projects / squirrelmail.git / blob
? search:


ab30ffaafcdfd664b63419ea4fe5d66468e56903
[squirrelmail.git] / functions / global.php
1 <?php
2
3 /**
4 * global.php
5 *
6 * This includes code to update < 4.1.0 globals to the newer format
7 * It also has some session register functions that work across various
8 * php versions.
9 *
10 * @copyright &copy; 1999-2005 The SquirrelMail Project Team
11 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
12 * @version $Id$
13 * @package squirrelmail
14 */
15
16 /**
17 */
18 define('SQ_INORDER',0);
19 define('SQ_GET',1);
20 define('SQ_POST',2);
21 define('SQ_SESSION',3);
22 define('SQ_COOKIE',4);
23 define('SQ_SERVER',5);
24 define('SQ_FORM',6);
25
26 /**
27 * returns true if current php version is at mimimum a.b.c
28 *
29 * Called: check_php_version(4,1)
30 * @param int a major version number
31 * @param int b minor version number
32 * @param int c release number
33 * @return bool
34 */
35 function check_php_version ($a = '0', $b = '0', $c = '0')
36 {
37 return version_compare ( PHP_VERSION, "$a.$b.$c", 'ge' );
38 }
39
40 /**
41 * returns true if the current internal SM version is at minimum a.b.c
42 * These are plain integer comparisons, as our internal version is
43 * constructed by us, as an array of 3 ints.
44 *
45 * Called: check_sm_version(1,3,3)
46 * @param int a major version number
47 * @param int b minor version number
48 * @param int c release number
49 * @return bool
50 */
51 function check_sm_version($a = 0, $b = 0, $c = 0)
52 {
53 global $SQM_INTERNAL_VERSION;
54 if ( !isset($SQM_INTERNAL_VERSION) ||
55 $SQM_INTERNAL_VERSION[0] < $a ||
56 ( $SQM_INTERNAL_VERSION[0] == $a &&
57 $SQM_INTERNAL_VERSION[1] < $b) ||
58 ( $SQM_INTERNAL_VERSION[0] == $a &&
59 $SQM_INTERNAL_VERSION[1] == $b &&
60 $SQM_INTERNAL_VERSION[2] < $c ) ) {
61 return FALSE;
62 }
63 return TRUE;
64 }
65
66
67 /**
68 * Recursively strip slashes from the values of an array.
69 * @param array array the array to strip, passed by reference
70 * @return void
71 */
72 function sqstripslashes(&$array) {
73 if(count($array) > 0) {
74 foreach ($array as $index=>$value) {
75 if (is_array($array[$index])) {
76 sqstripslashes($array[$index]);
77 }
78 else {
79 $array[$index] = stripslashes($value);
80 }
81 }
82 }
83 }
84
85 /**
86 * Add a variable to the session.
87 * @param mixed $var the variable to register
88 * @param string $name the name to refer to this variable
89 * @return void
90 */
91 function sqsession_register ($var, $name) {
92
93 sqsession_is_active();
94
95 $_SESSION["$name"] = $var;
96
97 session_register("$name");
98 }
99
100 /**
101 * Delete a variable from the session.
102 * @param string $name the name of the var to delete
103 * @return void
104 */
105 function sqsession_unregister ($name) {
106
107 sqsession_is_active();
108
109 unset($_SESSION[$name]);
110
111 session_unregister("$name");
112 }
113
114 /**
115 * Checks to see if a variable has already been registered
116 * in the session.
117 * @param string $name the name of the var to check
118 * @return bool whether the var has been registered
119 */
120 function sqsession_is_registered ($name) {
121 $test_name = &$name;
122 $result = false;
123
124 if (isset($_SESSION[$test_name])) {
125 $result = true;
126 }
127
128 return $result;
129 }
130
131 /**
132 * Search for the var $name in $_SESSION, $_POST, $_GET, $_COOKIE, or $_SERVER
133 * and set it in provided var.
