Updating version number to 4.2-dev after release of 4.2.0beta2a
[Packages/TYPO3.CMS.git] / t3lib / class.t3lib_formmail.php
index f3846ba..6d44718 100644 (file)
@@ -1,22 +1,22 @@
 <?php
 /***************************************************************
 *  Copyright notice
-*  
-*  (c) 1999-2004 Kasper Skaarhoj (kasper@typo3.com)
+*
+*  (c) 1999-2007 Kasper Skaarhoj (kasperYYYY@typo3.com)
 *  All rights reserved
 *
-*  This script is part of the TYPO3 project. The TYPO3 project is 
+*  This script is part of the TYPO3 project. The TYPO3 project is
 *  free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
-* 
+*
 *  The GNU General Public License can be found at
 *  http://www.gnu.org/copyleft/gpl.html.
-*  A copy is found in the textfile GPL.txt and important notices to the license 
+*  A copy is found in the textfile GPL.txt and important notices to the license
 *  from the author is found in LICENSE.txt distributed with these scripts.
 *
-* 
+*
 *  This script is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * $Id$
  * Revised for TYPO3 3.6 July/2003 by Kasper Skaarhoj
  *
- * @author     Kasper Skaarhoj <kasper@typo3.com>
+ * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
  */
 /**
  * [CLASS/FUNCTION INDEX of SCRIPT]
  *
  *
  *
- *   69: class t3lib_formmail extends t3lib_htmlmail 
- *   95:     function start($V,$base64=1)      
- *  169:     function addAttachment($file, $filename)  
+ *   69: class t3lib_formmail extends t3lib_htmlmail
+ *   95:     function start($V,$base64=false)
+ *  172:     function addAttachment($file, $filename)
  *
  * TOTAL FUNCTIONS: 2
  * (This index is automatically created/updated by the extension "extdeveval")
 
 /**
  * Formmail class, used by the TYPO3 "cms" extension (default frontend) to send email forms.
- * 
- * @author     Kasper Skaarhoj <kasper@typo3.com>
+ *
+ * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
  * @package TYPO3
  * @subpackage t3lib
  * @see tslib_fe::sendFormmail(), t3lib/formmail.php
  */
 class t3lib_formmail extends t3lib_htmlmail {
        var $reserved_names = 'recipient,recipient_copy,auto_respond_msg,redirect,subject,attachment,from_email,from_name,replyto_email,replyto_name,organisation,priority,html_enabled,quoted_printable,submit_x,submit_y';
+       var $dirtyHeaders = array();    // collection of suspicious header data, used for logging
 
