* This code provides various string manipulation functions that are
* used by the rest of the SquirrelMail code.
*
- * @copyright 1999-2009 The SquirrelMail Project Team
+ * @copyright 1999-2012 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
* @since 1.0.3
*/
function quoteimap($str) {
- return preg_replace("/([\"\\\\])/", "\\\\$1", $str);
+ return str_replace(array('\\', '"'), array('\\\\', '\\"'), $str);
}
/**
* stores control symbols in those charsets.
* Use preg_match instead of ereg in order to avoid problems
* with mbstring overloading
+NOTES:
+NOTES:
+ 37 (base 8) = 31 (base 10) (LAST CONTROL CHAR)
+ 40 (base 8) = 32 (base 10) (FIRST PRINTABLE ASCII)
+ 176 (base 8) = 126 (base 10) (LAST PRINTABLE ASCII)
+ 177 (base 8) = 127 (base 10) (DEL)
+ 200 (base 8) = 128 (base 10)
+ 237 (base 8) = 159 (base 10)
+ 240 (base 8) = 160 (base 10) (FIRST EXTRA PRINTABLE)
+ 377 (base 8) = 255 (base 10) (LAST EXTRA PRINTABLE)
+ 400 (base 8) = 256 (base 10)
+
+ Traditional ASCII 0 - 127 (octal 0 - 177)
+ Printable ASCII 32 - 126 (octal 40 - 176)
+ Additional Printables for ISO Latin 1 160 - 255 (octal 240 - 377)
+
+ 240 (160) is the first character of the extra 7-bit printable characer
+ range, sometimes used as the no-break space, but the regular expression
+ ranges are broken up at 240 only because RH 7.2 PHP seemed to have
+ problems otherwise - this is a PHP/preg issue, NOT a charset issue
+
+ So supposedly printable chars in an 8859 charset are 32-126 (octal 40-176)
+ and 160/161-255 (octal 240/241-377))
+
+ So checking for the range between the two makes sense (128-159 or octal 200-237)
+ (wait, no, to skip DEL too, it's 127-159 (octal 177-237))
+
+ But why not for 0-31 (octal 0-37) and DEL (127 or 177 octal)????
+ (or do we need a new fxn that detects *printable* 7-bit chars?)
+ (if we do, note that some control characters are "printable",
+ notably the CR, LF and TAB characters)
+
+ And why is 241-377 octal considered 8-bit for iso 8859??? Isn't it
+ the opposite for iso 8859???? aren't these 7 bit characters?
+ see http://www.cs.tut.fi/~jkorpela/chars.html#latin1
+ Uh, well, anything more than 127 (octal 177) takes 8 bits to represent
+ but errrrr, these are simple non-multibyte characters, right? but
+ maybe this "is 8-bit" business is NOT the same as "is multibyte"????
+
+ That begs the question how this fxn is actually used - what's its purpose?
+ (is it being misused in some places?)
+
*/
if (preg_match("/^iso-8859/i",$charset)) {
$needle='/\240|[\241-\377]/';
* @link http://www.php.net/substr
* @link http://www.php.net/mb_substr
*/
-function sq_substr($string,$start,$length,$charset='auto') {
+function sq_substr($string,$start,$length=NULL,$charset='auto') {
+
+ // if $length is NULL, use the full string length...
+ // we have to do this to mimick the use of substr()
+ // where $length is not given
+ //
+ if (is_null($length))
+ $length = sq_strlen($length);
+
+
// use automatic charset detection, if function call asks for it
static $charset_auto, $bUse_mb;
return substr($string,$start,$length);
}
+/**
+ * This is a replacement for PHP's substr_replace() that is
+ * multibyte-aware.
+ *
+ * @param string $string The string to operate upon
+ * @param string $replacement The string to be inserted
+ * @param int $start The offset at which to begin substring replacement
+ * @param int $length The number of characters after $start to remove
+ * NOTE that if you need to specify a charset but
+ * want to achieve normal substr_replace() behavior
+ * where $length is not specified, use NULL (OPTIONAL;
+ * default from $start to end of string)
+ * @param string $charset The charset of the given string. A value of NULL
+ * here will force the use of PHP's standard substr().
+ * (OPTIONAL; default is "auto", which indicates that
+ * the user's current charset should be used).
+ *
+ * @return string The manipulated string
+ *
+ * Of course, you can use more advanced (e.g., negative) values
+ * for $start and $length as needed - see the PHP manual for more
+ * information: http://www.php.net/manual/function.substr-replace.php
+ *
+ */
+function sq_substr_replace($string, $replacement, $start, $length=NULL,
+ $charset='auto')
+{
+
+ // NULL charset? Just use substr_replace()
+ //
+ if (is_null($charset))
+ return is_null($length) ? substr_replace($string, $replacement, $start)
+ : substr_replace($string, $replacement, $start, $length);
+
+
+ // use current character set?
