From cdea8caa5617f0cb77bcbc9803759abd2df50644 Mon Sep 17 00:00:00 2001
From: Niklas Olmes <niklas@olmes.de>
Date: Fri, 24 Apr 2026 19:30:00 +0200
Subject: stipcrm

---
 sendmail.php | 267 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 267 insertions(+)
 create mode 100644 sendmail.php

(limited to 'sendmail.php')

diff --git a/sendmail.php b/sendmail.php
new file mode 100644
index 0000000..2ce5739
--- /dev/null
+++ b/sendmail.php
@@ -0,0 +1,267 @@
+<?php
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+?>
+<?php
+/* vim: set ts=4 sw=4 et : */
+
+require_once __DIR__ . "/check_auth.php";
+require_once __DIR__ . "/../includes/common.php";
+
+session_write_close();
+
+if (isset($_SESSION['demo']) || isset($_GET['demo']) || isset($_POST['demo'])) {
+    $prop = 97;
+
+    if (rand(0, 100) > $prop) echo "0";
+    else echo "1";
+
+    exit(0);
+}
+
+$post_to = $_POST['to'];
+if (!assureString($post_to) || strlen($post_to) < 3 || strstr($post_to, '@') === false) {
+    echo "1";
+    exit(0);
+}
+
+if (isset($_SESSION['demoself']) || isset($_GET['demoself']) || isset($_POST['demoself'])) {
+    $post_to = $_POST['from'];
+}
+
+$sql = "SELECT ID FROM Personen WHERE (TRIM(LOWER(Email)) = ? OR TRIM(LOWER(`Email-Privat`)) = ? OR TRIM(LOWER(`Email-Geschäftlich`)) = ?) AND `wuenscht_keine_Emails` LIMIT 1;";
+$post_to_clean = trim(strtolower($post_to));
+$stmt = $mysqli->prepare($sql);
+$stmt->bind_param('sss', $post_to_clean, $post_to_clean, $post_to_clean);
+$stmt->bind_result($no_email);
+$stmt->execute();
+$stmt->fetch();
+$stmt->reset();
+
+if ($no_email > 0) {
+    echo "3";
+    exit(0);
+}
+
+if (
+   stristr($_POST['from'], '@upb.de') === false
+&& stristr($_POST['from'], '@uni-paderborn.de') === false
+&& stristr($_POST['from'], '@uni-paderborn.de') === false
+&& stristr($_POST['from'], '@hochschule-rhein-waal.de') === false
+&& stristr($_POST['from'], '@hsrw.dein-stip.de') === false
+) {
+    echo "4";
+    exit(0);
+}
+
+$mid = "" . time() . "-" . base_convert(bin2hex(random_bytes(8)), 16, 36) . "@hsrw.dein-stip.de";
+$boundary = "sfowl" . md5(uniqid('', true));
+
+$h = "From: " . $_POST['from'] . "\r\n";
+$h .= "Sender: " . $_POST['from'] . "\r\n";
+$h .= "Reply-To: " . "deutschlandstipendium@hochschule-rhein-waal.de" . "\r\n";
+$h .= "Errors-To: " . "deutschlandstipendium@hochschule-rhein-waal.de" . "\r\n";
+
+if (!isset($_SESSION['demoself'])) {
+    if (strlen($_POST['cc'])> 0) {
+        $h .= "Cc: " . $_POST['cc'] . "\r\n";
+    }
+
+    if (strlen($_POST['bcc'])> 0) {
+        $h .= "Bcc: " . $_POST['bcc'] . "\r\n";
+    }
+}
+
+$h .= "Message-ID: <" . $mid . ">\r\n";
+$h .= "MIME-Version: 1.0\r\n";
+
+$full = "";
+
+$html = '<style> body { font-family: "Arial Narrow", "Arial", sans-serif; } ' . "\r\n" . ' h1, h2, h3, h4, p { font-family:  "Arial Narrow", "Arial", sans-serif; } ' . "\r\n" . ' ul, ol, li, strong, b, em, u, i, s, sup, sub, span, blockquote { font-family: "Arial Narrow", "Arial", sans-serif; } ' . "\r\n" . ' .ql-size-normal { font-size: 100%; } .ql-size-small { font-size: 70%; } .ql-size-large { font-size: 130%; } .ql-size-huge { font-size: 180%; } </style>' . "\r\n" . $_POST['html'];
+if (strstr($html, '<!DOCTYPE') || strstr($html, '<html')) {
+    $html = trim($_POST['html']);
+}
+
+function strip_tags_content($text, $tags = '', $invert = FALSE) {
+    preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
+    $tags = array_unique($tags[1]);
+    if(is_array($tags) AND count($tags) > 0) {
+        if($invert == FALSE) {
+            return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text);
