* This code provides various string manipulation functions that are
* used by the rest of the SquirrelMail code.
*
- * @copyright 1999-2018 The SquirrelMail Project Team
+ * @copyright 1999-2020 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
$is_secure_connection, $sq_ignore_http_x_forwarded_headers;
/* Get the path, handle virtual directories */
- if(strpos(php_self(), '?')) {
- $path = substr(php_self(), 0, strpos(php_self(), '?'));
- } else {
- $path = php_self();
- }
- $path = substr($path, 0, strrpos($path, '/'));
+ $path = substr(php_self(FALSE), 0, strrpos(php_self(FALSE), '/'));
// proto+host+port are already set in config:
if ( !empty($config_location_base) ) {
* a more easily digested (readable) format
*
* @param int $bytes the size in bytes
+ * @param int $filesize_divisor the divisor we'll use (OPTIONAL; default 1024)
*
* @return string The size in human readable format
*
* @since 1.0
*
*/
-function show_readable_size($bytes) {
- $bytes /= 1024;
+function show_readable_size($bytes, $filesize_divisor=1024) {
+ $bytes /= $filesize_divisor;
$type = _("KiB");
- if ($bytes / 1024 > 1) {
- $bytes /= 1024;
+ if ($bytes / $filesize_divisor > 1) {
+ $bytes /= $filesize_divisor;
$type = _("MiB");
}
function sm_get_user_security_tokens($purge_old=TRUE)
{
- global $data_dir, $username, $max_token_age_days;
+ global $data_dir, $username, $max_token_age_days,
+ $use_expiring_security_tokens;
$tokens = getPref($data_dir, $username, 'security_tokens', '');
if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens))
/**
* Generates a security token that is then stored in
* the user's preferences with a timestamp for later
- * verification/use.
+ * verification/use (although session-based tokens
+ * are not stored in user preferences).
+ *
+ * NOTE: By default SquirrelMail will use a single session-based
+ * token, but if desired, user tokens can have expiration
+ * dates associated with them and become invalid even during
+ * the same login session. When in that mode, the note
+ * immediately below applies, otherwise it is irrelevant.
+ * To enable that mode, the administrator must add the
+ * following to config/config_local.php:
+ * $use_expiring_security_tokens = TRUE;
*
* NOTE: The administrator can force SquirrelMail to generate
* a new token every time one is requested (which may increase
function sm_generate_security_token($force_generate_new=FALSE)
{
- global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token;
+ global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token,
+ $use_expiring_security_tokens;
$max_generation_tries = 1000;
+ // if we're using session-based tokens, just return
+ // the same one every time (generate it if it's not there)
+ //
+ if (!$use_expiring_security_tokens)
+ {
+ if (sqgetGlobalVar('sm_security_token', $token, SQ_SESSION))
+ return $token;
+
+ // create new one since there was none in session
+ $token = GenerateRandomString(12, '', 7);
+ sqsession_register($token, 'sm_security_token');
+ return $token;
+ }
+
$tokens = sm_get_user_security_tokens();
if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens))
* overrides that value using $max_token_age_days in
* config/config_local.php
*
+ * Session-based tokens of course are always reused and are
+ * valid for the lifetime of the login session.
+ *
* WARNING: If the administrator has turned the token system
* off by setting $disable_security_tokens to TRUE in
* config/config.php or the configuration tool, this
{
global $data_dir, $username, $max_token_age_days,
+ $use_expiring_security_tokens,
$disable_security_tokens;
// bypass token validation? CAREFUL!
//
if ($disable_security_tokens) return TRUE;
+ // if we're using session-based tokens, just compare
+ // the same one every time
+ //
+ if (!$use_expiring_security_tokens)
+ {
+ if (!sqgetGlobalVar('sm_security_token', $session_token, SQ_SESSION))
+ {
+ if (!$show_error) return FALSE;
+ logout_error(_("Fatal security token error; please log in again"));
+ exit;
+ }
+ if ($token !== $session_token)
+ {
+ if (!$show_error) return FALSE;
+ logout_error(_("The current page request appears to have originated from an untrusted source."));
+ exit;
+ }
+ return TRUE;
+ }
+
// don't purge old tokens here because we already
// do it when generating tokens
//