X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;ds=sidebyside;f=functions%2Fstrings.php;h=d03163b0f4ab56b9b61cca66d15e9030eabd9b7d;hb=f197ec8835b64975ff47dc6cd86dae75605baebf;hp=7a660ff9625a519b0a77197cf7a312d815680d5c;hpb=c0d968010e710870fdfee2f22d7cc9fad370c7a9;p=squirrelmail.git

diff --git a/functions/strings.php b/functions/strings.php
index 7a660ff9..d03163b0 100644
--- a/functions/strings.php
+++ b/functions/strings.php
@@ -6,7 +6,7 @@
  * This code provides various string manipulation functions that are
  * used by the rest of the SquirrelMail code.
  *
- * @copyright 1999-2012 The SquirrelMail Project Team
+ * @copyright 1999-2016 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -1481,7 +1481,7 @@ function sm_truncate_string($string, $max_chars, $elipses='',
   *                           list ("old" is 2 days or
   *                           older unless the administrator
   *                           overrides that value using
-  *                           $max_security_token_age in
+  *                           $max_token_age_days in
   *                           config/config_local.php)
   *                           (OPTIONAL; default is to always
   *                           purge old tokens)
@@ -1523,6 +1523,15 @@ function sm_get_user_security_tokens($purge_old=TRUE)
   * the user's preferences with a timestamp for later
   * verification/use.
   *
+  * NOTE: The administrator can force SquirrelMail to generate
+  * a new token every time one is requested (which may increase
+  * obscurity through token randomness at the cost of some
+  * performance) by adding the following to
+  * config/config_local.php:   $do_not_use_single_token = TRUE;
+  * Otherwise, only one token will be generated per user which
+  * will change only after it expires or is used outside of the
+  * validity period specified when calling sm_validate_security_token()
+  *
   * WARNING: If the administrator has turned the token system
   *          off by setting $disable_security_tokens to TRUE in
   *          config/config.php or the configuration tool, this
@@ -1530,19 +1539,27 @@ function sm_get_user_security_tokens($purge_old=TRUE)
   *          preferences (but it will still generate and return
   *          a random string).
   *
+  * @param boolean $force_generate_new When TRUE, a new token will
+  *                                    always be created even if current
+  *                                    configuration dictates otherwise
+  *                                    (OPTIONAL; default FALSE)
+  *
   * @return string A security token
   *
   * @since 1.4.19 and 1.5.2
   *
   */
-function sm_generate_security_token()
+function sm_generate_security_token($force_generate_new=FALSE)
 {
 
-   global $data_dir, $username, $disable_security_tokens;
+   global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token;
    $max_generation_tries = 1000;
 
    $tokens = sm_get_user_security_tokens();
 
+   if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens))
+      return key($tokens);
+
    $new_token = GenerateRandomString(12, '', 7);
    $count = 0;
    while (isset($tokens[$new_token]))
@@ -1573,7 +1590,7 @@ function sm_generate_security_token()
   * is too old but otherwise valid, it will still be rejected.
   *
   * "Too old" is 2 days or older unless the administrator
-  * overrides that value using $max_security_token_age in
+  * overrides that value using $max_token_age_days in
   * config/config_local.php
   *
   * WARNING: If the administrator has turned the token system
@@ -1584,10 +1601,16 @@ function sm_generate_security_token()
   * @param string  $token           The token to validate
   * @param int     $validity_period The number of seconds tokens are valid
   *                                 for (set to zero to remove valid tokens
-  *                                 after only one use; use 3600 to allow
-  *                                 tokens to be reused for an hour)
-  *                                 (OPTIONAL; default is to only allow tokens
-  *                                 to be used once)
+  *                                 after only one use; set to -1 to allow
+  *                                 indefinite re-use (but still subject to
+  *                                 $max_token_age_days - see elsewhere);
+  *                                 use 3600 to allow tokens to be reused for
+  *                                 an hour) (OPTIONAL; default is to only
+  *                                 allow tokens to be used once)
+  *                                 NOTE this is unrelated to $max_token_age_days
+  *                                 or rather is an additional time constraint on
+  *                                 tokens that allows them to be re-used (or not)
+  *                                 within a more narrow timeframe
   * @param boolean $show_error      Indicates that if the token is not
   *                                 valid, this function should display
   *                                 a generic error, log the user out
@@ -1628,9 +1651,11 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS
    $timestamp = $tokens[$token];
 
    // whether valid or not, we want to remove it from
-   // user prefs if it's old enough
+   // user prefs if it's old enough (unless requested to
+   // bypass this (in which case $validity_period is -1))
    //
-   if ($timestamp < $now - $validity_period)
+   if ($validity_period >= 0
+    && $timestamp < $now - $validity_period)
    {
       unset($tokens[$token]);
       setPref($data_dir, $username, 'security_tokens', serialize($tokens));
@@ -1653,3 +1678,43 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS
 
 }
 
+/**
+  * Wrapper for PHP's htmlspecialchars() that
+  * attempts to add the correct character encoding
+  *
+  * @param string $string The string to be converted
+  * @param int $flags A bitmask that controls the behavior of htmlspecialchars()
+  *                   (See http://php.net/manual/function.htmlspecialchars.php )
+  *                   (OPTIONAL; default ENT_COMPAT, ENT_COMPAT | ENT_SUBSTITUTE for PHP >=5.4)
+  * @param string $encoding The character encoding to use in the conversion
+  *                         (OPTIONAL; default automatic detection)
+  * @param boolean $double_encode Whether or not to convert entities that are
+  *                               already in the string (only supported in
+  *                               PHP 5.2.3+) (OPTIONAL; default TRUE)
+  *
+  * @return string The converted text
+  *
+  */
+function sm_encode_html_special_chars($string, $flags=ENT_COMPAT,
+                                      $encoding=NULL, $double_encode=TRUE)
+{
+   if (!$encoding)
+   {
+      global $default_charset;
+      if ($default_charset == 'iso-2022-jp')
+         $default_charset = 'EUC-JP';
+      $encoding = $default_charset;
+   }
+
+   if (check_php_version(5, 2, 3)) {
+      // Replace invalid characters with a symbol instead of returning
+      // empty string for the entire to be encoded string.
+      if (check_php_version(5, 4, 0) && $flags == ENT_COMPAT) {
+         $flags = $flags | ENT_SUBSTITUTE;
+      }
+      return htmlspecialchars($string, $flags, $encoding, $double_encode);
+   }
+
+   return htmlspecialchars($string, $flags, $encoding);
+}
+