 
        /**
         * Start function
         * This class is able to generate a mail in formmail-style from the data in $V
         * Fields:
-        * 
-        * [recipient]:         email-adress of the one to receive the mail. If array, then all values are expected to be recipients
+        *
+        * [recipient]:                 email-adress of the one to receive the mail. If array, then all values are expected to be recipients
         * [attachment]:                ....
-        * 
+        *
         * [subject]:                   The subject of the mail
         * [from_email]:                Sender email. If not set, [email] is used
-        * [from_name]:         Sender name. If not set, [name] is used
-        * [replyto_email]:     Reply-to email. If not set [from_email] is used
+        * [from_name]:                 Sender name. If not set, [name] is used
+        * [replyto_email]:             Reply-to email. If not set [from_email] is used
         * [replyto_name]:              Reply-to name. If not set [from_name] is used
         * [organisation]:              Organisation (header)
         * [priority]:                  Priority, 1-5, default 3
         * [html_enabled]:              If mail is sent as html
-        * [quoted_printable]:  if set, quoted-printable will be used instead of base 64
-        * 
-        * @param       array           Contains values for the field names listed above
+        * [use_base64]:                If set, base64 encoding will be used instead of quoted-printable
+        *
+        * @param       array           Contains values for the field names listed above (with slashes removed if from POST input)
         * @param       boolean         Whether to base64 encode the mail content
-        * @return      void            
+        * @return      void
         */
-       function start($V,$base64=1)    {
-               if ($base64 && !$V['quoted_printable']) {$this->useBase64();}
-               if (is_array($V))       {
-                       t3lib_div::stripSlashesOnArray($V);
+       function start($V,$base64=false)        {
+               $convCharset = FALSE;   // do we need to convert form data?
+
+               if ($GLOBALS['TSFE']->config['config']['formMailCharset'])      {       // Respect formMailCharset if it was set
+                       $this->charset = $GLOBALS['TSFE']->csConvObj->parse_charset($GLOBALS['TSFE']->config['config']['formMailCharset']);
+                       $convCharset = TRUE;
+
+               } elseif ($GLOBALS['TSFE']->metaCharset != $GLOBALS['TSFE']->renderCharset)     {       // Use metaCharset for mail if different from renderCharset
+                       $this->charset = $GLOBALS['TSFE']->metaCharset;
+                       $convCharset = TRUE;
                }
-               
+
+               parent::start();
+
+               if ($base64 || $V['use_base64'])        { $this->useBase64(); }
+
                if (isset($V['recipient']))     {
-                               // Sets the message id
-                       $this->messageid = '<'.md5(microtime()).'@domain.tld>';
-               
-                       $this->subject = ($V['subject']) ? $V['subject'] : 'Formmail on '.t3lib_div::getIndpEnv('HTTP_HOST');
+                               // convert form data from renderCharset to mail charset
+                       $val = ($V['subject']) ? $V['subject'] : 'Formmail on '.t3lib_div::getIndpEnv('HTTP_HOST');
+                       $this->subject = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
+                       $this->subject = $this->sanitizeHeaderString($this->subject);
+                       $val = ($V['from_name']) ? $V['from_name'] : (($V['name'])?$V['name']:'');      // Be careful when changing $val! It is used again as the fallback value for replyto_name
+                       $this->from_name = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
+                       $this->from_name = $this->sanitizeHeaderString($this->from_name);
+                       $this->from_name = preg_match( '/\s|,/', $this->from_name ) >= 1 ? '"'.$this->from_name.'"' : $this->from_name;
+                       $val = ($V['replyto_name']) ? $V['replyto_name'] : $val;
+                       $this->replyto_name = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
+                       $this->replyto_name = $this->sanitizeHeaderString($this->replyto_name);
+                       $this->replyto_name = preg_match( '/\s|,/', $this->replyto_name ) >= 1 ? '"'.$this->replyto_name.'"' : $this->replyto_name;
+                       $val = ($V['organisation']) ? $V['organisation'] : '';
+                       $this->organisation = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
+                       $this->organisation = $this->sanitizeHeaderString($this->organisation);
+
                        $this->from_email = ($V['from_email']) ? $V['from_email'] : (($V['email'])?$V['email']:'');
-                       $this->from_name = ($V['from_name']) ? $V['from_name'] : (($V['name'])?$V['name']:'');
+                       $this->from_email = t3lib_div::validEmail($this->from_email) ? $this->from_email : '';
                        $this->replyto_email = ($V['replyto_email']) ? $V['replyto_email'] : $this->from_email;
-                       $this->replyto_name = ($V['replyto_name']) ? $V['replyto_name'] : $this->from_name;
-                       $this->organisation = ($V['organisation']) ? $V['organisation'] : '';
+                       $this->replyto_email = t3lib_div::validEmail($this->replyto_email) ? $this->replyto_email : '';
                        $this->priority = ($V['priority']) ? t3lib_div::intInRange($V['priority'],1,5) : 3;
 
                                // Auto responder.
                        $this->auto_respond_msg = (trim($V['auto_respond_msg']) && $this->from_email) ? trim($V['auto_respond_msg']) : '';
-                       
+                       $this->auto_respond_msg = $this->sanitizeHeaderString($this->auto_respond_msg);
+
                        $Plain_content = '';
                        $HTML_content = '<table border="0" cellpadding="2" cellspacing="2">';
-                       
+
                                // Runs through $V and generates the mail
                        if (is_array($V))       {
                                reset($V);
@@ -123,14 +146,18 @@ class t3lib_formmail extends t3lib_htmlmail {
                                        if (!t3lib_div::inList($this->reserved_names,$key))     {
                                                $space = (strlen($val)>60)?chr(10):'';
                                                $val = (is_array($val) ? implode($val,chr(10)) : $val);
-                                               $Plain_content.= strtoupper($key).':  '.$space.$val."\n".$space;
-                                               $HTML_content.='<tr><td bgcolor="#eeeeee"><font face="Verdana" size="1"><b>'.strtoupper($key).'</b></font></td><td bgcolor="#eeeeee"><font face="Verdana" size="1">'.nl2br(HTMLSpecialChars($val)).'&nbsp</font></td></tr>';
+
+                                                       // convert form data from renderCharset to mail charset (HTML may use entities)
+                                               $Plain_val = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset,0) : $val;
+                                               $HTML_val = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv(htmlspecialchars($val),$GLOBALS['TSFE']->renderCharset,$this->charset,1) : htmlspecialchars($val);
+
+                                               $Plain_content.= strtoupper($key).':  '.$space.$Plain_val."\n".$space;
+                                               $HTML_content.= '<tr><td bgcolor="#eeeeee"><font face="Verdana" size="1"><b>'.strtoupper($key).'</b></font></td><td bgcolor="#eeeeee"><font face="Verdana" size="1">'.nl2br($HTML_val).'&nbsp;</font></td></tr>';
                                        }
                                }
                        }
                        $HTML_content.= '</table>';
 
