // Auto responder.
136 $this->auto_respond_msg = (trim($V['auto_respond_msg']) && $this->from_email) ? trim($V['auto_respond_msg']) : '';
137 $this->auto_respond_msg = $this->sanitizeHeaderString($this->auto_respond_msg);
138
139 $Plain_content = '';
140 $HTML_content = '<table border="0" cellpadding="2" cellspacing="2">';
141
142 // Runs through $V and generates the mail
143 if (is_array($V)) {
144 reset($V);
145 while (list($key,$val)=each($V)) {
146 if (!t3lib_div::inList($this->reserved_names,$key)) {
147 $space = (strlen($val)>60)?chr(10):'';
148 $val = (is_array($val) ? implode($val,chr(10)) : $val);
149
150 // convert form data from renderCharset to mail charset (HTML may use entities)
151 $Plain_val = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset,0) : $val;
152 $HTML_val = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv(htmlspecialchars($val),$GLOBALS['TSFE']->renderCharset,$this->charset,1) : htmlspecialchars($val);
153
154 $Plain_content.= strtoupper($key).': '.$space.$Plain_val."\n".$space;
155 $HTML_content.= '<tr><td bgcolor="#eeeeee"><font face="Verdana" size="1"><b>'.strtoupper($key).'</b></font></td><td bgcolor="#eeeeee"><font face="Verdana" size="1">'.nl2br($HTML_val).'&nbsp;</font></td></tr>';
156 }
157 }
158 }
159 $HTML_content.= '</table>';
160
161 if ($V['html_enabled']) {
162 $this->setHTML($this->encodeMsg($HTML_content));
163 }
164 $this->addPlain($Plain_content);
165
166 for ($a=0;$a<10;$a++) {
167 $varname = 'attachment'.(($a)?$a:'');
168 if (!is_uploaded_file($_FILES[$varname]['tmp_name'])) {
169 t3lib_div::sysLog('Possible abuse of t3lib_formmail: temporary file "'.$_FILES[$varname]['tmp_name'].'" ("'.$_FILES[$varname]['name'].'") was not an uploaded file.', 'Core', 3);
170 continue;
171 }
172 $theFile = t3lib_div::upload_to_tempfile($_FILES[$varname]['tmp_name']);
173 $theName = $_FILES[$varname]['name'];
174
175 if ($theFile && file_exists($theFile)) {
176 if (filesize($theFile) < $GLOBALS['TYPO3_CONF_VARS']['FE']['formmailMaxAttachmentSize']) {
177 $this->addAttachment($theFile, $theName);
178 }
179 }
180 t3lib_div::unlink_tempfile($theFile);
181 }
182
183 $this->setHeaders();
184 $this->setContent();
185 $this->setRecipient($V['recipient']);
186 if ($V['recipient_copy']) {
187 $this->recipient_copy = trim($V['recipient_copy']);
188 }
189 // log dirty header lines
190 if ($this->dirtyHeaders) {
191 t3lib_div::sysLog( 'Possible misuse of t3lib_formmail: see TYPO3 devLog', 'Core', 3 );
192 if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['enable_DLOG']) {
193 t3lib_div::devLog( 't3lib_formmail: '. t3lib_div::arrayToLogString($this->dirtyHeaders, '', 200 ), 'Core', 3 );
194 }
195 }
196 }
197 }
198
199 /**
200 * Adds an attachment to the mail
201 *
202 * @param string The absolute path to the file to add as attachment
203 * @param string The files original filename (not necessarily the same as the current since this could be uploaded files...)
204 * @return boolean True if the file existed and was added.
205 * @access private
206 */
207 function addAttachment($file, $filename) {
208 $content = $this->getURL($file); // We fetch the content and the mime-type
209 $fileInfo = $this->split_fileref($filename);
210 if ($fileInfo['fileext'] == 'gif') {$content_type = 'image/gif';}
211 if ($fileInfo['fileext'] == 'bmp') {$content_type = 'image/bmp';}
212 if ($fileInfo['fileext'] == 'jpg' || $fileInfo['fileext'] == 'jpeg') {$content_type = 'image/jpeg';}
213 if ($fileInfo['fileext'] == 'html' || $fileInfo['fileext'] == 'htm') {$content_type = 'text/html';}
214 if (!$content_type) {$content_type = 'application/octet-stream';}
215
216 if ($content) {
217 $theArr['content_type']= $content_type;
218 $theArr['content']= $content;
219 $theArr['filename']= $filename;
220 $this->theParts['attach'][]=$theArr;
221 return true;
222 } else { return false;}
223 }
224
225
226 /**
227 * Checks string for suspicious characters
228 *
229 * @param string String to check
230 * @return string Valid or empty string
231 */
232 function sanitizeHeaderString ($string) {
233 $pattern = '/[\r\n\f\e]/';
234 if (preg_match($pattern, $string) > 0) {
235 $this->dirtyHeaders[] = $string;
236 $string = '';
237 }
238 return $string;
239 }
240 }
241
242
243 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_formmail.php']) {
244 include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_formmail.php']);
245 }
246
247 ?>