* It also has some session register functions that work across various
* php versions.
*
- * @copyright © 1999-2007 The SquirrelMail Project Team
+ * @copyright © 1999-2009 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
unset($_SESSION[$name]);
- session_unregister("$name");
+ // starts throwing warnings in PHP 5.3.0 and is
+ // removed in PHP 6 and is redundant anyway
+ //session_unregister("$name");
}
/**
case SQ_TYPE_INT: $value = (int) $value; break;
case SQ_TYPE_STRING: $value = (string) $value; break;
case SQ_TYPE_BOOL: $value = (bool) $value; break;
+ case SQ_TYPE_BIGINT:
+ $value = (preg_match('/^[0-9]+$/', $value) ? $value : '0');
+ break;
default: break;
}
} else if (!$result && !is_null($default)) {
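Review bot: The SQ_TYPE_BIGINT pattern `/^[0-9]+$/` also accepts a value that ends in a single newline, because `$` matches before a final line feed unless the `D` modifier is set. A caller that treats this type as "digits only" would then carry the newline into whatever it builds from the value. Anchoring the end with `\z` closes that: `$value = (preg_match('/^[0-9]+\z/', $value) ? $value : '0');`. A one-line comment that the value is kept as a string so it can exceed the native integer range would also help, since the other cases cast; that rationale is inferred from the type name. The enclosing switch and function start outside the hunk.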
global $base_uri, $_COOKIE, $_SESSION;
- if (isset($_COOKIE[session_name()]) && session_name()) sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri);
+ if (isset($_COOKIE[session_name()]) && session_name()) {
+ sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri);
+
+ /*
+ * Make sure to kill /src and /src/ cookies, just in case there are
+ * some left-over or malicious ones set in user's browser.
+ * NB: Note that an attacker could try to plant a cookie for one
+ * of the /plugins/* directories. Such cookies can block
+ * access to certain plugin pages, but they do not influence
+ * or fixate the $base_uri cookie, so we don't worry about
+ * trying to delete all of them here.
+ */
+ sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src');
+ sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src/');
+ }
+
if (isset($_COOKIE['key']) && $_COOKIE['key']) sqsetcookie('key','SQMTRASH',1,$base_uri);
+ /* Make sure new session id is generated on subsequent session_start() */
+ unset($_COOKIE[session_name()]);
+ unset($_GET[session_name()]);
+ unset($_POST[session_name()]);
+
$sessid = session_id();
if (!empty( $sessid )) {
$_SESSION = array();
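Review bot: The three expiry calls for the session cookie write the request-supplied `$_COOKIE[session_name()]` back as the cookie value, while the `key` cookie just below is expired with the constant `'SQMTRASH'`. The value does not matter for a cookie that expires immediately, so a constant would avoid reflecting client-controlled data into a response header; whether sqsetcookie() encodes the value is not visible here. For example `sqsetcookie(session_name(), 'SQMTRASH', 1, $base_uri . 'src');`, and likewise for the `$base_uri` and `'src/'` paths. The enclosing function begins before the hunk and continues after it.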
* session_regenerate_id replacement for PHP < 4.3.2
*
* This code is borrowed from Gallery, session.php version 1.53.2.1
+FIXME: I saw this code on php.net (in the manual); that's where it comes from originally, but I don't think we need it - it's just redundant to all the hard work we already did seeding the random number generator IMO. I think we can just call to GenerateRandomString() and dump the rest.
*/
if (!function_exists('session_regenerate_id')) {