61d9ec71 |
1 | <?php |
2 | |
3 | /** |
0c701a88 |
4 | * global.php |
61d9ec71 |
5 | * |
62f7daa5 |
6 | * This includes code to update < 4.1.0 globals to the newer format |
242342d0 |
7 | * It also has some session register functions that work across various |
62f7daa5 |
8 | * php versions. |
61d9ec71 |
9 | * |
4b4abf93 |
10 | * @copyright © 1999-2005 The SquirrelMail Project Team |
11 | * @license http://opensource.org/licenses/gpl-license.php GNU Public License |
31841a9e |
12 | * @version $Id$ |
d6c32258 |
13 | * @package squirrelmail |
61d9ec71 |
14 | */ |
15 | |
051f6245 |
16 | /** |
2ca4c65a |
17 | */ |
7f62aaef |
18 | define('SQ_INORDER',0); |
19 | define('SQ_GET',1); |
20 | define('SQ_POST',2); |
21 | define('SQ_SESSION',3); |
22 | define('SQ_COOKIE',4); |
23 | define('SQ_SERVER',5); |
24 | define('SQ_FORM',6); |
a32985a5 |
25 | |
62f7daa5 |
26 | /** |
27 | * returns true if current php version is at mimimum a.b.c |
28 | * |
97bdc607 |
29 | * Called: check_php_version(4,1) |
8b096f0a |
30 | * @param int a major version number |
31 | * @param int b minor version number |
32 | * @param int c release number |
33 | * @return bool |
97bdc607 |
34 | */ |
62f7daa5 |
35 | function check_php_version ($a = '0', $b = '0', $c = '0') |
9697c5ab |
36 | { |
5673cabe |
37 | return version_compare ( PHP_VERSION, "$a.$b.$c", 'ge' ); |
9697c5ab |
38 | } |
39 | |
97bdc607 |
40 | /** |
62f7daa5 |
41 | * returns true if the current internal SM version is at minimum a.b.c |
42 | * These are plain integer comparisons, as our internal version is |
97bdc607 |
43 | * constructed by us, as an array of 3 ints. |
44 | * |
45 | * Called: check_sm_version(1,3,3) |
8b096f0a |
46 | * @param int a major version number |
47 | * @param int b minor version number |
48 | * @param int c release number |
49 | * @return bool |
97bdc607 |
50 | */ |
51 | function check_sm_version($a = 0, $b = 0, $c = 0) |
52 | { |
53 | global $SQM_INTERNAL_VERSION; |
54 | if ( !isset($SQM_INTERNAL_VERSION) || |
55 | $SQM_INTERNAL_VERSION[0] < $a || |
150c28d6 |
56 | ( $SQM_INTERNAL_VERSION[0] == $a && |
57 | $SQM_INTERNAL_VERSION[1] < $b) || |
58 | ( $SQM_INTERNAL_VERSION[0] == $a && |
59 | $SQM_INTERNAL_VERSION[1] == $b && |
97bdc607 |
60 | $SQM_INTERNAL_VERSION[2] < $c ) ) { |
61 | return FALSE; |
62f7daa5 |
62 | } |
63 | return TRUE; |
97bdc607 |
64 | } |
65 | |
66 | |
8b096f0a |
67 | /** |
68 | * Recursively strip slashes from the values of an array. |
69 | * @param array array the array to strip, passed by reference |
70 | * @return void |
71 | */ |
a32985a5 |
72 | function sqstripslashes(&$array) { |
3aa17cf9 |
73 | if(count($array) > 0) { |
74 | foreach ($array as $index=>$value) { |
75 | if (is_array($array[$index])) { |
76 | sqstripslashes($array[$index]); |
77 | } |
78 | else { |
79 | $array[$index] = stripslashes($value); |
80 | } |
a32985a5 |
81 | } |
82 | } |
83 | } |
84 | |
8b096f0a |
85 | /** |
86 | * Add a variable to the session. |
87 | * @param mixed $var the variable to register |
88 | * @param string $name the name to refer to this variable |
89 | * @return void |
90 | */ |
61d9ec71 |
91 | function sqsession_register ($var, $name) { |
281c3d5b |
92 | |
93 | sqsession_is_active(); |
94 | |
62f7daa5 |
95 | $_SESSION["$name"] = $var; |
96 | |
dcc1cc82 |
97 | session_register("$name"); |
61d9ec71 |
