61d9ec71 |
1 | <?php |
2 | |
3 | /** |
0c701a88 |
4 | * global.php |
61d9ec71 |
5 | * |
62f7daa5 |
6 | * This includes code to update < 4.1.0 globals to the newer format |
242342d0 |
7 | * It also has some session register functions that work across various |
62f7daa5 |
8 | * php versions. |
61d9ec71 |
9 | * |
47ccfad4 |
10 | * @copyright © 1999-2006 The SquirrelMail Project Team |
4b4abf93 |
11 | * @license http://opensource.org/licenses/gpl-license.php GNU Public License |
31841a9e |
12 | * @version $Id$ |
d6c32258 |
13 | * @package squirrelmail |
61d9ec71 |
14 | */ |
15 | |
051f6245 |
16 | /** |
2ca4c65a |
17 | */ |
7f62aaef |
18 | define('SQ_INORDER',0); |
19 | define('SQ_GET',1); |
20 | define('SQ_POST',2); |
21 | define('SQ_SESSION',3); |
22 | define('SQ_COOKIE',4); |
23 | define('SQ_SERVER',5); |
24 | define('SQ_FORM',6); |
a32985a5 |
25 | |
62f7daa5 |
26 | /** |
27 | * returns true if current php version is at mimimum a.b.c |
28 | * |
97bdc607 |
29 | * Called: check_php_version(4,1) |
8b096f0a |
30 | * @param int a major version number |
31 | * @param int b minor version number |
32 | * @param int c release number |
33 | * @return bool |
97bdc607 |
34 | */ |
62f7daa5 |
35 | function check_php_version ($a = '0', $b = '0', $c = '0') |
9697c5ab |
36 | { |
5673cabe |
37 | return version_compare ( PHP_VERSION, "$a.$b.$c", 'ge' ); |
9697c5ab |
38 | } |
39 | |
97bdc607 |
40 | /** |
62f7daa5 |
41 | * returns true if the current internal SM version is at minimum a.b.c |
42 | * These are plain integer comparisons, as our internal version is |
97bdc607 |
43 | * constructed by us, as an array of 3 ints. |
44 | * |
45 | * Called: check_sm_version(1,3,3) |
8b096f0a |
46 | * @param int a major version number |
47 | * @param int b minor version number |
48 | * @param int c release number |
49 | * @return bool |
97bdc607 |
50 | */ |
51 | function check_sm_version($a = 0, $b = 0, $c = 0) |
52 | { |
53 | global $SQM_INTERNAL_VERSION; |
54 | if ( !isset($SQM_INTERNAL_VERSION) || |
55 | $SQM_INTERNAL_VERSION[0] < $a || |
150c28d6 |
56 | ( $SQM_INTERNAL_VERSION[0] == $a && |
57 | $SQM_INTERNAL_VERSION[1] < $b) || |
58 | ( $SQM_INTERNAL_VERSION[0] == $a && |
59 | $SQM_INTERNAL_VERSION[1] == $b && |
97bdc607 |
60 | $SQM_INTERNAL_VERSION[2] < $c ) ) { |
61 | return FALSE; |
62f7daa5 |
62 | } |
63 | return TRUE; |
97bdc607 |
64 | } |
65 | |
66 | |
8b096f0a |
67 | /** |
68 | * Recursively strip slashes from the values of an array. |
69 | * @param array array the array to strip, passed by reference |
70 | * @return void |
71 | */ |
a32985a5 |
72 | function sqstripslashes(&$array) { |
3aa17cf9 |
73 | if(count($array) > 0) { |
74 | foreach ($array as $index=>$value) { |
75 | if (is_array($array[$index])) { |
76 | sqstripslashes($array[$index]); |
77 | } |
78 | else { |
79 | $array[$index] = stripslashes($value); |
80 | } |
a32985a5 |
81 | } |
82 | } |
83 | } |
84 | |
8b096f0a |
85 | /** |
86 | * Add a variable to the session. |
87 | * @param mixed $var the variable to register |
88 | * @param string $name the name to refer to this variable |
89 | * @return void |
90 | */ |
61d9ec71 |
91 | function sqsession_register ($var, $name) { |
281c3d5b |
92 | |
93 | sqsession_is_active(); |
94 | |
62f7daa5 |
95 | $_SESSION["$name"] = $var; |
96 | |
dcc1cc82 |
97 | session_register("$name"); |
61d9ec71 |
98 | } |
3aa17cf9 |
99 | |
8b096f0a |
100 | /** |
101 | * Delete a variable from the session. |
102 | * @param string $name the name of the var to delete |
103 | * @return void |
104 | */ |
61d9ec71 |
105 | function sqsession_unregister ($name) { |
281c3d5b |
106 | |
107 | sqsession_is_active(); |
108 | |
abd74f7d |
109 | unset($_SESSION[$name]); |
62f7daa5 |
110 | |
dcc1cc82 |
111 | session_unregister("$name"); |
61d9ec71 |
