[squirrelmail.git] / include / init.php

<?php

/**
 * init.php -- initialisation file
 *
 * File should be loaded in every file in src/ or plugins that occupate an entire frame
 *
 * @copyright &copy; 2006 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
 * @package squirrelmail
 */

/**
 * This is a development version so in order to track programmer mistakes we
 * set the error reporting to E_ALL
 */
error_reporting(E_ALL);


/**
 * If register_globals are on, unregister globals.
 * Code requires PHP 4.1.0 or newer.
 * Second test covers boolean set as string (php_value register_globals off).
 */
if ((bool) @ini_get('register_globals') &&
    strtolower(ini_get('register_globals'))!='off') {
    /**
     * Remove all globals from $_GET, $_POST, and $_COOKIE.
     */
    foreach ($_REQUEST as $key => $value) {
        unset($GLOBALS[$key]);
    }
    /**
     * Remove globalized $_FILES variables
     * Before 4.3.0 $_FILES are included in $_REQUEST.
     * Unglobalize them in separate call in order to remove dependency
     * on PHP version.
     */
    foreach ($_FILES as $key => $value) {
        unset($GLOBALS[$key]);
        // there are three undocumented $_FILES globals.
        unset($GLOBALS[$key.'_type']);
        unset($GLOBALS[$key.'_name']);
        unset($GLOBALS[$key.'_size']);
    }
    /**
     * Remove globalized environment variables.
     */
    foreach ($_ENV as $key => $value) {
        unset($GLOBALS[$key]);
    }
    /**
     * Remove globalized server variables.
     */
    foreach ($_SERVER as $key => $value) {
        unset($GLOBALS[$key]);
    }
}

/**
 * [#1518885] session.use_cookies = off breaks SquirrelMail
 *
 * When session cookies are not used, all http redirects, meta refreshes, 
 * src/download.php and javascript URLs are broken. Setting must be set 
 * before session is started.
 */
if (!(bool)ini_get('session.use_cookies') ||
    ini_get('session.use_cookies') == 'off') {
    ini_set('session.use_cookies','1');
}

/**
 * calculate SM_PATH and calculate the base_uri
 * assumptions made: init.php is only called from plugins or from the src dir.
 * files in the plugin directory may not be part of a subdirectory called "src"
 *
 */
if (isset($_SERVER['SCRIPT_NAME'])) {
    $a = explode('/',$_SERVER['SCRIPT_NAME']);
} elseif (isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) {
    $a = explode('/',$HTTP_SERVER_VARS['SCRIPT_NAME']);
} else {
    $error = 'Unable to detect script environment. '
	.'Please test your PHP settings and send PHP core config, $_SERVER '
	.'and $HTTP_SERVER_VARS to SquirrelMail developers.';
    die($error);
}
$sSM_PATH = '';
for($i = count($a) -2;$i > -1; --$i) {
    $sSM_PATH .= '../';
    if ($a[$i] === 'src' || $a[$i] === 'plugins') {
        break;
    }
}

$base_uri = implode('/',array_slice($a,0,$i)). '/';

define('SM_PATH',$sSM_PATH);
define('SM_BASE_URI', $base_uri);
/**
 * global var $bInit is used to check if initialisation took place.
 * At this moment it's a workarounf for the include of addrbook_search_html
 * inside compose.php. If we found a better way then remove this. Do only use
 * this var if you know for sure a page can be called stand alone and be included
 * in another file.
 */
$bInit = true;

/**
 * This theme as a failsafe if no themes were found, or if we error
 * out before anything could be initialised.
 */
$color = array();
$color[0]  = '#DCDCDC';  /* light gray    TitleBar               */
$color[1]  = '#800000';  /* red                                  */
$color[2]  = '#CC0000';  /* light red     Warning/Error Messages */
$color[3]  = '#A0B8C8';  /* green-blue    Left Bar Background    */
$color[4]  = '#FFFFFF';  /* white         Normal Background      */
$color[5]  = '#FFFFCC';  /* light yellow  Table Headers          */
$color[6]  = '#000000';  /* black         Text on left bar       */
$color[7]  = '#0000CC';  /* blue          Links                  */
$color[8]  = '#000000';  /* black         Normal text            */
$color[9]  = '#ABABAB';  /* mid-gray      Darker version of #0   */
$color[10] = '#666666';  /* dark gray     Darker version of #9   */
$color[11] = '#770000';  /* dark red      Special Folders color  */
$color[12] = '#EDEDED';
$color[13] = '#800000';  /* (dark red)    Color for quoted text -- > 1 quote */
$color[14] = '#ff0000';  /* (red)         Color for quoted text -- >> 2 or more */
$color[15] = '#002266';  /* (dark blue)   Unselectable folders */
$color[16] = '#ff9933';  /* (orange)      Highlight color */

require(SM_PATH . 'functions/global.php');
require(SM_PATH . 'config/config.php');
require(SM_PATH . 'functions/plugin.php');
require(SM_PATH . 'include/constants.php');
require(SM_PATH . 'include/languages.php');

