<?php
/**
 * @version     $Id$
 * @package     Joomla.Site
 * @subpackage  MailTo
 * @copyright   Copyright (C) 2005 - 2010 Open Source Matters, Inc. All rights reserved.
 * @license     GNU General Public License version 2 or later; see LICENSE.txt
 */
// Refuse direct access: _JEXEC is only defined when the Joomla bootstrap
// has loaded this file, so a direct HTTP request to it ends here.
if (!defined('_JEXEC'))
{
	die;
}

// Base controller class that MailtoController extends.
jimport('joomla.application.component.controller');
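/**
 * "Send this link to a friend" controller.
 *
 * Controls in send(), in the order they are applied:
 *  - CSRF token check;
 *  - a minimum delay between rendering the form (mailto()) and submitting it,
 *    as a cheap anti-automation measure;
 *  - the shared link must point back at this site, so the component cannot
 *    be used to mail out arbitrary URLs;
 *  - e-mail header injection test on every field that reaches a header;
 *  - syntactic validation of the recipient and from addresses.
 *
 * NOTE(review): the visitor-supplied "from" address and "sender" name become
 * the message's From, i.e. the site sends mail on behalf of an address it does
 * not own; receivers enforcing SPF/DMARC may reject it.  The site's configured
 * mailfrom/fromname are not used by this controller.
 *
 * NOTE(review): JController is understood to expose a controller's public
 * methods as URL-callable tasks, so do not add public helper methods here
 * without checking that behaviour — the header test is kept inline for that
 * reason.
 *
 * @package     Joomla.Site
 * @subpackage  MailTo
 */
class MailtoController extends JController
{
	/**
	 * Minimum number of seconds that must elapse between rendering the form
	 * and accepting a submission; anything faster is treated as automated.
	 */
	const MIN_FORM_SECONDS = 20;

	/**
	 * Show the form so that the user can send the link to someone.
	 *
	 * Stores the time the form was rendered in the session; send() refuses
	 * submissions that arrive less than MIN_FORM_SECONDS later.
	 *
	 * @access public
	 * @since  1.5
	 */
	function mailto()
	{
		$session = &JFactory::getSession();
		$session->set('com_mailto.formtime', time());

		JRequest::setVar('view', 'mailto');
		$this->display();
	}

	/**
	 * Send the message and display a notice.
	 *
	 * Reads the POST fields link (base64), mailto, sender, from and subject.
	 * On any validation failure the form is shown again (which also restarts
	 * the MIN_FORM_SECONDS timer); a header-injection attempt ends the request
	 * with a 403.
	 *
	 * @access public
	 * @since  1.5
	 */
	function send()
	{
		// Check for request forgeries
		JRequest::checkToken() or jexit(JText::_('JInvalid_Token'));

		$app     = &JFactory::getApplication();
		$session = &JFactory::getSession();

		// Anti-automation delay: the form must have been rendered in this
		// session, at least MIN_FORM_SECONDS ago.  The timestamp is cleared
		// after a successful send (below) so that every message pays the
		// delay, not just the first one in the session.
		$formtime = (int) $session->get('com_mailto.formtime', 0);
		if ($formtime == 0 || time() - $formtime < self::MIN_FORM_SECONDS)
		{
			JError::raiseNotice(500, JText::_('EMAIL_NOT_SENT'));
			return $this->mailto();
		}

		jimport('joomla.mail.helper');

		$SiteName = $app->getCfg('sitename');

		// The link arrives base64-encoded.  Insist that it is internal to
		// this site so the component cannot be abused to mail off-site URLs.
		$link = base64_decode(JRequest::getVar('link', '', 'post', 'base64'));
		if (!JURI::isInternal($link))
		{
			// Non-local url...
			JError::raiseNotice(500, JText::_('EMAIL_NOT_SENT'));
			return $this->mailto();
		}

		// E-mail header injection test.  The injection vector is a raw CR or
		// LF in a field that ends up in a header, so those are rejected
		// outright; the header-name list is a second net for the headers an
		// attacker would most want to add.  Header names are case-insensitive
		// (RFC 5322), hence stripos() rather than strpos().
		$headers = array(
			'Content-Type:',
			'MIME-Version:',
			'Content-Transfer-Encoding:',
			'bcc:',
			'cc:',
		);

		// The input fields to scan for injected headers
		$fields = array('mailto', 'sender', 'from', 'subject');

		foreach ($fields as $field)
		{
			// Inspect the raw posted value, before any filtering: a missing
			// field is simply empty, and a non-string (e.g. field[]=) is
			// never acceptable.
			$raw    = isset($_POST[$field]) ? $_POST[$field] : '';
			$unsafe = !is_string($raw) || strpbrk($raw, "\r\n") !== false;

			if (!$unsafe)
			{
				foreach ($headers as $header)
				{
					if (stripos($raw, $header) !== false)
					{
						$unsafe = true;
						break;
					}
				}
			}

			if ($unsafe)
			{
				JError::raiseError(403, '');
				// raiseError is expected to end the request; make sure we
				// never fall through into sending if a custom error handler
				// merely reports the error.
				jexit();
			}
		}

		// Free up memory
		unset($headers, $fields);

		$email  = JRequest::getString('mailto', '', 'post');
		$sender = JRequest::getString('sender', '', 'post');
		$from   = JRequest::getString('from', '', 'post');

		$subject_default = JText::sprintf('Item sent by', $sender);
		$subject         = JRequest::getString('subject', $subject_default, 'post');

		// Both addresses must be syntactically valid.  Every problem is
		// reported before returning to the form.
		$error = false;

		// Check for a valid to address
		if (!$email || !JMailHelper::isEmailAddress($email))
		{
			$error = JText::sprintf('EMAIL_INVALID', $email);
			JError::raiseWarning(0, $error);
		}

		// Check for a valid from address
		if (!$from || !JMailHelper::isEmailAddress($from))
		{
			$error = JText::sprintf('EMAIL_INVALID', $from);
			JError::raiseWarning(0, $error);
		}

		if ($error)
		{
			return $this->mailto();
		}

		// Build the message to send
		$msg  = JText::_('EMAIL_MSG');
		$body = sprintf($msg, $SiteName, $sender, $from, $link);

		// Clean the email data
		$subject = JMailHelper::cleanSubject($subject);
		$body    = JMailHelper::cleanBody($body);
		$sender  = JMailHelper::cleanAddress($sender);

		// Send the email.  $from / $sender are the visitor's address and
		// display name, not the site's configured mailfrom.
		if (JUtility::sendMail($from, $sender, $email, $subject, $body) !== true)
		{
			JError::raiseNotice(500, JText::_('EMAIL_NOT_SENT'));
			return $this->mailto();
		}

		// Clear the form timestamp: the next message must go through mailto()
		// and wait the full delay again.
		$session->set('com_mailto.formtime', 0);

		JRequest::setVar('view', 'sent');
		$this->display();
	}
}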