+ //
+ if ($charset == 'auto')
+ {
+//FIXME: is there any reason why this cannot be a global flag used by all string wrapper functions?
+ static $auto_charset;
+ if (!isset($auto_charset))
+ {
+ global $default_charset;
+//FIXME - do we need this?
+global $squirrelmail_language;
+ set_my_charset();
+ $auto_charset = $default_charset;
+//FIXME - do we need this?
+if ($squirrelmail_language == 'ja_JP') $auto_charset = 'euc-jp';
+ }
+ $charset = $auto_charset;
+ }
+
+
+ // standardize character set name
+ //
+ $charset = strtolower($charset);
+
+
+/* ===== FIXME: this list is not used in 1.5.x, but if we need it, unless this differs between all our string function wrappers, we should store this info in the session
+ // only use mbstring with the following character sets
+ //
+ $sq_substr_replace_mb_charsets = array(
+ 'utf-8',
+ 'big5',
+ 'gb2312',
+ 'gb18030',
+ 'euc-jp',
+ 'euc-cn',
+ 'euc-tw',
+ 'euc-kr'
+ );
+
+
+ // now we can use our own implementation using
+ // mb_substr() and mb_strlen() if needed
+ //
+ if (in_array($charset, $sq_substr_replace_mb_charsets)
+ && in_array($charset, sq_mb_list_encodings()))
+===== */
+//FIXME: is there any reason why this cannot be a global array used by all string wrapper functions?
+ if (in_array($charset, sq_mb_list_encodings()))
+ {
+
+ $string_length = mb_strlen($string, $charset);
+
+ if ($start < 0)
+ $start = max(0, $string_length + $start);
+
+ else if ($start > $string_length)
+ $start = $string_length;
+
+ if ($length < 0)
+ $length = max(0, $string_length - $start + $length);
+
+ else if (is_null($length) || $length > $string_length)
+ $length = $string_length;
+
+ if ($start + $length > $string_length)
+ $length = $string_length - $start;
+
+ return mb_substr($string, 0, $start, $charset)
+ . $replacement
+ . mb_substr($string,
+ $start + $length,
+ $string_length, // FIXME: I can't see why this is needed: - $start - $length,
+ $charset);
+
+ }
+
+
+ // else use normal substr_replace()
+ //
+ return is_null($length) ? substr_replace($string, $replacement, $start)
+ : substr_replace($string, $replacement, $start, $length);
+
+}
+
/**
* Wrapper that is used to switch between vanilla and multibyte strpos
* functions.
$value = trim($value);
}
+/**
+ * Truncates the given string so that it has at
+ * most $max_chars characters. NOTE that a "character"
+ * may be a multibyte character, or (optionally), an
+ * HTML entity , so this function is different than
+ * using substr() or mb_substr().
+ *
+ * NOTE that if $elipses is given and used, the returned
+ * number of characters will be $max_chars PLUS the
+ * length of $elipses
+ *
+ * @param string $string The string to truncate
+ * @param int $max_chars The maximum allowable characters
+ * @param string $elipses A string that will be added to
+ * the end of the truncated string
+ * (ONLY if it is truncated) (OPTIONAL;
+ * default not used)
+ * @param boolean $html_entities_as_chars Whether or not to keep
+ * HTML entities together
+ * (OPTIONAL; default ignore
+ * HTML entities)
+ *
+ * @return string The truncated string
+ *
+ * @since 1.4.20 and 1.5.2 (replaced truncateWithEntities())
+ *
+ */
+function sm_truncate_string($string, $max_chars, $elipses='',
+ $html_entities_as_chars=FALSE)
+{
+
+ // if the length of the string is less than
+ // the allowable number of characters, just
+ // return it as is (even if it contains any
+ // HTML entities, that would just make the
+ // actual length even smaller)
+ //
+ $actual_strlen = sq_strlen($string, 'auto');
+ if ($max_chars <= 0 || $actual_strlen <= $max_chars)
+ return $string;
+
+
+ // if needed, count the number of HTML entities in
+ // the string up to the maximum character limit,
+ // pushing that limit up for each entity found
+ //
+ $adjusted_max_chars = $max_chars;
+ if ($html_entities_as_chars)
+ {
+
+ // $loop_count is needed to prevent an endless loop
+ // which is caused by buggy mbstring versions that
+ // return 0 (zero) instead of FALSE in some rare
+ // cases. Thanks, PHP.