/**
 * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
 * Force magic_quotes_runtime off.
 * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
 * If there's a better place, please let me know.
 */
ini_set('magic_quotes_runtime','0');


/* if running with magic_quotes_gpc then strip the slashes
   from POST and GET global arrays */
if (get_magic_quotes_gpc()) {
    sqstripslashes($_GET);
    sqstripslashes($_POST);
}


/* strip any tags added to the url from PHP_SELF.
This fixes hand crafted url XXS expoits for any
   page that uses PHP_SELF as the FORM action */
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);

$PHP_SELF = php_self();

/**
 * Initialize the session
 */

/** set the name of the session cookie */
if (!isset($session_name) || !$session_name) {
    $session_name = 'SQMSESSID';
}

/**
 * if session.auto_start is On then close the session
 */
$sSessionAutostartName = session_name();
if ((isset($sSessionAutostartName) || $sSessionAutostartName == '') &&
     $sSessionAutostartName !== $session_name) {
    $sCookiePath = ini_get('session.cookie_path');
    $sCookieDomain = ini_get('session.cookie_domain');
    // reset the cookie
    setcookie($sSessionAutostartName,'',time() - 604800,$sCookiePath,$sCookieDomain);
    @session_destroy();
    session_write_close();
}

/**
 * includes from classes stored in the session
 */
require(SM_PATH . 'class/mime.class.php');

ini_set('session.name' , $session_name);
session_set_cookie_params (0, $base_uri);
sqsession_is_active();

/**
 * DISABLED.
 * Remove globalized session data in rg=on setups
 * 
 * Code can be utilized when session is started, but data is not loaded.
 * We have already loaded configuration and other important vars. Can't 
 * clean session globals here.
if ((bool) @ini_get('register_globals') &&
    strtolower(ini_get('register_globals'))!='off') {
    foreach ($_SESSION as $key => $value) {
        unset($GLOBALS[$key]);
    }
}
*/

sqsession_register(SM_BASE_URI,'base_uri');

/**
 * SquirrelMail version number -- DO NOT CHANGE
 */
$version = '1.5.2 [CVS]';

/**
 * SquirrelMail internal version number -- DO NOT CHANGE
 * $sm_internal_version = array (release, major, minor)
 */
$SQM_INTERNAL_VERSION = array(1,5,2);

/**
 * Retrieve the language cookie
 */
if (! sqgetGlobalVar('squirrelmail_language',$squirrelmail_language,SQ_COOKIE)) {
    $squirrelmail_language = '';
}


/**
 * @var $sInitlocation From where do we include.
 */
if (!isset($sInitLocation)) {
    $sInitLocation=NULL;
}

/**
 * MAIN PLUGIN LOADING CODE HERE
 */

/**
 * Include Compatibility plugin if available.
 */
if (file_exists(SM_PATH . 'plugins/compatibility/functions.php'))
    include_once(SM_PATH . 'plugins/compatibility/functions.php');
$squirrelmail_plugin_hooks = array();

/* On init, register all plugins configured for use. */
if (isset($plugins) && is_array($plugins)) {
    // turn on output buffering in order to prevent output of new lines
    ob_start();
    foreach ($plugins as $name) {
        use_plugin($name);
    }
    // get output and remove whitespace
    $output = trim(ob_get_contents());
    ob_end_clean();
    // if plugins output more than newlines and spacing, stop script execution.
    if (!empty($output)) {
        die($output);
    }
}


switch ($sInitLocation) {
    case 'style': session_write_close(); sqsetcookieflush(); break;
    case 'redirect':
        /**
         * directory hashing functions are needed for all setups in case
         * plugins use own pref files.
         */
        require(SM_PATH . 'functions/prefs.php');
        /* hook loads custom prefs backend plugins */
        $prefs_backend = do_hook_function('prefs_backend');
        if (isset($prefs_backend) && !empty($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) {
            require(SM_PATH . $prefs_backend);
        } elseif (isset($prefs_dsn) && !empty($prefs_dsn)) {
            require(SM_PATH . 'functions/db_prefs.php');
        } else {
            require(SM_PATH . 'functions/file_prefs.php');
        }
        //nobreak;
    case 'login':
        require(SM_PATH . 'functions/display_messages.php' );
        require(SM_PATH . 'functions/page_header.php');
        require(SM_PATH . 'functions/html.php');
        /**
         * cleanup old cookies with a cookie path the same as the standard php.ini
         * cookie path. All previous SquirrelMail version used the standard php.ini
         * cookie path for storing the session name. That behaviour changed.
         */
        if ($sCookiePath !== SM_BASE_URI) {
            /**
             * do not delete the standard sessions with session.name is i.e. PHPSESSID
             * because they probably belong to other php apps
             */
            if (ini_get('session.name') !== $sSessionAutostartName) {
                sqsetcookie(ini_get('session.name'),'',0,$sCookiePath);
            }
        }
        break;
    default:
        require(SM_PATH . 'functions/display_messages.php' );
        require(SM_PATH . 'functions/page_header.php');
        require(SM_PATH . 'functions/html.php');
        require(SM_PATH . 'functions/strings.php');


