Author Topic: Images loading via file_get_contents to keep https-connection

Offline kevinx

  • Newbie
  • *
  • Posts: 4
Hello,

I have an https:// connection for my webmail. This works fine. But, when a mail contains images (e.g. newsletters from companies or webshops) and those images have to be downloaded from the (non-secure) websites of those companies or webshops, then my webmail loses its secure connection. I don't like that.

At the moment the source of an image in a mail is something like this:

<img src="http://image.webshop.com/example/image.jpg">
 
I do know a little bit of PHP scripting and I know that it is possible to download an image via the 'file_get_contents' command and keep the webmail connection secure. The way to do that is to alter the <img> line into:

<img src="img.php?i=http://image.webshop.com/example/image.jpg">

And then you have to add the img.php script file with the following lines:

<?php
// Fetches whatever URL is given in the query string and echoes the bytes back unchanged
$image=file_get_contents($_GET['i']);
echo $image;
?>

That's all!

I hope you can add this suggestion in the next release.

Kind regards,
Kevin

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: Images loading via file_get_contents to keep https-connection
« Reply #1 on: March 22, 2017, 11:57:31 AM »
This is extremely insecure: anything put into an image file could end up being executed inside Roundcube. For example, create an image file with the following code:
Code:
<script>alert('Nope.');</script>

When fetched with your script, it would run the alert inside Roundcube. This easily allows for cross-site scripting.
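For comparison, here is what a proxy along the lines of the first post would need in order not to become an XSS or SSRF hole. This is an added example, not the poster's script and not Roundcube's own code; the scheme check, the private-range refusal, the 2 MB cap and the allowed MIME list are assumptions chosen for illustration:

```php
<?php
// Hardened variant of img.php (added example). Key differences from the original:
// the URL is validated, the fetch is bounded, and the response type is decided from the
// bytes themselves and pinned with explicit headers, so a "script in an image" is never
// handed to the browser as HTML.
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024;                               // assumed cap on body size
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];  // assumed allow-list

function fetchImage(string $url): ?array {
    // 1. Only http/https to a public host: no file://, php://, data: or internal targets (SSRF).
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) return null;
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) return null;
    $ip = gethostbyname($parts['host']);   // IPv4 only; returns the name unchanged on failure
    if (filter_var($ip, FILTER_VALIDATE_IP,
                   FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) return null;

    // 2. Bounded fetch: timeouts, size cap, no redirects (a redirect could point inward).
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => MAX_BYTES,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if (!is_string($body) || $body === '' || strlen($body) > MAX_BYTES) return null;

    // 3. Decide the type from the bytes, not from the URL or the remote Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($body);
    if (!in_array($mime, ALLOWED_TYPES, true)) return null;
    return ['type' => $mime, 'body' => $body];
}

$img = fetchImage((string)($_GET['i'] ?? ''));
if ($img === null) {
    http_response_code(404);
    exit;
}
// 4. Pin the response: no sniffing, no inline rendering as a document, no scripts.
header('Content-Type: ' . $img['type']);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="image"');
header("Content-Security-Policy: default-src 'none'");
header('Content-Length: ' . strlen($img['body']));
echo $img['body'];
```

The IP check above resolves the name once, so a host whose DNS answer changes between that check and curl's own lookup can still slip past it; a production proxy would pin the resolved address for the fetch as well.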

Offline kevinx

  • Newbie
  • *
  • Posts: 4
Re: Images loading via file_get_contents to keep https-connection
« Reply #2 on: March 22, 2017, 12:11:25 PM »
Thanks for your reply.

I guess my suggestion is not very good. But, maybe someone knows a much better solution for this (little) problem.  :)

Kind regards,
Kevin

Offline rm13

  • Full Member
  • ***
  • Posts: 129
Re: Images loading via file_get_contents to keep https-connection
« Reply #3 on: March 23, 2017, 07:10:32 PM »
Your webmail does not really lose its secure connection. It probably has a "mixed content" icon or alert. The connection between your web browser and your webmail server is still secure.