+        } else {
+            return preg_replace('@<('. implode('|', $tags) .')\b.*?>.*?</\1>@si', '', $text);
+        }
+    }
+    elseif($invert == FALSE) {
+        return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
+    }
+    return $text;
+}
+
+$text = trim(strip_tags(str_replace("<br>", "\r\n", str_replace("</p>", "\r\n", str_replace("<p>", "\r\n", strip_tags(strip_tags_content($_POST['html'], '<style>', TRUE), "<p><br>"))))));
+$text = preg_replace('/\h+/', ' ', $text);
+$text = preg_replace('/(\r\n\h*\r\n)+/', "\r\n", $text);
+$text = preg_replace('/(\r\n\h*\r\n)+/', "\r\n", $text);
+$text = preg_replace('/(\n\h*\n)+/', "\n", $text);
+$text = preg_replace('/(\n\h*\n)+/', "\n", $text);
+
+$exactmatch = false;
+if (isset($_POST['exactmatch']) && $_POST['exactmatch']) $exactmatch = true;
+
+$attach = false;
+$attach_fn = "";
+$attach_data = "";
+if ($_POST['attachments'] && $_POST['attachments_fn'] && $_POST['attachments_mime']) {
+    $attach = true;
+    $attach_fn = $_POST['attachments_fn'];
+    $attach_data = [];
+    foreach ($_POST['attachments'] as $el) {
+        if ($el[0] === '~') {
+            $attach_data[] = file_get_contents("/var/www/uploads/" . substr($el, 1));
+            if (!$exactmatch && end($attach_data) === false) {
+                $dn = dirname(substr($el, 1));
+                $bn = basename(substr($el, 1));
+                $ddd = glob("/var/www/uploads/*" . substr($dn, 1, -1) . "*_/" . $bn);
+                if (is_array($ddd)) {
+                    $ddd = usort($ddd, function($a, $b) { return filemtime($a) - filemtime($b); });
+                    reset($attach_data);
+                    array_pop($attach_data);
+                    $attach_data[] = file_get_contents($ddd[0]);
+                    if (end($attach_data) === false) {
+                        $altalt = explode('-', $dn);
+                        if ($altalt == false || (is_array($altalt) && count($altalt) < 2)) {
+                            echo "2";
+                            exit(1);
+                        }
+
+                        $altddd = glob("/var/www/uploads/*" . $altalt[0] . "-*_/" . $bn);
+                        if (is_array($altddd)) {
+                            $ddd = usort($altddd, function($a, $b) { return filemtime($a) - filemtime($b); });
+                            reset($attach_data);
+                            array_pop($attach_data);
+                            $attach_data[] = file_get_contents($altddd[0]);
+                            if (end($attach_data) === false) {
+                                echo "2";
+                                exit(1);
+                            }
+                        } else {
+                            echo "2";
+                            exit(1);
+                        }
+                    }
+                } else {
+                    echo "2";
+                    exit(1);
+                }
+            }
+            reset($attach_data);
+        } else {
+            $attach_data[] = file_get_contents("/var/www/intern/pages/storage/" . $el[0] . "/" . $el[1] . "/" . $el[2] . "/" . substr($el, 3));
+        }
+    }
+    $attach_mime = $_POST['attachments_mime'];
+}
+
+if ($attach) {
+    $h .= "Content-Type: multipart/mixed; boundary=\"full_$boundary\"\r\n";
+    $full .= "--full_$boundary\r\n";
+    $full .= "Content-Type: multipart/alternative; boundary=\"$boundary\"\r\n";
+    $full .= "\r\n\r\n";
+} else {
+    $h .= "Content-Type: multipart/alternative; boundary=\"$boundary\"\r\n";
+}
+
+$full .= "--$boundary\r\n" .