        /**
         * Check if we are logged in
         */
        require(SM_PATH . 'functions/auth.php');

        if ( !sqsession_is_registered('user_is_logged_in') ) {
            //  First we store some information in the new session to prevent
            //  information-loss.
            //
            $session_expired_post = $_POST;
            $session_expired_location = $PHP_SELF;
            if (!sqsession_is_registered('session_expired_post')) {
                sqsession_register($session_expired_post,'session_expired_post');
            }
            if (!sqsession_is_registered('session_expired_location')) {
                sqsession_register($session_expired_location,'session_expired_location');
            }
            // signout page will deal with users who aren't logged
            // in on its own; don't show error here
            //
            if (strpos($PHP_SELF, 'signout.php') !== FALSE) {
            return;
            }

            /**
             * Initialize the template object (logout_error uses it)
             */
            require(SM_PATH . 'class/template/template.class.php');
            /*
             * $sTplDir is not initialized when a user is not logged in, so we will use
             * the config file defaults here.  If the neccesary variables are net set,
             * force a default value.
             */
            $aTemplateSet = ( !isset($aTemplateSet) ? array() : $aTemplateSet );
            $templateset_default = ( !isset($templateset_default) ? 0 : $templateset_default );

            $sTplDir = ( !isset($aTemplateSet[$templateset_default]['PATH']) ?
                         SM_PATH . 'templates/default/' :
                         $aTemplateSet[$templateset_default]['PATH'] );
            $oTemplate = new Template($sTplDir);

            set_up_language($squirrelmail_language, true);
            logout_error( _("You must be logged in to access this page.") );
            exit;
        }

        sqgetGlobalVar('username',$username,SQ_SESSION);

        /**
         * Setting the prefs backend
         */
        sqgetGlobalVar('prefs_cache', $prefs_cache, SQ_SESSION );
        sqgetGlobalVar('prefs_are_cached', $prefs_are_cached, SQ_SESSION );

        if ( !sqsession_is_registered('prefs_are_cached') ||
            !isset( $prefs_cache) ||
            !is_array( $prefs_cache)) {
            $prefs_are_cached = false;
            $prefs_cache = false; //array();
        }

        /* see 'redirect' switch */
        require(SM_PATH . 'functions/prefs.php');

        $prefs_backend = do_hook_function('prefs_backend');
        if (isset($prefs_backend) && !empty($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) {
            require(SM_PATH . $prefs_backend);
        } elseif (isset($prefs_dsn) && !empty($prefs_dsn)) {
            require(SM_PATH . 'functions/db_prefs.php');
        } else {
            require(SM_PATH . 'functions/file_prefs.php');
        }

        /**
         * initializing user settings
         */
        require(SM_PATH . 'include/load_prefs.php');


// i do not understand the frames language cookie story
        /**
         * We'll need this to later have a noframes version
         *
         * Check if the user has a language preference, but no cookie.
         * Send him a cookie with his language preference, if there is
         * such discrepancy.
         */
         $my_language = getPref($data_dir, $username, 'language');
         if ($my_language != $squirrelmail_language) {
             sqsetcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri);
         }
// /dont understand

        /**
         * Set up the language.
         */
        $err=set_up_language(getPref($data_dir, $username, 'language'));
        /* this is the last cookie we set so flush it. */
        sqsetcookieflush();

        // Japanese translation used without mbstring support
        if ($err==2) {
            $sError =
                "<p>You need to have PHP installed with the multibyte string function \n".
                "enabled (using configure option --enable-mbstring).</p>\n".
                "<p>System assumed that you accidently switched to Japanese translation \n".
                "and reverted your language preference to English.</p>\n".
                "<p>Please refresh this page in order to use webmail.</p>\n";
            error_box($sError);
        }

        $timeZone = getPref($data_dir, $username, 'timezone');

        /* Check to see if we are allowed to set the TZ environment variable.
         * We are able to do this if ...
         *   safe_mode is disabled OR
         *   safe_mode_allowed_env_vars is empty (you are allowed to set any) OR
         *   safe_mode_allowed_env_vars contains TZ
         */
        $tzChangeAllowed = (!ini_get('safe_mode')) ||
                            !strcmp(ini_get('safe_mode_allowed_env_vars'),'') ||
                            preg_match('/^([\w_]+,)*TZ/', ini_get('safe_mode_allowed_env_vars'));

        if ( $timeZone != SMPREF_NONE && ($timeZone != "")
            && $tzChangeAllowed ) {

            // get time zone key, if strict or custom strict timezones are used
            if (isset($time_zone_type) &&
                ($time_zone_type == 1 || $time_zone_type == 3)) {
                /* load time zone functions */
                require(SM_PATH . 'include/timezones.php');
                $realTimeZone = sq_get_tz_key($timeZone);
            } else {
                $realTimeZone = $timeZone;
            }