112 | } |
3aa17cf9 |
113 | |
8b096f0a |
114 | /** |
115 | * Checks to see if a variable has already been registered |
116 | * in the session. |
117 | * @param string $name the name of the var to check |
118 | * @return bool whether the var has been registered |
119 | */ |
d7c82551 |
120 | function sqsession_is_registered ($name) { |
121 | $test_name = &$name; |
122 | $result = false; |
62f7daa5 |
123 | |
abd74f7d |
124 | if (isset($_SESSION[$test_name])) { |
125 | $result = true; |
d7c82551 |
126 | } |
62f7daa5 |
127 | |
d7c82551 |
128 | return $result; |
129 | } |
130 | |
4cd8ae7d |
131 | /** |
2d055f0a |
132 | * Search for the var $name in $_SESSION, $_POST, $_GET, $_COOKIE, or $_SERVER |
133 | * and set it in provided var. |
d1975c5b |
134 | * |
2d055f0a |
135 | * If $search is not provided, or if it is SQ_INORDER, it will search $_SESSION, |
136 | * then $_POST, then $_GET. If $search is SQ_FORM it will search $_POST and |
137 | * $_GET. Otherwise, use one of the defined constants to look for a var in one |
138 | * place specifically. |
d1975c5b |
139 | * |
2d055f0a |
140 | * Note: $search is an int value equal to one of the constants defined above. |
d1975c5b |
141 | * |
2d055f0a |
142 | * Example: |
143 | * sqgetGlobalVar('username',$username,SQ_SESSION); |
144 | * // No quotes around last param, it's a constant - not a string! |
d1975c5b |
145 | * |
8b096f0a |
146 | * @param string name the name of the var to search |
147 | * @param mixed value the variable to return |
148 | * @param int search constant defining where to look |
149 | * @return bool whether variable is found. |
4cd8ae7d |
150 | */ |
151 | function sqgetGlobalVar($name, &$value, $search = SQ_INORDER) { |
f79c19a4 |
152 | |
d1975c5b |
153 | /* NOTE: DO NOT enclose the constants in the switch |
154 | statement with quotes. They are constant values, |
155 | enclosing them in quotes will cause them to evaluate |
156 | as strings. */ |
4cd8ae7d |
157 | switch ($search) { |
62f7daa5 |
158 | /* we want the default case to be first here, |
051f6245 |
159 | so that if a valid value isn't specified, |
160 | all three arrays will be searched. */ |
d1975c5b |
161 | default: |
d9ad2525 |
162 | case SQ_INORDER: // check session, post, get |
d1975c5b |
163 | case SQ_SESSION: |
164 | if( isset($_SESSION[$name]) ) { |
4cd8ae7d |
165 | $value = $_SESSION[$name]; |
d1975c5b |
166 | return TRUE; |
167 | } elseif ( $search == SQ_SESSION ) { |
168 | break; |
169 | } |
d9ad2525 |
170 | case SQ_FORM: // check post, get |
d1975c5b |
171 | case SQ_POST: |
172 | if( isset($_POST[$name]) ) { |
4cd8ae7d |
173 | $value = $_POST[$name]; |
d1975c5b |
174 | return TRUE; |
175 | } elseif ( $search == SQ_POST ) { |
27d0841c |
176 | break; |
d1975c5b |
177 | } |
178 | case SQ_GET: |
179 | if ( isset($_GET[$name]) ) { |
180 | $value = $_GET[$name]; |
181 | return TRUE; |
62f7daa5 |
182 | } |
d1975c5b |
183 | /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */ |
184 | break; |
185 | case SQ_COOKIE: |
186 | if ( isset($_COOKIE[$name]) ) { |
187 | $value = $_COOKIE[$name]; |
62f7daa5 |
188 | return TRUE; |
d1975c5b |
189 | } |
190 | break; |
191 | case SQ_SERVER: |
d1975c5b |
192 | if ( isset($_SERVER[$name]) ) { |
193 | $value = $_SERVER[$name]; |
194 | return TRUE; |
195 | } |
196 | break; |
4cd8ae7d |
197 | } |
511f5c33 |
198 | /* Nothing found, return FALSE */ |
4cd8ae7d |
199 | return FALSE; |
200 | } |
201 | |
8b096f0a |
202 | /** |
203 | * Deletes an existing session, more advanced than the standard PHP |
204 | * session_destroy(), it explicitly deletes the cookies and global vars. |
205 | */ |
513db22c |
206 | function sqsession_destroy() { |
242342d0 |
207 | |
281c3d5b |
208 | /* |
209 | * php.net says we can kill the cookie by setting just the name: |
