[squirrelmail.git] / functions / global.php

<?php

/**
 * global.php
 *
 * Copyright (c) 1999-2003 The SquirrelMail Project Team
 * Licensed under the GNU GPL. For full terms see the file COPYING.
 *
 * This includes code to update < 4.1.0 globals to the newer format 
 * It also has some session register functions that work across various
 * php versions. 
 *
 * $Id$
 * @package squirrelmail
 */

/** Bring in the config file. */
require_once(SM_PATH . 'config/config.php');

/** set the name of the session cookie */
if(isset($session_name) && $session_name) {  
    ini_set('session.name' , $session_name);  
} else {  
    ini_set('session.name' , 'SQMSESSID');  
}

/** If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
 *  Force magic_quotes_runtime off.
 *  tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
 *  If there's a better place, please let me know.
 */
ini_set('magic_quotes_runtime','0');

/* Since we decided all IMAP servers must implement the UID command as defined in
 * the IMAP RFC, we force $uid_support to be on.
 */

global $uid_support;
$uid_support = true;

sqsession_is_active();

/* convert old-style superglobals to current method
 * this is executed if you are running PHP 4.0.x.
 * it is run via a require_once directive in validate.php 
 * and redirect.php. Patch submitted by Ray Black.
 */ 

if ( !check_php_version(4,1) ) {
  global $_COOKIE, $_ENV, $_FILES, $_GET, $_POST, $_SERVER, $_SESSION;
  global $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_GET_VARS,
         $HTTP_POST_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $PHP_SELF;
  $_COOKIE  =& $HTTP_COOKIE_VARS;
  $_ENV     =& $HTTP_ENV_VARS;
  $_FILES   =& $HTTP_POST_FILES;
  $_GET     =& $HTTP_GET_VARS;
  $_POST    =& $HTTP_POST_VARS;
  $_SERVER  =& $HTTP_SERVER_VARS;
  $_SESSION =& $HTTP_SESSION_VARS;
  if (!isset($PHP_SELF) || empty($PHP_SELF)) {
     $PHP_SELF =  $HTTP_SERVER_VARS['PHP_SELF'];
  }
}

/* if running with magic_quotes_gpc then strip the slashes
   from POST and GET global arrays */

if (get_magic_quotes_gpc()) {
    sqstripslashes($_GET);
    sqstripslashes($_POST);
}

/* strip any tags added to the url from PHP_SELF.
   This fixes hand crafted url XXS expoits for any
   page that uses PHP_SELF as the FORM action */

$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);

/** 
 * returns true if current php version is at mimimum a.b.c 
 * 
 * Called: check_php_version(4,1)
 * @param int a major version number
 * @param int b minor version number
 * @param int c release number
 * @return bool
 */
function check_php_version ($a = '0', $b = '0', $c = '0')             
{
    global $SQ_PHP_VERSION;
 
    if(!isset($SQ_PHP_VERSION))
        $SQ_PHP_VERSION = substr( str_pad( preg_replace('/\D/','', PHP_VERSION), 3, '0'), 0, 3);

    return $SQ_PHP_VERSION >= ($a.$b.$c);
}

/**
 * returns true if the current internal SM version is at minimum a.b.c 
 * These are plain integer comparisons, as our internal version is 
 * constructed by us, as an array of 3 ints.
 *
 * Called: check_sm_version(1,3,3)
 * @param int a major version number
 * @param int b minor version number
 * @param int c release number
 * @return bool
 */
function check_sm_version($a = 0, $b = 0, $c = 0)
{
    global $SQM_INTERNAL_VERSION;
    if ( !isset($SQM_INTERNAL_VERSION) ||
         $SQM_INTERNAL_VERSION[0] < $a ||
	 $SQM_INTERNAL_VERSION[1] < $b ||
	 ( $SQM_INTERNAL_VERSION[1] == $b &&
           $SQM_INTERNAL_VERSION[2] < $c ) ) {
        return FALSE;
    } 
    return TRUE;  
}