            // set time zone
            if ($realTimeZone) {
                putenv("TZ=".$realTimeZone);
            }
        }

        /**
         * php 5.1.0 added time zone functions. Set time zone with them in order
         * to prevent E_STRICT notices and allow time zone modifications in safe_mode.
         */
        if (function_exists('date_default_timezone_set')) {
            if ($timeZone != SMPREF_NONE && $timeZone != "") {
                date_default_timezone_set($timeZone);
            } else {
                // interface runs on server's time zone. Remove php E_STRICT complains
                $default_timezone = @date_default_timezone_get();
                date_default_timezone_set($default_timezone);        
            }
        }
        break;
}

/**
 * Initialize the template object
 */
require(SM_PATH . 'class/template/template.class.php');
/*
 * $sTplDir is not initialized when a user is not logged in, so we will use
 * the config file defaults here.  If the neccesary variables are net set,
 * force a default value.
 */
$aTemplateSet = ( !isset($aTemplateSet) ? array() : $aTemplateSet );
$templateset_default = ( !isset($templateset_default) ? 0 : $templateset_default );

$sTplDir = ( !isset($aTemplateSet[$templateset_default]['PATH']) ?
             SM_PATH . 'templates/default/' :
             $aTemplateSet[$templateset_default]['PATH'] );
$oTemplate = new Template($sTplDir);

/**
 * Initialize our custom error handler object
 */
require(SM_PATH . 'class/error.class.php');
$oErrorHandler = new ErrorHandler($oTemplate,'error_message.tpl');

/**
 * Activate custom error handling
 */
if (version_compare(PHP_VERSION, "4.3.0", ">=")) {
    $oldErrorHandler = set_error_handler(array($oErrorHandler, 'SquirrelMailErrorhandler'));
} else {
    $oldErrorHandler = set_error_handler('SquirrelMailErrorhandler');
}

/**
 * Javascript support detection function
 * @param boolean $reset recheck javascript support if set to true.
 * @return integer SMPREF_JS_ON or SMPREF_JS_OFF ({@see include/constants.php})
 * @since 1.5.1
 */
function checkForJavascript($reset = FALSE) {
  global $data_dir, $username, $javascript_on, $javascript_setting;

  if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
    return $javascript_on;

  if ( $reset || !isset($javascript_setting) )
    $javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);

  if ( !sqGetGlobalVar('new_js_autodetect_results', $js_autodetect_results) &&
       !sqGetGlobalVar('js_autodetect_results', $js_autodetect_results) )
    $js_autodetect_results = SMPREF_JS_OFF;

  if ( $javascript_setting == SMPREF_JS_AUTODETECT )
    $javascript_on = $js_autodetect_results;
  else
    $javascript_on = $javascript_setting;

