-rw-r--r--README.txt4
-rw-r--r--mimemail.inc6
-rw-r--r--mimemail.module2
3 files changed, 11 insertions, 1 deletions
diff --git a/README.txt b/README.txt
index e8bf69b..903f88e 100644
--- a/README.txt
+++ b/README.txt
@@ -61,6 +61,10 @@ USAGE
CSS definitions into tags within the HTML based on the CSS selectors. To use the
Compressor, just enable it.
+ The 'send arbitrary files' permission allows you to attach or embed files located
+ outside Drupal's public files directory. Note that this has security implications:
+ arbitrary means even your settings.php! Give to trusted roles only!
+
CREDITS
MAINTAINER: Allie Micka < allie at pajunas dot com >
diff --git a/mimemail.inc b/mimemail.inc
index 6fb71bd..e54ff1a 100644
--- a/mimemail.inc
+++ b/mimemail.inc
@@ -177,6 +177,12 @@ function _mimemail_file($url = NULL, $content = NULL, $name = '', $type = '', $d
}
if (isset($file) && (@is_file($file) || $content)) {
+ $public_path = file_directory_path();
+ $no_access = !user_access('send arbitrary files - Warning: has security implications!');
+ $not_in_public_path = strpos(realpath($file), $public_path) === FALSE;
+ if (@is_file($file) && $not_in_public_path && $no_access) {
+ return $url;
+ }
if (!$name) $name = (@is_file($file)) ? basename($file) : 'attachment.dat';
if (!$type) $type = ($name) ? file_get_mimetype($name) : file_get_mimetype($file);
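Review bot: The containment test on the `$not_in_public_path` line is a substring match, not a prefix match: `strpos(realpath($file), $public_path) === FALSE` accepts any absolute path that merely contains the public files directory string somewhere in it, and it also does not resolve `$public_path` itself, so the two sides are compared in different forms (resolved absolute vs. the configured, possibly relative, value). A file under a sibling directory whose name begins with the public path (e.g. `files_private` next to `files`) would likewise pass, because no directory separator is required after the prefix. I would resolve both sides and require the public path to be the prefix at position 0: `$public_path = realpath(file_directory_path()) . DIRECTORY_SEPARATOR;` and `$not_in_public_path = strpos(realpath($file), $public_path) !== 0;`. If `file_directory_path()` can point at a directory that does not yet exist, `realpath()` returns FALSE and the guard should then deny rather than compare against an empty prefix; worth confirming against callers. `_mimemail_file` starts and ends outside this hunk.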
diff --git a/mimemail.module b/mimemail.module
index a3f156d..0fa638f 100644
--- a/mimemail.module
+++ b/mimemail.module
@@ -41,7 +41,7 @@ function mimemail_incoming_access() {
* Implements hook_perm().
*/
function mimemail_perm() {
- return array('edit mimemail user settings');
+ return array('send arbitrary files - Warning: has security implications!', 'edit mimemail user settings');
}
/**
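Review bot: The new permission name on the `return array(...)` line is a long literal that must match the one passed to `user_access()` in `mimemail.inc` character for character; a typo in either copy silently fails closed for everyone (or, if the check side is wrong, never grants), with no error. Defining the string once as a module-level constant and referencing it from both `mimemail_perm()` and `_mimemail_file()` removes that coupling. A one-line comment on the return, `// Must match the name checked by user_access() in _mimemail_file().`, would at least document the dependency if a constant is not wanted.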