include/init.php

   1 <?php
   2
   3 /**
   4  * init.php -- initialisation file
   5  *
   6  * File should be loaded in every file in src/ or plugins that occupate an entire frame
   7  *
   8  * @copyright 2006-2009 The SquirrelMail Project Team
   9  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  10  * @version $Id$
  11  * @package squirrelmail
  12  */
  13
  14 /**
  15  * This is a development version so in order to track programmer mistakes we
  16  * set the error reporting to E_ALL
  17 FIXME: disabling this for now, because we now have $sm_debug_mode, but the problem with that is that we don't know what it will be until we have loaded the config file, a good 175 lines below after several important files have been included, etc.  For now, we'll trust that developers have turned on E_ALL in php.ini anyway, but this can be uncommented if not.
  18  */
  19 //error_reporting(E_ALL);
  20
  21
  22 /**
  23  * Make sure we have a page name
  24  *
  25  */
  26 if ( !defined('PAGE_NAME') ) define('PAGE_NAME', NULL);
  27
  28
  29 /**
  30  * If register_globals are on, unregister globals.
  31  * Second test covers boolean set as string (php_value register_globals off).
  32  */
  33 if ((bool) ini_get('register_globals') &&
  34     strtolower(ini_get('register_globals'))!='off') {
  35     /**
  36      * Remove all globals that are not reserved by PHP
  37      * 'value' and 'key' are used by foreach. Don't unset them inside foreach.
  38      */
  39     foreach ($GLOBALS as $key => $value) {
  40         switch($key) {
  41         case 'HTTP_POST_VARS':
  42         case '_POST':
  43         case 'HTTP_GET_VARS':
  44         case '_GET':
  45         case 'HTTP_COOKIE_VARS':
  46         case '_COOKIE':
  47         case 'HTTP_SERVER_VARS':
  48         case '_SERVER':
  49         case 'HTTP_ENV_VARS':
  50         case '_ENV':
  51         case 'HTTP_POST_FILES':
  52         case '_FILES':
  53         case '_REQUEST':
  54         case 'HTTP_SESSION_VARS':
  55         case '_SESSION':
  56         case 'GLOBALS':
  57         case 'key':
  58         case 'value':
  59             break;
  60         default:
  61             unset($GLOBALS[$key]);
  62         }
  63     }
  64     // Unset variables used in foreach
  65     unset($GLOBALS['key']);
  66     unset($GLOBALS['value']);
  67 }
  68
  69 /**
  70  * Used as a dummy value, e.g., for passing as an empty
  71  * hook argument (where the value is passed by reference,
  72  * and therefore NULL itself is not acceptable).
  73  */
  74 global $null;
  75 $null = NULL;
  76
  77 /**
  78  * The global $server_os variable will be "windows" if
  79  * we are working in a Windows environment or "*nix"
  80  * otherwise.
  81  */
  82 global $server_os;
  83 if (DIRECTORY_SEPARATOR == '\\') $server_os = 'windows'; else $server_os = '*nix';
  84
  85 /**
  86  * [#1518885] session.use_cookies = off breaks SquirrelMail
  87  *
  88  * When session cookies are not used, all http redirects, meta refreshes,
  89  * src/download.php and javascript URLs are broken. Setting must be set
  90  * before session is started.
  91  */
  92 if (!(bool)ini_get('session.use_cookies') ||
  93     ini_get('session.use_cookies') == 'off') {
  94     ini_set('session.use_cookies','1');
  95 }
  96
  97 /**
  98  * Initialize seed of random number generator.
  99  * We use a number of things to randomize input: current time in ms,
 100  * info about the remote client, info about the current process, the
 101  * randomness of uniqid and stat of the current file.
 102  *
 103  * We seed this here only once per init, not only to save cycles
 104  * but also to make the result of mt_rand more random (it now also
 105  * depends on the number of times mt_rand was called before in this
 106  * execution.
