61d9ec71 |
1 | <?php |
2 | |
3 | /** |
0c701a88 |
4 | * global.php |
61d9ec71 |
5 | * |
62f7daa5 |
6 | * This includes code to update < 4.1.0 globals to the newer format |
242342d0 |
7 | * It also has some session register functions that work across various |
62f7daa5 |
8 | * php versions. |
61d9ec71 |
9 | * |
4b5049de |
10 | * @copyright © 1999-2007 The SquirrelMail Project Team |
4b4abf93 |
11 | * @license http://opensource.org/licenses/gpl-license.php GNU Public License |
31841a9e |
12 | * @version $Id$ |
d6c32258 |
13 | * @package squirrelmail |
61d9ec71 |
14 | */ |
15 | |
/**
 * Search-location selectors accepted as the $search argument of
 * sqgetGlobalVar() and sqGetGlobalVarMultiple().
 */
define('SQ_INORDER', 0);   // session first, then POST, then GET
define('SQ_GET',     1);   // $_GET only
define('SQ_POST',    2);   // $_POST only
define('SQ_SESSION', 3);   // $_SESSION only
define('SQ_COOKIE',  4);   // $_COOKIE only
define('SQ_SERVER',  5);   // $_SERVER only
define('SQ_FORM',    6);   // POST first, then GET
a32985a5 |
25 | |
202bcbcc |
26 | |
/**
 * Reports whether the running PHP version is at minimum a.b.c
 *
 * Called: check_php_version(4,1)
 * @param int a major version number
 * @param int b minor version number
 * @param int c release number
 * @return bool
 */
function check_php_version ($a = '0', $b = '0', $c = '0')
{
    // build the dotted version string, then let PHP do the comparison
    $wanted_version = $a . '.' . $b . '.' . $c;

    return version_compare(PHP_VERSION, $wanted_version, '>=');
}
40 | |
/**
 * Reports whether the current internal SM version is at minimum a.b.c
 * These are plain integer comparisons, as the internal version is
 * constructed by SquirrelMail itself as an array of 3 ints.
 *
 * Called: check_sm_version(1,3,3)
 * @param int a major version number
 * @param int b minor version number
 * @param int c release number
 * @return bool
 */
function check_sm_version($a = 0, $b = 0, $c = 0)
{
    global $SQM_INTERNAL_VERSION;

    // no version information available at all
    if (!isset($SQM_INTERNAL_VERSION)) {
        return FALSE;
    }

    // major number decides on its own unless it is equal
    if ($SQM_INTERNAL_VERSION[0] < $a) {
        return FALSE;
    }

    if ($SQM_INTERNAL_VERSION[0] == $a) {

        // same major: minor number decides unless it is equal too
        if ($SQM_INTERNAL_VERSION[1] < $b) {
            return FALSE;
        }

        // same major and minor: release number decides
        if ($SQM_INTERNAL_VERSION[1] == $b
         && $SQM_INTERNAL_VERSION[2] < $c) {
            return FALSE;
        }
    }

    return TRUE;
}
66 | |
67 | |
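/**
 * Recursively strip slashes from the values of an array.
 *
 * Anything that is not an array is left untouched.
 *
 * @param array array the array to strip, passed by reference
 * @return void
 */
function sqstripslashes(&$array) {

    // count() on a non-array (for example an unset superglobal that
    // arrives here as NULL) is a TypeError on PHP 8 and a warning on
    // PHP 7.2+, so test the type instead of the element count
    //
    if (!is_array($array)) {
        return;
    }

    foreach ($array as $index => $value) {
        if (is_array($value)) {
            // nested array: strip in place through the reference
            sqstripslashes($array[$index]);
        } else {
            $array[$index] = stripslashes($value);
        }
    }
}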
85 | |
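/**
 * Squelch error output to screen (only) for the given function.
 * If the SquirrelMail debug mode SM_DEBUG_MODE_ADVANCED is not
 * enabled, error output will not go to the log, either.
 *
 * This provides an alternative to the @ error-suppression
 * operator where errors will not be shown in the interface
 * but will show up in the server log file (assuming the
 * administrator has configured PHP logging).
 *
 * @since 1.4.12 and 1.5.2
 *
 * @param string $function The function to be executed
 * @param array  $args     The arguments to be passed to the function
 *                         (OPTIONAL; default no arguments)
 *                         NOTE: The caller must take extra action if
 *                               the function being called is supposed
 *                               to use any of the parameters by
 *                               reference.  In the following example,
 *                               $x is passed by reference and $y is
 *                               passed by value to the "my_func"
 *                               function.
 * sq_call_function_suppress_errors('my_func', array(&$x, $y));
 *
 * @return mixed The return value, if any, of the function being
 *               executed will be returned.
 *
 */
function sq_call_function_suppress_errors($function, $args=NULL) {
    global $sm_debug_mode;

    // call_user_func_array() needs an array: with the documented
    // "no arguments" default of NULL it refuses to run the callback
    // (warning on PHP 5/7, TypeError on PHP 8)
    //
    if (is_null($args)) {
        $args = array();
    }

    // remember the current setting, then keep errors off the page
    //
    $display_errors = ini_get('display_errors');
    ini_set('display_errors', '0');

    // if advanced debug mode isn't enabled, don't log the error, either
    // (a failure inside the callback then leaves no trace in the server log)
    //
    $log_errors = ($sm_debug_mode & SM_DEBUG_MODE_ADVANCED);
    if (!$log_errors)
        $error_reporting = error_reporting(0);

    // NOTE: if the callback throws, the settings changed above
    //       are not restored by this function
    //
    $ret = call_user_func_array($function, $args);

    if (!$log_errors)
        error_reporting($error_reporting);

    ini_set('display_errors', $display_errors);
    return $ret;
}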
133 | |
/**
 * Store a value in the session under the given name.
 *
 * @param mixed $var the variable to register
 * @param string $name the name to refer to this variable
 * @return void
 */
function sqsession_register ($var, $name) {

    // $_SESSION only exists once a session has been started
    sqsession_is_active();

    $_SESSION[$name] = $var;
}
3aa17cf9 |
146 | |
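/**
 * Delete a variable from the session.
 *
 * @param string $name the name of the var to delete
 * @return void
 */
function sqsession_unregister ($name) {

    // $_SESSION only exists once a session has been started
    sqsession_is_active();

    unset($_SESSION[$name]);

    // session_unregister() is only present in older PHP versions;
    // calling it where it is missing is a fatal error that would
    // abort the request, so only use it when it exists
    //
    if (function_exists('session_unregister')) {
        session_unregister("$name");
    }
}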
3aa17cf9 |
160 | |
/**
 * Checks to see if a variable has already been registered
 * in the session.
 *
 * Because the check is isset(), a name whose stored value
 * is NULL is reported as not registered.
 *
 * @param string $name the name of the var to check
 * @return bool whether the var has been registered
 */
function sqsession_is_registered ($name) {
    return isset($_SESSION[$name]);
}
177 | |
54ce41dd |
178 | |
/**
 * Retrieves a form variable, from a set of possible similarly named
 * form variables, based on finding a different, single field.  This
 * is intended to allow more than one same-named inputs in a single
 * <form>, where the submit button that is clicked tells us which
 * input we should retrieve.  An example is if we have:
 *     <select name="startMessage_1">
 *     <select name="startMessage_2">
 *     <input type="submit" name="form_submit_1" />
 *     <input type="submit" name="form_submit_2" />
 * and we want to know which one of the select inputs should be
 * returned as $startMessage (without the suffix!), this function
 * decides by looking for either "form_submit_1" or "form_submit_2"
 * (both should not appear).  In this example, $name should be
 * "startMessage" and $indicator_field should be "form_submit".
 *
 * NOTE that form widgets must be named with the suffix "_1", "_2", "_3"
 *      and so on, or this function will not work.
 *
 * If more than one of the indicator fields is found, the first one
 * (numerically) will win.
 *
 * If an indicator field is found without a matching input ($name)
 * field, FALSE is returned.
 *
 * If no indicator fields are found, a field of $name *without* any
 * suffix is searched for (but only if $fallback_no_suffix is TRUE),
 * and if not found, FALSE is ultimately returned.
 *
 * It should also be possible to use the same string for both
 * $name and $indicator_field to look for the first possible
 * widget with a suffix that can be found (and possibly fallback
 * to a widget without a suffix).
 *
 * @param string name the name of the var to search
 * @param mixed value the variable to return
 * @param string indicator_field the name of the field upon which to base
 *                               our decision upon (see above)
 * @param int search constant defining where to look
 * @param bool fallback_no_suffix whether or not to look for $name with
 *                                no suffix when nothing else is found
 * @param mixed default the value to assign to $value when nothing is found
 * @param int typecast force variable to be cast to given type (please
 *                     use SQ_TYPE_XXX constants or set to FALSE (default)
 *                     to leave variable type unmolested)
 *
 * @return bool whether variable is found.
 */
function sqGetGlobalVarMultiple($name, &$value, $indicator_field,
                                $search = SQ_INORDER,
                                $fallback_no_suffix=TRUE, $default=NULL,
                                $typecast=FALSE) {

    // Arbitrary upper bound on the suffixes that are probed.  It could
    // usually be much lower, but on the search results page with many
    // (50 or more?) mailboxes shown it may still be too small.  Open
    // question from the original author: should this be automated?
    //
    $max_form_search = 100;

    // probe indicator_1, indicator_2, ... and stop at the first hit;
    // the indicator's own value is not used, only its presence
    //
    $suffix = 1;
    while ($suffix <= $max_form_search) {
        $indicator_found = sqGetGlobalVar($indicator_field . '_' . $suffix,
                                          $unused, $search);
        if ($indicator_found) {
            return sqGetGlobalVar($name . '_' . $suffix, $value,
                                  $search, $default, $typecast);
        }
        $suffix++;
    }

    // no indicator field found: give up unless the un-suffixed
    // name may be tried
    //
    if (!$fallback_no_suffix) {
        if (!is_null($default)) {
            $value = $default;
        }
        return FALSE;
    }

    return sqGetGlobalVar($name, $value, $search, $default, $typecast);

}
261 | |
262 | |
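/**
 * Search for the var $name in $_SESSION, $_POST, $_GET, $_COOKIE, or $_SERVER
 * and set it in provided var.
 *
 * If $search is not provided, or if it is SQ_INORDER, it will search $_SESSION,
 * then $_POST, then $_GET. If $search is SQ_FORM it will search $_POST and
 * $_GET.  Otherwise, use one of the defined constants to look for a var in one
 * place specifically.
 *
 * Note: $search is an int value equal to one of the constants defined above.
 *
 * Note: with SQ_INORDER a name that is missing from the session is taken
 *       from the request instead, so a value that must come from the
 *       session should be fetched with SQ_SESSION.
 *
 * Example:
 * sqgetGlobalVar('username',$username,SQ_SESSION);
 * // No quotes around last param, it's a constant - not a string!
 *
 * @param string name the name of the var to search
 * @param mixed value the variable to return
 * @param int search constant defining where to look
 * @param mixed default the value to assign to $value when nothing is found
 * @param int typecast force variable to be cast to given type (please
 *                     use SQ_TYPE_XXX constants or set to FALSE (default)
 *                     to leave variable type unmolested)
 *
 * @return bool whether variable is found.
 */
function sqgetGlobalVar($name, &$value, $search = SQ_INORDER, $default = NULL, $typecast = false) {

    $result = false;

    switch ($search) {
        /* we want the default case to be first here,
           so that if a valid value isn't specified,
           all three arrays will be searched. */
        default:
        case SQ_INORDER: // check session, post, get
        case SQ_SESSION:
            if( isset($_SESSION[$name]) ) {
                $value = $_SESSION[$name];
                $result = TRUE;
                break;
            } elseif ( $search == SQ_SESSION ) {
                break;
            }
            // not in the session and not session-only: fall through
        case SQ_FORM:   // check post, get
        case SQ_POST:
            if( isset($_POST[$name]) ) {
                $value = $_POST[$name];
                $result = TRUE;
                break;
            } elseif ( $search == SQ_POST ) {
                break;
            }
            // not in POST and not POST-only: fall through
        case SQ_GET:
            if ( isset($_GET[$name]) ) {
                $value = $_GET[$name];
                $result = TRUE;
                break;
            }
            /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */
            break;
        case SQ_COOKIE:
            if ( isset($_COOKIE[$name]) ) {
                $value = $_COOKIE[$name];
                $result = TRUE;
                break;
            }
            break;
        case SQ_SERVER:
            if ( isset($_SERVER[$name]) ) {
                $value = $_SERVER[$name];
                $result = TRUE;
                break;
            }
            break;
    }
    if ($result && $typecast) {
        switch ($typecast) {
            case SQ_TYPE_INT: $value = (int) $value; break;
            case SQ_TYPE_STRING: $value = (string) $value; break;
            case SQ_TYPE_BOOL: $value = (bool) $value; break;
            case SQ_TYPE_BIGINT:
                // Digits only.  The D modifier anchors $ at the very end,
                // so a value such as "123\n" no longer passes, and
                // non-scalar input (e.g. name[]=1 arriving as an array)
                // is rejected instead of being handed to preg_match().
                //
                $value = ((is_scalar($value)
                        && preg_match('/^[0-9]+$/D', (string) $value))
                       ? $value : '0');
                break;
            default: break;
        }
    } else if (!$result && !is_null($default)) {
        $value = $default;
    }
    return $result;
}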
353 | |
/**
 * Get an immutable copy of a configuration variable if SquirrelMail
 * is in "secured configuration" mode.  This guarantees the caller
 * gets a copy of the requested value as it is set in the main
 * application configuration (including config_local overrides), and
 * not what it might be after possibly having been modified by some
 * other code (usually a plugin overriding configuration values for
 * one reason or another).
 *
 * WARNING: Please use this function as little as possible, because
 * every time it is called, it forcibly reloads the main configuration
 * file(s).
 *
 * Caller beware that this function will do nothing if SquirrelMail
 * is not in "secured configuration" mode per the $secured_config
 * setting.
 *
 * NOTE: $var_name is used as a variable variable, so it should only
 * ever be a name chosen by the calling code, never a value taken
 * from the request.
 *
 * @param string $var_name The name of the desired variable
 *
 * @return mixed The desired value
 *
 * @since 1.5.2
 *
 */
function get_secured_config_value($var_name) {

    // The configuration files below are loaded into this function's
    // own scope, so the local names used here share a namespace with
    // the configuration variables.
    //
    static $return_values = array();

    // serve repeat requests from the per-request cache so the
    // configuration files are not included yet again
    //
    if (isset($return_values[$var_name])) {
        return $return_values[$var_name];
    }


    // load site configuration, then local overrides when present
    //
    require(SM_PATH . 'config/config.php');
    if (file_exists(SM_PATH . 'config/config_local.php')) {
        require(SM_PATH . 'config/config_local.php');
    }

    // outside "secured configuration" mode the value comes from the
    // global scope instead; otherwise the freshly loaded local copy
    // is what gets returned
    //
    if (!$secured_config) {
        global $$var_name;
    }

    $return_values[$var_name] = $$var_name;
    return $$var_name;

}
416 | |
/**
 * Deletes an existing session, more advanced than the standard PHP
 * session_destroy(), it explicitly deletes the cookies and global vars.
 *
 * WARNING: Older PHP versions have some issues with session management.
 * See http://bugs.php.net/11643 (warning, spammed bug tracker) and
 * http://bugs.php.net/13834. SID constant is not destroyed in PHP 4.1.2,
 * 4.2.3 and maybe other versions. If you restart session after session
 * is destroyed, affected PHP versions produce PHP notice. Bug should
 * be fixed only in 4.3.0
 */
function sqsession_destroy() {

    /*
     * The cookies are expired first, before the session data is
     * touched.  The original reasoning: starting a new session
     * would hand a new session to every instance of the browser,
     * which is what caused sessions to be merged.  See
     * http://www.php.net/manual/en/function.setcookie.php
     */

    global $base_uri, $_COOKIE, $_SESSION;

    // expire the session cookie (expiry timestamp 1 is in the past)
    $cookie_name = session_name();
    if (isset($_COOKIE[$cookie_name]) && $cookie_name) {
        sqsetcookie($cookie_name, $_COOKIE[$cookie_name], 1, $base_uri);
    }

    // overwrite and expire the 'key' cookie as well
    if (isset($_COOKIE['key']) && $_COOKIE['key']) {
        sqsetcookie('key', 'SQMTRASH', 1, $base_uri);
    }

    // nothing to tear down when no session is open
    $sessid = session_id();
    if (empty($sessid)) {
        return;
    }

    // empty the session data before destroying the session itself
    $_SESSION = array();
    @session_destroy();
}
242342d0 |
452 | |
/**
 * Function to verify a session has been started.  If it hasn't
 * start a session up.  php.net doesn't tell you that $_SESSION
 * (even though autoglobal), is not created unless a session is
 * started, unlike $_POST, $_GET and such
 * Update: (see #1685031) the session ID is left over after the
 * session is closed in some PHP setups; this function just becomes
 * a passthru to sqsession_start().  The former behaviour was to
 * start a session only when session_id() returned an empty value.
 */
function sqsession_is_active() {
    // unconditional on purpose, see the update note above
    sqsession_start();
}
469 | |
/**
 * Function to start the session and store the cookie with the session_id as
 * HttpOnly cookie which means that the cookie isn't accessible by javascript
 * (noted by the original author as honoured by IE6 only)
 * Note that as sqsession_is_active() no longer discriminates as to when
 * it calls this function, session_start() has to have E_NOTICE suppression
 * (which used to be done with the @ sign).
 */
function sqsession_start() {
    global $base_uri;

    // replaces the former @session_start()
    sq_call_function_suppress_errors('session_start');
    $session_id = session_id();

    // session_start() sends the session cookie without the HttpOnly
    // attribute; sending the cookie a second time adds it.
    //
    // This function runs on every sqsession_is_active() call, also
    // after output has begun, so the cookie is only re-sent while
    // headers can still be emitted.
    //
    if (headers_sent()) {
        return;
    }

    sqsetcookie(session_name(), $session_id, false, $base_uri);
}
495 | |
496 | |
79a7fdf5 |
497 | |
/**
 * Set a cookie
 *
 * The cookie is sent as a hand-built Set-Cookie header rather than
 * through setcookie(), so that the HttpOnly attribute can be added.
 *
 * @param string  $sName     The name of the cookie.
 * @param string  $sValue    The value of the cookie.
 * @param int     $iExpire   The time the cookie expires. This is a Unix
 *                           timestamp so is in number of seconds since
 *                           the epoch.
 * @param string  $sPath     The path on the server in which the cookie
 *                           will be available on.
 * @param string  $sDomain   The domain that the cookie is available.
 * @param boolean $bSecure   Indicates that the cookie should only be
 *                           transmitted over a secure HTTPS connection.
 * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
 * @param boolean $bReplace  Replace previous cookies with same name?
 *
 * @return void
 *
 * @since 1.4.16 and 1.5.1
 *
 */
function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
                     $bSecure=false, $bHttpOnly=true, $bReplace=false) {

    global $is_secure_connection, $only_secure_cookies;

    // on a secure connection the cookie is limited to https only
    if ($sName && $is_secure_connection) {
        $bSecure = true;
    }

    // admin config can override the restriction of secure-only cookies
    // NOTE(review): an unset $only_secure_cookies is falsy, so the flag
    //               is also cleared when the setting is missing;
    //               confirm the configuration always defines it
    if (!$only_secure_cookies) {
        $bSecure = false;
    }

    // PHP 5.2+ setcookie() knows the httponly attribute, but the
    // original author found it unreliable, so the header is always
    // built by hand here

    if (!empty($sDomain)) {
        // accept domains with and without 'www.'
        if (strtolower(substr($sDomain, 0, 4)) == 'www.') {
            $sDomain = substr($sDomain, 4);
        }
        $sDomain = '.' . $sDomain;

        // remove port information
        $Port = strpos($sDomain, ':');
        if ($Port !== false) {
            $sDomain = substr($sDomain, 0, $Port);
        }
    }

    // an empty value is sent as the placeholder 'deleted'
    if (!$sValue) {
        $sValue = 'deleted';
    }

    // name and value are URL-encoded; the attributes are appended as given
    // NOTE(review): $sPath and $sDomain are not encoded; confirm callers
    //               only pass configuration-derived values
    $sCookie = rawurlencode($sName) . '=' . rawurlencode($sValue);
    if (!empty($iExpire)) {
        $sCookie .= '; expires=' . gmdate('D, d-M-Y H:i:s', $iExpire) . ' GMT';
    }
    if (!empty($sPath)) {
        $sCookie .= '; path=' . $sPath;
    }
    if (!empty($sDomain)) {
        $sCookie .= '; domain=' . $sDomain;
    }
    if ($bSecure) {
        $sCookie .= '; secure';
    }
    if ($bHttpOnly) {
        $sCookie .= '; HttpOnly';
    }

    header('Set-Cookie: ' . $sCookie, $bReplace);
}
555 | |
945c733e |
556 | |
/**
 * session_regenerate_id replacement for PHP < 4.3.2
 *
 * This code is borrowed from Gallery, session.php version 1.53.2.1
 *
 * NOTE(review): the replacement ID is an md5() over the client
 * address, the clock and output seeded from mt_rand(); none of
 * these is a cryptographic random source, so IDs produced here are
 * more guessable than those of a built-in session_regenerate_id().
 * The fallback is only defined where the built-in is missing.
 * Nothing in it removes the data stored under the previous ID.
 */
if (!function_exists('session_regenerate_id')) {

    /**
     * Combined linear congruential generator mixing the current
     * time with mt_rand().
     *
     * @return float
     */
    function php_combined_lcg() {
        $now = gettimeofday();
        $s1 = $now['sec'] ^ (~$now['usec']);
        $s2 = mt_rand();

        // advance the first generator
        $q = (int) ($s1 / 53668);
        $s1 = (int) (40014 * ($s1 - 53668 * $q) - 12211 * $q);
        if ($s1 < 0) {
            $s1 += 2147483563;
        }

        // advance the second generator
        $q = (int) ($s2 / 52774);
        $s2 = (int) (40692 * ($s2 - 52774 * $q) - 3791 * $q);
        if ($s2 < 0) {
            $s2 += 2147483399;
        }

        // combine both states and scale the result
        $z = (int) ($s1 - $s2);
        if ($z < 1) {
            $z += 2147483562;
        }
        return $z * 4.656613e-10;
    }

    /**
     * Assign a new ID to the current session and, when PHP uses
     * cookies for sessions, send the matching session cookie.
     *
     * @return bool always TRUE
     */
    function session_regenerate_id() {
        global $base_uri;

        $now = gettimeofday();
        sqgetGlobalVar('REMOTE_ADDR', $remote_addr, SQ_SERVER);

        // seed material: client address, current time, LCG output
        $seed = sprintf("%.15s%ld%ld%0.8f", $remote_addr, $now['sec'], $now['usec'], php_combined_lcg() * 10);
        session_id(md5($seed));

        if (ini_get('session.use_cookies')) {
            sqsetcookie(session_name(), session_id(), 0, $base_uri);
        }
        return TRUE;
    }
}
7f62aaef |
597 | |
202bcbcc |
598 | |
/**
 * php_self
 *
 * Creates an URL for the page calling this function, using the PHP global
 * PHP_SELF with QUERY_STRING added (REQUEST_URI is deliberately not used,
 * see below). Before 1.5.1 function was stored in function/strings.php.
 *
 * The result is assembled from request data and is not escaped here;
 * escape it for the context it is written into.
 *
 * @return string the complete url for this page
 * @since 1.2.3
 */
function php_self () {
    // REQUEST_URI is not consulted: PHP 4.4.4 apparently gives the wrong
    // value there (missing the query string), and the 1.4.x code has the
    // same lookup disabled

    $have_self = sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER);
    if (!$have_self || empty($php_self)) {
        return '';
    }

    // append the query string so the result matches REQUEST_URI
    //
    $have_query = sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER);
    if ($have_query && !empty($query_string)) {
        $php_self = $php_self . '?' . $query_string;
    }

    return $php_self;
}
aa201211 |
629 | |
630 | |
/**
 * Print variable
 *
 * sm_print_r($some_variable, [$some_other_variable [, ...]]);
 *
 * Debugging function - does the same as print_r, but makes sure special
 * characters are converted to htmlentities first.  This will allow
 * values like <some@email.address> to be displayed.
 * The output is wrapped in <pre> and </pre> tags.
 * Since 1.4.2 accepts unlimited number of arguments.
 * @since 1.4.1
 * @return void
 */
function sm_print_r() {
    // collect everything in a buffer so it can be escaped in one go
    ob_start();

    foreach (func_get_args() as $item) {
        print_r($item);
        echo "\n";

        if (!is_object($item)) {
            continue;
        }

        // for objects, list the class methods as well
        $methods = get_class_methods(get_class($item));
        if (is_array($methods) && !empty($methods)) {
            echo "Object methods:\n";
            foreach ($methods as $method_name) {
                echo '* ' . $method_name . "\n";
            }
        }
        echo "\n";
    }

    // fetch the dump and stop buffering without emitting it raw
    $dump = ob_get_clean();

    print '<div align="left"><pre>' . htmlentities($dump) . '</pre></div>';
}
45ca6962 |
669 | |
670 | |
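/**
 * Sanitize a value using htmlspecialchars() or similar, but also
 * recursively run htmlspecialchars() (or similar) on array keys
 * and values.
 *
 * If $value is not a string or an array with strings in it,
 * the value is returned as is.
 *
 * @param mixed $value       The value to be sanitized.
 * @param mixed $quote_style Either boolean or an integer.  If it
 *                           is an integer, it must be the PHP
 *                           constant indicating if/how to escape
 *                           quotes: ENT_QUOTES, ENT_COMPAT, or
 *                           ENT_NOQUOTES.  If it is a boolean value,
 *                           it must be TRUE and thus indicates
 *                           that the only sanitizing to be done
 *                           herein is to replace single and double
 *                           quotes with &#039; and &quot;, no other
 *                           changes are made to $value.  If it is
 *                           boolean and FALSE, behavior reverts
 *                           to same as if the value was ENT_QUOTES
 *                           (OPTIONAL; default is ENT_QUOTES).
 *
 * @return mixed The sanitized value.
 *
 * @since 1.5.2
 *
 **/
function sq_htmlspecialchars($value, $quote_style=ENT_QUOTES) {

    if ($quote_style === FALSE) $quote_style = ENT_QUOTES;

    // array?  go recursive...
    // (keys are sanitized too, not only the values)
    //
    if (is_array($value)) {
        $return_array = array();
        foreach ($value as $key => $val) {
            $return_array[sq_htmlspecialchars($key, $quote_style)]
                = sq_htmlspecialchars($val, $quote_style);
        }
        return $return_array;

    // sanitize strings only
    //
    } else if (is_string($value)) {
        if ($quote_style === TRUE)
            // quote-only mode: < > and & are left as they are, so the
            // result is only suitable where those are handled elsewhere;
            // the replacements are the entity forms of ' and "
            return str_replace(array('\'', '"'), array('&#039;', '&quot;'), $value);
        else
            return htmlspecialchars($value, $quote_style);
    }

    // anything else gets returned with no changes
    //
    return $value;

}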
67c826ce |
727 | |
728 | |
/**
 * Detect whether or not we have a SSL secured (HTTPS)
 * connection to the browser
 *
 * It is thought to be so if you have 'SSLOptions +StdEnvVars'
 * in your Apache configuration,
 *     OR if you have HTTPS set to a non-empty value (except "off")
 *        in your HTTP_SERVER_VARS,
 *     OR if you have HTTP_X_FORWARDED_PROTO=https in your HTTP_SERVER_VARS,
 *     OR if you are on port 443.
 *
 * Note: HTTP_X_FORWARDED_PROTO could be sent from the client and
 *       therefore possibly spoofed/hackable.  Thus, SquirrelMail
 *       ignores such headers by default.  The administrator
 *       can tell SM to use such header values by setting
 *       $sq_ignore_http_x_forwarded_headers to boolean FALSE
 *       in config/config.php or by using config/conf.pl.
 *
 * Note: It is possible to run SSL on a port other than 443, and
 *       if that is the case, the administrator should set
 *       $sq_https_port in config/config.php or by using config/conf.pl.
 *
 * Note: an empty $sq_https_port is replaced by 443 in the global
 *       scope as a side effect of calling this function.
 *
 * @return boolean TRUE if the current connection is SSL-encrypted;
 *                 FALSE otherwise.
 *
 * @since 1.4.17 and 1.5.2
 *
 */
function is_ssl_secured_connection()
{
    global $sq_ignore_http_x_forwarded_headers, $sq_https_port;

    $https_env_var = getenv('HTTPS');

    // the forwarded-protocol header only counts when the administrator
    // has chosen to trust it and it is actually present
    $trust_forwarded = !$sq_ignore_http_x_forwarded_headers;
    if (!$trust_forwarded
     || !sqgetGlobalVar('HTTP_X_FORWARDED_PROTO', $forwarded_proto, SQ_SERVER)) {
        $forwarded_proto = '';
    }

    // default https port; won't work with port 0 (zero)
    if (empty($sq_https_port)) {
        $sq_https_port = 443;
    }

    // 1. HTTPS=on in the process environment
    if (isset($https_env_var) && strcasecmp($https_env_var, 'on') === 0) {
        return TRUE;
    }

    // 2. HTTPS server variable that is non-empty and not "off"
    if (sqgetGlobalVar('HTTPS', $https, SQ_SERVER) && !empty($https)
     && strcasecmp($https, 'off') !== 0) {
        return TRUE;
    }

    // 3. trusted forwarded protocol header says https
    if (strcasecmp($forwarded_proto, 'https') === 0) {
        return TRUE;
    }

    // 4. request arrived on the configured https port
    // NOTE(review): on some server setups SERVER_PORT may reflect the
    //               client-supplied Host header; confirm for the deployment
    if (sqgetGlobalVar('SERVER_PORT', $server_port, SQ_SERVER)
     && $server_port == $sq_https_port) {
        return TRUE;
    }

    return FALSE;
}
775 | |
776 | |
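/**
 * Endeavor to detect what user and group PHP is currently
 * running as.  Probably only works in non-Windows environments.
 *
 * @return mixed Boolean FALSE is returned if something went wrong,
 *               otherwise an array is returned with the following
 *               elements:
 *                  uid    The current process' UID (integer)
 *                  euid   The current process' effective UID (integer)
 *                  gid    The current process' GID (integer)
 *                  egid   The current process' effective GID (integer)
 *                  name   The current process' name/handle (string)
 *                  ename  The current process' effective name/handle (string)
 *                  group  The current process' group name (string)
 *                  egroup The current process' effective group name (string)
 *               Note that some of these elements may have empty
 *               values, especially if they could not be determined.
 *
 * @since 1.5.2
 *
 */
function get_process_owner_info()
{
    // the posix functions are not available everywhere
    if (!function_exists('posix_getuid'))
        return FALSE;

    $process_info['uid'] = posix_getuid();
    $process_info['euid'] = posix_geteuid();
    $process_info['gid'] = posix_getgid();
    $process_info['egid'] = posix_getegid();

    $user_info = posix_getpwuid($process_info['uid']);
    $euser_info = posix_getpwuid($process_info['euid']);
    $group_info = posix_getgrgid($process_info['gid']);
    $egroup_info = posix_getgrgid($process_info['egid']);

    // a failed lookup returns FALSE instead of an array; report an
    // empty name in that case
    //
    $process_info['name'] = isset($user_info['name']) ? $user_info['name'] : '';
    $process_info['ename'] = isset($euser_info['name']) ? $euser_info['name'] : '';

    // group names come from the group lookups (the user lookups were
    // used here before, which reported the user name as the group)
    //
    $process_info['group'] = isset($group_info['name']) ? $group_info['name'] : '';
    $process_info['egroup'] = isset($egroup_info['name']) ? $egroup_info['name'] : '';

    return $process_info;
}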
820 | |
821 | |