+    "Content-Type: text/plain; charset=utf-8\r\n" .
+    "Content-Transfer-Encoding: quoted-printable\r\n\r\n" .
+
+    quoted_printable_encode(
+        $text
+    ) .
+
+    "\r\n\r\n" .
+
+    "--$boundary\r\n" .
+    "Content-Type: text/html; charset=utf-8\r\n" .
+    "Content-Transfer-Encoding: quoted-printable\r\n\r\n" .
+
+    quoted_printable_encode(
+        $html
+    ) .
+
+    "\r\n\r\n" .
+    "--$boundary--";
+
+if ($attach) {
+    $prefs = ['input-charset' => 'UTF-8', 'output-charset' => 'UTF-8'];
+    for ($i = 0; $i < count($attach_fn) && $i < count($attach_data) && $i < count($attach_mime); $i++) {
+        if ($attach_fn[$i][0] === '~') $attach_fn[$i] = basename($_POST['attachments'][$i]);
+        $en_fn = iconv_mime_encode("filename", $attach_fn[$i], $prefs);
+        $en_fn = substr($en_fn, strlen('filename: '));
+
+        $full .= "\r\n\r\n--full_$boundary\r\n";
+        $full .= "Content-Type: " . $attach_mime[$i] . "; name=\"" . $en_fn . "\"\r\n";
+        $full .= "Content-Disposition: attachment; filename=\"" . $en_fn . "\"\r\n";
+        $full .= "Content-Location: CID:att" . ($i+1) . "\r\n";
+        $full .= "Content-ID: <att" . ($i+1) . ">\r\n";
+        $full .= "Content-Transfer-Encoding: base64\r\n\r\n";
+
+        $full .= chunk_split(base64_encode($attach_data[$i]), 76, "\r\n");
+    }
+
+    $full .= "\r\n\r\n";
+    $full .= "--full_$boundary--";
+}
+
+$prefs = ['input-charset' => 'UTF-8', 'output-charset' => 'UTF-8'];
+$encoded_subject = iconv_mime_encode('Subject', $_POST['subject'], $prefs);
+$encoded_subject = substr($encoded_subject, strlen('Subject: '));
+
+if (isset($_SESSION['demoself'])) {
+        $e = mail($_POST['from'], $encoded_subject,
+        $full,
+        $h,
+        "-f " . $_POST['from']
+    );
+    echo 1;
+
+    exit(0);
+}
+
+$e = mail($post_to, $encoded_subject,
+    $full,
+    $h,
+    "-f " . $_POST['from']
+);
+
+syslog(LOG_INFO, 'sendmail for ' . $post_to . ' from ' . $_POST['from'] . ', errorlevel: ' . $e);
+
+if ($e == true) {
+    $persid = $_POST['persid'];
+    $stipid = $_POST['stipid'];
+    if ($persid == 0) $persid = null;
+    if ($stipid == 0) $stipid = null;
+
+    $sql = "INSERT INTO mails (mid, uid, persid, stipid, `from`, `to`, subject, html, text, header, attached) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);";
+    $stmt = $mysqli->prepare($sql);
+    $alist = "";
+    if ($_POST['attachments'] && is_array($_POST['attachments'])) {
+        $alist = implode(',', $_POST['attachments']);
+    }
+    $stmt->bind_param('ssiisssssss', $mid, $_POST['uid'], $persid, $stipid, $_POST['from'], $post_to, $_POST['subject'], $html, $text, $h, $alist);
+    $stmt->execute();
+    $stmt->reset();
+    $mysqli->close();
+}
+
+echo $e;
+?>
-- 
cgit v1.3.1