 107  */
 108 $seed = microtime() . $_SERVER['REMOTE_PORT'] . $_SERVER['REMOTE_ADDR'] . getmypid();
 109
 110 if (function_exists('getrusage')) {
 111     /* Avoid warnings with Win32 */
 112     $dat = @getrusage();
 113     if (isset($dat) && is_array($dat)) { $seed .= implode('', $dat); }
 114 }
 115
 116 if(!empty($_SERVER['UNIQUE_ID'])) {
 117     $seed .= $_SERVER['UNIQUE_ID'];
 118 }
 119
 120 $seed .= uniqid(mt_rand(),TRUE);
 121 $seed .= implode('', stat( __FILE__));
 122
 123 // mt_srand() uses an integer to seed, so we need to distill our
 124 // very large seed to something useful (without taking a sub-string,
 125 // the integer conversion of such a large number is always 0 on
 126 // many systems, but strangely, 9 hex numbers - even if larger
 127 // than a signed 32 bit integer - seem to be an acceptable "integer"
 128 // seed (perhaps it is used as unsigned?)...
 129 // we may want to revisit this and always force it to be less than
 130 // 2,147,483,647
 131 //
 132 $seed = hexdec(substr(md5($seed), 0, 9));
 133
 134 // PHP 4.2 and up don't require seeding, but their used seed algorithm
 135 // is of questionable quality, so we keep doing it ourselves. */
 136 mt_srand($seed);
 137
 138 /**
 139  * calculate SM_PATH and calculate the base_uri
 140  * assumptions made: init.php is only called from plugins or from the src dir.
 141  * files in the plugin directory may not be part of a subdirectory called "src"
 142  *
 143  */
 144 if (isset($_SERVER['SCRIPT_NAME'])) {
 145     $a = explode('/', $_SERVER['SCRIPT_NAME']);
 146 } elseif (isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) {
 147     $a = explode('/', $HTTP_SERVER_VARS['SCRIPT_NAME']);
 148 } else {
 149     $error = 'Unable to detect script environment. Please test your PHP '
 150            . 'settings and send your PHP core configuration, $_SERVER and '
 151            . '$HTTP_SERVER_VARS contents to the SquirrelMail developers.';
 152     die($error);
 153 }
 154 $sSM_PATH = '';
 155 for($i = count($a) -2; $i > -1; --$i) {
 156     $sSM_PATH .= '../';
 157     if ($a[$i] === 'src' || $a[$i] === 'plugins') {
 158         break;
 159     }
 160 }
 161
 162 $base_uri = implode('/', array_slice($a, 0, $i)). '/';
 163
 164 define('SM_PATH',$sSM_PATH);
 165 define('SM_BASE_URI', $base_uri);
 166
 167
 168 /**
 169  * global var $bInit is used to check if initialisation took place.
 170  * At this moment it's a workarounf for the include of addrbook_search_html
 171  * inside compose.php. If we found a better way then remove this. Do only use
 172  * this var if you know for sure a page can be called stand alone and be included
 173  * in another file.
 174  */
 175 $bInit = true;
 176
 177 /**
 178  * This theme as a failsafe if no themes were found, or if we error
 179  * out before anything could be initialised.
 180  */
 181 $color = array();
 182 $color[0]  = '#DCDCDC';  /* light gray    TitleBar               */
 183 $color[1]  = '#800000';  /* red                                  */
 184 $color[2]  = '#CC0000';  /* light red     Warning/Error Messages */
 185 $color[3]  = '#A0B8C8';  /* green-blue    Left Bar Background    */
 186 $color[4]  = '#FFFFFF';  /* white         Normal Background      */
 187 $color[5]  = '#FFFFCC';  /* light yellow  Table Headers          */
 188 $color[6]  = '#000000';  /* black         Text on left bar       */
 189 $color[7]  = '#0000CC';  /* blue          Links                  */
 190 $color[8]  = '#000000';  /* black         Normal text            */
 191 $color[9]  = '#ABABAB';  /* mid-gray      Darker version of #0   */
 192 $color[10] = '#666666';  /* dark gray     Darker version of #9   */
 193 $color[11] = '#770000';  /* dark red      Special Folders color  */
 194 $color[12] = '#EDEDED';
 195 $color[13] = '#800000';  /* (dark red)    Color for quoted text -- > 1 quote */
 196 $color[14] = '#ff0000';  /* (red)         Color for quoted text -- >> 2 or more */
 197 $color[15] = '#002266';  /* (dark blue)   Unselectable folders */
 198 $color[16] = '#ff9933';  /* (orange)      Highlight color */
 199
 200 require(SM_PATH . 'include/constants.php');
 201 require(SM_PATH . 'functions/global.php');
 202 require(SM_PATH . 'functions/strings.php');
 203 require(SM_PATH . 'functions/arrays.php');
 204 require(SM_PATH . 'functions/files.php');
 205
 206 /* load default configuration */
 207 require(SM_PATH . 'config/config_default.php');
 208 /* reset arrays in default configuration */
