X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=functions%2Fimap_mailbox.php;h=b6a36c0fe6eb07cdae63ed9a6e341173d800b087;hb=88f6f618ecbe146746c174660942131badc5aa39;hp=d8eecb2867bdf4a5f6907a5221cf5af8ea376dda;hpb=dbd9ce25f075143b77011b59e48681bae0e971a7;p=squirrelmail.git
diff --git a/functions/imap_mailbox.php b/functions/imap_mailbox.php
index d8eecb28..b6a36c0f 100755
--- a/functions/imap_mailbox.php
+++ b/functions/imap_mailbox.php
@@ -220,12 +220,17 @@ function isBoxBelow( $subbox, $parentbox ) {
* Since 1.2.5 function includes special_mailbox hook.
* Since 1.4.3 hook supports more than one plugin.
* @param string $box mailbox name
+ * @param boolean $include_subs (since 1.5.2) if true, subfolders of system
+ * folders are special. if false, subfolders are not special mailboxes
+ * unless they are tagged as special in 'special_mailbox' hook.
* @return boolean
* @since 1.2.3
*/
-function isSpecialMailbox( $box ) {
+function isSpecialMailbox($box,$include_subs=true) {
$ret = ( (strtolower($box) == 'inbox') ||
- isTrashMailbox($box) || isSentMailbox($box) || isDraftMailbox($box) );
+ isTrashMailbox($box,$include_subs) ||
+ isSentMailbox($box,$include_subs) ||
+ isDraftMailbox($box,$include_subs) );
if ( !$ret ) {
$ret = boolean_hook_function('special_mailbox',$box,1);
@@ -236,37 +241,46 @@ function isSpecialMailbox( $box ) {
/**
* Detects if mailbox is a Trash folder or subfolder of Trash
* @param string $box mailbox name
+ * @param boolean $include_subs (since 1.5.2) if true, subfolders of system
+ * folders are special. if false, subfolders are not special mailboxes.
* @return bool whether this is a Trash folder
* @since 1.4.0
*/
-function isTrashMailbox ($box) {
+function isTrashMailbox ($box,$include_subs=true) {
global $trash_folder, $move_to_trash;
return $move_to_trash && $trash_folder &&
- ( $box == $trash_folder || isBoxBelow($box, $trash_folder) );
+ ( $box == $trash_folder ||
+ ($include_subs && isBoxBelow($box, $trash_folder)) );
}
/**
* Detects if mailbox is a Sent folder or subfolder of Sent
* @param string $box mailbox name
+ * @param boolean $include_subs (since 1.5.2) if true, subfolders of system
+ * folders are special. if false, subfolders are not special mailboxes.
* @return bool whether this is a Sent folder
* @since 1.4.0
*/
-function isSentMailbox($box) {
+function isSentMailbox($box,$include_subs=true) {
global $sent_folder, $move_to_sent;
return $move_to_sent && $sent_folder &&
- ( $box == $sent_folder || isBoxBelow($box, $sent_folder) );
+ ( $box == $sent_folder ||
+ ($include_subs && isBoxBelow($box, $sent_folder)) );
}
/**
* Detects if mailbox is a Drafts folder or subfolder of Drafts
* @param string $box mailbox name
+ * @param boolean $include_subs (since 1.5.2) if true, subfolders of system
+ * folders are special. if false, subfolders are not special mailboxes.
* @return bool whether this is a Draft folder
* @since 1.4.0
*/
-function isDraftMailbox($box) {
+function isDraftMailbox($box,$include_subs=true) {
global $draft_folder, $save_as_draft;
return $save_as_draft &&
- ( $box == $draft_folder || isBoxBelow($box, $draft_folder) );
+ ( $box == $draft_folder ||
+ ($include_subs && isBoxBelow($box, $draft_folder)) );
}
/**
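Review bot: isDraftMailbox still gates on `$save_as_draft` alone, while isTrashMailbox and isSentMailbox in this same hunk also require their folder variable to be non-empty before comparing. If `$draft_folder` is unset or empty, the loose `$box == $draft_folder` comparison and the isBoxBelow() call run against an empty parent; how isBoxBelow behaves in that case is not visible here. For consistency with the two sibling functions I would write `return $save_as_draft && $draft_folder &&` as the first line of the return expression in isDraftMailbox.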
@@ -350,8 +364,27 @@ function sqimap_mailbox_select ($imap_stream, $mailbox) {
if ($mailbox == 'None') {
return;
}
+
// cleanup $mailbox in order to prevent IMAP injection attacks
$mailbox = str_replace(array("\r","\n"), array("",""),$mailbox);
+
+ /**
+ * Default UW IMAP server configuration allows to access other files
+ * on server. $imap_server_type is not checked because interface can
+ * be used with 'other' or any other server type setting. $mailbox
+ * variable can be modified in any script that uses variable from GET
+ * or POST. This code blocks all standard SquirrelMail IMAP API requests
+ * that use mailbox with full path (/etc/passwd) or with ../ characters
+ * in path (../../etc/passwd)
+ */
+ if (strstr($mailbox, '../') || substr($mailbox, 0, 1) == '/') {
+ global $oTemplate;
+ error_box(sprintf(_("Invalid mailbox name: %s"),htmlspecialchars($mailbox)));
+ sqimap_logout($imap_stream);
+ $oTemplate->display('footer.tpl');
+ die();
+ }
+
$read = sqimap_run_command($imap_stream, 'SELECT ' . sqimap_encode_mailbox_name($mailbox),
true, $response, $message);
$result = array();
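Review bot: The new guard in sqimap_mailbox_select is a two-pattern deny-list (`../` anywhere, a leading `/`), and in this hunk it covers only the SELECT path, although its comment says it blocks all standard SquirrelMail IMAP API requests. Other functions that send a caller-supplied mailbox name to the server are not visible here, so confirm that each of them runs the same test; moving it into one shared helper would keep them in step. Checking the name against the folder list the server itself returns would be stricter than matching substrings. The rejection is also silent on the server side; a line such as `error_log('SquirrelMail: rejected mailbox name: ' . $mailbox);` before `sqimap_logout($imap_stream);` gives operators something to alert on (CR and LF are already stripped above). The function body continues outside the hunk.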
@@ -637,26 +670,13 @@ function sqimap_mailbox_parse ($line) {
}
/**
- * Returns list of options (to be echoed into select statement
- * based on available mailboxes and separators
- * Caller should surround options with and
- * any formatting.
- * @param stream $imap_stream imap connection resource to query for mailboxes
- * @param array $show_selected array containing list of mailboxes to pre-select (0 if none)
- * @param array $folder_skip array of folders to keep out of option list (compared in lower)
- * @param $boxes list of already fetched boxes (for places like folder panel, where
- * you know these options will be shown 3 times in a row.. (most often unset).
- * @param string $flag (since 1.4.1) flag to check for in mailbox flags, used to filter out mailboxes.
- * 'noselect' by default to remove unselectable mailboxes.
- * 'noinferiors' used to filter out folders that can not contain subfolders.
- * NULL to avoid flag check entirely.
- * NOTE: noselect and noiferiors are used internally. The IMAP representation is
- * \NoSelect and \NoInferiors
- * @param boolean $use_long_format (since 1.4.1) override folder display preference and always show full folder name.
- * @return string html formated mailbox selection options
- * @since 1.3.2
+ * Returns an array of mailboxes available. Separated from sqimap_mailbox_option_list()
+ * below for template development.
+ *
+ * @author Steve Brown
+ * @since 1.5.2
*/
-function sqimap_mailbox_option_list($imap_stream, $show_selected = 0, $folder_skip = 0, $boxes = 0,
+function sqimap_mailbox_option_array($imap_stream, $folder_skip = 0, $boxes = 0,
$flag = 'noselect', $use_long_format = false ) {
global $username, $data_dir, $translate_special_folders, $sent_folder,
$trash_folder, $draft_folder;
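Review bot: The docblock for the new sqimap_mailbox_option_array drops every `@param` and `@return` line that the old function carried, although all five remaining parameters keep their meaning. I would keep the existing `@param` lines for `$imap_stream`, `$folder_skip`, `$boxes`, `$flag` and `$use_long_format`, and add a `@return array` line stating that the keys are mailbox names already passed through `htmlspecialchars()` (per the assignment later in this function), so template authors do not escape them a second time. Whether the values are HTML-safe is not visible in this hunk and should be stated in the same place. The function body continues outside the hunk.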
@@ -674,6 +694,7 @@ function sqimap_mailbox_option_list($imap_stream, $show_selected = 0, $folder_sk
$boxes = sqimap_mailbox_list($imap_stream);
}
+ $a = array();
foreach ($boxes as $boxes_part) {
if ($flag == NULL || (is_array($boxes_part['flags'])
&& !in_array($flag, $boxes_part['flags']))) {
@@ -731,14 +752,58 @@ function sqimap_mailbox_option_list($imap_stream, $show_selected = 0, $folder_sk
break;
}
}
- if ($show_selected != 0 && in_array($lowerbox, $show_selected) ) {
- $mbox_options .= '' . "\n";
- } else {
- $mbox_options .= '' . "\n";
+
+ $a[htmlspecialchars($box)] = $box2;
+ }
+ }
+
+ return $a;
+}
+
+/**
+ * Returns list of options (to be echoed into select statement
+ * based on available mailboxes and separators
+ * Caller should surround options with and
+ * any formatting.
+ * @param stream $imap_stream imap connection resource to query for mailboxes
+ * @param array $show_selected array containing list of mailboxes to pre-select (0 if none)
+ * @param array $folder_skip array of folders to keep out of option list (compared in lower)
+ * @param $boxes list of already fetched boxes (for places like folder panel, where
+ * you know these options will be shown 3 times in a row.. (most often unset).
+ * @param string $flag (since 1.4.1) flag to check for in mailbox flags, used to filter out mailboxes.
+ * 'noselect' by default to remove unselectable mailboxes.
+ * 'noinferiors' used to filter out folders that can not contain subfolders.
+ * NULL to avoid flag check entirely.
+ * NOTE: noselect and noiferiors are used internally. The IMAP representation is
+ * \NoSelect and \NoInferiors
+ * @param boolean $use_long_format (since 1.4.1) override folder display preference and always show full folder name.
+ * @return string html formated mailbox selection options
+ * @since 1.3.2
+ */
+function sqimap_mailbox_option_list($imap_stream, $show_selected = 0, $folder_skip = 0, $boxes = 0,
+ $flag = 'noselect', $use_long_format = false ) {
+ global $username, $data_dir, $translate_special_folders, $sent_folder,
+ $trash_folder, $draft_folder;
+
+ $boxes = sqimap_mailbox_option_array($imap_stream, $folder_skip, $boxes, $flag, $use_long_format);
+
+ $str = '';
+ foreach ($boxes as $value=>$option) {
+ $lowerbox = strtolower(htmlspecialchars($value));
+ $sel = false;
+ if ($show_selected != 0) {
+ reset($show_selected);
+ while (!$sel && (list($x, $val) = each($show_selected))) {
+ if (strtolower($value) == strtolower(htmlspecialchars($val))) {
+ $sel = true;
+ }
}
}
+
+ $str .= '\n";
}
- return $mbox_options;
+
+ return $str;
}
/**
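Review bot: In the new sqimap_mailbox_option_list, `$lowerbox = strtolower(htmlspecialchars($value));` escapes a key that sqimap_mailbox_option_array has already escaped, and the variable is not read again in the visible lines, so the line can be dropped. The `global $username, ...` declaration also looks unused now that the work has moved into the helper. The pre-select scan can be written without `reset()`/`each()` as `foreach ($show_selected as $val) { if (strtolower($value) == strtolower(htmlspecialchars($val))) { $sel = true; break; } }`. Because escaping now happens where the array is built and not where the markup is emitted, a comment at the `$str .=` line saying which of `$value` and `$option` are already HTML-safe would help the next reader; that line is incomplete in this view, so its output encoding cannot be checked from here.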