Sanity checking.

Since it is technically possible to pass in MIME IDs through URL
params, we need to sanity check when stripping parts.

diff --git a/imp/lib/Message.php b/imp/lib/Message.php
index 6d3c71c..ca6cc22 100644 (file)
--- a/imp/lib/Message.php
+++ b/imp/lib/Message.php
@@ -463,8 +463,19 @@ class IMP_Message
         if (is_null($partid)) {
             $partids = $contents->getDownloadAllList();
         } else {
+            /* Sanity checking: make sure part does not live under a
+             * message/rfc822 part. */
+            $content_map = $message->contentTypeMap();
+            $id = $partid;
+            while (($id = Horde_Mime::mimeIdArithmetic($id)) !== null) {
+                if ($content_map[$id] == 'message/rfc822') {
+                    return PEAR::raiseError(_("Cannot strip a MIME part contained within a message/rfc822 part."));
+                }
+            }
+
             $partids = array($partid);
         }
+
         foreach ($partids as $partid) {
             $oldPart = $message->getPart($partid);
             if (!is_a($oldPart, 'Horde_Mime_Part')) {