 209 $ldap_server = array();
 210 $plugins = array();
 211 $fontsets = array();
 212 $aTemplateSet = array();
 213 $aTemplateSet[0]['ID'] = 'default';
 214 $aTemplateSet[0]['NAME'] = 'Default';
 215
 216 /* load site configuration */
 217 require(SM_PATH . 'config/config.php');
 218 /* load local configuration overrides */
 219 if (file_exists(SM_PATH . 'config/config_local.php')) {
 220     require(SM_PATH . 'config/config_local.php');
 221 }
 222
 223
 224 /**
 225  * Set PHP error reporting level based on the SquirrelMail debug mode
 226  */
 227 $error_level = 0;
 228 if ($sm_debug_mode & SM_DEBUG_MODE_SIMPLE)
 229     $error_level |= E_ERROR;
 230 if ($sm_debug_mode & SM_DEBUG_MODE_MODERATE
 231  || $sm_debug_mode & SM_DEBUG_MODE_ADVANCED)
 232     $error_level |= E_ALL;
 233 if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
 234     $error_level |= E_STRICT;
 235 error_reporting($error_level);
 236
 237
 238 /**
 239  * Detect SSL connections
 240  */
 241 $is_secure_connection = is_ssl_secured_connection();
 242
 243
 244 require(SM_PATH . 'functions/plugin.php');
 245 require(SM_PATH . 'include/languages.php');
 246 require(SM_PATH . 'class/template/Template.class.php');
 247 require(SM_PATH . 'class/error.class.php');
 248
 249 /**
 250  * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
 251  * Force magic_quotes_runtime off.
 252  * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
 253  * If there's a better place, please let me know.
 254  */
 255 ini_set('magic_quotes_runtime','0');
 256
 257
 258 /* if running with magic_quotes_gpc then strip the slashes
 259    from POST and GET global arrays */
 260 if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
 261     sqstripslashes($_GET);
 262     sqstripslashes($_POST);
 263 }
 264
 265
 266 /**
 267  * Strip any tags added to the url from PHP_SELF.
 268  * This fixes hand crafted url XXS expoits for any
 269  * page that uses PHP_SELF as the FORM action
 270  * Update: strip_tags() won't catch something like
 271  * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="><script>window.open("http://example.com")</script>
 272  * or
 273  * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
 274  * because it doesn't bother with broken tags.
 275  * htmlspecialchars() is the preferred method.
 276  * QUERY_STRING also needs the same treatment since it is
 277  * used in php_self().
 278  */
 279 $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
 280 $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
 281
 282 $PHP_SELF = php_self();
 283
 284 /**
 285  * Initialize the session
 286  */
 287
 288 /** set the name of the session cookie */
 289 if (!isset($session_name) || !$session_name) {
 290     $session_name = 'SQMSESSID';
 291 }
 292
 293 /**
 294  * When session.auto_start is On we want to destroy/close the session
 295  */
 296 $sSessionAutostartName = session_name();
 297 $sSessionAutostartID = session_id();
 298 if (!empty($sSessionAutostartID) && $sSessionAutostartName !== $session_name) {
 299     $sCookiePath = ini_get('session.cookie_path');
 300     $sCookieDomain = ini_get('session.cookie_domain');
 301     // reset the cookie
 302     sqsetcookie($sSessionAutostartName,'',1,$sCookiePath,$sCookieDomain);
 303     @session_destroy();
 304     session_write_close();
 305 }
 306
 307 /**
 308  * includes from classes stored in the session
 309  */
 310 require(SM_PATH . 'class/mime.class.php');
 311
 312 ini_set('session.name' , $session_name);
 313 session_set_cookie_params (0, $base_uri);
 314 sqsession_is_active();
 315
 316 /**
 317  * When on login page, have to reset the user session, making
 318  * sure to save session restore data first
 319  */
 320 if (PAGE_NAME == 'login') {
 321     if (!sqGetGlobalVar('session_expired_post', $sep, SQ_SESSION))
 322         $sep = '';
 323     if (!sqGetGlobalVar('session_expired_location', $sel, SQ_SESSION))
 324         $sel = '';
 325     sqsession_destroy();
 326     session_write_close();
 327
 328     /**
 329      * in some rare instances, the session seems to stick
 330      * around even after destroying it (!!), so if it does,
 331      * we'll manually flatten the $_SESSION data
 332      */
 333     if (!empty($_SESSION))
 334         $_SESSION = array();
 335
 336     /**
 337      * Allow administrators to define custom session handlers
 338      * for SquirrelMail without needing to change anything in
 339      * php.ini (application-level).