/**
 * Recursively strip slashes from the values of an array.
 * @param array array the array to strip, passed by reference
 * @return void
 */
function sqstripslashes(&$array) {
    if(count($array) > 0) {
        foreach ($array as $index=>$value) {
            if (is_array($array[$index])) {
                sqstripslashes($array[$index]);
            }
            else {
                $array[$index] = stripslashes($value);
            }
        }
    }
}

/**
 * Add a variable to the session.
 * @param mixed $var the variable to register
 * @param string $name the name to refer to this variable
 * @return void
 */
function sqsession_register ($var, $name) {

    sqsession_is_active();

    if ( !check_php_version(4,1) ) {
        global $HTTP_SESSION_VARS;
        $HTTP_SESSION_VARS[$name] = $var;
    }
    else {
        $_SESSION["$name"] = $var; 
    }
    session_register("$name");
}

/**
 * Delete a variable from the session.
 * @param string $name the name of the var to delete
 * @return void
 */
function sqsession_unregister ($name) {

    sqsession_is_active();

    if ( !check_php_version(4,1) ) {
        global $HTTP_SESSION_VARS;
        unset($HTTP_SESSION_VARS[$name]);
    }
    else {
        unset($_SESSION[$name]);
    }
    session_unregister("$name");
}

/**
 * Checks to see if a variable has already been registered
 * in the session.
 * @param string $name the name of the var to check
 * @return bool whether the var has been registered
 */
function sqsession_is_registered ($name) {
    $test_name = &$name;
    $result = false;
    if ( !check_php_version(4,1) ) {
        global $HTTP_SESSION_VARS;
        if (isset($HTTP_SESSION_VARS[$test_name])) {
            $result = true;
        }
    }
    else {
        if (isset($_SESSION[$test_name])) {
            $result = true;
        }
    }
    return $result;
}


define('SQ_INORDER',0);
define('SQ_GET',1);
define('SQ_POST',2);
define('SQ_SESSION',3);
define('SQ_COOKIE',4);
define('SQ_SERVER',5);
define('SQ_FORM',6);

/**
 * Search for the var $name in $_SESSION, $_POST, $_GET,
 * $_COOKIE, or $_SERVER and set it in provided var. 
 *
 * If $search is not provided,  or == SQ_INORDER, it will search
 * $_SESSION, then $_POST, then $_GET. Otherwise,
 * use one of the defined constants to look for 
 * a var in one place specifically.
 *
 * Note: $search is an int value equal to one of the 
 * constants defined above.
 *
 * example:
 *    sqgetGlobalVar('username',$username,SQ_SESSION);
 *  -- no quotes around last param!
 *
 * @param string name the name of the var to search
 * @param mixed value the variable to return
 * @param int search constant defining where to look
 * @return bool whether variable is found.
 */
function sqgetGlobalVar($name, &$value, $search = SQ_INORDER) {

    if ( !check_php_version(4,1) ) {
        global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, 
               $HTTP_SERVER_VARS, $HTTP_SESSION_VARS;

        $_COOKIE  =& $HTTP_COOKIE_VARS;
        $_GET     =& $HTTP_GET_VARS;
        $_POST    =& $HTTP_POST_VARS;
        $_SERVER  =& $HTTP_SERVER_VARS;
        $_SESSION =& $HTTP_SESSION_VARS;
    }

    /* NOTE: DO NOT enclose the constants in the switch
       statement with quotes. They are constant values,
       enclosing them in quotes will cause them to evaluate
       as strings. */
    switch ($search) {
        /* we want the default case to be first here,  
	   so that if a valid value isn't specified, 
	   all three arrays will be searched. */
      default:
      case SQ_INORDER: // check session, post, get
      case SQ_SESSION:
        if( isset($_SESSION[$name]) ) {
            $value = $_SESSION[$name];
            return TRUE;
        } elseif ( $search == SQ_SESSION ) {
            break;
        }
      case SQ_FORM:   // check post, get
      case SQ_POST:
        if( isset($_POST[$name]) ) {
            $value = $_POST[$name];
            return TRUE;
        } elseif ( $search == SQ_POST ) {
          break;
        }
      case SQ_GET:
        if ( isset($_GET[$name]) ) {
            $value = $_GET[$name];
            return TRUE;
        } 
        /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */
        break;
      case SQ_COOKIE:
        if ( isset($_COOKIE[$name]) ) {
            $value = $_COOKIE[$name];
            return TRUE; 
        }
        break;
      case SQ_SERVER:
        if ( isset($_SERVER[$name]) ) {
            $value = $_SERVER[$name];
            return TRUE;
        }
        break;
    }
    return FALSE;
}