  sqsession_register($javascript_on, 'javascript_on');
  return $javascript_on;
}

function sqm_baseuri() {
    global $base_uri;
    return $base_uri;
}
Commit	Line	Data
202bcbcc	1	<?php
	2
	3	/**
	4	* init.php -- initialisation file
	5	*
	6	* File should be loaded in every file in src/ or plugins that occupate an entire frame
	7	*
	8	* @copyright © 2006 The SquirrelMail Project Team
	9	* @license http://opensource.org/licenses/gpl-license.php GNU Public License
	10	* @version $Id$
	11	* @package squirrelmail
	12	*/
	13
202bcbcc	14	/**
	15	* This is a development version so in order to track programmer mistakes we
	16	* set the error reporting to E_ALL
	17	*/
202bcbcc	18	error_reporting(E_ALL);
	19
	20
6a2a6e44	21	/**
	22	* If register_globals are on, unregister globals.
	23	* Code requires PHP 4.1.0 or newer.
a3b99374	24	* Second test covers boolean set as string (php_value register_globals off).
6a2a6e44	25	*/
826ddd72	26	if ((bool) @ini_get('register_globals') &&
a3b99374	27	strtolower(ini_get('register_globals'))!='off') {
6a2a6e44	28	/**
	29	* Remove all globals from $_GET, $_POST, and $_COOKIE.
	30	*/
	31	foreach ($_REQUEST as $key => $value) {
	32	unset($GLOBALS[$key]);
	33	}
	34	/**
	35	* Remove globalized $_FILES variables
	36	* Before 4.3.0 $_FILES are included in $_REQUEST.
	37	* Unglobalize them in separate call in order to remove dependency
	38	* on PHP version.
	39	*/
	40	foreach ($_FILES as $key => $value) {
	41	unset($GLOBALS[$key]);
	42	// there are three undocumented $_FILES globals.
	43	unset($GLOBALS[$key.'_type']);
	44	unset($GLOBALS[$key.'_name']);
	45	unset($GLOBALS[$key.'_size']);
	46	}
	47	/**
	48	* Remove globalized environment variables.
	49	*/
	50	foreach ($_ENV as $key => $value) {
	51	unset($GLOBALS[$key]);
	52	}
	53	/**
	54	* Remove globalized server variables.
	55	*/
	56	foreach ($_SERVER as $key => $value) {
	57	unset($GLOBALS[$key]);
	58	}
	59	}
	60
71efd1ed	61	/**
	62	* [#1518885] session.use_cookies = off breaks SquirrelMail
	63	*
	64	* When session cookies are not used, all http redirects, meta refreshes,
	65	* src/download.php and javascript URLs are broken. Setting must be set
	66	* before session is started.
	67	*/
	68	if (!(bool)ini_get('session.use_cookies') \|\|
	69	ini_get('session.use_cookies') == 'off') {
	70	ini_set('session.use_cookies','1');
	71	}
6a2a6e44	72
202bcbcc	73	/**
	74	* calculate SM_PATH and calculate the base_uri
	75	* assumptions made: init.php is only called from plugins or from the src dir.
	76	* files in the plugin directory may not be part of a subdirectory called "src"
	77	*
	78	*/
	79	if (isset($_SERVER['SCRIPT_NAME'])) {
	80	$a = explode('/',$_SERVER['SCRIPT_NAME']);
	81	} elseif (isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) {
b0829edf	82	$a = explode('/',$HTTP_SERVER_VARS['SCRIPT_NAME']);
	83	} else {
	84	$error = 'Unable to detect script environment. '
	85	.'Please test your PHP settings and send PHP core config, $_SERVER '
	86	.'and $HTTP_SERVER_VARS to SquirrelMail developers.';
	87	die($error);
202bcbcc	88	}
	89	$sSM_PATH = '';
	90	for($i = count($a) -2;$i > -1; --$i) {
	91	$sSM_PATH .= '../';
	92	if ($a[$i] === 'src' \|\| $a[$i] === 'plugins') {
	93	break;
	94	}
	95	}
	96
	97	$base_uri = implode('/',array_slice($a,0,$i)). '/';
	98
202bcbcc	99	define('SM_PATH',$sSM_PATH);
6a2a6e44	100	define('SM_BASE_URI', $base_uri);
202bcbcc	101	/**
	102	* global var $bInit is used to check if initialisation took place.
	103	* At this moment it's a workarounf for the include of addrbook_search_html
	104	* inside compose.php. If we found a better way then remove this. Do only use
	105	* this var if you know for sure a page can be called stand alone and be included
	106	* in another file.
	107	*/
	108	$bInit = true;
	109
8e1e2794	110	/**
	111	* This theme as a failsafe if no themes were found, or if we error
	112	* out before anything could be initialised.
	113	*/
	114	$color = array();
	115	$color[0] = '#DCDCDC'; /* light gray TitleBar */
	116	$color[1] = '#800000'; /* red */
	117	$color[2] = '#CC0000'; /* light red Warning/Error Messages */
	118	$color[3] = '#A0B8C8'; /* green-blue Left Bar Background */
	119	$color[4] = '#FFFFFF'; /* white Normal Background */
	120	$color[5] = '#FFFFCC'; /* light yellow Table Headers */
	121	$color[6] = '#000000'; /* black Text on left bar */
	122	$color[7] = '#0000CC'; /* blue Links */
	123	$color[8] = '#000000'; /* black Normal text */
	124	$color[9] = '#ABABAB'; /* mid-gray Darker version of #0 */
	125	$color[10] = '#666666'; /* dark gray Darker version of #9 */
	126	$color[11] = '#770000'; /* dark red Special Folders color */
	127	$color[12] = '#EDEDED';
	128	$color[13] = '#800000'; /* (dark red) Color for quoted text -- > 1 quote */