210 | * http://www.php.net/manual/en/function.setcookie.php |
211 | * maybe this will help fix the session merging again. |
212 | * |
213 | * Changed the theory on this to kill the cookies first starting |
214 | * a new session will provide a new session for all instances of |
215 | * the browser, we don't want that, as that is what is causing the |
216 | * merging of sessions. |
217 | */ |
242342d0 |
218 | |
f9902ccb |
219 | global $base_uri; |
f31687f6 |
220 | |
3a1de9f1 |
221 | if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri); |
222 | if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri); |
223 | if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri); |
281c3d5b |
224 | |
225 | $sessid = session_id(); |
226 | if (!empty( $sessid )) { |
abd74f7d |
227 | $_SESSION = array(); |
21e18f59 |
228 | @session_destroy(); |
242342d0 |
229 | } |
230 | |
281c3d5b |
231 | } |
242342d0 |
232 | |
8b096f0a |
233 | /** |
281c3d5b |
234 | * Function to verify a session has been started. If it hasn't |
235 | * start a session up. php.net doesn't tell you that $_SESSION |
236 | * (even though autoglobal), is not created unless a session is |
237 | * started, unlike $_POST, $_GET and such |
238 | */ |
281c3d5b |
239 | function sqsession_is_active() { |
281c3d5b |
240 | $sessid = session_id(); |
241 | if ( empty( $sessid ) ) { |
3a1de9f1 |
242 | sqsession_start(); |
281c3d5b |
243 | } |
513db22c |
244 | } |
245 | |
3a1de9f1 |
246 | /** |
247 | * Function to start the session and store the cookie with the session_id as |
248 | * HttpOnly cookie which means that the cookie isn't accessible by javascript |
249 | * (IE6 only) |
250 | */ |
251 | function sqsession_start() { |
252 | global $PHP_SELF; |
253 | |
254 | $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|'); |
255 | $repl = array('', '', ''); |
256 | $base_uri = preg_replace($dirs, $repl, $PHP_SELF); |
257 | |
7f62aaef |
258 | |
3a1de9f1 |
259 | session_start(); |
260 | $sessid = session_id(); |
261 | // session_starts sets the sessionid cookie buth without the httponly var |
262 | // setting the cookie again sets the httponly cookie attribute |
263 | sqsetcookie(session_name(),$sessid,false,$base_uri); |
264 | } |
265 | |
266 | |
267 | /** |
268 | * Set a cookie |
269 | * @param string $sName The name of the cookie. |
270 | * @param string $sValue The value of the cookie. |
271 | * @param int $iExpire The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. |
272 | * @param string $sPath The path on the server in which the cookie will be available on. |
273 | * @param string $sDomain The domain that the cookie is available. |
274 | * @param boolean $bSecure Indicates that the cookie should only be transmitted over a secure HTTPS connection. |
275 | * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only) |
276 | * @return void |
277 | */ |
278 | function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) { |
279 | $sHeader = "Set-Cookie: $sName=$sValue"; |
280 | if ($sPath) { |
6f9fa51a |
281 | $sHeader .= "; path=$sPath"; |
3a1de9f1 |
282 | } |
6f9fa51a |
283 | if ($iExpire !== false) { |
3a1de9f1 |
284 | $sHeader .= "; Max-Age=$iExpire"; |
6f9fa51a |
285 | // php uses Expire header, also add the expire header |
a1ef1d05 |
286 | $sHeader .= "; expires=". gmdate('D, d-M-Y H:i:s T',$iExpire); |
3a1de9f1 |
287 | } |
288 | if ($sDomain) { |
289 | $sHeader .= "; Domain=$sDomain"; |
290 | } |
291 | if ($bSecure) { |
292 | $sHeader .= "; Secure"; |
293 | } |
294 | if ($bHttpOnly) { |
295 | $sHeader .= "; HttpOnly"; |
296 | } |
6f9fa51a |
297 | // $sHeader .= "; Version=1"; |
3a1de9f1 |
298 | |
299 | header($sHeader); |
300 | } |
7f62aaef |
301 | |
302 | /** |
303 | * php_self |
304 | * |
