6 * This includes code to update < 4.1.0 globals to the newer format
7 * It also has some session register functions that work across various
10 * @copyright © 1999-2006 The SquirrelMail Project Team
11 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
13 * @package squirrelmail
18 define('SQ_INORDER',0);
21 define('SQ_SESSION',3);
22 define('SQ_COOKIE',4);
23 define('SQ_SERVER',5);
27 * returns true if current php version is at mimimum a.b.c
29 * Called: check_php_version(4,1)
30 * @param int a major version number
31 * @param int b minor version number
32 * @param int c release number
35 function check_php_version ($a = '0', $b = '0', $c = '0')
37 return version_compare ( PHP_VERSION
, "$a.$b.$c", 'ge' );
41 * returns true if the current internal SM version is at minimum a.b.c
42 * These are plain integer comparisons, as our internal version is
43 * constructed by us, as an array of 3 ints.
45 * Called: check_sm_version(1,3,3)
46 * @param int a major version number
47 * @param int b minor version number
48 * @param int c release number
51 function check_sm_version($a = 0, $b = 0, $c = 0)
53 global $SQM_INTERNAL_VERSION;
54 if ( !isset($SQM_INTERNAL_VERSION) ||
55 $SQM_INTERNAL_VERSION[0] < $a ||
56 ( $SQM_INTERNAL_VERSION[0] == $a &&
57 $SQM_INTERNAL_VERSION[1] < $b) ||
58 ( $SQM_INTERNAL_VERSION[0] == $a &&
59 $SQM_INTERNAL_VERSION[1] == $b &&
60 $SQM_INTERNAL_VERSION[2] < $c ) ) {
68 * Recursively strip slashes from the values of an array.
69 * @param array array the array to strip, passed by reference
72 function sqstripslashes(&$array) {
73 if(count($array) > 0) {
74 foreach ($array as $index=>$value) {
75 if (is_array($array[$index])) {
76 sqstripslashes($array[$index]);
79 $array[$index] = stripslashes($value);
86 * Add a variable to the session.
87 * @param mixed $var the variable to register
88 * @param string $name the name to refer to this variable
91 function sqsession_register ($var, $name) {
93 sqsession_is_active();
95 $_SESSION["$name"] = $var;
97 session_register("$name");
101 * Delete a variable from the session.
102 * @param string $name the name of the var to delete
105 function sqsession_unregister ($name) {
107 sqsession_is_active();
109 unset($_SESSION[$name]);
111 session_unregister("$name");
115 * Checks to see if a variable has already been registered
117 * @param string $name the name of the var to check
118 * @return bool whether the var has been registered
120 function sqsession_is_registered ($name) {
124 if (isset($_SESSION[$test_name])) {
132 * Search for the var $name in $_SESSION, $_POST, $_GET, $_COOKIE, or $_SERVER
133 * and set it in provided var.
135 * If $search is not provided, or if it is SQ_INORDER, it will search $_SESSION,
136 * then $_POST, then $_GET. If $search is SQ_FORM it will search $_POST and
137 * $_GET. Otherwise, use one of the defined constants to look for a var in one
138 * place specifically.
140 * Note: $search is an int value equal to one of the constants defined above.
143 * sqgetGlobalVar('username',$username,SQ_SESSION);
144 * // No quotes around last param, it's a constant - not a string!
146 * @param string name the name of the var to search
147 * @param mixed value the variable to return
148 * @param int search constant defining where to look
149 * @return bool whether variable is found.
151 function sqgetGlobalVar($name, &$value, $search = SQ_INORDER
) {
153 /* NOTE: DO NOT enclose the constants in the switch
154 statement with quotes. They are constant values,
155 enclosing them in quotes will cause them to evaluate
158 /* we want the default case to be first here,
159 so that if a valid value isn't specified,
160 all three arrays will be searched. */
162 case SQ_INORDER
: // check session, post, get
164 if( isset($_SESSION[$name]) ) {
165 $value = $_SESSION[$name];
167 } elseif ( $search == SQ_SESSION
) {
170 case SQ_FORM
: // check post, get
172 if( isset($_POST[$name]) ) {
173 $value = $_POST[$name];
175 } elseif ( $search == SQ_POST
) {
179 if ( isset($_GET[$name]) ) {
180 $value = $_GET[$name];
183 /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */
186 if ( isset($_COOKIE[$name]) ) {
187 $value = $_COOKIE[$name];
192 if ( isset($_SERVER[$name]) ) {
193 $value = $_SERVER[$name];
198 /* Nothing found, return FALSE */
203 * Deletes an existing session, more advanced than the standard PHP
204 * session_destroy(), it explicitly deletes the cookies and global vars.
206 function sqsession_destroy() {
209 * php.net says we can kill the cookie by setting just the name:
210 * http://www.php.net/manual/en/function.setcookie.php
211 * maybe this will help fix the session merging again.