	129	$color[14] = '#ff0000'; /* (red) Color for quoted text -- >> 2 or more */
	130	$color[15] = '#002266'; /* (dark blue) Unselectable folders */
	131	$color[16] = '#ff9933'; /* (orange) Highlight color */
	132
202bcbcc	133	require(SM_PATH . 'functions/global.php');
	134	require(SM_PATH . 'config/config.php');
	135	require(SM_PATH . 'functions/plugin.php');
	136	require(SM_PATH . 'include/constants.php');
	137	require(SM_PATH . 'include/languages.php');
	138
	139	/**
	140	* If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
	141	* Force magic_quotes_runtime off.
	142	* tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
	143	* If there's a better place, please let me know.
	144	*/
	145	ini_set('magic_quotes_runtime','0');
	146
	147
	148	/* if running with magic_quotes_gpc then strip the slashes
	149	from POST and GET global arrays */
	150	if (get_magic_quotes_gpc()) {
	151	sqstripslashes($_GET);
	152	sqstripslashes($_POST);
	153	}
	154
202bcbcc	155
	156	/* strip any tags added to the url from PHP_SELF.
	157	This fixes hand crafted url XXS expoits for any
	158	page that uses PHP_SELF as the FORM action */
	159	$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
	160
	161	$PHP_SELF = php_self();
	162
	163	/**
	164	* Initialize the session
	165	*/
	166
e8c4e350	167	/** set the name of the session cookie */
	168	if (!isset($session_name) \|\| !$session_name) {
	169	$session_name = 'SQMSESSID';
	170	}
	171
	172	/**
	173	* if session.auto_start is On then close the session
1d537493	174	*/
	175	$sSessionAutostartName = session_name();
	176	if ((isset($sSessionAutostartName) \|\| $sSessionAutostartName == '') &&
	177	$sSessionAutostartName !== $session_name) {
	178	$sCookiePath = ini_get('session.cookie_path');
	179	$sCookieDomain = ini_get('session.cookie_domain');
e8c4e350	180	// reset the cookie
1d537493	181	setcookie($sSessionAutostartName,'',time() - 604800,$sCookiePath,$sCookieDomain);
e8c4e350	182	@session_destroy();
e8c4e350	183	session_write_close();
1d537493	184	}
e8c4e350	185
202bcbcc	186	/**
	187	* includes from classes stored in the session
	188	*/
	189	require(SM_PATH . 'class/mime.class.php');
	190
202bcbcc	191	ini_set('session.name' , $session_name);
	192	session_set_cookie_params (0, $base_uri);
	193	sqsession_is_active();
	194
202bcbcc	195	/**
3464e1f4	196	* DISABLED.
202bcbcc	197	* Remove globalized session data in rg=on setups
3464e1f4	198	*
	199	* Code can be utilized when session is started, but data is not loaded.
	200	* We have already loaded configuration and other important vars. Can't
	201	* clean session globals here.
	202	if ((bool) @ini_get('register_globals') &&
	203	strtolower(ini_get('register_globals'))!='off') {
202bcbcc	204	foreach ($_SESSION as $key => $value) {
	205	unset($GLOBALS[$key]);
	206	}
	207	}
3464e1f4	208	*/
6a2a6e44	209
826ddd72	210	sqsession_register(SM_BASE_URI,'base_uri');
6a2a6e44	211
e8c4e350	212	/**
	213	* SquirrelMail version number -- DO NOT CHANGE
	214	*/
	215	$version = '1.5.2 [CVS]';
	216
1d537493	217	/**
	218	* SquirrelMail internal version number -- DO NOT CHANGE
	219	* $sm_internal_version = array (release, major, minor)
	220	*/
	221	$SQM_INTERNAL_VERSION = array(1,5,2);
	222
202bcbcc	223	/**
	224	* Retrieve the language cookie
	225	*/
	226	if (! sqgetGlobalVar('squirrelmail_language',$squirrelmail_language,SQ_COOKIE)) {
	227	$squirrelmail_language = '';
	228	}
	229
	230
	231	/**
	232	* @var $sInitlocation From where do we include.
	233	*/
	234	if (!isset($sInitLocation)) {
	235	$sInitLocation=NULL;
	236	}
	237
	238	/**
	239	* MAIN PLUGIN LOADING CODE HERE
	240	*/
	241
	242	/**
	243	* Include Compatibility plugin if available.
	244	*/
	245	if (file_exists(SM_PATH . 'plugins/compatibility/functions.php'))
	246	include_once(SM_PATH . 'plugins/compatibility/functions.php');
	247	$squirrelmail_plugin_hooks = array();
	248
	249	/* On init, register all plugins configured for use. */
	250	if (isset($plugins) && is_array($plugins)) {
	251	// turn on output buffering in order to prevent output of new lines
	252	ob_start();
	253	foreach ($plugins as $name) {
	254	use_plugin($name);
	255	}
	256	// get output and remove whitespace
	257	$output = trim(ob_get_contents());
	258	ob_end_clean();
	259	// if plugins output more than newlines and spacing, stop script execution.
	260	if (!empty($output)) {
	261	die($output);
	262	}
	263	}
	264
	265
	266	switch ($sInitLocation) {
	267	case 'style': session_write_close(); sqsetcookieflush(); break;
	268	case 'redirect':
4d2f7565	269	/**
826ddd72	270	* directory hashing functions are needed for all setups in case
4d2f7565	271	* plugins use own pref files.
	272	*/
	273	require(SM_PATH . 'functions/prefs.php');
