Using a better domain name.

[squirrelmail.git] / include / init.php

diff --git a/include/init.php b/include/init.php
index 228999ccf25baad06ac12bff0e085db0d753ee1b..047f18771081a8fc8e6f630cb8026999f52e4e7f 100644 (file)
--- a/include/init.php
+++ b/include/init.php
@@ -120,9 +120,20 @@ if(!empty($_SERVER['UNIQUE_ID'])) {
 $seed .= uniqid(mt_rand(),TRUE);
 $seed .= implode( '', stat( __FILE__) );
 
-/** PHP 4.2 and up don't require seeding, but their used seed algorithm
- *  is of questionable quality, so we keep doing it ourselves. */
-mt_srand(hexdec(md5($seed)));
+// mt_srand() uses an integer to seed, so we need to distill our
+// very large seed to something useful (without taking a sub-string,
+// the integer conversion of such a large number is always 0 on
+// many systems, but strangely, 9 hex numbers - even if larger
+// than a signed 32 bit integer - seem to be an acceptable "integer"
+// seed (perhaps it is used as unsigned?)...
+// we may want to revisit this and always force it to be less than
+// 2,147,483,647
+//
+$seed = hexdec(substr(md5($seed), 0, 9));
+
+// PHP 4.2 and up don't require seeding, but their used seed algorithm
+// is of questionable quality, so we keep doing it ourselves. */
+mt_srand($seed);
 
 /**
  * calculate SM_PATH and calculate the base_uri
@@ -190,6 +201,7 @@ require(SM_PATH . 'include/constants.php');
 require(SM_PATH . 'functions/global.php');
 require(SM_PATH . 'functions/strings.php');
 require(SM_PATH . 'functions/arrays.php');
+require(SM_PATH . 'functions/files.php');
 
 /* load default configuration */
 require(SM_PATH . 'config/config_default.php');
@@ -223,6 +235,12 @@ if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
 error_reporting($error_level);
 
 
+/** 
+ * Detect SSL connections
+ */
+$is_secure_connection = is_ssl_secured_connection();
+ 
+
 require(SM_PATH . 'functions/plugin.php');
 require(SM_PATH . 'include/languages.php');
 require(SM_PATH . 'class/template/Template.class.php');
@@ -245,10 +263,21 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
 }
 
 
-/* strip any tags added to the url from PHP_SELF.
-This fixes hand crafted url XXS expoits for any
-   page that uses PHP_SELF as the FORM action */
-$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+/**
+ * Strip any tags added to the url from PHP_SELF.
+ * This fixes hand crafted url XXS expoits for any
+ * page that uses PHP_SELF as the FORM action
+ * Update: strip_tags() won't catch something like
+ * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="><script>window.open("http://example.com")</script>
+ * or
+ * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
+ * because it doesn't bother with broken tags.
+ * htmlspecialchars() is the preferred method.
+ * QUERY_STRING also needs the same treatment since it is
+ * used in php_self().
+ */
+$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
+$_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
 
 $PHP_SELF = php_self();
 
@@ -773,6 +802,7 @@ function checkForJavascript($reset = FALSE) {
   if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
     return $javascript_on;
 
+  //FIXME: this isn't used anywhere else in this function; can we remove it?  why is it here?
   $user_is_logged_in = FALSE;
   if ( $reset || !isset($javascript_setting) )
     $javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);