Aparently, within a javascript "window" function you don't need to escape

[squirrelmail.git] / include / validate.php

diff --git a/include/validate.php b/include/validate.php
index 79b1bd15a83780716b6e4673f17d51e4effb441f..41116656267f2012eaaf7a63b29143d4ef95cab7 100644 (file)
--- a/include/validate.php
+++ b/include/validate.php
@@ -40,19 +40,6 @@ require_once(SM_PATH . 'functions/global.php');
 
 is_logged_in();
 
-/* Remove all slashes for form values. */
-if (get_magic_quotes_gpc()) {
-    global $REQUEST_METHOD;
-
-    if ($REQUEST_METHOD == 'POST') {
-        global $HTTP_POST_VARS;
-        RemoveSlashes($HTTP_POST_VARS);
-    } else if ($REQUEST_METHOD == 'GET') {
-        global $HTTP_GET_VARS;
-        RemoveSlashes($HTTP_GET_VARS);
-    }
-}
-
 /**
 * Auto-detection
 *
@@ -103,8 +90,19 @@ global $username, $data_dir;
 set_up_language(getPref($data_dir, $username, 'language'));
 
 $timeZone = getPref($data_dir, $username, 'timezone');
+
+/* Check to see if we are allowed to set the TZ environment variable.
+ * We are able to do this if ... 
+ *   safe_mode is disabled OR
+ *   safe_mode_allowed_env_vars is empty (you are allowed to set any) OR
+ *   safe_mode_allowed_env_vars contains TZ 
+ */
+$tzChangeAllowed = (!ini_get('safe_mode')) ||
+                    !strcmp(ini_get('safe_mode_allowed_env_vars'),'') || 
+                    preg_match('/^([\w_]+,)*TZ/', ini_get('safe_mode_allowed_env_vars')); 
+
 if ( $timeZone != SMPREF_NONE && ($timeZone != "") 
-    && !ini_get("safe_mode")) {
+    && $tzChangeAllowed ) {
     putenv("TZ=".$timeZone);
 }
 ?>