98 | } |
3aa17cf9 |
99 | |
8b096f0a |
100 | /** |
101 | * Delete a variable from the session. |
102 | * @param string $name the name of the var to delete |
103 | * @return void |
104 | */ |
61d9ec71 |
105 | function sqsession_unregister ($name) { |
281c3d5b |
106 | |
107 | sqsession_is_active(); |
108 | |
abd74f7d |
109 | unset($_SESSION[$name]); |
62f7daa5 |
110 | |
dcc1cc82 |
111 | session_unregister("$name"); |
61d9ec71 |
112 | } |
3aa17cf9 |
113 | |
8b096f0a |
114 | /** |
115 | * Checks to see if a variable has already been registered |
116 | * in the session. |
117 | * @param string $name the name of the var to check |
118 | * @return bool whether the var has been registered |
119 | */ |
d7c82551 |
120 | function sqsession_is_registered ($name) { |
121 | $test_name = &$name; |
122 | $result = false; |
62f7daa5 |
123 | |
abd74f7d |
124 | if (isset($_SESSION[$test_name])) { |
125 | $result = true; |
d7c82551 |
126 | } |
62f7daa5 |
127 | |
d7c82551 |
128 | return $result; |
129 | } |
130 | |
4cd8ae7d |
131 | /** |
27d0841c |
132 | * Search for the var $name in $_SESSION, $_POST, $_GET, |
62f7daa5 |
133 | * $_COOKIE, or $_SERVER and set it in provided var. |
d1975c5b |
134 | * |
4cd8ae7d |
135 | * If $search is not provided, or == SQ_INORDER, it will search |
136 | * $_SESSION, then $_POST, then $_GET. Otherwise, |
62f7daa5 |
137 | * use one of the defined constants to look for |
4cd8ae7d |
138 | * a var in one place specifically. |
d1975c5b |
139 | * |
62f7daa5 |
140 | * Note: $search is an int value equal to one of the |
d1975c5b |
141 | * constants defined above. |
142 | * |
143 | * example: |
144 | * sqgetGlobalVar('username',$username,SQ_SESSION); |
145 | * -- no quotes around last param! |
146 | * |
8b096f0a |
147 | * @param string name the name of the var to search |
148 | * @param mixed value the variable to return |
149 | * @param int search constant defining where to look |
150 | * @return bool whether variable is found. |
4cd8ae7d |
151 | */ |
152 | function sqgetGlobalVar($name, &$value, $search = SQ_INORDER) { |
f79c19a4 |
153 | |
d1975c5b |
154 | /* NOTE: DO NOT enclose the constants in the switch |
155 | statement with quotes. They are constant values, |
156 | enclosing them in quotes will cause them to evaluate |
157 | as strings. */ |
4cd8ae7d |
158 | switch ($search) { |
62f7daa5 |
159 | /* we want the default case to be first here, |
051f6245 |
160 | so that if a valid value isn't specified, |
161 | all three arrays will be searched. */ |
d1975c5b |
162 | default: |
d9ad2525 |
163 | case SQ_INORDER: // check session, post, get |
d1975c5b |
164 | case SQ_SESSION: |
165 | if( isset($_SESSION[$name]) ) { |
4cd8ae7d |
166 | $value = $_SESSION[$name]; |
d1975c5b |
167 | return TRUE; |
168 | } elseif ( $search == SQ_SESSION ) { |
169 | break; |
170 | } |
d9ad2525 |
171 | case SQ_FORM: // check post, get |
d1975c5b |
172 | case SQ_POST: |
173 | if( isset($_POST[$name]) ) { |
4cd8ae7d |
174 | $value = $_POST[$name]; |
d1975c5b |
175 | return TRUE; |
176 | } elseif ( $search == SQ_POST ) { |
27d0841c |
177 | break; |
d1975c5b |
178 | } |
179 | case SQ_GET: |
180 | if ( isset($_GET[$name]) ) { |
181 | $value = $_GET[$name]; |
182 | return TRUE; |
62f7daa5 |
183 | } |
d1975c5b |
184 | /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */ |
185 | break; |
