X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;ds=sidebyside;f=functions%2Fstrings.php;h=8e6b045c4e9c1c320714e1fbedb5bf1aab7456d6;hb=382075ff59aeba192d648d13e67a897adf7c44b3;hp=b8166754d2d57b6a52ee7d61b2f6194d7f015bcf;hpb=b1fbb25f561e6b151f7cf72744b03253f8d395fb;p=squirrelmail.git diff --git a/functions/strings.php b/functions/strings.php index b8166754..8e6b045c 100644 --- a/functions/strings.php +++ b/functions/strings.php @@ -6,7 +6,7 @@ * This code provides various string manipulation functions that are * used by the rest of the SquirrelMail code. * - * @copyright 1999-2012 The SquirrelMail Project Team + * @copyright 1999-2018 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -1494,7 +1494,8 @@ function sm_truncate_string($string, $max_chars, $elipses='', function sm_get_user_security_tokens($purge_old=TRUE) { - global $data_dir, $username, $max_token_age_days; + global $data_dir, $username, $max_token_age_days, + $use_expiring_security_tokens; $tokens = getPref($data_dir, $username, 'security_tokens', ''); if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens)) @@ -1521,7 +1522,17 @@ function sm_get_user_security_tokens($purge_old=TRUE) /** * Generates a security token that is then stored in * the user's preferences with a timestamp for later - * verification/use. + * verification/use (although session-based tokens + * are not stored in user preferences). + * + * NOTE: By default SquirrelMail will use a single session-based + * token, but if desired, user tokens can have expiration + * dates associated with them and become invalid even during + * the same login session. When in that mode, the note + * immediately below applies, otherwise it is irrelevant. + * To enable that mode, the administrator must add the + * following to config/config_local.php: + * $use_expiring_security_tokens = TRUE; * * NOTE: The administrator can force SquirrelMail to generate * a new token every time one is requested (which may increase @@ -1552,9 +1563,24 @@ function sm_get_user_security_tokens($purge_old=TRUE) function sm_generate_security_token($force_generate_new=FALSE) { - global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token; + global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token, + $use_expiring_security_tokens; $max_generation_tries = 1000; + // if we're using session-based tokens, just return + // the same one every time (generate it if it's not there) + // + if (!$use_expiring_security_tokens) + { + if (sqgetGlobalVar('sm_security_token', $token, SQ_SESSION)) + return $token; + + // create new one since there was none in session + $token = GenerateRandomString(12, '', 7); + sqsession_register($token, 'sm_security_token'); + return $token; + } + $tokens = sm_get_user_security_tokens(); if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens)) @@ -1593,6 +1619,9 @@ function sm_generate_security_token($force_generate_new=FALSE) * overrides that value using $max_token_age_days in * config/config_local.php * + * Session-based tokens of course are always reused and are + * valid for the lifetime of the login session. + * * WARNING: If the administrator has turned the token system * off by setting $disable_security_tokens to TRUE in * config/config.php or the configuration tool, this @@ -1601,10 +1630,12 @@ function sm_generate_security_token($force_generate_new=FALSE) * @param string $token The token to validate * @param int $validity_period The number of seconds tokens are valid * for (set to zero to remove valid tokens - * after only one use; use 3600 to allow - * tokens to be reused for an hour) - * (OPTIONAL; default is to only allow tokens - * to be used once) + * after only one use; set to -1 to allow + * indefinite re-use (but still subject to + * $max_token_age_days - see elsewhere); + * use 3600 to allow tokens to be reused for + * an hour) (OPTIONAL; default is to only + * allow tokens to be used once) * NOTE this is unrelated to $max_token_age_days * or rather is an additional time constraint on * tokens that allows them to be re-used (or not) @@ -1625,12 +1656,33 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS { global $data_dir, $username, $max_token_age_days, + $use_expiring_security_tokens, $disable_security_tokens; // bypass token validation? CAREFUL! // if ($disable_security_tokens) return TRUE; + // if we're using session-based tokens, just compare + // the same one every time + // + if (!$use_expiring_security_tokens) + { + if (!sqgetGlobalVar('sm_security_token', $session_token, SQ_SESSION)) + { + if (!$show_error) return FALSE; + logout_error(_("Fatal security token error; please log in again")); + exit; + } + if ($token !== $session_token) + { + if (!$show_error) return FALSE; + logout_error(_("The current page request appears to have originated from an untrusted source.")); + exit; + } + return TRUE; + } + // don't purge old tokens here because we already // do it when generating tokens // @@ -1649,9 +1701,11 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS $timestamp = $tokens[$token]; // whether valid or not, we want to remove it from - // user prefs if it's old enough + // user prefs if it's old enough (unless requested to + // bypass this (in which case $validity_period is -1)) // - if ($timestamp < $now - $validity_period) + if ($validity_period >= 0 + && $timestamp < $now - $validity_period) { unset($tokens[$token]); setPref($data_dir, $username, 'security_tokens', serialize($tokens)); @@ -1674,3 +1728,43 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS } +/** + * Wrapper for PHP's htmlspecialchars() that + * attempts to add the correct character encoding + * + * @param string $string The string to be converted + * @param int $flags A bitmask that controls the behavior of htmlspecialchars() + * (See http://php.net/manual/function.htmlspecialchars.php ) + * (OPTIONAL; default ENT_COMPAT, ENT_COMPAT | ENT_SUBSTITUTE for PHP >=5.4) + * @param string $encoding The character encoding to use in the conversion + * (OPTIONAL; default automatic detection) + * @param boolean $double_encode Whether or not to convert entities that are + * already in the string (only supported in + * PHP 5.2.3+) (OPTIONAL; default TRUE) + * + * @return string The converted text + * + */ +function sm_encode_html_special_chars($string, $flags=ENT_COMPAT, + $encoding=NULL, $double_encode=TRUE) +{ + if (!$encoding) + { + global $default_charset; + if ($default_charset == 'iso-2022-jp') + $default_charset = 'EUC-JP'; + $encoding = $default_charset; + } + + if (check_php_version(5, 2, 3)) { + // Replace invalid characters with a symbol instead of returning + // empty string for the entire to be encoded string. + if (check_php_version(5, 4, 0) && $flags == ENT_COMPAT) { + $flags = $flags | ENT_SUBSTITUTE; + } + return htmlspecialchars($string, $flags, $encoding, $double_encode); + } + + return htmlspecialchars($string, $flags, $encoding); +} +