 340      *
 341      * In config_local.php, admin needs to put:
 342      *
 343      *     $custom_session_handlers = array(
 344      *         'my_open_handler',
 345      *         'my_close_handler',
 346      *         'my_read_handler',
 347      *         'my_write_handler',
 348      *         'my_destroy_handler',
 349      *         'my_gc_handler',
 350      *     );
 351      *     session_module_name('user');
 352      *     session_set_save_handler(
 353      *         $custom_session_handlers[0],
 354      *         $custom_session_handlers[1],
 355      *         $custom_session_handlers[2],
 356      *         $custom_session_handlers[3],
 357      *         $custom_session_handlers[4],
 358      *         $custom_session_handlers[5]
 359      *     );
 360      *
 361      * We need to replicate that code once here because PHP has
 362      * long had a bug that resets the session handler mechanism
 363      * when the session data is also destroyed.  Because of this
 364      * bug, even administrators who define custom session handlers
 365      * via a PHP pre-load defined in php.ini (auto_prepend_file)
 366      * will still need to define the $custom_session_handlers array
 367      * in config_local.php.
 368      */
 369     global $custom_session_handlers;
 370     if (!empty($custom_session_handlers)) {
 371         $open    = $custom_session_handlers[0];
 372         $close   = $custom_session_handlers[1];
 373         $read    = $custom_session_handlers[2];
 374         $write   = $custom_session_handlers[3];
 375         $destroy = $custom_session_handlers[4];
 376         $gc      = $custom_session_handlers[5];
 377         session_module_name('user');
 378         session_set_save_handler($open, $close, $read, $write, $destroy, $gc);
 379     }
 380
 381     sqsession_is_active();
 382     session_regenerate_id();
 383
 384     // put session restore data back into session if necessary
 385     if (!empty($sel)) {
 386         sqsession_register($sel, 'session_expired_location');
 387         if (!empty($sep))
 388             sqsession_register($sep, 'session_expired_post');
 389     }
 390 }
 391
 392 /**
 393  * SquirrelMail internal version number -- DO NOT CHANGE
 394  * $sm_internal_version = array (release, major, minor)
 395  */
 396 $SQM_INTERNAL_VERSION = explode('.', SM_VERSION, 3);
 397 $SQM_INTERNAL_VERSION[2] = intval($SQM_INTERNAL_VERSION[2]);
 398
 399
 400 /* load prefs system; even when user not logged in, should be OK to do this here */
 401 require(SM_PATH . 'functions/prefs.php');
 402
 403
 404 /* if plugins are disabled only for one user and
 405  * the current user is NOT that user, turn them
 406  * back on
 407  */
 408 sqgetGlobalVar('username', $username, SQ_SESSION);
 409 if ($disable_plugins && !empty($disable_plugins_user)
 410  && $username != $disable_plugins_user) {
 411     $disable_plugins = false;
 412 }
 413
 414
 415 /* remove all plugins if they are disabled */
 416 if ($disable_plugins) {
 417    $plugins = array();
 418 }
 419
 420
 421 /**
 422  * Include Compatibility plugin if available.
 423  */
 424 if (!$disable_plugins && file_exists(SM_PATH . 'plugins/compatibility/functions.php'))
 425     include_once(SM_PATH . 'plugins/compatibility/functions.php');
 426
 427
 428 /**
 429  * MAIN PLUGIN LOADING CODE HERE
 430  * On init, we no longer need to load all plugin setup files.
