
/components/com_mailto/controller.php

https://github.com/joebushi/joomla
Possible License(s): LGPL-2.1, Apache-2.0
  1. <?php
  2. /**
  3. * @version $Id$
  4. * @package Joomla.Site
  5. * @subpackage MailTo
  6. * @copyright Copyright (C) 2005 - 2010 Open Source Matters, Inc. All rights reserved.
  7. * @license GNU General Public License version 2 or later; see LICENSE.txt
  8. */
  9. // No direct access
  10. defined('_JEXEC') or die;
  11. jimport('joomla.application.component.controller');
  12. /**
  13. * @package Joomla.Site
  14. * @subpackage MailTo
  15. */
  16. class MailtoController extends JController
  17. {
  18. /**
  19. * Show the form so that the user can send the link to someone
  20. *
  21. * @access public
  22. * @since 1.5
  23. */
  24. function mailto()
  25. {
  26. $session = &JFactory::getSession();
  27. $session->set('com_mailto.formtime', time());
  28. JRequest::setVar('view', 'mailto');
  29. $this->display();
  30. }
  31. /**
  32. * Send the message and display a notice
  33. *
  34. * @access public
  35. * @since 1.5
  36. */
  37. function send()
  38. {
  39. // Check for request forgeries
  40. JRequest::checkToken() or jexit(JText::_('JInvalid_Token'));
  41. $app = &JFactory::getApplication();
  42. $session = &JFactory::getSession();
  43. $db = &JFactory::getDbo();
  44. $timeout = $session->get('com_mailto.formtime', 0);
  45. if ($timeout == 0 || time() - $timeout < 20) {
  46. JError::raiseNotice(500, JText:: _ ('EMAIL_NOT_SENT'));
  47. return $this->mailto();
  48. }
  49. jimport('joomla.mail.helper');
  50. $SiteName = $app->getCfg('sitename');
  51. $MailFrom = $app->getCfg('mailfrom');
  52. $FromName = $app->getCfg('fromname');
  53. $link = base64_decode(JRequest::getVar('link', '', 'post', 'base64'));
  54. // Verify that this is a local link
  55. if (!JURI::isInternal($link)) {
  56. //Non-local url...
  57. JError::raiseNotice(500, JText:: _ ('EMAIL_NOT_SENT'));
  58. return $this->mailto();
  59. }
  60. // An array of e-mail headers we do not want to allow as input
  61. $headers = array ( 'Content-Type:',
  62. 'MIME-Version:',
  63. 'Content-Transfer-Encoding:',
  64. 'bcc:',
  65. 'cc:');
  66. // An array of the input fields to scan for injected headers
  67. $fields = array ('mailto',
  68. 'sender',
  69. 'from',
  70. 'subject',
  71. );
  72. /*
  73. * Here is the meat and potatoes of the header injection test. We
  74. * iterate over the array of form input and check for header strings.
  75. * If we find one, send an unauthorized header and die.
  76. */
  77. foreach ($fields as $field)
  78. {
  79. foreach ($headers as $header)
  80. {
  81. if (strpos($_POST[$field], $header) !== false)
  82. {
  83. JError::raiseError(403, '');
  84. }
  85. }
  86. }
  87. /*
  88. * Free up memory
  89. */
  90. unset ($headers, $fields);
  91. $email = JRequest::getString('mailto', '', 'post');
  92. $sender = JRequest::getString('sender', '', 'post');
  93. $from = JRequest::getString('from', '', 'post');
  94. $subject_default = JText::sprintf('Item sent by', $sender);
  95. $subject = JRequest::getString('subject', $subject_default, 'post');
  96. // Check for a valid to address
  97. $error = false;
  98. if (! $email || ! JMailHelper::isEmailAddress($email))
  99. {
  100. $error = JText::sprintf('EMAIL_INVALID', $email);
  101. JError::raiseWarning(0, $error);
  102. }
  103. // Check for a valid from address
  104. if (! $from || ! JMailHelper::isEmailAddress($from))
  105. {
  106. $error = JText::sprintf('EMAIL_INVALID', $from);
  107. JError::raiseWarning(0, $error);
  108. }
  109. if ($error)
  110. {
  111. return $this->mailto();
  112. }
  113. // Build the message to send
  114. $msg = JText :: _('EMAIL_MSG');
  115. $body = sprintf($msg, $SiteName, $sender, $from, $link);
  116. // Clean the email data
  117. $subject = JMailHelper::cleanSubject($subject);
  118. $body = JMailHelper::cleanBody($body);
  119. $sender = JMailHelper::cleanAddress($sender);
  120. // Send the email
  121. if (JUtility::sendMail($from, $sender, $email, $subject, $body) !== true)
  122. {
  123. JError::raiseNotice(500, JText:: _ ('EMAIL_NOT_SENT'));
  124. return $this->mailto();
  125. }
  126. JRequest::setVar('view', 'sent');
  127. $this->display();
  128. }
  129. }