305 | * Creates an URL for the page calling this function, using either the PHP global |
306 | * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1 |
307 | * function was stored in function/strings.php. |
308 | * |
309 | * @return string the complete url for this page |
310 | * @since 1.2.3 |
311 | */ |
312 | function php_self () { |
313 | if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER) && !empty($req_uri) ) { |
314 | return $req_uri; |
315 | } |
316 | |
317 | if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER) && !empty($php_self) ) { |
318 | |
319 | // need to add query string to end of PHP_SELF to match REQUEST_URI |
320 | // |
321 | if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) && !empty($query_string) ) { |
322 | $php_self .= '?' . $query_string; |
323 | } |
324 | |
325 | return $php_self; |
326 | } |
327 | |
328 | return ''; |
329 | } |
330 | |
331 | /** set the name of the session cookie */ |
332 | if(isset($session_name) && $session_name) { |
333 | ini_set('session.name' , $session_name); |
334 | } else { |
335 | ini_set('session.name' , 'SQMSESSID'); |
336 | } |
337 | |
338 | /** |
339 | * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways. |
340 | * Force magic_quotes_runtime off. |
341 | * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this. |
342 | * If there's a better place, please let me know. |
343 | */ |
344 | ini_set('magic_quotes_runtime','0'); |
345 | |
346 | /* Since we decided all IMAP servers must implement the UID command as defined in |
347 | * the IMAP RFC, we force $uid_support to be on. |
348 | */ |
349 | |
350 | global $uid_support; |
351 | $uid_support = true; |
352 | |
353 | /* if running with magic_quotes_gpc then strip the slashes |
354 | from POST and GET global arrays */ |
7f62aaef |
355 | if (get_magic_quotes_gpc()) { |
356 | sqstripslashes($_GET); |
357 | sqstripslashes($_POST); |
358 | } |
359 | |
5cc4a272 |
360 | /** |
4753eae2 |
361 | * If register_globals are on, unregister globals. |
362 | * Code requires PHP 4.1.0 or newer. |
5cc4a272 |
363 | */ |
364 | if ((bool) @ini_get('register_globals')) { |
4753eae2 |
365 | /** |
366 | * Remove all globals from $_GET, $_POST, and $_COOKIE. |
367 | */ |
5cc4a272 |
368 | foreach ($_REQUEST as $key => $value) { |
369 | unset($GLOBALS[$key]); |
370 | } |
4753eae2 |
371 | /** |
372 | * Remove globalized $_FILES variables |
373 | * Before 4.3.0 $_FILES are included in $_REQUEST. |
5fe8257d |
374 | * Unglobalize them in separate call in order to remove dependency |
4753eae2 |
375 | * on PHP version. |
376 | */ |
377 | foreach ($_FILES as $key => $value) { |
378 | unset($GLOBALS[$key]); |
379 | // there are three undocumented $_FILES globals. |
380 | unset($GLOBALS[$key.'_type']); |
381 | unset($GLOBALS[$key.'_name']); |
382 | unset($GLOBALS[$key.'_size']); |
383 | } |
384 | /** |
385 | * Remove globalized environment variables. |
386 | */ |
387 | foreach ($_ENV as $key => $value) { |
388 | unset($GLOBALS[$key]); |
389 | } |
390 | /** |
391 | * Remove globalized server variables. |
392 | */ |
393 | foreach ($_SERVER as $key => $value) { |
394 | unset($GLOBALS[$key]); |
395 | } |
5cc4a272 |
396 | } |
397 | |
7f62aaef |
398 | /* strip any tags added to the url from PHP_SELF. |
399 | This fixes hand crafted url XXS expoits for any |
400 | page that uses PHP_SELF as the FORM action */ |
401 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
402 | |
403 | $PHP_SELF = php_self(); |
404 | |
405 | sqsession_is_active(); |
406 | |
5fe8257d |
407 | /** |
4753eae2 |
408 | * Remove globalized session data in rg=on setups |
409 | */ |
410 | if ((bool) @ini_get('register_globals')) { |
411 | foreach ($_SESSION as $key => $value) { |
412 | unset($GLOBALS[$key]); |
413 | } |
414 | } |
5fe8257d |
415 | |
753afc63 |
416 | ?> |