 431  * Now, we load the statically generated hook registrations here
 432  * and let the hook calls include only the plugins needed.
 433  */
 434 $squirrelmail_plugin_hooks = array();
 435 if (!$disable_plugins && file_exists(SM_PATH . 'config/plugin_hooks.php')) {
 436 //FIXME: if we keep the plugin hooks array static like this, it seems like we should also keep the template files list in a static file too (when a new user session is started or the template set is changed, the code will dynamically iterate through the directory heirarchy of the template directory and catalog all the template files therein (and store the "catalog" in PHP session) -- instead, we could do that once at config-time and keep that static so SM can just include the file just like the line below)
 437     require(SM_PATH . 'config/plugin_hooks.php');
 438 }
 439
 440
 441 /**
 442  * Plugin authors note that the "config_override" hook used to be
 443  * executed here, but please adapt your plugin to use this "prefs_backend"
 444  * hook instead, making sure that it does NOT return anything, since
 445  * doing so will interfere with proper prefs system functionality.
 446  * Of course, otherwise, this hook may be used to do any configuration
 447  * overrides as needed, as well as set up a custom preferences backend.
 448  */
 449 $prefs_backend = do_hook('prefs_backend', $null);
 450 if (isset($prefs_backend) && !empty($prefs_backend) && file_exists(SM_PATH . $prefs_backend)) {
 451     require(SM_PATH . $prefs_backend);
 452 } elseif (isset($prefs_dsn) && !empty($prefs_dsn)) {
 453     require(SM_PATH . 'functions/db_prefs.php');
 454 } else {
 455     require(SM_PATH . 'functions/file_prefs.php');
 456 }
 457
 458
 459
 460 /**
 461  * DISABLED.
 462  * Remove globalized session data in rg=on setups
 463  *
 464  * Code can be utilized when session is started, but data is not loaded.
 465  * We have already loaded configuration and other important vars. Can't
 466  * clean session globals here, beside, the cleanout of globals at the
 467  * top of this file will have removed anything this code would find anyway.
 468 if ((bool) @ini_get('register_globals') &&
 469     strtolower(ini_get('register_globals'))!='off') {
 470     foreach ($_SESSION as $key => $value) {
 471         unset($GLOBALS[$key]);
 472     }
 473 }
 474 */
 475
 476 sqsession_register(SM_BASE_URI,'base_uri');
 477
 478 /**
 479  * Retrieve the language cookie
 480  */
 481 if (! sqgetGlobalVar('squirrelmail_language',$squirrelmail_language,SQ_COOKIE)) {
 482     $squirrelmail_language = '';
 483 }
 484
 485
 486 /**
 487  * In some cases, buffering all output allows more complex functionality,
 488  * especially for plugins that want to add headers on hooks that are beyond
 489  * the point of output having been sent to the browser otherwise.
 490  *
 491  * Note that we don't turn this on any earlier since we want to allow plugins
 492  * to turn it on themselves via a configuration override on the prefs_backend
 493  * hook.
 494  *
 495  */
 496 if ($buffer_output) ob_start(!empty($buffered_output_handler) ? $buffered_output_handler : NULL);
 497
 498
 499 /**
 500  * Do something special for some pages. This is based on the PAGE_NAME constant
 501  * set at the top of every page.
 502  */
 503 $set_up_langage_after_template_setup = FALSE;
 504 switch (PAGE_NAME) {
 505     case 'style':
 506
 507         // need to get the right template set up
 508         //
 509         sqGetGlobalVar('templateid', $templateid, SQ_GET);
 510
 511         // sanitize just in case...
 512         //
 513         $templateid = preg_replace('/(\.\.\/){1,}/', '', $templateid);
 514
 515         // make sure given template actually is available
 516         //
 517         $found_templateset = false;
 518         for ($i = 0; $i < count($aTemplateSet); ++$i) {
 519             if ($aTemplateSet[$i]['ID'] == $templateid) {
 520                 $found_templateset = true;
 521                 break;
 522             }
 523         }
 524
 525 // FIXME: do we need/want to check here for actual (physical) presence of template sets?
