functions/global.php

   1 <?php
   2
   3 /**
   4  * global.php
   5  *
   6  * This includes code to update < 4.1.0 globals to the newer format
   7  * It also has some session register functions that work across various
   8  * php versions.
   9  *
  10  * @copyright &copy; 1999-2005 The SquirrelMail Project Team
  11  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  12  * @version $Id$
  13  * @package squirrelmail
  14  */
  15
  16 /**
  17  */
  18 define('SQ_INORDER',0);
  19 define('SQ_GET',1);
  20 define('SQ_POST',2);
  21 define('SQ_SESSION',3);
  22 define('SQ_COOKIE',4);
  23 define('SQ_SERVER',5);
  24 define('SQ_FORM',6);
  25
  26 /**
  27  * returns true if current php version is at mimimum a.b.c
  28  *
  29  * Called: check_php_version(4,1)
  30  * @param int a major version number
  31  * @param int b minor version number
  32  * @param int c release number
  33  * @return bool
  34  */
  35 function check_php_version ($a = '0', $b = '0', $c = '0')
  36 {
  37     return version_compare ( PHP_VERSION, "$a.$b.$c", 'ge' );
  38 }
  39
  40 /**
  41  * returns true if the current internal SM version is at minimum a.b.c
  42  * These are plain integer comparisons, as our internal version is
  43  * constructed by us, as an array of 3 ints.
  44  *
  45  * Called: check_sm_version(1,3,3)
  46  * @param int a major version number
  47  * @param int b minor version number
  48  * @param int c release number
  49  * @return bool
  50  */
  51 function check_sm_version($a = 0, $b = 0, $c = 0)
  52 {
  53     global $SQM_INTERNAL_VERSION;
  54     if ( !isset($SQM_INTERNAL_VERSION) ||
  55          $SQM_INTERNAL_VERSION[0] < $a ||
  56          ( $SQM_INTERNAL_VERSION[0] == $a &&
  57            $SQM_INTERNAL_VERSION[1] < $b) ||
  58          ( $SQM_INTERNAL_VERSION[0] == $a &&
  59            $SQM_INTERNAL_VERSION[1] == $b &&
  60            $SQM_INTERNAL_VERSION[2] < $c ) ) {
  61         return FALSE;
  62     }
  63     return TRUE;
  64 }
  65
  66
  67 /**
  68  * Recursively strip slashes from the values of an array.
  69  * @param array array the array to strip, passed by reference
  70  * @return void
  71  */
  72 function sqstripslashes(&$array) {
  73     if(count($array) > 0) {
  74         foreach ($array as $index=>$value) {
  75             if (is_array($array[$index])) {
  76                 sqstripslashes($array[$index]);
  77             }
  78             else {
  79                 $array[$index] = stripslashes($value);
  80             }
  81         }
  82     }
  83 }
  84
  85 /**
  86  * Add a variable to the session.
  87  * @param mixed $var the variable to register
  88  * @param string $name the name to refer to this variable
  89  * @return void
  90  */
  91 function sqsession_register ($var, $name) {
  92
  93     sqsession_is_active();
  94
  95     $_SESSION["$name"] = $var;
  96
  97     session_register("$name");
  98 }
  99
 100 /**
 101  * Delete a variable from the session.
 102  * @param string $name the name of the var to delete
 103  * @return void
 104  */
 105 function sqsession_unregister ($name) {
 106
 107     sqsession_is_active();
 108
 109     unset($_SESSION[$name]);
 110
 111     session_unregister("$name");
 112 }
 113
 114 /**
 115  * Checks to see if a variable has already been registered
 116  * in the session.
 117  * @param string $name the name of the var to check
 118  * @return bool whether the var has been registered
 119  */
 120 function sqsession_is_registered ($name) {
 121     $test_name = &$name;
 122     $result = false;
 123
 124     if (isset($_SESSION[$test_name])) {
 125         $result = true;
 126     }
 127
 128     return $result;
 129 }
 130
 131 /**
 132  * Search for the var $name in $_SESSION, $_POST, $_GET, $_COOKIE, or $_SERVER
 133  * and set it in provided var.
 134  *
 135  * If $search is not provided, or if it is SQ_INORDER, it will search $_SESSION,
 136  * then $_POST, then $_GET. If $search is SQ_FORM it will search $_POST and
 137  * $_GET.  Otherwise, use one of the defined constants to look for a var in one
 138  * place specifically.
 139  *
 140  * Note: $search is an int value equal to one of the constants defined above.
 141  *
 142  * Example:
 143  * sqgetGlobalVar('username',$username,SQ_SESSION);
 144  * // No quotes around last param, it's a constant - not a string!
