Happy New Year

[squirrelmail.git] / functions / global.php

diff --git a/functions/global.php b/functions/global.php
index ebcfb98d7aa4260ea44008f43aea5c2270ddf8b9..393069ab128ac2fb9f71d620d185a053cc2a9da2 100644 (file)
--- a/functions/global.php
+++ b/functions/global.php
@@ -7,7 +7,7 @@
  * It also has some session register functions that work across various
  * php versions.
  *
- * @copyright 1999-2009 The SquirrelMail Project Team
+ * @copyright 1999-2020 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -589,6 +589,21 @@ function sqsession_start() {
 function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="",
                      $bSecure=false, $bHttpOnly=true, $bReplace=false) {
  
+    // some environments can get overwhelmed by an excessive
+    // setting of the same cookie over and over (e.g., many
+    // calls to this function via sqsession_is_active() result
+    // in repeated setting of the session cookie when $bReplace
+    // is FALSE, but something odd happens (during login only)
+    // if we change that to default TRUE) ... so we keep our own
+    // naive per-request name/value cache and only set the cookie
+    // if its value is changing (or never seen before)
+    static $cookies = array();
+    if (isset($cookies[$sName]) && $cookies[$sName] === $sValue)
+        return;
+    else
+        $cookies[$sName] = $sValue;
+
+
     // if we have a secure connection then limit the cookies to https only.
     global $is_secure_connection;
     if ($sName && $is_secure_connection)
@@ -670,49 +685,56 @@ if (!function_exists('session_regenerate_id')) {
 /**
  * php_self
  *
- * Creates an URL for the page calling this function, using either the PHP global
- * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1
- * function was stored in function/strings.php.
+ * Attempts to determine the path and filename and any arguments
+ * for the currently executing script.  This is usually found in
+ * $_SERVER['REQUEST_URI'], but some environments may differ, so 
+ * this function tries to standardize this value.
+ *
+ * Note that before SquirrelMail version 1.5.1, this function was
+ * stored in function/strings.php.
  *
- * @return string the complete url for this page
  * @since 1.2.3
+ * @return string The path, filename and any arguments for the
+ *                current script
  */
-function php_self () {
+function php_self() {
 
-    if (sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER)
-     && !empty($php_self)) {
+    $request_uri = '';
 
-        // need to add query string to end of PHP_SELF to match REQUEST_URI
+    // first try $_SERVER['PHP_SELF'], which seems most reliable
+    // (albeit it usually won't include the query string)
+    //
+    $request_uri = ''; 
+    if (!sqgetGlobalVar('PHP_SELF', $request_uri, SQ_SERVER)
+     || empty($request_uri)) { 
+
+        // well, then let's try $_SERVER['REQUEST_URI']
         //
-        if (sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER)
-         && !empty($query_string)) {
-            $php_self .= '?' . $query_string;
+        $request_uri = '';
+        if (!sqgetGlobalVar('REQUEST_URI', $request_uri, SQ_SERVER)
+         || empty($request_uri)) { 
+
+            // TODO: anyone have any other ideas?  maybe $_SERVER['SCRIPT_NAME']???
+            //
+            return '';
         }
 
-        return $php_self;
     }
 
-    // some versions of PHP, perhaps specifically in use with lighttpd,
-    // return a blank string for PHP_SELF, so we use REQUEST_URI as a backup:
-    // 
-    else if (sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER)
-          && !empty($req_uri)) {
+    // we may or may not have any query arguments, depending on 
+    // which environment variable was used above, and the PHP
+    // version, etc., so let's check for it now
+    //
+    $query_string = '';
+    if (strpos($request_uri, '?') === FALSE
+     && sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER)
+     && !empty($query_string)) {
 
-        // some versions of PHP (such as 4.4.4) don't include the query
-        // string in REQUEST_URI, but most do... here's a fix for the
-        // odd ones out (assuming QUERY_STRING is reliable in those cases)
-        //
-        if (strpos($req_uri, '?') === FALSE
-         && sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER)
-         && !empty($query_string)) {
+        $request_uri .= '?' . $query_string;
+    }   
 
-            $req_uri .= '?' . $query_string;
-        }
-        
-        return $req_uri;
-    }
+    return $request_uri;
 
-    return '';
 }
 
 
@@ -757,8 +779,8 @@ function sm_print_r() {
 
 
 /**
-  * Sanitize a value using htmlspecialchars() or similar, but also
-  * recursively run htmlspecialchars() (or similar) on array keys
+  * Sanitize a value using sm_encode_html_special_chars() or similar, but also
+  * recursively run sm_encode_html_special_chars() (or similar) on array keys
   * and values.
   *
   * If $value is not a string or an array with strings in it,
@@ -804,7 +826,7 @@ function sq_htmlspecialchars($value, $quote_style=ENT_QUOTES) {
         if ($quote_style === TRUE)
             return str_replace(array('\'', '"'), array(''', '"'), $value);
         else
-            return htmlspecialchars($value, $quote_style);
+            return sm_encode_html_special_chars($value, $quote_style);
     }
 
     // anything else gets returned with no changes