134 *
135 * If $search is not provided, or if it is SQ_INORDER, it will search $_SESSION,
136 * then $_POST, then $_GET. If $search is SQ_FORM it will search $_POST and
137 * $_GET. Otherwise, use one of the defined constants to look for a var in one
138 * place specifically.
139 *
140 * Note: $search is an int value equal to one of the constants defined above.
141 *
142 * Example:
143 * sqgetGlobalVar('username',$username,SQ_SESSION);
144 * // No quotes around last param, it's a constant - not a string!
145 *
146 * @param string name the name of the var to search
147 * @param mixed value the variable to return
148 * @param int search constant defining where to look
149 * @return bool whether variable is found.
150 */
151 function sqgetGlobalVar($name, &$value, $search = SQ_INORDER) {
152
153 /* NOTE: DO NOT enclose the constants in the switch
154 statement with quotes. They are constant values,
155 enclosing them in quotes will cause them to evaluate
156 as strings. */
157 switch ($search) {
158 /* we want the default case to be first here,
159 so that if a valid value isn't specified,
160 all three arrays will be searched. */
161 default:
162 case SQ_INORDER: // check session, post, get
163 case SQ_SESSION:
164 if( isset($_SESSION[$name]) ) {
165 $value = $_SESSION[$name];
166 return TRUE;
167 } elseif ( $search == SQ_SESSION ) {
168 break;
169 }
170 case SQ_FORM: // check post, get
171 case SQ_POST:
172 if( isset($_POST[$name]) ) {
173 $value = $_POST[$name];
174 return TRUE;
175 } elseif ( $search == SQ_POST ) {
176 break;
177 }
178 case SQ_GET:
179 if ( isset($_GET[$name]) ) {
180 $value = $_GET[$name];
181 return TRUE;
182 }
183 /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */
184 break;
185 case SQ_COOKIE:
186 if ( isset($_COOKIE[$name]) ) {
187 $value = $_COOKIE[$name];
188 return TRUE;
189 }
190 break;
191 case SQ_SERVER:
192 if ( isset($_SERVER[$name]) ) {
193 $value = $_SERVER[$name];
194 return TRUE;
195 }
196 break;
197 }
198 /* Nothing found, return FALSE */
199 return FALSE;
200 }
201
202 /**
203 * Deletes an existing session, more advanced than the standard PHP
204 * session_destroy(), it explicitly deletes the cookies and global vars.
205 */
206 function sqsession_destroy() {
207
208 /*
209 * php.net says we can kill the cookie by setting just the name:
210 * http://www.php.net/manual/en/function.setcookie.php
211 * maybe this will help fix the session merging again.
212 *
213 * Changed the theory on this to kill the cookies first starting
214 * a new session will provide a new session for all instances of
215 * the browser, we don't want that, as that is what is causing the
216 * merging of sessions.
217 */
218
219 global $base_uri;
220
221 if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri);
222 if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri);
223 if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri);
224
225 $sessid = session_id();
226 if (!empty( $sessid )) {
227 $_SESSION = array();
228 @session_destroy();
229 }
230
231 }
232
233 /**
234 * Function to verify a session has been started. If it hasn't
235 * start a session up. php.net doesn't tell you that $_SESSION
236 * (even though autoglobal), is not created unless a session is
237 * started, unlike $_POST, $_GET and such
238 */
239 function sqsession_is_active() {
240 $sessid = session_id();
241 if ( empty( $sessid ) ) {
242 sqsession_start();
243 }
244 }
245
246 /**
247 * Function to start the session and store the cookie with the session_id as
248 * HttpOnly cookie which means that the cookie isn't accessible by javascript
249 * (IE6 only)
250 */
251 function sqsession_start() {
252 global $PHP_SELF;
253
254 $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|');
255 $repl = array('', '', '');
256 $base_uri = preg_replace($dirs, $repl, $PHP_SELF);
257
258
259 session_start();
260 $sessid = session_id();
261 // session_starts sets the sessionid cookie buth without the httponly var
262 // setting the cookie again sets the httponly cookie attribute
263 sqsetcookie(session_name(),$sessid,false,$base_uri);
264 }
265
266
267 /**
268 * Set a cookie
269 * @param string $sName The name of the cookie.
