X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=functions%2Fstrings.php;h=3bcdacabca617b6d9d7d2e2d0d77ed3e0cac2810;hb=8ed1923822b383ddb338e9eef75bb7f110cc47b4;hp=123fab84ed5fb4dbfc9d6e439d87a25168ac2cfc;hpb=2f3be4069177a9a93c490f94c5b665268c61e2e8;p=squirrelmail.git diff --git a/functions/strings.php b/functions/strings.php index 123fab84..3bcdacab 100644 --- a/functions/strings.php +++ b/functions/strings.php @@ -6,7 +6,7 @@ * This code provides various string manipulation functions that are * used by the rest of the SquirrelMail code. * - * @copyright 1999-2010 The SquirrelMail Project Team + * @copyright 1999-2019 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -731,7 +731,7 @@ function GenerateRandomString($size, $chars, $flags = 0) { * @since 1.0.3 */ function quoteimap($str) { - return preg_replace("/([\"\\\\])/", "\\\\$1", $str); + return str_replace(array('\\', '"'), array('\\\\', '\\"'), $str); } /** @@ -1481,7 +1481,7 @@ function sm_truncate_string($string, $max_chars, $elipses='', * list ("old" is 2 days or * older unless the administrator * overrides that value using - * $max_security_token_age in + * $max_token_age_days in * config/config_local.php) * (OPTIONAL; default is to always * purge old tokens) @@ -1494,7 +1494,8 @@ function sm_truncate_string($string, $max_chars, $elipses='', function sm_get_user_security_tokens($purge_old=TRUE) { - global $data_dir, $username, $max_token_age_days; + global $data_dir, $username, $max_token_age_days, + $use_expiring_security_tokens; $tokens = getPref($data_dir, $username, 'security_tokens', ''); if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens)) @@ -1521,7 +1522,26 @@ function sm_get_user_security_tokens($purge_old=TRUE) /** * Generates a security token that is then stored in * the user's preferences with a timestamp for later - * verification/use. + * verification/use (although session-based tokens + * are not stored in user preferences). + * + * NOTE: By default SquirrelMail will use a single session-based + * token, but if desired, user tokens can have expiration + * dates associated with them and become invalid even during + * the same login session. When in that mode, the note + * immediately below applies, otherwise it is irrelevant. + * To enable that mode, the administrator must add the + * following to config/config_local.php: + * $use_expiring_security_tokens = TRUE; + * + * NOTE: The administrator can force SquirrelMail to generate + * a new token every time one is requested (which may increase + * obscurity through token randomness at the cost of some + * performance) by adding the following to + * config/config_local.php: $do_not_use_single_token = TRUE; + * Otherwise, only one token will be generated per user which + * will change only after it expires or is used outside of the + * validity period specified when calling sm_validate_security_token() * * WARNING: If the administrator has turned the token system * off by setting $disable_security_tokens to TRUE in @@ -1530,19 +1550,42 @@ function sm_get_user_security_tokens($purge_old=TRUE) * preferences (but it will still generate and return * a random string). * + * @param boolean $force_generate_new When TRUE, a new token will + * always be created even if current + * configuration dictates otherwise + * (OPTIONAL; default FALSE) + * * @return string A security token * * @since 1.4.19 and 1.5.2 * */ -function sm_generate_security_token() +function sm_generate_security_token($force_generate_new=FALSE) { - global $data_dir, $username, $disable_security_tokens; + global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token, + $use_expiring_security_tokens; $max_generation_tries = 1000; + // if we're using session-based tokens, just return + // the same one every time (generate it if it's not there) + // + if (!