 526         // selected template not available, fall back to default template
 527         //
 528         if (!$found_templateset) {
 529             $sTemplateID = Template::get_default_template_set();
 530         } else {
 531             $sTemplateID = $templateid;
 532         }
 533
 534         session_write_close();
 535         break;
 536
 537     case 'mailto':
 538         // nothing to do
 539         break;
 540
 541     case 'redirect':
 542         require(SM_PATH . 'functions/auth.php');
 543         //nobreak;
 544
 545     case 'login':
 546         require(SM_PATH . 'functions/display_messages.php' );
 547         require(SM_PATH . 'functions/page_header.php');
 548         require(SM_PATH . 'functions/html.php');
 549
 550         // reset template file cache
 551         //
 552         $sTemplateID = Template::get_default_template_set();
 553         Template::cache_template_file_hierarchy($sTemplateID, TRUE);
 554
 555         /**
 556          * Make sure icon variables are setup for the login page.
 557          */
 558         $icon_theme = $icon_themes[$icon_theme_def]['PATH'];
 559         /*
 560          * NOTE: The $icon_theme_path var should contain the path to the icon
 561          *       theme to use.  If the admin has disabled icons, or the user has
 562          *       set the icon theme to "None," no icons will be used.
 563          */
 564         $icon_theme_path = (!$use_icons || $icon_theme=='none') ? NULL : ($icon_theme == 'template' ? SM_PATH . Template::calculate_template_images_directory($sTemplateID) : $icon_theme);
 565
 566         break;
 567     default:
 568         require(SM_PATH . 'functions/display_messages.php' );
 569         require(SM_PATH . 'functions/page_header.php');
 570         require(SM_PATH . 'functions/html.php');
 571
 572
 573         /**
 574          * Check if we are logged in and does optional referrer check
 575          */
 576         require(SM_PATH . 'functions/auth.php');
 577
 578         global $check_referrer, $domain;
 579         if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
 580         if ($check_referrer == '###DOMAIN###') $check_referrer = $domain;
 581         if (!empty($check_referrer)) {
 582             $ssl_check_referrer = 'https://' . $check_referrer;
 583             $check_referrer = 'http://' . $check_referrer;
 584         }
 585         if (!sqsession_is_registered('user_is_logged_in')
 586          || ($check_referrer && !empty($referrer)
 587           && strpos(strtolower($referrer), strtolower($check_referrer)) !== 0
 588           && strpos(strtolower($referrer), strtolower($ssl_check_referrer)) !== 0)) {
 589
 590             // use $message to indicate what logout text the user
 591             // will see... if 0, typical "You must be logged in"
 592             // if 1, information that the user session was saved
 593             // and will be resumed after (re)login, if 2, there
 594             // seems to have been a XSS or phishing attack (bad
 595             // referrer)
 596             //
 597             $message = 0;
 598
 599             //  First we store some information in the new session to prevent
 600             //  information-loss.
 601             //
 602             $session_expired_post = $_POST;
 603             $session_expired_location = PAGE_NAME;
 604             if (!sqsession_is_registered('session_expired_post')) {
 605                 sqsession_register($session_expired_post,'session_expired_post');
 606             }
 607             if (!sqsession_is_registered('session_expired_location')) {
 608                 sqsession_register($session_expired_location,'session_expired_location');
 609                 if ($session_expired_location == 'compose')
 610                     $message = 1;
 611             }
 612
 613             // was bad referrer the reason we were rejected?
 614             //
 615             if (sqsession_is_registered('user_is_logged_in')
 616              && $check_referrer && !empty($referrer))
 617                 $message = 2;
 618
 619             // signout page will deal with users who aren't logged
 620             // in on its own; don't show error here
 621             //
 622             if ( PAGE_NAME == 'signout' ) {
 623                 return;
 624             }
 625
 626             /**
 627              * Initialize the template object (logout_error uses it)
 628              */
 629             /*
 630              * $sTemplateID is not initialized when a user is not logged in, so we
 631              * will use the config file defaults here.  If the neccesary variables
 632              * are not set, force a default value.