/**
 * Deletes an existing session, more advanced than the standard PHP
 * session_destroy(), it explicitly deletes the cookies and global vars.
 */
function sqsession_destroy() {

    /*
     * php.net says we can kill the cookie by setting just the name:
     * http://www.php.net/manual/en/function.setcookie.php
     * maybe this will help fix the session merging again.
     *
     * Changed the theory on this to kill the cookies first starting
     * a new session will provide a new session for all instances of
     * the browser, we don't want that, as that is what is causing the
     * merging of sessions.
     */

    global $base_uri;

    if (isset($_COOKIE[session_name()])) setcookie(session_name(), '', time() - 5, $base_uri);
    if (isset($_COOKIE['username'])) setcookie('username','',time() - 5,$base_uri);
    if (isset($_COOKIE['key'])) setcookie('key','',time() - 5,$base_uri);

    $sessid = session_id();
    if (!empty( $sessid )) {
        if ( !check_php_version(4,1) ) {
            global $HTTP_SESSION_VARS;
            $HTTP_SESSION_VARS = array();
        } else {
            $_SESSION = array();
        }
        @session_destroy();
    }

}

/**
 * Function to verify a session has been started.  If it hasn't
 * start a session up.  php.net doesn't tell you that $_SESSION
 * (even though autoglobal), is not created unless a session is
 * started, unlike $_POST, $_GET and such
 */

function sqsession_is_active() {

    $sessid = session_id();
    if ( empty( $sessid ) ) {
        session_start();
    }
}