$use_expiring_security_tokens) + { + if (sqgetGlobalVar('sm_security_token', $token, SQ_SESSION)) + return $token; + + // create new one since there was none in session + $token = GenerateRandomString(12, '', 7); + sqsession_register($token, 'sm_security_token'); + return $token; + } + $tokens = sm_get_user_security_tokens(); + if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens)) + return key($tokens); + $new_token = GenerateRandomString(12, '', 7); $count = 0; while (isset($tokens[$new_token])) @@ -1573,9 +1616,12 @@ function sm_generate_security_token() * is too old but otherwise valid, it will still be rejected. * * "Too old" is 2 days or older unless the administrator - * overrides that value using $max_security_token_age in + * overrides that value using $max_token_age_days in * config/config_local.php * + * Session-based tokens of course are always reused and are + * valid for the lifetime of the login session. + * * WARNING: If the administrator has turned the token system * off by setting $disable_security_tokens to TRUE in * config/config.php or the configuration tool, this @@ -1584,10 +1630,16 @@ function sm_generate_security_token() * @param string $token The token to validate * @param int $validity_period The number of seconds tokens are valid * for (set to zero to remove valid tokens - * after only one use; use 3600 to allow - * tokens to be reused for an hour) - * (OPTIONAL; default is to only allow tokens - * to be used once) + * after only one use; set to -1 to allow + * indefinite re-use (but still subject to + * $max_token_age_days - see elsewhere); + * use 3600 to allow tokens to be reused for + * an hour) (OPTIONAL; default is to only + * allow tokens to be used once) + * NOTE this is unrelated to $max_token_age_days + * or rather is an additional time constraint on + * tokens that allows them to be re-used (or not) + * within a more narrow timeframe * @param boolean $show_error Indicates that if the token is not * valid, this function should display * a generic error, log the user out @@ -1604,12 +1656,33 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS { global $data_dir, $username, $max_token_age_days, + $use_expiring_security_tokens, $disable_security_tokens; // bypass token validation? CAREFUL! // if ($disable_security_tokens) return TRUE; + // if we're using session-based tokens, just compare + // the same one every time + // + if (!$use_expiring_security_tokens) + { + if (!sqgetGlobalVar('sm_security_token', $session_token, SQ_SESSION)) + { + if (!$show_error) return FALSE; + logout_error(_("Fatal security token error; please log in again")); + exit; + } + if ($token !== $session_token) + { + if (!$show_error) return FALSE; + logout_error(_("The current page request appears to have originated from an untrusted source.")); + exit; + } + return TRUE; + } + // don't purge old tokens here because we already // do it when generating tokens // @@ -1628,9 +1701,11 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS $timestamp = $tokens[$token]; // whether valid or not, we want to remove it from - // user prefs if it's old enough + // user prefs if it's old enough (unless requested to + // bypass this (in which case $validity_period is -1)) // - if ($timestamp < $now - $validity_period) + if ($validity_period >= 0 + && $timestamp < $now - $validity_period) { unset($tokens[$token]); setPref($data_dir, $username, 'security_tokens', serialize($tokens)); @@ -1653,3 +1728,43 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS } +/** + * Wrapper for PHP's htmlspecialchars() that + * attempts to add the correct character encoding + * + * @param string $string The string to be converted + * @param int $flags A bitmask that controls the behavior of htmlspecialchars() + * (See http://php.net/manual/function.htmlspecialchars.php ) + * (OPTIONAL; default ENT_COMPAT, ENT_COMPAT | ENT_SUBSTITUTE for PHP >=5.4) + * @param string $encoding The character encoding to use in the conversion + * (OPTIONAL; default automatic detection) + * @param boolean $double_encode Whether or not to convert entities that are + * already in the string (only supported in + * PHP 5.2.3+) (OPTIONAL; default TRUE) + * + * @return string The converted text + * + */ +function sm_encode_html_special_chars($string, $flags=ENT_COMPAT, + $encoding=NULL, $double_encode=TRUE) +{ + if (!$encoding) + { + global $default_charset; + if ($default_charset == 'iso-2022-jp') + $default_charset = 'EUC-JP'; + $encoding = $default_charset; + } + + if (check_php_version(5, 2, 3)) { + // Replace invalid characters with a symbol instead of returning + // empty string for the entire to be encoded string. + if (check_php_version(5, 4, 0) && $flags == ENT_COMPAT) { + $flags = $flags | ENT_SUBSTITUTE; + } + return htmlspecialchars($string, $flags, $encoding, $double_encode); + } + + return htmlspecialchars($string, $flags, $encoding); +} +