+ // see: http://bugs.php.net/bug.php?id=52731
+ // also: tracker $3053349
+ //
+ $loop_count = 0;
+ $entity_pos = $entity_end_pos = -1;
+ while ($entity_end_pos + 1 < $actual_strlen
+ && ($entity_pos = sq_strpos($string, '&', $entity_end_pos + 1)) !== FALSE
+ && ($entity_end_pos = sq_strpos($string, ';', $entity_pos)) !== FALSE
+ && $entity_pos <= $adjusted_max_chars
+ && $loop_count++ < $max_chars)
+ {
+ $adjusted_max_chars += $entity_end_pos - $entity_pos;
+ }
+
+
+ // this isn't necessary because sq_substr() would figure this
+ // out anyway, but we can avoid a sq_substr() call and we
+ // know that we don't have to add an elipses (this is now
+ // an accurate comparison, since $adjusted_max_chars, like
+ // $actual_strlen, does not take into account HTML entities)
+ //
+ if ($actual_strlen <= $adjusted_max_chars)
+ return $string;
+
+ }
+
+
+ // get the truncated string
+ //
+ $truncated_string = sq_substr($string, 0, $adjusted_max_chars);
+
+
+ // return with added elipses
+ //
+ return $truncated_string . $elipses;
+
+}
+
/**
* Gathers the list of secuirty tokens currently
* stored in the user's preferences and optionally
*
* @param boolean $purge_old Indicates if old tokens
* should be purged from the
- * list ("old" is 30 days or
+ * list ("old" is 2 days or
* older unless the administrator
* overrides that value using
- * $max_security_token_age in
+ * $max_token_age_days in
* config/config_local.php)
* (OPTIONAL; default is to always
* purge old tokens)
//
if ($purge_old)
{
- if (empty($max_token_age_days)) $max_token_age_days = 30;
+ if (empty($max_token_age_days)) $max_token_age_days = 2;
$now = time();
$discard_token_date = $now - ($max_token_age_days * 86400);
$cleaned_tokens = array();
* the user's preferences with a timestamp for later
* verification/use.
*
+ * NOTE: The administrator can force SquirrelMail to generate
+ * a new token every time one is requested (which may increase
+ * obscurity through token randomness at the cost of some
+ * performance) by adding the following to
+ * config/config_local.php: $do_not_use_single_token = TRUE;
+ * Otherwise, only one token will be generated per user which
+ * will change only after it expires or is used outside of the
+ * validity period specified when calling sm_validate_security_token()
+ *
* WARNING: If the administrator has turned the token system
* off by setting $disable_security_tokens to TRUE in
* config/config.php or the configuration tool, this
* preferences (but it will still generate and return
* a random string).
*
- * @return void
+ * @param boolean $force_generate_new When TRUE, a new token will
+ * always be created even if current
+ * configuration dictates otherwise
+ * (OPTIONAL; default FALSE)
+ *
+ * @return string A security token
*
* @since 1.4.19 and 1.5.2
*
*/
-function sm_generate_security_token()
+function sm_generate_security_token($force_generate_new=FALSE)
{
- global $data_dir, $username, $disable_security_tokens;
+ global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token;
$max_generation_tries = 1000;
$tokens = sm_get_user_security_tokens();
+ if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens))
+ return key($tokens);
+
$new_token = GenerateRandomString(12, '', 7);
$count = 0;
while (isset($tokens[$new_token]))
* from the user's preferences if it was valid. If the token
* is too old but otherwise valid, it will still be rejected.
*
- * "Too old" is 30 days or older unless the administrator
- * overrides that value using $max_security_token_age in
+ * "Too old" is 2 days or older unless the administrator
+ * overrides that value using $max_token_age_days in
* config/config_local.php
*
* WARNING: If the administrator has turned the token system
* tokens to be reused for an hour)
* (OPTIONAL; default is to only allow tokens
* to be used once)
+ * NOTE this is unrelated to $max_token_age_days
+ * or rather is an additional time constraint on
+ * tokens that allows them to be re-used (or not)
+ * within a more narrow timeframe
* @param boolean $show_error Indicates that if the token is not
* valid, this function should display
* a generic error, log the user out
// reject tokens that are too old
//
- if (empty($max_token_age_days)) $max_token_age_days = 30;
+ if (empty($max_token_age_days)) $max_token_age_days = 2;
$old_token_date = $now - ($max_token_age_days * 86400);
if ($timestamp < $old_token_date)
{