	274	/* hook loads custom prefs backend plugins */
202bcbcc	275	$prefs_backend = do_hook_function('prefs_backend');
	276	if (isset($prefs_backend) && !empty($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) {
	277	require(SM_PATH . $prefs_backend);
	278	} elseif (isset($prefs_dsn) && !empty($prefs_dsn)) {
	279	require(SM_PATH . 'functions/db_prefs.php');
	280	} else {
202bcbcc	281	require(SM_PATH . 'functions/file_prefs.php');
	282	}
	283	//nobreak;
	284	case 'login':
	285	require(SM_PATH . 'functions/display_messages.php' );
	286	require(SM_PATH . 'functions/page_header.php');
	287	require(SM_PATH . 'functions/html.php');
1d537493	288	/**
	289	* cleanup old cookies with a cookie path the same as the standard php.ini
	290	* cookie path. All previous SquirrelMail version used the standard php.ini
	291	* cookie path for storing the session name. That behaviour changed.
	292	*/
	293	if ($sCookiePath !== SM_BASE_URI) {
	294	/**
	295	* do not delete the standard sessions with session.name is i.e. PHPSESSID
	296	* because they probably belong to other php apps
	297	*/
	298	if (ini_get('session.name') !== $sSessionAutostartName) {
	299	sqsetcookie(ini_get('session.name'),'',0,$sCookiePath);
	300	}
	301	}
202bcbcc	302	break;
	303	default:
	304	require(SM_PATH . 'functions/display_messages.php' );
	305	require(SM_PATH . 'functions/page_header.php');
	306	require(SM_PATH . 'functions/html.php');
	307	require(SM_PATH . 'functions/strings.php');
	308
	309
	310	/**
	311	* Check if we are logged in
	312	*/
	313	require(SM_PATH . 'functions/auth.php');
	314
	315	if ( !sqsession_is_registered('user_is_logged_in') ) {
	316	// First we store some information in the new session to prevent
	317	// information-loss.
	318	//
	319	$session_expired_post = $_POST;
	320	$session_expired_location = $PHP_SELF;
	321	if (!sqsession_is_registered('session_expired_post')) {
	322	sqsession_register($session_expired_post,'session_expired_post');
	323	}
	324	if (!sqsession_is_registered('session_expired_location')) {
	325	sqsession_register($session_expired_location,'session_expired_location');
	326	}
	327	// signout page will deal with users who aren't logged
	328	// in on its own; don't show error here
	329	//
	330	if (strpos($PHP_SELF, 'signout.php') !== FALSE) {
	331	return;
	332	}
	333
8efadc6b	334	/**
	335	* Initialize the template object (logout_error uses it)
	336	*/
	337	require(SM_PATH . 'class/template/template.class.php');
	338	/*
	339	* $sTplDir is not initialized when a user is not logged in, so we will use
	340	* the config file defaults here. If the neccesary variables are net set,
	341	* force a default value.
	342	*/
	343	$aTemplateSet = ( !isset($aTemplateSet) ? array() : $aTemplateSet );
	344	$templateset_default = ( !isset($templateset_default) ? 0 : $templateset_default );
	345
	346	$sTplDir = ( !isset($aTemplateSet[$templateset_default]['PATH']) ?
	347	SM_PATH . 'templates/default/' :
	348	$aTemplateSet[$templateset_default]['PATH'] );
	349	$oTemplate = new Template($sTplDir);
	350
202bcbcc	351	set_up_language($squirrelmail_language, true);
	352	logout_error( _("You must be logged in to access this page.") );
	353	exit;
	354	}
	355
	356	sqgetGlobalVar('username',$username,SQ_SESSION);
	357
	358	/**
	359	* Setting the prefs backend
	360	*/
	361	sqgetGlobalVar('prefs_cache', $prefs_cache, SQ_SESSION );
	362	sqgetGlobalVar('prefs_are_cached', $prefs_are_cached, SQ_SESSION );
	363
	364	if ( !sqsession_is_registered('prefs_are_cached') \|\|
	365	!isset( $prefs_cache) \|\|
	366	!is_array( $prefs_cache)) {
	367	$prefs_are_cached = false;
	368	$prefs_cache = false; //array();
	369	}
	370
4d2f7565	371	/* see 'redirect' switch */
	372	require(SM_PATH . 'functions/prefs.php');
	373
202bcbcc	374	$prefs_backend = do_hook_function('prefs_backend');
	375	if (isset($prefs_backend) && !empty($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) {
	376	require(SM_PATH . $prefs_backend);
	377	} elseif (isset($prefs_dsn) && !empty($prefs_dsn)) {
	378	require(SM_PATH . 'functions/db_prefs.php');
	379	} else {
202bcbcc	380	require(SM_PATH . 'functions/file_prefs.php');
	381	}
	382
	383	/**
	384	* initializing user settings
	385	*/
	386	require(SM_PATH . 'include/load_prefs.php');
	387
	388
	389	// i do not understand the frames language cookie story
	390	/**
	391	* We'll need this to later have a noframes version
	392	*
	393	* Check if the user has a language preference, but no cookie.
	394	* Send him a cookie with his language preference, if there is
	395	* such discrepancy.
	396	*/
	397	$my_language = getPref($data_dir, $username, 'language');
	398	if ($my_language != $squirrelmail_language) {
	399	sqsetcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri);
	400	}