?>
Commit	Line	Data
61d9ec71	1	<?php
	2
	3	/**
0c701a88	4	* global.php
61d9ec71	5	*
76911253	6	* Copyright (c) 1999-2003 The SquirrelMail Project Team
61d9ec71	7	* Licensed under the GNU GPL. For full terms see the file COPYING.
	8	*
	9	* This includes code to update < 4.1.0 globals to the newer format
242342d0	10	* It also has some session register functions that work across various
61d9ec71	11	* php versions.
61d9ec71	12	*
242342d0	13	* $Id$
d6c32258	14	* @package squirrelmail
61d9ec71	15	*/
61d9ec71	16
d6c32258	17	/** Bring in the config file. */
ebabf3f5	18	require_once(SM_PATH . 'config/config.php');
ebabf3f5	19
d6c32258	20	/** set the name of the session cookie */
ebabf3f5	21	if(isset($session_name) && $session_name) {
	22	ini_set('session.name' , $session_name);
	23	} else {
	24	ini_set('session.name' , 'SQMSESSID');
	25	}
	26
d6c32258	27	/** If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
	28	* Force magic_quotes_runtime off.
	29	* tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
	30	* If there's a better place, please let me know.
388c855c	31	*/
5f660901	32	ini_set('magic_quotes_runtime','0');
61d9ec71	33
0c701a88	34	/* Since we decided all IMAP servers must implement the UID command as defined in
	35	* the IMAP RFC, we force $uid_support to be on.
	36	*/
	37
	38	global $uid_support;
	39	$uid_support = true;
	40
d416901b	41	sqsession_is_active();
d416901b	42
61d9ec71	43	/* convert old-style superglobals to current method
	44	* this is executed if you are running PHP 4.0.x.
	45	* it is run via a require_once directive in validate.php
	46	* and redirect.php. Patch submitted by Ray Black.
	47	*/
	48
9697c5ab	49	if ( !check_php_version(4,1) ) {
61d9ec71	50	global $_COOKIE, $_ENV, $_FILES, $_GET, $_POST, $_SERVER, $_SESSION;
61d9ec71	51	global $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_GET_VARS,
cc407257	52	$HTTP_POST_VARS, $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $PHP_SELF;
61d9ec71	53	$_COOKIE =& $HTTP_COOKIE_VARS;
	54	$_ENV =& $HTTP_ENV_VARS;
	55	$_FILES =& $HTTP_POST_FILES;
	56	$_GET =& $HTTP_GET_VARS;
	57	$_POST =& $HTTP_POST_VARS;
	58	$_SERVER =& $HTTP_SERVER_VARS;
	59	$_SESSION =& $HTTP_SESSION_VARS;
cc407257	60	if (!isset($PHP_SELF) \|\| empty($PHP_SELF)) {
	61	$PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
	62	}
61d9ec71	63	}
61d9ec71	64
180239ca	65	/* if running with magic_quotes_gpc then strip the slashes
a32985a5	66	from POST and GET global arrays */
	67
	68	if (get_magic_quotes_gpc()) {
180239ca	69	sqstripslashes($_GET);
180239ca	70	sqstripslashes($_POST);
a32985a5	71	}
	72
	73	/* strip any tags added to the url from PHP_SELF.
	74	This fixes hand crafted url XXS expoits for any
	75	page that uses PHP_SELF as the FORM action */
	76
388c855c	77	$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
a32985a5	78
97bdc607	79	/**
	80	* returns true if current php version is at mimimum a.b.c
	81	*
	82	* Called: check_php_version(4,1)
8b096f0a	83	* @param int a major version number
	84	* @param int b minor version number
	85	* @param int c release number
	86	* @return bool
97bdc607	87	*/
9697c5ab	88	function check_php_version ($a = '0', $b = '0', $c = '0')
9697c5ab	89	{
3aa17cf9	90	global $SQ_PHP_VERSION;
97bdc607	91
3aa17cf9	92	if(!isset($SQ_PHP_VERSION))
5123154f	93	$SQ_PHP_VERSION = substr( str_pad( preg_replace('/\D/','', PHP_VERSION), 3, '0'), 0, 3);
9697c5ab	94
3aa17cf9	95	return $SQ_PHP_VERSION >= ($a.$b.$c);
9697c5ab	96	}
9697c5ab	97
97bdc607	98	/**
	99	* returns true if the current internal SM version is at minimum a.b.c
	100	* These are plain integer comparisons, as our internal version is
	101	* constructed by us, as an array of 3 ints.
	102	*
	103	* Called: check_sm_version(1,3,3)