213 * Changed the theory on this to kill the cookies first starting
214 * a new session will provide a new session for all instances of
215 * the browser, we don't want that, as that is what is causing the
216 * merging of sessions.
221 if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri);
222 if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri);
223 if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri);
225 $sessid = session_id();
226 if (!empty( $sessid )) {
234 * Function to verify a session has been started. If it hasn't
235 * start a session up. php.net doesn't tell you that $_SESSION
236 * (even though autoglobal), is not created unless a session is
237 * started, unlike $_POST, $_GET and such
239 function sqsession_is_active() {
240 $sessid = session_id();
241 if ( empty( $sessid ) ) {
247 * Function to start the session and store the cookie with the session_id as
248 * HttpOnly cookie which means that the cookie isn't accessible by javascript
251 function sqsession_start() {
254 $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|');
255 $repl = array('', '', '');
256 $base_uri = preg_replace($dirs, $repl, $PHP_SELF);
260 $sessid = session_id();
261 // session_starts sets the sessionid cookie buth without the httponly var
262 // setting the cookie again sets the httponly cookie attribute
263 sqsetcookie(session_name(),$sessid,false,$base_uri);
269 * @param string $sName The name of the cookie.
270 * @param string $sValue The value of the cookie.
271 * @param int $iExpire The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch.
272 * @param string $sPath The path on the server in which the cookie will be available on.
273 * @param string $sDomain The domain that the cookie is available.
274 * @param boolean $bSecure Indicates that the cookie should only be transmitted over a secure HTTPS connection.
275 * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
278 function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) {
279 $sHeader = "Set-Cookie: $sName=$sValue";
281 $sHeader .= "; path=$sPath";
283 if ($iExpire !== false) {
284 $sHeader .= "; Max-Age=$iExpire";
285 // php uses Expire header, also add the expire header
286 $sHeader .= "; expires=". gmdate('D, d-M-Y H:i:s T',$iExpire);
289 $sHeader .= "; Domain=$sDomain";
292 $sHeader .= "; Secure";
295 $sHeader .= "; HttpOnly";
297 // $sHeader .= "; Version=1";
305 * Creates an URL for the page calling this function, using either the PHP global
306 * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1
307 * function was stored in function/strings.php.
309 * @return string the complete url for this page
312 function php_self () {
313 if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER
) && !empty($req_uri) ) {
317 if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER
) && !empty($php_self) ) {
319 // need to add query string to end of PHP_SELF to match REQUEST_URI
321 if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER
) && !empty($query_string) ) {
322 $php_self .= '?' . $query_string;
331 /** set the name of the session cookie */
332 if(isset($session_name) && $session_name) {
333 ini_set('session.name' , $session_name);
335 ini_set('session.name' , 'SQMSESSID');
339 * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
340 * Force magic_quotes_runtime off.
341 * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
342 * If there's a better place, please let me know.
344 ini_set('magic_quotes_runtime','0');
346 /* Since we decided all IMAP servers must implement the UID command as defined in
347 * the IMAP RFC, we force $uid_support to be on.
353 /* if running with magic_quotes_gpc then strip the slashes
354 from POST and GET global arrays */
355 if (get_magic_quotes_gpc()) {
356 sqstripslashes($_GET);
357 sqstripslashes($_POST);
361 * If register_globals are on, unregister globals.
362 * Code requires PHP 4.1.0 or newer.
364 if ((bool) @ini_get
('register_globals')) {
366 * Remove all globals from $_GET, $_POST, and $_COOKIE.
368 foreach ($_REQUEST as $key => $value) {
369 unset($GLOBALS[$key]);
372 * Remove globalized $_FILES variables
373 * Before 4.3.0 $_FILES are included in $_REQUEST.
374 * Unglobalize them in separate call in order to remove dependency
377 foreach ($_FILES as $key => $value) {
378 unset($GLOBALS[$key]);
379 // there are three undocumented $_FILES globals.
380 unset($GLOBALS[$key.'_type']);
381 unset($GLOBALS[$key.'_name']);
382 unset($GLOBALS[$key.'_size']);
385 * Remove globalized environment variables.
387 foreach ($_ENV as $key => $value) {
388 unset($GLOBALS[$key]);
391 * Remove globalized server variables.
393 foreach ($_SERVER as $key => $value) {
394 unset($GLOBALS[$key]);
398 /* strip any tags added to the url from PHP_SELF.
399 This fixes hand crafted url XXS expoits for any
400 page that uses PHP_SELF as the FORM action */
401 $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
403 $PHP_SELF = php_self();
405 sqsession_is_active();
408 * Remove globalized session data in rg=on setups
410 if ((bool) @ini_get
('register_globals')) {
411 foreach ($_SESSION as $key => $value) {
412 unset($GLOBALS[$key]);