Diffstat (limited to 'sendmail.php')
| -rw-r--r-- | sendmail.php | 267 |
1 files changed, 267 insertions, 0 deletions
diff --git a/sendmail.php b/sendmail.php
new file mode 100644
index 0000000..2ce5739
--- /dev/null
+++ b/sendmail.php
@@ -0,0 +1,267 @@
+<?php
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+?>
+<?php
+/* vim: set ts=4 sw=4 et : */
+
+require_once __DIR__ . "/check_auth.php";
+require_once __DIR__ . "/../includes/common.php";
+
+session_write_close();
+
+if (isset($_SESSION['demo']) || isset($_GET['demo']) || isset($_POST['demo'])) {
+ $prop = 97;
+
+ if (rand(0, 100) > $prop) echo "0";
+ else echo "1";
+
+ exit(0);
+}
+
+$post_to = $_POST['to'];
+if (!assureString($post_to) || strlen($post_to) < 3 || strstr($post_to, '@') === false) {
+ echo "1";
+ exit(0);
+}
+
+if (isset($_SESSION['demoself']) || isset($_GET['demoself']) || isset($_POST['demoself'])) {
+ $post_to = $_POST['from'];
+}
+
+$sql = "SELECT ID FROM Personen WHERE (TRIM(LOWER(Email)) = ? OR TRIM(LOWER(`Email-Privat`)) = ? OR TRIM(LOWER(`Email-Geschäftlich`)) = ?) AND `wuenscht_keine_Emails` LIMIT 1;";
+$post_to_clean = trim(strtolower($post_to));
+$stmt = $mysqli->prepare($sql);
+$stmt->bind_param('sss', $post_to_clean, $post_to_clean, $post_to_clean);
+$stmt->bind_result($no_email);
+$stmt->execute();
+$stmt->fetch();
+$stmt->reset();
+
+if ($no_email > 0) {
+ echo "3";
+ exit(0);
+}
+
+if (
+ stristr($_POST['from'], '@upb.de') === false
+&& stristr($_POST['from'], '@uni-paderborn.de') === false
+&& stristr($_POST['from'], '@uni-paderborn.de') === false
+&& stristr($_POST['from'], '@hochschule-rhein-waal.de') === false
+&& stristr($_POST['from'], '@hsrw.dein-stip.de') === false
+) {
+ echo "4";
+ exit(0);
+}
+
+$mid = "" . time() . "-" . base_convert(bin2hex(random_bytes(8)), 16, 36) . "@hsrw.dein-stip.de";
+$boundary = "sfowl" . md5(uniqid('', true));
+
+$h = "From: " . $_POST['from'] . "\r\n";
+$h .= "Sender: " . $_POST['from'] . "\r\n";
+$h .= "Reply-To: " . "deutschlandstipendium@hochschule-rhein-waal.de" . "\r\n";
+$h .= "Errors-To: " . "deutschlandstipendium@hochschule-rhein-waal.de" . "\r\n";
+
+if (!isset($_SESSION['demoself'])) {
+ if (strlen($_POST['cc'])> 0) {
+ $h .= "Cc: " . $_POST['cc'] . "\r\n";
+ }
+
+ if (strlen($_POST['bcc'])> 0) {
+ $h .= "Bcc: " . $_POST['bcc'] . "\r\n";
+ }
+}
+
+$h .= "Message-ID: <" . $mid . ">\r\n";
+$h .= "MIME-Version: 1.0\r\n";
+
+$full = "";
+
+$html = '<style> body { font-family: "Arial Narrow", "Arial", sans-serif; } ' . "\r\n" . ' h1, h2, h3, h4, p { font-family: "Arial Narrow", "Arial", sans-serif; } ' . "\r\n" . ' ul, ol, li, strong, b, em, u, i, s, sup, sub, span, blockquote { font-family: "Arial Narrow", "Arial", sans-serif; } ' . "\r\n" . ' .ql-size-normal { font-size: 100%; } .ql-size-small { font-size: 70%; } .ql-size-large { font-size: 130%; } .ql-size-huge { font-size: 180%; } </style>' . "\r\n" . $_POST['html'];
+if (strstr($html, '<!DOCTYPE') || strstr($html, '<html')) {
+ $html = trim($_POST['html']);
+}
+
+function strip_tags_content($text, $tags = '', $invert = FALSE) {
+ preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
+ $tags = array_unique($tags[1]);
+ if(is_array($tags) AND count($tags) > 0) {
+ if($invert == FALSE) {
+ return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
+ } else {
+ return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
+ }
+ }
+ elseif($invert == FALSE) {
+ return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
+ }
+ return $text;
+}
+
+$text = trim(strip_tags(str_replace("<br>", "\r\n", str_replace("</p>", "\r\n", str_replace("<p>", "\r\n", strip_tags(strip_tags_content($_POST['html'], '<style>', TRUE), "<p><br>"))))));
+$text = preg_replace('/\h+/', ' ', $text);
+$text = preg_replace('/(\r\n\h*\r\n)+/', "\r\n", $text);
+$text = preg_replace('/(\r\n\h*\r\n)+/', "\r\n", $text);
+$text = preg_replace('/(\n\h*\n)+/', "\n", $text);
+$text = preg_replace('/(\n\h*\n)+/', "\n", $text);
+
+$exactmatch = false;
+if (isset($_POST['exactmatch']) && $_POST['exactmatch']) $exactmatch = true;
+
+$attach = false;
+$attach_fn = "";
+$attach_data = "";
+if ($_POST['attachments'] && $_POST['attachments_fn'] && $_POST['attachments_mime']) {
+ $attach = true;
+ $attach_fn = $_POST['attachments_fn'];
+ $attach_data = [];
+ foreach ($_POST['attachments'] as $el) {
+ if ($el[0] === '~') {
+ $attach_data[] = file_get_contents("/var/www/uploads/" . substr($el, 1));
+ if (!$exactmatch && end($attach_data) === false) {
+ $dn = dirname(substr($el, 1));
+ $bn = basename(substr($el, 1));
+ $ddd = glob("/var/www/uploads/*" . substr($dn, 1, -1) . "*_/" . $bn);
+ if (is_array($ddd)) {
+ $ddd = usort($ddd, function($a, $b) { return filemtime($a) - filemtime($b); });
+ reset($attach_data);
+ array_pop($attach_data);
+ $attach_data[] = file_get_contents($ddd[0]);
+ if (end($attach_data) === false) {
+ $altalt = explode('-', $dn);
+ if ($altalt == false || (is_array($altalt) && count($altalt) < 2)) {
+ echo "2";
+ exit(1);
+ }
+
+ $altddd = glob("/var/www/uploads/*" . $altalt[0] . "-*_/" . $bn);
+ if (is_array($altddd)) {
+ $ddd = usort($altddd, function($a, $b) { return filemtime($a) - filemtime($b); });
+ reset($attach_data);
+ array_pop($attach_data);
+ $attach_data[] = file_get_contents($altddd[0]);
+ if (end($attach_data) === false) {
+ echo "2";
+ exit(1);
+ }
+ } else {
+ echo "2";
+ exit(1);
+ }
+ }
+ } else {
+ echo "2";
+ exit(1);
+ }
+ }
+ reset($attach_data);
+ } else {
+ $attach_data[] = file_get_contents("/var/www/intern/pages/storage/" . $el[0] . "/" . $el[1] . "/" . $el[2] . "/" . substr($el, 3));
+ }
+ }
+ $attach_mime = $_POST['attachments_mime'];
+}
+
+if ($attach) {
+ $h .= "Content-Type: multipart/mixed; boundary=\"full_$boundary\"\r\n";
+ $full .= "--full_$boundary\r\n";
+ $full .= "Content-Type: multipart/alternative; boundary=\"$boundary\"\r\n";
+ $full .= "\r\n\r\n";
+} else {
+ $h .= "Content-Type: multipart/alternative; boundary=\"$boundary\"\r\n";
+}
+
+$full .= "--$boundary\r\n" .
+ "Content-Type: text/plain; charset=utf-8\r\n" .
+ "Content-Transfer-Encoding: quoted-printable\r\n\r\n" .
+
+ quoted_printable_encode(
+ $text
+ ) .
+
+ "\r\n\r\n" .
+
+ "--$boundary\r\n" .
+ "Content-Type: text/html; charset=utf-8\r\n" .
+ "Content-Transfer-Encoding: quoted-printable\r\n\r\n" .
+
+ quoted_printable_encode(
+ $html
+ ) .
+
+ "\r\n\r\n" .
+ "--$boundary--";
+
+if ($attach) {
+ $prefs = ['input-charset' => 'UTF-8', 'output-charset' => 'UTF-8'];
+ for ($i = 0; $i < count($attach_fn) && $i < count($attach_data) && $i < count($attach_mime); $i++) {
+ if ($attach_fn[$i][0] === '~') $attach_fn[$i] = basename($_POST['attachments'][$i]);
+ $en_fn = iconv_mime_encode("filename", $attach_fn[$i], $prefs);
+ $en_fn = substr($en_fn, strlen('filename: '));
+
+ $full .= "\r\n\r\n--full_$boundary\r\n";
+ $full .= "Content-Type: " . $attach_mime[$i] . "; name=\"" . $en_fn . "\"\r\n";
+ $full .= "Content-Disposition: attachment; filename=\"" . $en_fn . "\"\r\n";
+ $full .= "Content-Location: CID:att" . ($i+1) . "\r\n";
+ $full .= "Content-ID: <att" . ($i+1) . ">\r\n";
+ $full .= "Content-Transfer-Encoding: base64\r\n\r\n";
+
+ $full .= chunk_split(base64_encode($attach_data[$i]), 76, "\r\n");
+ }
+
+ $full .= "\r\n\r\n";
+ $full .= "--full_$boundary--";
+}
+
+$prefs = ['input-charset' => 'UTF-8', 'output-charset' => 'UTF-8'];
+$encoded_subject = iconv_mime_encode('Subject', $_POST['subject'], $prefs);
+$encoded_subject = substr($encoded_subject, strlen('Subject: '));
+
+if (isset($_SESSION['demoself'])) {
+ $e = mail($_POST['from'], $encoded_subject,
+ $full,
+ $h,
+ "-f " . $_POST['from']
+ );
+ echo 1;
+
+ exit(0);
+}
+
+$e = mail($post_to, $encoded_subject,
+ $full,
+ $h,
+ "-f " . $_POST['from']
+);
+
+syslog(LOG_INFO, 'sendmail for ' . $post_to . ' from ' . $_POST['from'] . ', errorlevel: ' . $e);
+
+if ($e == true) {
+ $persid = $_POST['persid'];
+ $stipid = $_POST['stipid'];
+ if ($persid == 0) $persid = null;
+ if ($stipid == 0) $stipid = null;
+
+ $sql = "INSERT INTO mails (mid, uid, persid, stipid, `from`, `to`, subject, html, text, header, attached) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);";
+ $stmt = $mysqli->prepare($sql);
+ $alist = "";
+ if ($_POST['attachments'] && is_array($_POST['attachments'])) {
+ $alist = implode(',', $_POST['attachments']);
+ }
+ $stmt->bind_param('ssiisssssss', $mid, $_POST['uid'], $persid, $stipid, $_POST['from'], $post_to, $_POST['subject'], $html, $text, $h, $alist);
+ $stmt->execute();
+ $stmt->reset();
+ $mysqli->close();
+}
+
+echo $e;
+?>
 |
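Review bot: The `From:`, `Sender:`, `Cc:` and `Bcc:` header lines are built by concatenating `$_POST['from']`, `$_POST['cc']` and `$_POST['bcc']` directly into `$h` with `\r\n`, and the only check on `from` is the `stristr()` domain test, which is a substring match and does not reject CR/LF or anything appended after the allowed domain, so a malformed value can alter the header block; the same raw value is also handed to `mail()` as `"-f " . $_POST['from']`. Validating before the `$h = "From: "` line, e.g. `$from = filter_var($_POST['from'], FILTER_VALIDATE_EMAIL);` followed by `if ($from === false) { echo "4"; exit(0); }`, and then using `$from` everywhere `$_POST['from']` is used (with each comma-separated `cc`/`bcc` address checked the same way) would close this. Separately, `$ddd = usort($ddd, ...)` overwrites the glob result with `usort()`'s bool return, so the following `file_get_contents($ddd[0])` reads `null` rather than the newest match; it should be the statement `usort($ddd, function($a, $b) { return filemtime($a) - filemtime($b); });` with `$ddd` left intact (the second branch has the same assignment but happens to index `$altddd[0]`). The `~`-prefixed attachment path is likewise joined to `/var/www/uploads/` without confirming the resolved path stays under that directory, which a `realpath()` prefix check before `file_get_contents()` would provide.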