186 | case SQ_COOKIE: |
187 | if ( isset($_COOKIE[$name]) ) { |
188 | $value = $_COOKIE[$name]; |
62f7daa5 |
189 | return TRUE; |
d1975c5b |
190 | } |
191 | break; |
192 | case SQ_SERVER: |
d1975c5b |
193 | if ( isset($_SERVER[$name]) ) { |
194 | $value = $_SERVER[$name]; |
195 | return TRUE; |
196 | } |
197 | break; |
4cd8ae7d |
198 | } |
511f5c33 |
199 | /* Nothing found, return FALSE */ |
4cd8ae7d |
200 | return FALSE; |
201 | } |
202 | |
8b096f0a |
203 | /** |
204 | * Deletes an existing session, more advanced than the standard PHP |
205 | * session_destroy(), it explicitly deletes the cookies and global vars. |
206 | */ |
513db22c |
207 | function sqsession_destroy() { |
242342d0 |
208 | |
281c3d5b |
209 | /* |
210 | * php.net says we can kill the cookie by setting just the name: |
211 | * http://www.php.net/manual/en/function.setcookie.php |
212 | * maybe this will help fix the session merging again. |
213 | * |
214 | * Changed the theory on this to kill the cookies first starting |
215 | * a new session will provide a new session for all instances of |
216 | * the browser, we don't want that, as that is what is causing the |
217 | * merging of sessions. |
218 | */ |
242342d0 |
219 | |
f9902ccb |
220 | global $base_uri; |
f31687f6 |
221 | |
3a1de9f1 |
222 | if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri); |
223 | if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri); |
224 | if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri); |
281c3d5b |
225 | |
226 | $sessid = session_id(); |
227 | if (!empty( $sessid )) { |
abd74f7d |
228 | $_SESSION = array(); |
21e18f59 |
229 | @session_destroy(); |
242342d0 |
230 | } |
231 | |
281c3d5b |
232 | } |
242342d0 |
233 | |
8b096f0a |
234 | /** |
281c3d5b |
235 | * Function to verify a session has been started. If it hasn't |
236 | * start a session up. php.net doesn't tell you that $_SESSION |
237 | * (even though autoglobal), is not created unless a session is |
238 | * started, unlike $_POST, $_GET and such |
239 | */ |
281c3d5b |
240 | function sqsession_is_active() { |
281c3d5b |
241 | $sessid = session_id(); |
242 | if ( empty( $sessid ) ) { |
3a1de9f1 |
243 | sqsession_start(); |
281c3d5b |
244 | } |
513db22c |
245 | } |
246 | |
3a1de9f1 |
247 | /** |
248 | * Function to start the session and store the cookie with the session_id as |
249 | * HttpOnly cookie which means that the cookie isn't accessible by javascript |
250 | * (IE6 only) |
251 | */ |
252 | function sqsession_start() { |
253 | global $PHP_SELF; |
254 | |
255 | $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|'); |
256 | $repl = array('', '', ''); |
257 | $base_uri = preg_replace($dirs, $repl, $PHP_SELF); |
258 | |
7f62aaef |
259 | |
3a1de9f1 |
260 | session_start(); |
261 | $sessid = session_id(); |
262 | // session_starts sets the sessionid cookie buth without the httponly var |
263 | // setting the cookie again sets the httponly cookie attribute |
264 | sqsetcookie(session_name(),$sessid,false,$base_uri); |
265 | } |
266 | |
267 | |
268 | /** |
269 | * Set a cookie |
270 | * @param string $sName The name of the cookie. |
271 | * @param string $sValue The value of the cookie. |
272 | * @param int $iExpire The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. |
273 | * @param string $sPath The path on the server in which the cookie will be available on. |