8b096f0a	104	* @param int a major version number
	105	* @param int b minor version number
	106	* @param int c release number
	107	* @return bool
97bdc607	108	*/
	109	function check_sm_version($a = 0, $b = 0, $c = 0)
	110	{
	111	global $SQM_INTERNAL_VERSION;
	112	if ( !isset($SQM_INTERNAL_VERSION) \|\|
	113	$SQM_INTERNAL_VERSION[0] < $a \|\|
	114	$SQM_INTERNAL_VERSION[1] < $b \|\|
	115	( $SQM_INTERNAL_VERSION[1] == $b &&
	116	$SQM_INTERNAL_VERSION[2] < $c ) ) {
	117	return FALSE;
	118	}
	119	return TRUE;
	120	}
	121
	122
8b096f0a	123	/**
	124	* Recursively strip slashes from the values of an array.
	125	* @param array array the array to strip, passed by reference
	126	* @return void
	127	*/
a32985a5	128	function sqstripslashes(&$array) {
3aa17cf9	129	if(count($array) > 0) {
	130	foreach ($array as $index=>$value) {
	131	if (is_array($array[$index])) {
	132	sqstripslashes($array[$index]);
	133	}
	134	else {
	135	$array[$index] = stripslashes($value);
	136	}
a32985a5	137	}
	138	}
	139	}
	140
8b096f0a	141	/**
	142	* Add a variable to the session.
	143	* @param mixed $var the variable to register
	144	* @param string $name the name to refer to this variable
	145	* @return void
	146	*/
61d9ec71	147	function sqsession_register ($var, $name) {
281c3d5b	148
	149	sqsession_is_active();
	150
9697c5ab	151	if ( !check_php_version(4,1) ) {
61d9ec71	152	global $HTTP_SESSION_VARS;
9697c5ab	153	$HTTP_SESSION_VARS[$name] = $var;
61d9ec71	154	}
61d9ec71	155	else {
d7c82551	156	$_SESSION["$name"] = $var;
61d9ec71	157	}
dcc1cc82	158	session_register("$name");
61d9ec71	159	}
3aa17cf9	160
8b096f0a	161	/**
	162	* Delete a variable from the session.
	163	* @param string $name the name of the var to delete
	164	* @return void
	165	*/
61d9ec71	166	function sqsession_unregister ($name) {
281c3d5b	167
	168	sqsession_is_active();
	169
9697c5ab	170	if ( !check_php_version(4,1) ) {
d7c82551	171	global $HTTP_SESSION_VARS;
9697c5ab	172	unset($HTTP_SESSION_VARS[$name]);
61d9ec71	173	}
61d9ec71	174	else {
9697c5ab	175	unset($_SESSION[$name]);
61d9ec71	176	}
dcc1cc82	177	session_unregister("$name");
61d9ec71	178	}
3aa17cf9	179
8b096f0a	180	/**
	181	* Checks to see if a variable has already been registered
	182	* in the session.
	183	* @param string $name the name of the var to check
	184	* @return bool whether the var has been registered
	185	*/
d7c82551	186	function sqsession_is_registered ($name) {
	187	$test_name = &$name;
	188	$result = false;
9697c5ab	189	if ( !check_php_version(4,1) ) {
d7c82551	190	global $HTTP_SESSION_VARS;
	191	if (isset($HTTP_SESSION_VARS[$test_name])) {
	192	$result = true;
	193	}
	194	}
	195	else {
	196	if (isset($_SESSION[$test_name])) {
	197	$result = true;
	198	}
	199	}
	200	return $result;
	201	}
	202
61d9ec71	203
4cd8ae7d	204	define('SQ_INORDER',0);
	205	define('SQ_GET',1);
	206	define('SQ_POST',2);
	207	define('SQ_SESSION',3);
27d0841c	208	define('SQ_COOKIE',4);
27d0841c	209	define('SQ_SERVER',5);
d9ad2525	210	define('SQ_FORM',6);
4cd8ae7d	211
4cd8ae7d	212	/**
27d0841c	213	* Search for the var $name in $_SESSION, $_POST, $_GET,
27d0841c	214	* $_COOKIE, or $_SERVER and set it in provided var.
d1975c5b	215	*
4cd8ae7d	216	* If $search is not provided, or == SQ_INORDER, it will search
	217	* $_SESSION, then $_POST, then $_GET. Otherwise,
	218	* use one of the defined constants to look for
	219	* a var in one place specifically.
d1975c5b	220	*
	221	* Note: $search is an int value equal to one of the
	222	* constants defined above.
	223	*
	224	* example:
	225	* sqgetGlobalVar('username',$username,SQ_SESSION);
	226	* -- no quotes around last param!
	227	*
8b096f0a	228	* @param string name the name of the var to search
	229	* @param mixed value the variable to return
