From 253ca97e54d037d73ff542a68be8c37c89814085 Mon Sep 17 00:00:00 2001 From: pdontthink Date: Thu, 29 Mar 2007 21:03:53 +0000 Subject: [PATCH] Handle change of behavior with session ID being left after session close (see #1685031) git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@12353 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- functions/global.php | 72 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 68 insertions(+), 4 deletions(-) diff --git a/functions/global.php b/functions/global.php index 5fe112a4..10a861ee 100644 --- a/functions/global.php +++ b/functions/global.php @@ -342,23 +342,30 @@ function sqsession_destroy() { * start a session up. php.net doesn't tell you that $_SESSION * (even though autoglobal), is not created unless a session is * started, unlike $_POST, $_GET and such + * Update: (see #1685031) the session ID is left over after the + * session is closed in some PHP setups; this function just becomes + * a passthru to sqsession_start(), but leaving old code in for + * edification. */ function sqsession_is_active() { - $sessid = session_id(); - if ( empty( $sessid ) ) { + //$sessid = session_id(); + //if ( empty( $sessid ) ) { sqsession_start(); - } + //} } /** * Function to start the session and store the cookie with the session_id as * HttpOnly cookie which means that the cookie isn't accessible by javascript * (IE6 only) + * Note that as sqsession_is_active() no longer discriminates as to when + * it calls this function, session_start() has to have E_NOTICE suppression + * (thus the @ sign). */ function sqsession_start() { global $base_uri; - session_start(); + @session_start(); $session_id = session_id(); // session_starts sets the sessionid cookie buth without the httponly var @@ -638,3 +645,60 @@ function sm_print_r() { print htmlentities($buffer); print ''; } + +/** + * Sanitize a value using htmlspecialchars() or similar, but also + * recursively run htmlspecialchars() (or similar) on array keys + * and values. + * + * If $value is not a string or an array with strings in it, + * the value is returned as is. + * + * @param mixed $value The value to be sanitized. + * @param mixed $quote_style Either boolean or an integer. If it + * is an integer, it must be the PHP + * constant indicating if/how to escape + * quotes: ENT_QUOTES, ENT_COMPAT, or + * ENT_NOQUOTES. If it is a boolean value, + * it must be TRUE and thus indicates + * that the only sanitizing to be done + * herein is to replace single and double + * quotes with ' and ", no other + * changes are made to $value. If it is + * boolean and FALSE, behavior reverts + * to same as if the value was ENT_QUOTES + * (OPTIONAL; default is ENT_QUOTES). + * + * @return mixed The sanitized value. + * + * @since 1.5.2 + * + **/ +function sq_htmlspecialchars($value, $quote_style=ENT_QUOTES) { + + if ($quote_style === FALSE) $quote_style = ENT_QUOTES; + + // array? go recursive... + // + if (is_array($value)) { + $return_array = array(); + foreach ($value as $key => $val) { + $return_array[sq_htmlspecialchars($key, $quote_style)] + = sq_htmlspecialchars($val, $quote_style); + } + return $return_array; + + // sanitize strings only + // + } else if (is_string($value)) { + if ($quote_style === TRUE) + return str_replace(array('\'', '"'), array(''', '"'), $value); + else + return htmlspecialchars($value, $quote_style); + } + + // anything else gets returned with no changes + // + return $value; + +} -- 2.25.1