From 7f62aaefa5d2087591f7b228a019440f165b1e7c Mon Sep 17 00:00:00 2001
From: tokul
Date: Thu, 20 Oct 2005 17:48:49 +0000
Subject: [PATCH] rearranging global.php layout: * first list defines, then functions, then run code * move php_self() function from strings.php to global.php in order to provide $PHP_SELF to session functions

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10179 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 functions/global.php | 122 ++++++++++++++++++++++++++---------------
 functions/strings.php | 31 +----------
 2 files changed, 78 insertions(+), 75 deletions(-)

diff --git a/functions/global.php b/functions/global.php
index 72dc1c3d..0f37590d 100644
--- a/functions/global.php
+++ b/functions/global.php
@@ -13,44 +13,15 @@
 * @package squirrelmail
 */
-
-/** set the name of the session cookie */
-if(isset($session_name) && $session_name) {
- ini_set('session.name' , $session_name);
-} else {
- ini_set('session.name' , 'SQMSESSID');
-}
-
 /**
- * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
- * Force magic_quotes_runtime off.
- * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
- * If there's a better place, please let me know.
- */
-ini_set('magic_quotes_runtime','0');
-
-/* Since we decided all IMAP servers must implement the UID command as defined in
- * the IMAP RFC, we force $uid_support to be on. */
-
-global $uid_support;
-$uid_support = true;
-
-sqsession_is_active();
-
-/* if running with magic_quotes_gpc then strip the slashes
- from POST and GET global arrays */
-
-if (get_magic_quotes_gpc()) {
- sqstripslashes($_GET);
- sqstripslashes($_POST);
-}
-
-/* strip any tags added to the url from PHP_SELF.
- This fixes hand crafted url XXS expoits for any
- page that uses PHP_SELF as the FORM action */
-
-$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+define('SQ_INORDER',0);
+define('SQ_GET',1);
+define('SQ_POST',2);
+define('SQ_SESSION',3);
+define('SQ_COOKIE',4);
+define('SQ_SERVER',5);
+define('SQ_FORM',6);
 /**
 * returns true if current php version is at mimimum a.b.c
@@ -157,15 +128,6 @@ function sqsession_is_registered ($name) {
 return $result;
 }
-
-define('SQ_INORDER',0);
-define('SQ_GET',1);
-define('SQ_POST',2);
-define('SQ_SESSION',3);
-define('SQ_COOKIE',4);
-define('SQ_SERVER',5);
-define('SQ_FORM',6);
-
 /**
 * Search for the var $name in $_SESSION, $_POST, $_GET,
 * $_COOKIE, or $_SERVER and set it in provided var.
@@ -294,6 +256,7 @@ function sqsession_start() { $repl = array('', '', ''); $base_uri = preg_replace($dirs, $repl, $PHP_SELF);
+ session_start();
 $sessid = session_id(); // session_starts sets the sessionid cookie buth without the httponly var
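Review bot: On the new side of the first hunk the surviving context line `/**` (the one left between `-}` and `- * If magic_quotes_runtime is on, ...`) now comes directly before `+define('SQ_INORDER',0);`, while the ` */` that used to close that comment is among the removed lines, so the seven `define(` lines and the `returns true if current php version` docblock after them appear to sit inside one unterminated doc comment that only ends at the next ` */`. If that is the resulting layout, the SQ_* constants are never defined and every later `sqgetGlobalVar(..., SQ_SERVER)` call in this file runs against an undefined constant; the collapsed rendering of this hunk makes the exact context placement uncertain, so verify it in the patched file. The fix is to either drop the stray `/**` or close it on the same line, e.g. `/** source selectors for sqgetGlobalVar() */`.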
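Review bot: The `session_start();` added ahead of `$sessid = session_id();` in the sqsession_start() hunk is unconditional, and PHP emits a notice and ignores the call when a session is already active; if sqsession_start() can be reached after the session was started elsewhere (its head and tail are outside this hunk, and `sqsession_is_active();` is now run at the bottom of this file), guard it, e.g. `if (session_id() == '') { session_start(); }`. A one-line comment above the call stating why the session is started at this point, after `$base_uri` has been derived from `$PHP_SELF`, would also help the next reader.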
@@ -337,5 +300,74 @@ function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecur
 header($sHeader);
 }
+
+/**
+ * php_self
+ *
+ * Creates an URL for the page calling this function, using either the PHP global
+ * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1
+ * function was stored in function/strings.php.
+ *
+ * @return string the complete url for this page
+ * @since 1.2.3
+ */
+function php_self () {
+ if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER) && !empty($req_uri) ) {
+ return $req_uri;
+ }
+
+ if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER) && !empty($php_self) ) {
+
+ // need to add query string to end of PHP_SELF to match REQUEST_URI
+ //
+ if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) && !empty($query_string) ) {
+ $php_self .= '?' . $query_string;
+ }
+
+ return $php_self;
+ }
+
+ return '';
+}
+
+/** set the name of the session cookie */
+if(isset($session_name) && $session_name) {
+ ini_set('session.name' , $session_name);
+} else {
+ ini_set('session.name' , 'SQMSESSID');
+}
+
+/**
+ * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
+ * Force magic_quotes_runtime off.
+ * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
+ * If there's a better place, please let me know.
+ */
+ini_set('magic_quotes_runtime','0');
+
+/* Since we decided all IMAP servers must implement the UID command as defined in
+ * the IMAP RFC, we force $uid_support to be on.
+ */
+
+global $uid_support;
+$uid_support = true;
+
+/* if running with magic_quotes_gpc then strip the slashes
+ from POST and GET global arrays */
+
+if (get_magic_quotes_gpc()) {
+ sqstripslashes($_GET);
+ sqstripslashes($_POST);
+}
+
+/* strip any tags added to the url from PHP_SELF.
+ This fixes hand crafted url XXS expoits for any page that uses PHP_SELF as the FORM action */
+$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+
+$PHP_SELF = php_self();
+
+sqsession_is_active(); + // vim: et ts=4 ?>
\ No newline at end of file
diff --git a/functions/strings.php b/functions/strings.php
index 89dfb5ee..94799a68 100644
--- a/functions/strings.php
+++ b/functions/strings.php
@@ -477,35 +477,6 @@ function readShortMailboxName($haystack, $needle) {
 return( $elem );
 }
 
-/**
- * php_self
- *
- * Creates an URL for the page calling this function, using either the PHP global
- * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added.
- *
- * @return string the complete url for this page
- * @since 1.2.3
- */
-function php_self () {
- if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER) && !empty($req_uri) ) {
- return $req_uri;
- }
-
- if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER) && !empty($php_self) ) {
-
- // need to add query string to end of PHP_SELF to match REQUEST_URI
- //
- if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) && !empty($query_string) ) {
- $php_self .= '?' . $query_string;
- }
-
- return $php_self;
- }
-
- return '';
-}
-
-
 /**
 * get_location
 *
@@ -1323,5 +1294,5 @@ function sq_count8bit($string) {
 }
 return $count;
 }
-$PHP_SELF = php_self();
+
 ?>
\ No newline at end of file
-- 
2.25.1
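Review bot: The `strip_tags()` applied to `$_SERVER['PHP_SELF']` does not reach `$PHP_SELF`: the `$PHP_SELF = php_self();` assignment two lines below returns the REQUEST_URI value fetched from `$_SERVER` untouched when it is non-empty, and otherwise appends the raw QUERY_STRING to PHP_SELF, so the comment `This fixes hand crafted url XXS expoits for any page that uses PHP_SELF as the FORM action` no longer describes what `$PHP_SELF` holds. Any page that prints `$PHP_SELF` into markup has to escape it at output (`htmlspecialchars()` for the attribute context) rather than rely on this line, which also leaves quotes intact. I would reword the comment to `/* strip_tags() only sanitises $_SERVER['PHP_SELF']; $PHP_SELF below is built from REQUEST_URI/QUERY_STRING and must be escaped wherever it is output */`. Separately, the moved php_self() docblock says `function/strings.php`; the file is `functions/strings.php`, as this patch's own header shows.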