270 * @param string $sValue The value of the cookie.
271 * @param int $iExpire The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch.
272 * @param string $sPath The path on the server in which the cookie will be available on.
273 * @param string $sDomain The domain that the cookie is available.
274 * @param boolean $bSecure Indicates that the cookie should only be transmitted over a secure HTTPS connection.
275 * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
276 * @return void
277 */
278 function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) {
279 $sHeader = "Set-Cookie: $sName=$sValue";
280 if ($sPath) {
281 $sHeader .= "; path=$sPath";
282 }
283 if ($iExpire !== false) {
284 $sHeader .= "; Max-Age=$iExpire";
285 // php uses Expire header, also add the expire header
286 if ($iExpire === 0) {
287 $sHeader .= "; expires=". date("r",time() - 3600);
288 } else {
289 $sHeader .= "; expires=". date("r",$iExpire);
290 }
291 }
292 if ($sDomain) {
293 $sHeader .= "; Domain=$sDomain";
294 }
295 if ($bSecure) {
296 $sHeader .= "; Secure";
297 }
298 if ($bHttpOnly) {
299 $sHeader .= "; HttpOnly";
300 }
301 // $sHeader .= "; Version=1";
302
303 header($sHeader);
304 }
305
306 /**
307 * php_self
308 *
309 * Creates an URL for the page calling this function, using either the PHP global
310 * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1
311 * function was stored in function/strings.php.
312 *
313 * @return string the complete url for this page
314 * @since 1.2.3
315 */
316 function php_self () {
317 if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER) && !empty($req_uri) ) {
318 return $req_uri;
319 }
320
321 if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER) && !empty($php_self) ) {
322
323 // need to add query string to end of PHP_SELF to match REQUEST_URI
324 //
325 if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) && !empty($query_string) ) {
326 $php_self .= '?' . $query_string;
327 }
328
329 return $php_self;
330 }
331
332 return '';
333 }
334
335 /** set the name of the session cookie */
336 if(isset($session_name) && $session_name) {
337 ini_set('session.name' , $session_name);
338 } else {
339 ini_set('session.name' , 'SQMSESSID');
340 }
341
342 /**
343 * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
344 * Force magic_quotes_runtime off.
345 * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
346 * If there's a better place, please let me know.
347 */
348 ini_set('magic_quotes_runtime','0');
349
350 /* Since we decided all IMAP servers must implement the UID command as defined in
351 * the IMAP RFC, we force $uid_support to be on.
352 */
353
354 global $uid_support;
355 $uid_support = true;
356
357 /* if running with magic_quotes_gpc then strip the slashes
358 from POST and GET global arrays */
359 if (get_magic_quotes_gpc()) {
360 sqstripslashes($_GET);
361 sqstripslashes($_POST);
362 }
363
364 /**
365 * If register_globals are on, unregister all globals from $_GET, $_POST,
366 * and $_COOKIE. Before 4.3.0 $_FILES globals are unregistered too. Code
367 * requires PHP 4.1.0 or newer.
368 */
369 if ((bool) @ini_get('register_globals')) {
370 foreach ($_REQUEST as $key => $value) {
371 unset($GLOBALS[$key]);
372 }
373 }
374
375 /* strip any tags added to the url from PHP_SELF.
376 This fixes hand crafted url XXS expoits for any
377 page that uses PHP_SELF as the FORM action */
378 $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
379
380 $PHP_SELF = php_self();
381
382 sqsession_is_active();
383
384 ?>
Unnamed repository; edit this file 'description' to name the repository.