From 0304d757712e84c7d0a82b8ffb5dbaaad7b4e2c8 Mon Sep 17 00:00:00 2001
From: Jos Groot Lipman
Date: Wed, 31 Jul 2013 07:31:25 +0000
Subject: [PATCH] FSN#24372 Bijlagen met 'Foute' extensies via whitelist ipv. blacklist
svn path=/Website/trunk/; revision=18562
---
UTILS/mail_receive/EventHandlers.js | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/UTILS/mail_receive/EventHandlers.js b/UTILS/mail_receive/EventHandlers.js
index 6295bac9e8..c07540cd32 100644
--- a/UTILS/mail_receive/EventHandlers.js
+++ b/UTILS/mail_receive/EventHandlers.js
@@ -1,9 +1,7 @@
// Hieronder worden XXXX/XXXX/UDL's gezocht
-var facilPath = 'c:/Websites/Facilitor/csu_prep/cust/';
+var facilPath = 'd:/apps/Facilitor/FPlace5i/cust/';
var cust = 'XXXX';
-flexForbiddenExt = ".*\\.(asp|aspx|inc|bat|exe|com|scr|dll|hta|js|vbs|wsh|lnk|udl)$"; // Regexp forbidden extensions
-
safe = { // extracted from shared.inc
quoted_sql: function (tekst, maxlen) // maxlen is optioneel
{
@@ -13,11 +11,11 @@ safe = { // extracted from shared.inc
maxlen = 4000;
tekst = tekst.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F]+/g, "?");
tekst = tekst.substr(0, maxlen);
- return "'" + tekst.replace(/\'/g,"''") + "'";
+ return "'" + tekst.replace(/\'/g,"''") + "'"; // " syntax highlight correctie
},
- filename: function (naam) // geen 'lage' karakters een geen (back)slashes, *,%,<,>
+ filename: function (naam) // geen 'lage' karakters en geen (back)slashes, *,%,<,>
{
- return naam.replace(/[\x00-\x1F|\/|\\|\*|\%\<\>]+/g, "_");
+ return naam.replace(/[\x00-\x1F|\/|\\|\*|\%\<\>\"\:\?\|]+/g, "_"); // " syntax highlight correctie
}
}
@@ -35,7 +33,6 @@ function stripHtml(html)
return html;
}
-
function CreateFullPath(sPath)
{
var fso = new ActiveXObject("Scripting.FileSystemObject");
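Review bot: In the `filename` hunk the bare `|` characters inside the character class `[\x00-\x1F|\/|\\|\*|\%\<\>\"\:\?\|]` are literal pipes, not alternation, so `|` was already being replaced before this change and the newly added `\|` is redundant; the class reads more honestly as `/[\x00-\x1F\/\\\*%<>"\:\?\|]+/g`. The sanitiser also leaves a name consisting only of dots (`.` or `..`) untouched, and `path + filenm` in OnAcceptMessage then names the directory itself or its parent rather than a file inside `path`; whether `SaveAs` rejects that depends on the mail component, so a small guard such as `if (/^\.+$/.test(naam)) naam = "_";` would keep the check self-contained. A one-line comment on `filename` stating the invariant it guarantees for callers (no control characters, no path separators, none of the listed reserved characters) would help anyone building paths from the result. The `safe` object starts inside this hunk but its callers are elsewhere in the file.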
@@ -180,17 +177,30 @@ function OnAcceptMessage(oClient, oMessage)
}
oRs1.Close();
- EventLog.write(oMessage.Attachments.Count+' bijlage(s) naar ' + path);
+ // Veilige extensies
+ sql = "SELECT COALESCE(fac_setting_pvalue, fac_setting_default)"
+ + " FROM fac_setting"
+ + " WHERE fac_setting_name = 'flexallowedext'";
+ var oRs1 = Oracle.Execute(sql);
+ var flexAllowedExt = oRs1("fac_result_waarde").Value;
+ oRs1.Close();
+
CreateFullPath(path);
for (i=0; i < oMessage.Attachments.Count; i++)
{
filenm = "" + safe.filename(oMessage.Attachments.Item(i).fileName);
- if (filenm.match(flexForbiddenExt))
+ if (filenm == 'tmpl_logo.gif')
+ { // Waarschijnlijk een FACILITOR bon gereply'd
+ EventLog.write("Bijlage " + filenm + " genegeerd.");
+ }
+ else if (!new RegExp(flexAllowedExt, "ig").test(filenm))
{
+ // TODO: Misschien ook terugkoppelen aan zender?
EventLog.write("Onveilig bestand: " + filenm + " is niet opgeslagen.");
}
else
{
+ EventLog.write(filenm + ' bijlage (' + oMessage.Attachments.Item(i).Size + ' bytes) naar ' + path);
filePath = path + filenm;
oMessage.Attachments.Item(i).SaveAs(filePath);
}
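Review bot: The allow-list test `else if (!new RegExp(flexAllowedExt, "ig").test(filenm))` fails open when the setting is absent or empty: `new RegExp("")` and `new RegExp(undefined)` match every string, so a missing or blank `flexallowedext` row would save every attachment instead of none. Treating a missing value as "nothing allowed" is a one-line change, `else if (!flexAllowedExt || !new RegExp(flexAllowedExt, "i").test(filenm))`, which also drops the `g` flag that serves no purpose for a single `test` on a fresh RegExp; a line such as `EventLog.write("Instelling flexallowedext ontbreekt; bijlagen worden niet opgeslagen.");` before the loop when the value is empty would make the cause visible. The pattern only restricts the extension when the stored value is anchored (for example ends in `$`), which the code cannot enforce from here, so a comment next to the SELECT stating that expectation is worth adding. The query selects `COALESCE(fac_setting_pvalue, fac_setting_default)` without an alias while the value is read through `oRs1("fac_result_waarde")`; unless Oracle.Execute supplies that column name the lookup fails, and `... AS fac_result_waarde` would make the two agree, while `var oRs1` redeclares a variable the function already closes two lines earlier. OnAcceptMessage starts and ends outside the hunk.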