 145  *
 146  * @param string name the name of the var to search
 147  * @param mixed value the variable to return
 148  * @param int search constant defining where to look
 149  * @return bool whether variable is found.
 150  */
 151 function sqgetGlobalVar($name, &$value, $search = SQ_INORDER) {
 152
 153     /* NOTE: DO NOT enclose the constants in the switch
 154        statement with quotes. They are constant values,
 155        enclosing them in quotes will cause them to evaluate
 156        as strings. */
 157     switch ($search) {
 158         /* we want the default case to be first here,
 159            so that if a valid value isn't specified,
 160            all three arrays will be searched. */
 161       default:
 162       case SQ_INORDER: // check session, post, get
 163       case SQ_SESSION:
 164         if( isset($_SESSION[$name]) ) {
 165             $value = $_SESSION[$name];
 166             return TRUE;
 167         } elseif ( $search == SQ_SESSION ) {
 168             break;
 169         }
 170       case SQ_FORM:   // check post, get
 171       case SQ_POST:
 172         if( isset($_POST[$name]) ) {
 173             $value = $_POST[$name];
 174             return TRUE;
 175         } elseif ( $search == SQ_POST ) {
 176           break;
 177         }
 178       case SQ_GET:
 179         if ( isset($_GET[$name]) ) {
 180             $value = $_GET[$name];
 181             return TRUE;
 182         }
 183         /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */
 184         break;
 185       case SQ_COOKIE:
 186         if ( isset($_COOKIE[$name]) ) {
 187             $value = $_COOKIE[$name];
 188             return TRUE;
 189         }
 190         break;
 191       case SQ_SERVER:
 192         if ( isset($_SERVER[$name]) ) {
 193             $value = $_SERVER[$name];
 194             return TRUE;
 195         }
 196         break;
 197     }
 198     /* Nothing found, return FALSE */
 199     return FALSE;
 200 }
 201
 202 /**
 203  * Deletes an existing session, more advanced than the standard PHP
 204  * session_destroy(), it explicitly deletes the cookies and global vars.
 205  */
 206 function sqsession_destroy() {
 207
 208     /*
 209      * php.net says we can kill the cookie by setting just the name:
 210      * http://www.php.net/manual/en/function.setcookie.php
 211      * maybe this will help fix the session merging again.
 212      *
 213      * Changed the theory on this to kill the cookies first starting
 214      * a new session will provide a new session for all instances of
 215      * the browser, we don't want that, as that is what is causing the
 216      * merging of sessions.
 217      */
 218
 219     global $base_uri;
 220
 221     if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri);
 222     if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri);
 223     if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri);
 224
 225     $sessid = session_id();
 226     if (!empty( $sessid )) {
 227         $_SESSION = array();
 228         @session_destroy();
 229         session_regenerate_id(true);
 230         sqsetcookie(session_name(), '', 0, $base_uri);
 231         session_write_close();
 232     }
 233
 234 }
 235
 236 /**
 237  * Function to verify a session has been started.  If it hasn't
 238  * start a session up.  php.net doesn't tell you that $_SESSION
 239  * (even though autoglobal), is not created unless a session is
 240  * started, unlike $_POST, $_GET and such
 241  */
 242 function sqsession_is_active() {
 243     $sessid = session_id();
 244     if ( empty( $sessid ) ) {
 245         sqsession_start();
 246     }
 247 }
 248
 249 /**
 250  * Function to start the session and store the cookie with the session_id as
 251  * HttpOnly cookie which means that the cookie isn't accessible by javascript
 252  * (IE6 only)
 253  */
 254 function sqsession_start() {
 255     global $PHP_SELF;
 256
 257     $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|');
 258     $repl = array('', '', '');
 259     $base_uri = preg_replace($dirs, $repl, $PHP_SELF);
 260
 261
 262     session_start();
 263     $sessid = session_id();
 264     // session_starts sets the sessionid cookie buth without the httponly var
 265     // setting the cookie again sets the httponly cookie attribute
 266     sqsetcookie(session_name(),$sessid,false,$base_uri);
 267 }
 268
 269
 270 /**
 271  * Set a cookie
 272  * @param string  $sName     The name of the cookie.
 273  * @param string  $sValue    The value of the cookie.
 274  * @param int     $iExpire   The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch.
 275  * @param string  $sPath     The path on the server in which the cookie will be available on.
 276  * @param string  $sDomain   The domain that the cookie is available.
 277  * @param boolean $bSecure   Indicates that the cookie should only be transmitted over a secure HTTPS connection.
