if ($s === "}\r\n") {
$j = strrpos($read,'{');
$iLit = substr($read,$j+1,-3);
- $data[] = $read;
- $sLiteral = fread($imap_stream,$iLit);
- if ($sLiteral === false) { /* error */
- $read = false;
- break 3; /* while switch while */
+ // check for numeric value to avoid that untagged responses like:
+ // * OK [PARSE] Unexpected characters at end of address: {SET:debug=51}
+ // will trigger literal fetching ({SET:debug=51} !== int )
+ if (is_numeric($iLit)) {
+ $data[] = $read;
+ $sLiteral = fread($imap_stream,$iLit);
+ if ($sLiteral === false) { /* error */
+ $read = false;
+ break 3; /* while switch while */
+ }
+ $data[] = $sLiteral;
+ $data[] = sqimap_fgets($imap_stream);
+ } else {
+ $data[] = $read;
}
- $data[] = $sLiteral;
- $data[] = sqimap_fgets($imap_stream);
} else {
$data[] = $read;
}
/**
* Logs the user into the IMAP server. If $hide is set, no error messages
- * will be displayed. This function returns the IMAP connection handle.
+ * will be displayed (if set to 1, just exits, if set to 2, returns FALSE).
+ * This function returns the IMAP connection handle.
* @param string $username user name
- * @param string $password password encrypted with onetimepad. Since 1.5.2
- * function can use internal password functions, if parameter is set to
- * boolean false.
+ * @param string $password password encrypted with onetimepad. Since 1.5.2
+ * function can use internal password functions, if parameter is set to
+ * boolean false.
* @param string $imap_server_address address of imap server
* @param integer $imap_port port of imap server
- * @param boolean $hide controls display connection errors
- * @return stream
+ * @param int $hide controls display connection errors:
+ * 0 = do not hide
+ * 1 = show no errors (just exit)
+ * 2 = show no errors (return FALSE)
+ * 3 = show no errors (return error string)
+ * @return mixed The IMAP connection stream, or if the connection fails,
+ * FALSE if $hide is set to 2 or an error string if $hide
+ * is set to 3.
*/
function sqimap_login ($username, $password, $imap_server_address, $imap_port, $hide) {
global $color, $squirrelmail_language, $onetimepad, $use_imap_tls,
$imap_auth_mech, $sqimap_capabilities;
+ // Note/TODO: This hack grabs the $authz argument from the session. In the short future,
+ // a new argument in function sqimap_login() will be used instead.
+ $authz = '';
+ global $authz;
+ sqgetglobalvar('authz' , $authz , SQ_SESSION);
+
+ if(!empty($authz)) {
+ /* authz plugin - specific:
+ * Get proxy login parameters from authz plugin configuration. If they
+ * exist, they will override the current ones.
+ * This is useful if we want to use different SASL authentication mechanism
+ * and/or different TLS settings for proxy logins. */
+ global $authz_imap_auth_mech, $authz_use_imap_tls, $authz_imapPort_tls;
+ $imap_auth_mech = !empty($authz_imap_auth_mech) ? strtolower($authz_imap_auth_mech) : $imap_auth_mech;
+ $use_imap_tls = !empty($authz_use_imap_tls)? $authz_use_imap_tls : $use_imap_tls;
+ $imap_port = !empty($authz_use_imap_tls)? $authz_imapPort_tls : $imap_port;
+
+ if($imap_auth_mech == 'login' || $imap_auth_mech == 'cram-md5') {
+ logout_error("Misconfigured Plugin (authz or equivalent):<br/>".
+ "The LOGIN and CRAM-MD5 authentication mechanisms cannot be used when attempting proxy login.");
+ exit;
+ }
+ }
+
/* get imap login password */
if ($password===false) {
/* standard functions */
// Got a challenge back
$challenge=$response[1];
if ($imap_auth_mech == 'digest-md5') {
- $reply = digest_md5_response($username,$password,$challenge,'imap',$host);
+ $reply = digest_md5_response($username,$password,$challenge,'imap',$host,$authz);
} elseif ($imap_auth_mech == 'cram-md5') {
$reply = cram_md5_response($username,$password,$challenge);
}
$read = sqimap_run_command ($imap_stream, $query, false, $response, $message);
} elseif ($imap_auth_mech == 'plain') {
/***
- * SASL PLAIN
- *
- * RFC 2595 Chapter 6
- *
- * The mechanism consists of a single message from the client to the
- * server. The client sends the authorization identity (identity to
- * login as), followed by a US-ASCII NUL character, followed by the
- * authentication identity (identity whose password will be used),
- * followed by a US-ASCII NUL character, followed by the clear-text
- * password. The client may leave the authorization identity empty to
- * indicate that it is the same as the authentication identity.
+ * SASL PLAIN, RFC 4616 (updates 2595)
*
- **/
+ * The mechanism consists of a single message, a string of [UTF-8]
+ * encoded [Unicode] characters, from the client to the server. The
+ * client presents the authorization identity (identity to act as),
+ * followed by a NUL (U+0000) character, followed by the authentication
+ * identity (identity whose password will be used), followed by a NUL
+ * (U+0000) character, followed by the clear-text password. As with
+ * other SASL mechanisms, the client does not provide an authorization
+ * identity when it wishes the server to derive an identity from the
+ * credentials and use that as the authorization identity.
