I tried RoundCube webmail on an HTTPS site, but M$ Internet Explorer can't download attachments. It's a known problem of IE, so I can fix it quickly.
In the file program/steps/mail/get.inc, before the line with if ($_GET['_download']) [about line 86],
add the following code:
if (isset($_SERVER['HTTPS']))
{
  // We need to set the following headers to make downloads work
  // using IE in HTTPS mode.
  header('Pragma: ');
  header('Cache-Control: ');
}
You can find more about this issue in user comments http://www.php.net/manual/en/function.fpassthru.php
But there are two things, which I don't understand:
1] Why is there condition if ($_GET['_download']) for sending download headers? I can't find when it is used. If I watch headers sent to the browser in case of attachment download, it always uses else part sending Content-Disposition: inline. Also I can't find any link with _download in query string
2] Why are there files with .inc extension, which are not parsed by PHP interpreter by default (on many servers)? It can be a potential security flaw.
At last - webmail can't be used with safe_mode=On if messages are sent by built-in php function mail() with fifth parameter.
But anyway - thanks for nice webmail!
Miroslav Lachman
2005/11/17, Quip quip@quip.cz:
I tried RoundCube webmail on an HTTPS site, but M$ Internet Explorer can't download attachments. It's a known problem of IE, so I can fix it quickly. [...]
Thanks, I know this problem but did not think of adding it to RoundCube...
You can find more about this issue in user comments http://www.php.net/manual/en/function.fpassthru.php
But there are two things, which I don't understand:
1] Why is there condition if ($_GET['_download']) for sending download headers? I can't find when it is used. If I watch headers sent to the browser in case of attachment download, it always uses else part sending Content-Disposition: inline. Also I can't find any link with _download in query string
If for example, an image is attached to a message, RoundCube will open a new window and load that image into an iframe (Content-Disposition: inline). There's also a button "Download" where you can get the image to be saved onto your disk (sent with $_GET['_download']).
2] Why are there files with .inc extension, which are not parsed by PHP interpreter by default (on many servers)? It can be a potential security flaw.
inc signalizes to me that this file can not be executed on its own (it's just an include). Access to .inc files is denied by the htaccess file in root folder. Also, this is an open source project and if one wants to get the code, it's not necessary to download each file separately from a RC installation. Configuration files are extended with .php for security reasons.
At last - webmail can't be used with safe_mode=On if messages are sent by built-in php function mail() with fifth parameter.
The current CVS version should solve this by checking safe_mode before calling mail(). There's also the possibility to configure an SMTP host which will be used to deliver mails directly without using mail().
But anyway - thanks for nice webmail!
Miroslav Lachman
Regards, Thomas
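
The header handling discussed in this thread (empty Pragma and Cache-Control on HTTPS, inline versus download via _download), as an added example that is not part of the original messages and not RoundCube's own code. The function name attachment_headers(), its parameters, and the file name and MIME type checks are assumptions made for this illustration; the sample requests are constructed.

```php
<?php
// Added example, not RoundCube code: attachment_headers() and its
// parameters are hypothetical names used only for this illustration.
function attachment_headers(array $server, array $query, $filename, $mimetype)
{
    $headers = array();

    // Workaround from the thread: send empty Pragma and Cache-Control on
    // HTTPS so Internet Explorer can save the file. IIS may set HTTPS to
    // "off" on plain HTTP, so isset() alone is not enough there.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        $headers[] = 'Pragma: ';
        $headers[] = 'Cache-Control: ';
    }

    // The MIME type comes from the message, so accept only type/subtype.
    // \z (not $) so a trailing newline cannot slip through.
    if (!preg_match('~^[a-z0-9.+-]+/[a-z0-9.+-]+\z~i', $mimetype)) {
        $mimetype = 'application/octet-stream';
    }
    $headers[] = 'Content-Type: ' . $mimetype;

    // The file name is sender-controlled too: drop any path, then replace
    // control characters (CR/LF would start a new header) and quotes.
    $name = basename(str_replace('\\', '/', $filename));
    $name = preg_replace('/[\x00-\x1f\x7f"]/', '_', $name);
    if ($name === '') {
        $name = 'attachment';
    }

    // "Download" button (_download set) => attachment, otherwise inline.
    $disposition = !empty($query['_download']) ? 'attachment' : 'inline';
    $headers[] = sprintf('Content-Disposition: %s; filename="%s"', $disposition, $name);

    return $headers;
}

// Constructed sample requests (not captured traffic).
$cases = array(
    array(array('HTTPS' => 'on'), array('_download' => '1'), 'report.pdf', 'application/pdf'),
    array(array(), array(), "../../x\r\nSet-Cookie: a=b.jpg", "image/jpeg\r\nX: y"),
);
foreach ($cases as $c) {
    // A real handler would pass each string to header() instead of echo.
    echo implode("\n", call_user_func_array('attachment_headers', $c)), "\n\n";
}
```

The second case shows a hostile file name and MIME type being reduced to a single safe Content-Disposition line and application/octet-stream.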