	230	* @param int search constant defining where to look
	231	* @return bool whether variable is found.
4cd8ae7d	232	*/
4cd8ae7d	233	function sqgetGlobalVar($name, &$value, $search = SQ_INORDER) {
f79c19a4	234
4cd8ae7d	235	if ( !check_php_version(4,1) ) {
f79c19a4	236	global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS,
	237	$HTTP_SERVER_VARS, $HTTP_SESSION_VARS;
	238
	239	$_COOKIE =& $HTTP_COOKIE_VARS;
	240	$_GET =& $HTTP_GET_VARS;
	241	$_POST =& $HTTP_POST_VARS;
	242	$_SERVER =& $HTTP_SERVER_VARS;
	243	$_SESSION =& $HTTP_SESSION_VARS;
4cd8ae7d	244	}
d1975c5b	245
	246	/* NOTE: DO NOT enclose the constants in the switch
	247	statement with quotes. They are constant values,
	248	enclosing them in quotes will cause them to evaluate
	249	as strings. */
4cd8ae7d	250	switch ($search) {
	251	/* we want the default case to be first here,
	252	so that if a valid value isn't specified,
	253	all three arrays will be searched. */
d1975c5b	254	default:
d9ad2525	255	case SQ_INORDER: // check session, post, get
d1975c5b	256	case SQ_SESSION:
d1975c5b	257	if( isset($_SESSION[$name]) ) {
4cd8ae7d	258	$value = $_SESSION[$name];
d1975c5b	259	return TRUE;
	260	} elseif ( $search == SQ_SESSION ) {
	261	break;
	262	}
d9ad2525	263	case SQ_FORM: // check post, get
d1975c5b	264	case SQ_POST:
d1975c5b	265	if( isset($_POST[$name]) ) {
4cd8ae7d	266	$value = $_POST[$name];
d1975c5b	267	return TRUE;
d1975c5b	268	} elseif ( $search == SQ_POST ) {
27d0841c	269	break;
d1975c5b	270	}
	271	case SQ_GET:
	272	if ( isset($_GET[$name]) ) {
	273	$value = $_GET[$name];
	274	return TRUE;
	275	}
	276	/* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */
	277	break;
	278	case SQ_COOKIE:
	279	if ( isset($_COOKIE[$name]) ) {
	280	$value = $_COOKIE[$name];
	281	return TRUE;
	282	}
	283	break;
	284	case SQ_SERVER:
d1975c5b	285	if ( isset($_SERVER[$name]) ) {
	286	$value = $_SERVER[$name];
	287	return TRUE;
	288	}
	289	break;
4cd8ae7d	290	}
	291	return FALSE;
	292	}
	293
8b096f0a	294	/**
	295	* Deletes an existing session, more advanced than the standard PHP
	296	* session_destroy(), it explicitly deletes the cookies and global vars.
	297	*/
513db22c	298	function sqsession_destroy() {
242342d0	299
281c3d5b	300	/*
	301	* php.net says we can kill the cookie by setting just the name:
	302	* http://www.php.net/manual/en/function.setcookie.php
	303	* maybe this will help fix the session merging again.
	304	*
	305	* Changed the theory on this to kill the cookies first starting
	306	* a new session will provide a new session for all instances of
	307	* the browser, we don't want that, as that is what is causing the
	308	* merging of sessions.
	309	*/
242342d0	310
f9902ccb	311	global $base_uri;
f31687f6	312
	313	if (isset($_COOKIE[session_name()])) setcookie(session_name(), '', time() - 5, $base_uri);
	314	if (isset($_COOKIE['username'])) setcookie('username','',time() - 5,$base_uri);
	315	if (isset($_COOKIE['key'])) setcookie('key','',time() - 5,$base_uri);
281c3d5b	316
	317	$sessid = session_id();
	318	if (!empty( $sessid )) {
	319	if ( !check_php_version(4,1) ) {
	320	global $HTTP_SESSION_VARS;
	321	$HTTP_SESSION_VARS = array();
	322	} else {
	323	$_SESSION = array();
	324	}
21e18f59	325	@session_destroy();
242342d0	326	}
242342d0	327
281c3d5b	328	}
242342d0	329
8b096f0a	330	/**
281c3d5b	331	* Function to verify a session has been started. If it hasn't
	332	* start a session up. php.net doesn't tell you that $_SESSION
	333	* (even though autoglobal), is not created unless a session is
	334	* started, unlike $_POST, $_GET and such
	335	*/
	336
	337	function sqsession_is_active() {
	338
	339	$sessid = session_id();
	340	if ( empty( $sessid ) ) {
	341	session_start();
	342	}
513db22c	343	}
513db22c	344
281c3d5b	345
61d9ec71	346	?>