	401	// /dont understand
	402
	403	/**
	404	* Set up the language.
	405	*/
	406	$err=set_up_language(getPref($data_dir, $username, 'language'));
	407	/* this is the last cookie we set so flush it. */
	408	sqsetcookieflush();
	409
	410	// Japanese translation used without mbstring support
	411	if ($err==2) {
	412	$sError =
	413	"<p>You need to have PHP installed with the multibyte string function \n".
	414	"enabled (using configure option --enable-mbstring).</p>\n".
	415	"<p>System assumed that you accidently switched to Japanese translation \n".
	416	"and reverted your language preference to English.</p>\n".
	417	"<p>Please refresh this page in order to use webmail.</p>\n";
	418	error_box($sError);
	419	}
	420
	421	$timeZone = getPref($data_dir, $username, 'timezone');
	422
	423	/* Check to see if we are allowed to set the TZ environment variable.
	424	* We are able to do this if ...
	425	* safe_mode is disabled OR
	426	* safe_mode_allowed_env_vars is empty (you are allowed to set any) OR
	427	* safe_mode_allowed_env_vars contains TZ
	428	*/
	429	$tzChangeAllowed = (!ini_get('safe_mode')) \|\|
	430	!strcmp(ini_get('safe_mode_allowed_env_vars'),'') \|\|
	431	preg_match('/^([\w_]+,)*TZ/', ini_get('safe_mode_allowed_env_vars'));
	432
	433	if ( $timeZone != SMPREF_NONE && ($timeZone != "")
	434	&& $tzChangeAllowed ) {
	435
	436	// get time zone key, if strict or custom strict timezones are used
	437	if (isset($time_zone_type) &&
	438	($time_zone_type == 1 \|\| $time_zone_type == 3)) {
	439	/* load time zone functions */
	440	require(SM_PATH . 'include/timezones.php');
	441	$realTimeZone = sq_get_tz_key($timeZone);
	442	} else {
	443	$realTimeZone = $timeZone;
444	}
445
446	// set time zone
447	if ($realTimeZone) {
448	putenv("TZ=".$realTimeZone);
449	}
450	}
867fed37	451
	452	/**
	453	* php 5.1.0 added time zone functions. Set time zone with them in order
	454	* to prevent E_STRICT notices and allow time zone modifications in safe_mode.
	455	*/
	456	if (function_exists('date_default_timezone_set')) {
	457	if ($timeZone != SMPREF_NONE && $timeZone != "") {
	458	date_default_timezone_set($timeZone);
	459	} else {
	460	// interface runs on server's time zone. Remove php E_STRICT complains
	461	$default_timezone = @date_default_timezone_get();
	462	date_default_timezone_set($default_timezone);
	463	}
	464	}
202bcbcc	465	break;
	466	}
	467
	468	/**
	469	* Initialize the template object
	470	*/
	471	require(SM_PATH . 'class/template/template.class.php');
	472	/*
	473	* $sTplDir is not initialized when a user is not logged in, so we will use
	474	* the config file defaults here. If the neccesary variables are net set,
	475	* force a default value.
	476	*/
	477	$aTemplateSet = ( !isset($aTemplateSet) ? array() : $aTemplateSet );
	478	$templateset_default = ( !isset($templateset_default) ? 0 : $templateset_default );
	479
	480	$sTplDir = ( !isset($aTemplateSet[$templateset_default]['PATH']) ?
	481	SM_PATH . 'templates/default/' :
	482	$aTemplateSet[$templateset_default]['PATH'] );
	483	$oTemplate = new Template($sTplDir);
	484
	485	/**
	486	* Initialize our custom error handler object
	487	*/
	488	require(SM_PATH . 'class/error.class.php');
	489	$oErrorHandler = new ErrorHandler($oTemplate,'error_message.tpl');
	490
	491	/**
	492	* Activate custom error handling
	493	*/
	494	if (version_compare(PHP_VERSION, "4.3.0", ">=")) {
	495	$oldErrorHandler = set_error_handler(array($oErrorHandler, 'SquirrelMailErrorhandler'));
	496	} else {
	497	$oldErrorHandler = set_error_handler('SquirrelMailErrorhandler');
	498	}
	499
	500	/**
	501	* Javascript support detection function
	502	* @param boolean $reset recheck javascript support if set to true.
867fed37	503	* @return integer SMPREF_JS_ON or SMPREF_JS_OFF ({@see include/constants.php})
202bcbcc	504	* @since 1.5.1
202bcbcc	505	*/
202bcbcc	506	function checkForJavascript($reset = FALSE) {
	507	global $data_dir, $username, $javascript_on, $javascript_setting;
	508
	509	if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
	510	return $javascript_on;
	511
	512	if ( $reset \|\| !isset($javascript_setting) )
	513	$javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);
	514
	515	if ( !sqGetGlobalVar('new_js_autodetect_results', $js_autodetect_results) &&
	516	!sqGetGlobalVar('js_autodetect_results', $js_autodetect_results) )
	517	$js_autodetect_results = SMPREF_JS_OFF;
	518
	519	if ( $javascript_setting == SMPREF_JS_AUTODETECT )
	520	$javascript_on = $js_autodetect_results;
	521	else
	522	$javascript_on = $javascript_setting;
	523
	524	sqsession_register($javascript_on, 'javascript_on');
	525	return $javascript_on;
	526	}
	527
	528	function sqm_baseuri() {
	529	global $base_uri;
	530	return $base_uri;
8e1e2794	531	}