X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=functions%2Fglobal.php;h=d211773c2e091fe625eff920b0b63367e7ef5512;hb=26bd38971ac8ea65405e7265654bef31b7594bc1;hp=c09716d691ff2557081744bc3b6ea95b873e22a3;hpb=1888b1bf6c31106cfe87a82bc692bfd8efcf0224;p=squirrelmail.git
diff --git a/functions/global.php b/functions/global.php
index c09716d6..d211773c 100644
--- a/functions/global.php
+++ b/functions/global.php
@@ -348,6 +348,69 @@ function sqgetGlobalVar($name, &$value, $search = SQ_INORDER, $default = NULL, $ return $result; } +/** + * Get an immutable copy of a configuration variable if SquirrelMail + * is in "secured configuration" mode. This guarantees the caller + * gets a copy of the requested value as it is set in the main + * application configuration (including config_local overrides), and + * not what it might be after possibly having been modified by some + * other code (usually a plugin overriding configuration values for + * one reason or another). + * + * WARNING: Please use this function as little as possible, because + * every time it is called, it forcibly reloads the main configuration + * file(s). + * + * Caller beware that this function will do nothing if SquirrelMail + * is not in "secured configuration" mode per the $secured_config + * setting. + * + * @param string $var_name The name of the desired variable + * + * @return mixed The desired value + * + * @since 1.5.2 + * + */ +function get_secured_config_value($var_name) { + + static $return_values = array(); + + // if we can avoid it, return values that have + // already been retrieved (so we don't have to + // include the config file yet again) + // + if (isset($return_values[$var_name])) { + return $return_values[$var_name]; + } + + + // load site configuration + // + require(SM_PATH . 'config/config.php'); + + // load local configuration overrides + // + if (file_exists(SM_PATH . 'config/config_local.php')) { + require(SM_PATH . 
'config/config_local.php'); + } + + // if SM isn't in "secured configuration" mode, + // just return the desired value from the global scope + // + if (!$secured_config) { + global $$var_name; + $return_values[$var_name] = $$var_name; + return $$var_name; + } + + // else we return what we got from the config file + // + $return_values[$var_name] = $$var_name; + return $$var_name; + +} + /** * Deletes an existing session, more advanced than the standard PHP * session_destroy(), it explicitly deletes the cookies and global vars. @@ -374,9 +437,8 @@ function sqsession_destroy() { global $base_uri, $_COOKIE, $_SESSION; - if (isset($_COOKIE[session_name()]) && session_name()) sqsetcookie(session_name(), '', 0, $base_uri); - if (isset($_COOKIE['username']) && $_COOKIE['username']) sqsetcookie('username','',0,$base_uri); - if (isset($_COOKIE['key']) && $_COOKIE['key']) sqsetcookie('key','',0,$base_uri); + if (isset($_COOKIE[session_name()]) && session_name()) sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri); + if (isset($_COOKIE['key']) && $_COOKIE['key']) sqsetcookie('key','SQMTRASH',1,$base_uri); $sessid = session_id(); if (!empty( $sessid )) { @@ -417,12 +479,19 @@ function sqsession_start() { // was: @session_start(); $session_id = session_id(); - // session_starts sets the sessionid cookie buth without the httponly var + // session_starts sets the sessionid cookie but without the httponly var // setting the cookie again sets the httponly cookie attribute - sqsetcookie(session_name(),$session_id,false,$base_uri); + // + // need to check if headers have been sent, since sqsession_is_active() + // has become just a passthru to this function, so the sqsetcookie() + // below is called every time, even after headers have already been sent + // + if (!headers_sent()) + sqsetcookie(session_name(),$session_id,false,$base_uri); } + /** * Set a cookie * @param string $sName The name of the cookie.
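Review bot: In `get_secured_config_value()` the non-secured branch stores the current global in the static `$return_values` cache, so a later call for the same name returns the first-seen value even if the global has changed since. That contradicts the comment "just return the desired value from the global scope"; I would drop the cache write in that branch and keep only `global $$var_name; return $$var_name;`. The two `require` calls also run in this function's scope, so a config file that assigns `$var_name` or `$return_values` would overwrite the function's own locals before `$$var_name` is resolved; less collision-prone local names would avoid that. Because `$var_name` is used as a variable-variable, the docblock should also say that callers must pass a fixed configuration name, never a request-derived string, and that a config file which does not set `$secured_config` is treated as non-secured.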
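Review bot: The new session-cookie line passes `$_COOKIE[session_name()]`, a value taken from the request, back into `sqsetcookie()` as the cookie value, while the `key` cookie on the next line is overwritten with the constant `'SQMTRASH'`. Using a constant for both, `sqsetcookie(session_name(), 'SQMTRASH', 1, $base_uri);`, avoids echoing client-controlled data into a response header and avoids re-sending the session id in the logout response. `sqsetcookie()` is not visible in this hunk, so whether it encodes or validates the value cannot be confirmed from here. The hunk also removes the line that expired the `username` cookie; if any code path still sets that cookie it would now survive logout, so a short comment stating why it is no longer cleared would help. `sqsession_destroy()` continues outside the hunk.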
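Review bot: The added `if (!headers_sent())` guard has no braces, so the `sqsetcookie()` call that re-issues the session cookie with the HttpOnly attribute is tied to the condition by indentation alone; I would write it as `if (!headers_sent()) {` … `}`. When headers have already been sent the re-issue is skipped silently, which suits the repeat calls described in the comment, but it would leave the session cookie without HttpOnly if the first call ever happened after output had started. The comment should state that the session has to be started before any output for the attribute to be applied. The beginning of `sqsession_start()` lies outside the hunk.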