+ */
$tag=sqimap_session_id(false);
$sasl = (isset($sqimap_capabilities['SASL-IR']) && $sqimap_capabilities['SASL-IR']) ? true : false;
- $auth = base64_encode("$username\0$username\0$password");
+ if(!empty($authz)) {
+ $auth = base64_encode("$username\0$authz\0$password");
+ } else {
+ $auth = base64_encode("$username\0$username\0$password");
+ }
if ($sasl) {
// IMAP Extension for SASL Initial Client Response
// <draft-siemborski-imap-sasl-initial-response-01b.txt>
$results=explode(" ",$read,3);
$response=$results[1];
$message=$results[2];
+
} else {
$response="BAD";
$message="Internal SquirrelMail error - unknown IMAP authentication method chosen. Please contact the developers.";
/* If the connection was not successful, lets see why */
if ($response != 'OK') {
- if (!$hide) {
+ if (!$hide || $hide == 3) {
+//FIXME: UUURG... We don't want HTML in error messages, should also do html sanitizing of error messages elsewhere; should't assume output is destined for an HTML browser here
if ($response != 'NO') {
/* "BAD" and anything else gets reported here. */
$message = htmlspecialchars($message);
set_up_language($squirrelmail_language, true);
if ($response == 'BAD') {
+ if ($hide == 3) return sprintf(_("Bad request: %s"), $message);
$string = sprintf (_("Bad request: %s")."<br />\r\n", $message);
} else {
+ if ($hide == 3) return sprintf(_("Unknown error: %s"), $message);
$string = sprintf (_("Unknown error: %s") . "<br />\n", $message);
}
if (isset($read) && is_array($read)) {
set_up_language($squirrelmail_language, true);
sqsession_destroy();
- sqsetcookieflush();
+
/* terminate the session nicely */
sqimap_logout($imap_stream);
+ if ($hide == 3) return _("Unknown user or password incorrect.");
logout_error( _("Unknown user or password incorrect.") );
exit;
}
} else {
+ if ($hide == 2) return FALSE;
exit;
}
}
* OS: According to rfc2342 response from NAMESPACE command is:
* OS: * NAMESPACE (PERSONAL NAMESPACES) (OTHER_USERS NAMESPACE) (SHARED NAMESPACES)
* OS: We want to lookup all personal NAMESPACES...
+ *
+ * TODO: remove this in favour of the information from sqimap_get_namespace()
*/
$read = sqimap_run_command($imap_stream, 'NAMESPACE', true, $a, $b);
if (eregi('\\* NAMESPACE +(\\( *\\(.+\\) *\\)|NIL) +(\\( *\\(.+\\) *\\)|NIL) +(\\( *\\(.+\\) *\\)|NIL)', $read[0], $data)) {
return $sqimap_delimiter;
}
+/**
+ * Retrieves the namespaces from the IMAP server.
+ * NAMESPACE is an IMAP extension defined in RFC 2342.
+ *
+ * @param stream $imap_stream
+ * @return array
+ */
+function sqimap_get_namespace($imap_stream) {
+ $read = sqimap_run_command($imap_stream, 'NAMESPACE', true, $a, $b);
+ return sqimap_parse_namespace($read[0]);
+}
+
+/**
+ * Parses a NAMESPACE response and returns an array with the available
+ * personal, users and shared namespaces.
+ *
+ * @param string $input
+ * @return array The returned array has the following format:
+ * <pre>
+ * array(
+ * 'personal' => array(
+ * 0 => array('prefix'=>'INBOX.','delimiter' =>'.'),
+ * 1 => ...
+ * ),
+ * 'users' => array(..
+ * ),
+ * 'shared' => array( ..
+ * )
+ * )
+ * </pre>
+ * Note that if a namespace is not defined in the server, then the corresponding
+ * array will be empty.
+ */
+function sqimap_parse_namespace(&$input) {
+ $ns_strings = array(1=>'personal', 2=>'users', 3=>'shared');
+ $namespace = array();
+
+ if(ereg('NAMESPACE (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL)', $input, $regs) !== false) {
+ for($i=1; $i<=3; $i++) {
+ if($regs[$i] == 'NIL') {
+ $namespace[$ns_strings[$i]] = array();
+ } else {
+ // Pop-out the first ( and last ) for easier parsing
+ $ns = substr($regs[$i], 1, sizeof($regs[$i])-2);
+ if($c = preg_match_all('/\((?:(.*?)\s*?)\)/', $ns, $regs2)) {
+ $namespace[$ns_strings[$i]] = array();
+ for($j=0; $j<sizeof($regs2[1]); $j++) {
+ preg_match('/"(.*)"\s+("(.*)"|NIL)/', $regs2[1][$j], $regs3);
+ $namespace[$ns_strings[$i]][$j]['prefix'] = $regs3[1];
+ if($regs3[2] == 'NIL') {
+ $namespace[$ns_strings[$i]][$j]['delimiter'] = null;
+ } else {
+ // $regs[3] is $regs[2] without the quotes
+ $namespace[$ns_strings[$i]][$j]['delimiter'] = $regs3[3];
+ }
+ unset($regs3);
+ }
+ }
+ unset($ns);
+ }
+ }
+ }
+ return($namespace);
+}
+
/**
* This encodes a mailbox name for use in IMAP commands.
* @param string $what the mailbox to encode
if (!empty($hook_status)) {
$hook_status['MAILBOX']=$mailbox;
$hook_status['CALLER']='sqimap_status_messages';
- do_hook_function('folder_status',$hook_status);
+ do_hook('folder_status', $hook_status);
}
return $status;
}
projects / squirrelmail.git / blobdiff