*
* File should be loaded in every file in src/ or plugins that occupate an entire frame
*
- * @copyright © 2006 The SquirrelMail Project Team
+ * @copyright 2006-2017 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
}
$seed .= uniqid(mt_rand(),TRUE);
-$seed .= implode( '', stat( __FILE__) );
+$seed .= implode('', stat( __FILE__));
// mt_srand() uses an integer to seed, so we need to distill our
// very large seed to something useful (without taking a sub-string,
/**
* Set PHP error reporting level based on the SquirrelMail debug mode
+ * E_STRICT = 2048
+ * E_DEPRECATED = 8192
*/
$error_level = 0;
if ($sm_debug_mode & SM_DEBUG_MODE_SIMPLE)
$error_level |= E_ERROR;
if ($sm_debug_mode & SM_DEBUG_MODE_MODERATE
|| $sm_debug_mode & SM_DEBUG_MODE_ADVANCED)
- $error_level |= E_ALL;
+ $error_level = ($error_level | E_ALL) & ~2048 & ~8192;
if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
- $error_level |= E_STRICT;
+ $error_level |= 2048 | 8192;
error_reporting($error_level);
+/**
+ * Detect SSL connections
+ */
+$is_secure_connection = is_ssl_secured_connection();
+
+
require(SM_PATH . 'functions/plugin.php');
require(SM_PATH . 'include/languages.php');
require(SM_PATH . 'class/template/Template.class.php');
}
-/* strip any tags added to the url from PHP_SELF.
-This fixes hand crafted url XXS expoits for any
- page that uses PHP_SELF as the FORM action */
-$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+/**
+ * Strip any tags added to the url from PHP_SELF.
+ * This fixes hand crafted url XXS expoits for any
+ * page that uses PHP_SELF as the FORM action
+ * Update: strip_tags() won't catch something like
+ * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="><script>window.open("http://example.com")</script>
+ * or
+ * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
+ * because it doesn't bother with broken tags.
+ * sm_encode_html_special_chars() is the preferred method.
+ * QUERY_STRING also needs the same treatment since it is
+ * used in php_self().
+ * Update again: the encoding of ampersands that occurs
+ * using sm_encode_html_special_chars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
+ */
+if (isset($_SERVER['REQUEST_URI']))
+ $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI']));
+if (isset($_SERVER['PHP_SELF']))
+ $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF']));
+if (isset($_SERVER['QUERY_STRING']))
+ $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING']));
$PHP_SELF = php_self();
/**
- * Check if we are logged in
+ * Check if we are logged in and does optional referrer check
*/
require(SM_PATH . 'functions/auth.php');
- if ( !sqsession_is_registered('user_is_logged_in') ) {
+ global $check_referrer, $domain;
+ if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
+ if ($check_referrer == '###DOMAIN###') $check_referrer = $domain;
+ if (!empty($check_referrer)) {
+ $ssl_check_referrer = 'https://' . $check_referrer;
+ $check_referrer = 'http://' . $check_referrer;
+ }
+ if (!sqsession_is_registered('user_is_logged_in')
+ || ($check_referrer && !empty($referrer)
+ && strpos(strtolower($referrer), strtolower($check_referrer)) !== 0
+ && strpos(strtolower($referrer), strtolower($ssl_check_referrer)) !== 0)) {
// use $message to indicate what logout text the user
// will see... if 0, typical "You must be logged in"
// if 1, information that the user session was saved
- // and will be resumed after (re)login
+ // and will be resumed after (re)login, if 2, there
+ // seems to have been a XSS or phishing attack (bad
+ // referrer)
//
$message = 0;
if ($session_expired_location == 'compose')
$message = 1;
}
+
+ // was bad referrer the reason we were rejected?
+ //
+ if (sqsession_is_registered('user_is_logged_in')
+ && $check_referrer && !empty($referrer))
+ $message = 2;
+
// signout page will deal with users who aren't logged
// in on its own; don't show error here
//
set_up_language($squirrelmail_language, true);
if (!$message)
logout_error( _("You must be logged in to access this page.") );
- else
+ else if ($message == 1)
logout_error( _("Your session has expired, but will be resumed after logging in again.") );
+ else if ($message == 2)
+ logout_error( _("The current page request appears to have originated from an unrecognized source.") );
exit;
}
$set_up_langage_after_template_setup = TRUE;
$timeZone = getPref($data_dir, $username, 'timezone');
+ global $server_timezone, $server_timezone_offset, $server_timezone_offset_seconds;
+ list($server_timezone, $server_timezone_offset, $server_timezone_offset_seconds)
+ = explode('::', date('T::O::Z'));
/* Check to see if we are allowed to set the TZ environment variable.
* We are able to do this if ...
if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
return $javascript_on;
+ //FIXME: this isn't used anywhere else in this function; can we remove it? why is it here?
$user_is_logged_in = FALSE;
if ( $reset || !isset($javascript_setting) )
$javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);
projects / squirrelmail.git / blobdiff