-
                        if ($V['html_enabled']) {
                                $this->setHTML($this->encodeMsg($HTML_content));
                        }
@@ -138,29 +165,40 @@ class t3lib_formmail extends t3lib_htmlmail {
 
                        for ($a=0;$a<10;$a++)   {
                                $varname = 'attachment'.(($a)?$a:'');
-                               $theFile = t3lib_div::upload_to_tempfile($GLOBALS['HTTP_POST_FILES'][$varname]['tmp_name']);
-                               $theName = $GLOBALS['HTTP_POST_FILES'][$varname]['name'];
-                               
+                               if (!is_uploaded_file($_FILES[$varname]['tmp_name']))   {
+                                       t3lib_div::sysLog('Possible abuse of t3lib_formmail: temporary file "'.$_FILES[$varname]['tmp_name'].'" ("'.$_FILES[$varname]['name'].'") was not an uploaded file.', 'Core', 3);
+                                       continue;
+                               }
+                               $theFile = t3lib_div::upload_to_tempfile($_FILES[$varname]['tmp_name']);
+                               $theName = $_FILES[$varname]['name'];
+
                                if ($theFile && @file_exists($theFile)) {
-                                       if (filesize($theFile) < 250000)        {
+                                       if (filesize($theFile) < $GLOBALS['TYPO3_CONF_VARS']['FE']['formmailMaxAttachmentSize'])        {
                                                $this->addAttachment($theFile, $theName);
                                        }
                                }
                                t3lib_div::unlink_tempfile($theFile);
                        }
-                       
+
                        $this->setHeaders();
                        $this->setContent();
                        $this->setRecipient($V['recipient']);
                        if ($V['recipient_copy'])       {
                                $this->recipient_copy = trim($V['recipient_copy']);
                        }
+                               // log dirty header lines
+                       if ($this->dirtyHeaders)        {
+                               t3lib_div::sysLog( 'Possible misuse of t3lib_formmail: see TYPO3 devLog', 'Core', 3 );
+                               if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['enable_DLOG'])  {
+                                       t3lib_div::devLog( 't3lib_formmail: '. t3lib_div::arrayToLogString($this->dirtyHeaders, '', 200 ), 'Core', 3 );
+                               }
+                       }
                }
        }
 
        /**
         * Adds an attachment to the mail
-        * 
+        *
         * @param       string          The absolute path to the file to add as attachment
         * @param       string          The files original filename (not necessarily the same as the current since this could be uploaded files...)
         * @return      boolean         True if the file existed and was added.
@@ -174,7 +212,7 @@ class t3lib_formmail extends t3lib_htmlmail {
                if ($fileInfo['fileext'] == 'jpg' || $fileInfo['fileext'] == 'jpeg')    {$content_type = 'image/jpeg';}
                if ($fileInfo['fileext'] == 'html' || $fileInfo['fileext'] == 'htm')    {$content_type = 'text/html';}
                if (!$content_type) {$content_type = 'application/octet-stream';}
-               
+
                if ($content)   {
                        $theArr['content_type']= $content_type;
                        $theArr['content']= $content;
@@ -183,10 +221,26 @@ class t3lib_formmail extends t3lib_htmlmail {
                        return true;
                } else { return false;}
        }
+
+
+       /**
+        * Checks string for suspicious characters
+        *
+        * @param       string  String to check
+        * @return      string  Valid or empty string
+        */
+       function sanitizeHeaderString ($string) {
+               $pattern = '/[\r\n\f\e]/';
+               if (preg_match($pattern, $string) > 0)  {
+                       $this->dirtyHeaders[] = $string;
+                       $string = '';
+               }
+               return $string;
+       }
 }
 
 
 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_formmail.php']) {
        include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_formmail.php']);
 }
-?>
\ No newline at end of file
+?>