 633              */
 634             if (PAGE_NAME == 'squirrelmail_rpc') {
 635                 $sTemplateID = Template::get_rpc_template_set();
 636             } else {
 637                 $sTemplateID = Template::get_default_template_set();
 638             }
 639             $oTemplate = Template::construct_template($sTemplateID);
 640
 641             set_up_language($squirrelmail_language, true);
 642             if (!$message)
 643                 logout_error( _("You must be logged in to access this page.") );
 644             else if ($message == 1)
 645                 logout_error( _("Your session has expired, but will be resumed after logging in again.") );
 646             else if ($message == 2)
 647                 logout_error( _("The current page request appears to have originated from an unrecognized source.") );
 648             exit;
 649         }
 650
 651         sqgetGlobalVar('authz',$authz,SQ_SESSION);
 652
 653         /**
 654          * Setting the prefs backend
 655          */
 656         sqgetGlobalVar('prefs_cache', $prefs_cache, SQ_SESSION );
 657         sqgetGlobalVar('prefs_are_cached', $prefs_are_cached, SQ_SESSION );
 658
 659         if ( !sqsession_is_registered('prefs_are_cached') ||
 660             !isset( $prefs_cache) ||
 661             !is_array( $prefs_cache)) {
 662             $prefs_are_cached = false;
 663             $prefs_cache = false; //array();
 664         }
 665
 666         /**
 667          * initializing user settings
 668          */
 669         require(SM_PATH . 'include/load_prefs.php');
 670
 671         /**
 672          * We'll need this to later have a noframes version
 673          *
 674          * Check if the user has a language preference, but no cookie.
 675          * Send him a cookie with his language preference, if there is
 676          * such discrepancy.
 677          */
 678          $my_language = getPref($data_dir, $username, 'language');
 679          if ($my_language != $squirrelmail_language) {
 680              sqsetcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri);
 681          }
 682
 683         $set_up_langage_after_template_setup = TRUE;
 684
 685         $timeZone = getPref($data_dir, $username, 'timezone');
 686
 687         /* Check to see if we are allowed to set the TZ environment variable.
 688          * We are able to do this if ...
 689          *   safe_mode is disabled OR
 690          *   safe_mode_allowed_env_vars is empty (you are allowed to set any) OR
 691          *   safe_mode_allowed_env_vars contains TZ
 692          */
 693         $tzChangeAllowed = (!ini_get('safe_mode')) ||
 694                             !strcmp(ini_get('safe_mode_allowed_env_vars'),'') ||
 695                             preg_match('/^([\w_]+,)*TZ/', ini_get('safe_mode_allowed_env_vars'));
 696
 697         if ( $timeZone != SMPREF_NONE && ($timeZone != "")
 698             && $tzChangeAllowed ) {
 699
 700             // get time zone key, if strict or custom strict timezones are used
 701             if (isset($time_zone_type) &&
 702                 ($time_zone_type == 1 || $time_zone_type == 3)) {
 703                 /* load time zone functions */
 704                 require(SM_PATH . 'include/timezones.php');
 705                 $realTimeZone = sq_get_tz_key($timeZone);
 706             } else {
 707                 $realTimeZone = $timeZone;
 708             }
 709
 710             // set time zone
 711             if ($realTimeZone) {
 712                 putenv("TZ=".$realTimeZone);
 713             }
 714         }
 715
 716         /**
 717          * php 5.1.0 added time zone functions. Set time zone with them in order
 718          * to prevent E_STRICT notices and allow time zone modifications in safe_mode.
 719          */
 720         if (function_exists('date_default_timezone_set')) {
 721             if ($timeZone != SMPREF_NONE && $timeZone != "") {
 722                 date_default_timezone_set($timeZone);
 723             } else {
 724                 // interface runs on server's time zone. Remove php E_STRICT complains
 725                 $default_timezone = @date_default_timezone_get();
 726                 date_default_timezone_set($default_timezone);
 727             }
 728         }
 729         break;
 730 }
 731
 732 /*
 733  * $sTemplateID is not initialized when a user is not logged in, so we
 734  * will use the config file defaults here.  If the neccesary variables
 735  * are not set, force a default value.
 736  *
 737  * If the user is logged in, $sTemplateID will be set in load_prefs.php,
 738  * so we shouldn't change it here.