274 | * @param string $sDomain The domain that the cookie is available. |
275 | * @param boolean $bSecure Indicates that the cookie should only be transmitted over a secure HTTPS connection. |
276 | * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only) |
277 | * @return void |
278 | */ |
279 | function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) { |
280 | $sHeader = "Set-Cookie: $sName=$sValue"; |
281 | if ($sPath) { |
282 | $sHeader .= "; Path=\"$sPath\""; |
283 | } |
284 | if ($iExpire !==false) { |
285 | $sHeader .= "; Max-Age=$iExpire"; |
286 | } |
287 | if ($sPath) { |
288 | $sHeader .= "; Path=$sPath"; |
289 | } |
290 | if ($sDomain) { |
291 | $sHeader .= "; Domain=$sDomain"; |
292 | } |
293 | if ($bSecure) { |
294 | $sHeader .= "; Secure"; |
295 | } |
296 | if ($bHttpOnly) { |
297 | $sHeader .= "; HttpOnly"; |
298 | } |
299 | $sHeader .= "; Version=1"; |
300 | |
301 | header($sHeader); |
302 | } |
7f62aaef |
303 | |
304 | /** |
305 | * php_self |
306 | * |
307 | * Creates an URL for the page calling this function, using either the PHP global |
308 | * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1 |
309 | * function was stored in function/strings.php. |
310 | * |
311 | * @return string the complete url for this page |
312 | * @since 1.2.3 |
313 | */ |
314 | function php_self () { |
315 | if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER) && !empty($req_uri) ) { |
316 | return $req_uri; |
317 | } |
318 | |
319 | if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER) && !empty($php_self) ) { |
320 | |
321 | // need to add query string to end of PHP_SELF to match REQUEST_URI |
322 | // |
323 | if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) && !empty($query_string) ) { |
324 | $php_self .= '?' . $query_string; |
325 | } |
326 | |
327 | return $php_self; |
328 | } |
329 | |
330 | return ''; |
331 | } |
332 | |
333 | /** set the name of the session cookie */ |
334 | if(isset($session_name) && $session_name) { |
335 | ini_set('session.name' , $session_name); |
336 | } else { |
337 | ini_set('session.name' , 'SQMSESSID'); |
338 | } |
339 | |
340 | /** |
341 | * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways. |
342 | * Force magic_quotes_runtime off. |
343 | * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this. |
344 | * If there's a better place, please let me know. |
345 | */ |
346 | ini_set('magic_quotes_runtime','0'); |
347 | |
348 | /* Since we decided all IMAP servers must implement the UID command as defined in |
349 | * the IMAP RFC, we force $uid_support to be on. |
350 | */ |
351 | |
352 | global $uid_support; |
353 | $uid_support = true; |
354 | |
355 | /* if running with magic_quotes_gpc then strip the slashes |
356 | from POST and GET global arrays */ |
357 | |
358 | if (get_magic_quotes_gpc()) { |
359 | sqstripslashes($_GET); |
360 | sqstripslashes($_POST); |
361 | } |
362 | |
363 | /* strip any tags added to the url from PHP_SELF. |
364 | This fixes hand crafted url XXS expoits for any |
365 | page that uses PHP_SELF as the FORM action */ |
366 | $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); |
367 | |
368 | $PHP_SELF = php_self(); |
369 | |
370 | sqsession_is_active(); |
371 | |
5673cabe |
372 | // vim: et ts=4 |
f8a1ed5a |
373 | ?> |