 278  * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
 279  * @return void
 280  */
 281 function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) {
 282     $sHeader = "Set-Cookie: $sName=$sValue";
 283     if ($sPath) {
 284         $sHeader .= "; path=$sPath";
 285     }
 286     if ($iExpire !== false) {
 287         $sHeader .= "; Max-Age=$iExpire";
 288         // php uses Expire header, also add the expire header
 289         if ($iExpire === 0) {
 290             $sHeader .= "; expires=". date("r",time() - 3600);
 291         } else {
 292             $sHeader .= "; expires=". date("r",$iExpire);
 293         }
 294     }
 295     if ($sDomain) {
 296         $sHeader .= "; Domain=$sDomain";
 297     }
 298     if ($bSecure) {
 299         $sHeader .= "; Secure";
 300     }
 301     if ($bHttpOnly) {
 302         $sHeader .= "; HttpOnly";
 303     }
 304     // $sHeader .= "; Version=1";
 305
 306     header($sHeader);
 307 }
 308
 309 function php_combined_lcg() {
 310     $tv = gettimeofday();
 311     $lcg['s1'] = $tv['sec'] ^ (~$tv['usec']);
 312     $lcg['s2'] = posix_getpid();
 313
 314     $q = (int) ($lcg['s1'] / 53668);
 315     $lcg['s1'] = (int) (40014 * ($lcg['s1'] - 53668 * $q) - 12211 * $q);
 316     if ($lcg['s1'] < 0)
 317         $lcg['s1'] += 2147483563;
 318
 319     $q = (int) ($lcg['s2'] / 52774);
 320     $lcg['s2'] = (int) (40692 * ($lcg['s2'] - 52774 * $q) - 3791 * $q);
 321     if ($lcg['s2'] < 0)
 322         $lcg['s2'] += 2147483399;
 323
 324     $z = (int) ($lcg['s1'] - $lcg['s2']);
 325     if ($z < 1) {
 326         $z += 2147483562;
 327     }
 328
 329     return $z * 4.656613e-10;
 330 }
 331
 332
 333 if (!function_exists('session_regenerate_id')) {
 334
 335     function session_regenerate_id() {
 336         global $base_uri;
 337
 338         $tv = gettimeofday();
 339         $buf = sprintf("%.15s%ld%ld%0.8f", $_SERVER['REMOTE_ADDR'], $tv['sec'], $tv['usec'], php_combined_lcg() * 10);
 340         $sessid = session_id(md5($buf));
 341         if (ini_get('session.use_cookies')) {
 342             if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), $sessid, 0, $base_uri);
 343         }
 344         return true;
 345     }
 346 }
 347
 348
 349 /**
 350  * php_self
 351  *
 352  * Creates an URL for the page calling this function, using either the PHP global
 353  * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1
 354  * function was stored in function/strings.php.
 355  *
 356  * @return string the complete url for this page
 357  * @since 1.2.3
 358  */
 359 function php_self () {
 360     if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER) && !empty($req_uri) ) {
 361       return $req_uri;
 362     }
 363
 364     if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER) && !empty($php_self) ) {
 365
 366       // need to add query string to end of PHP_SELF to match REQUEST_URI
 367       //
 368       if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) && !empty($query_string) ) {
 369          $php_self .= '?' . $query_string;
 370       }
 371
 372       return $php_self;
 373     }
 374
 375     return '';
 376 }
 377
 378 /** set the name of the session cookie */
 379 if(isset($session_name) && $session_name) {
 380     ini_set('session.name' , $session_name);
 381 } else {
 382     ini_set('session.name' , 'SQMSESSID');
 383 }
 384
 385 /**
 386  * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
 387  * Force magic_quotes_runtime off.
 388  * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
 389  * If there's a better place, please let me know.
 390  */
 391 ini_set('magic_quotes_runtime','0');
 392
 393 /* Since we decided all IMAP servers must implement the UID command as defined in
 394  * the IMAP RFC, we force $uid_support to be on.
 395  */
 396
 397 global $uid_support;
 398 $uid_support = true;
 399
 400 /* if running with magic_quotes_gpc then strip the slashes
 401    from POST and GET global arrays */
 402
 403 if (get_magic_quotes_gpc()) {
 404     sqstripslashes($_GET);
 405     sqstripslashes($_POST);
 406 }
 407
 408 /* strip any tags added to the url from PHP_SELF.
 409    This fixes hand crafted url XXS expoits for any
 410    page that uses PHP_SELF as the FORM action */
 411 $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
 412
 413 $PHP_SELF = php_self();
 414
 415 sqsession_is_active();
 416
 417 ?>