 739  */
 740 if (!isset($sTemplateID)) {
 741     if (PAGE_NAME == 'squirrelmail_rpc') {
 742         $sTemplateID = Template::get_rpc_template_set();
 743     } else {
 744         $sTemplateID = Template::get_default_template_set();
 745     }
 746     $icon_theme_path = !$use_icons ? NULL : Template::calculate_template_images_directory($sTemplateID);
 747 }
 748
 749 // template object may have already been constructed in load_prefs.php
 750 //
 751 if (empty($oTemplate)) {
 752     $oTemplate = Template::construct_template($sTemplateID);
 753 }
 754
 755 // We want some variables to always be available to the template
 756 //
 757 $oTemplate->assign('javascript_on',
 758     (sqGetGlobalVar('user_is_logged_in', $user_is_logged_in, SQ_SESSION)
 759      ?  checkForJavascript() : 0));
 760 $oTemplate->assign('base_uri', sqm_baseuri());
 761 $always_include = array('sTemplateID', 'icon_theme_path');
 762 foreach ($always_include as $var) {
 763     $oTemplate->assign($var, (isset($$var) ? $$var : NULL));
 764 }
 765
 766 // A few output elements are used often, so just get them once here
 767 //
 768 $nbsp = $oTemplate->fetch('non_breaking_space.tpl');
 769 $br = $oTemplate->fetch('line_break.tpl');
 770
 771
 772 /**
 773  * Set up the language.
 774  *
 775  * This code block corresponds to the *default* block of the switch
 776  * statement above, but the language cannot be set up until after the
 777  * template is instantiated, so we set $set_up_langage_after_template_setup
 778  * above and do the linguistic stuff now.
 779  */
 780 if ($set_up_langage_after_template_setup) {
 781     $err=set_up_language(getPref($data_dir, $username, 'language'));
 782
 783     // Japanese translation used without mbstring support
 784     if ($err==2) {
 785         $sError = "<p>Your administrator needs to have PHP installed with the multibyte string extension enabled (using configure option --enable-mbstring).</p>\n"
 786                 . "<p>This system has assumed that you accidently switched to Japanese and has reverted your language preference to English.</p>\n"
 787                 . "<p>Please refresh this page in order to continue using your webmail.</p>\n";
 788         error_box($sError);
 789     }
 790 }
 791
 792
 793 /**
 794  * Initialize our custom error handler object
 795  */
 796 $oErrorHandler = new ErrorHandler($oTemplate,'error_message.tpl');
 797
 798
 799 /**
 800  * Activate custom error handling
 801  */
 802 if (version_compare(PHP_VERSION, "4.3.0", ">=")) {
 803     $oldErrorHandler = set_error_handler(array($oErrorHandler, 'SquirrelMailErrorhandler'));
 804 } else {
 805     $oldErrorHandler = set_error_handler('SquirrelMailErrorhandler');
 806 }
 807
 808
 809 // ============================================================================
 810 // ================= End of Live Code, Beginning of Functions =================
 811 // ============================================================================
 812
 813
 814 /**
 815  * Javascript support detection function
 816  * @param boolean $reset recheck javascript support if set to true.
 817  * @return integer SMPREF_JS_ON or SMPREF_JS_OFF ({@see include/constants.php})
 818  * @since 1.5.1
 819  */
 820 function checkForJavascript($reset = FALSE) {
 821   global $data_dir, $username, $javascript_on, $javascript_setting;
 822
 823   if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
 824     return $javascript_on;
 825
 826   //FIXME: this isn't used anywhere else in this function; can we remove it?  why is it here?
 827   $user_is_logged_in = FALSE;
 828   if ( $reset || !isset($javascript_setting) )
 829     $javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);
 830
 831   if ( !sqGetGlobalVar('new_js_autodetect_results', $js_autodetect_results) &&
 832        !sqGetGlobalVar('js_autodetect_results', $js_autodetect_results) )
 833     $js_autodetect_results = SMPREF_JS_OFF;
 834
 835   if ( $javascript_setting == SMPREF_JS_AUTODETECT )
 836     $javascript_on = $js_autodetect_results;
 837   else
 838     $javascript_on = $javascript_setting;
 839
 840   sqsession_register($javascript_on, 'javascript_on');
 841   return $javascript_on;
 842 }
 843
 844 function sqm_baseuri() {
 845     global $base_uri;
 846     return $base_uri;
 847 }