Give back the message object to those who want it

[squirrelmail.git] / include / init.php

diff --git a/include/init.php b/include/init.php
index 047f18771081a8fc8e6f630cb8026999f52e4e7f..eecff42368688d304ca46042147e5cb97fb37ba2 100644 (file)
--- a/include/init.php
+++ b/include/init.php
@@ -5,7 +5,7 @@
  *
  * File should be loaded in every file in src/ or plugins that occupate an entire frame
  *
- * @copyright © 2006 The SquirrelMail Project Team
+ * @copyright 2006-2018 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -118,7 +118,7 @@ if(!empty($_SERVER['UNIQUE_ID'])) {
 }
 
 $seed .= uniqid(mt_rand(),TRUE);
-$seed .= implode( '', stat( __FILE__) );
+$seed .= implode('', stat( __FILE__));
 
 // mt_srand() uses an integer to seed, so we need to distill our
 // very large seed to something useful (without taking a sub-string,
@@ -223,15 +223,17 @@ if (file_exists(SM_PATH . 'config/config_local.php')) {
 
 /**
  * Set PHP error reporting level based on the SquirrelMail debug mode
+ * E_STRICT = 2048
+ * E_DEPRECATED = 8192
  */
 $error_level = 0;
 if ($sm_debug_mode & SM_DEBUG_MODE_SIMPLE)
     $error_level |= E_ERROR;
 if ($sm_debug_mode & SM_DEBUG_MODE_MODERATE
  || $sm_debug_mode & SM_DEBUG_MODE_ADVANCED)
-    $error_level |= E_ALL;
+    $error_level = ($error_level | E_ALL) & ~2048 & ~8192;
 if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
-    $error_level |= E_STRICT;
+    $error_level |= 2048 | 8192;
 error_reporting($error_level);
 
 
@@ -272,12 +274,20 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
  * or
  * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
  * because it doesn't bother with broken tags.
- * htmlspecialchars() is the preferred method.
+ * sm_encode_html_special_chars() is the preferred method.
  * QUERY_STRING also needs the same treatment since it is
  * used in php_self().
- */
-$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']);
-$_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']);
+ * Update again: the encoding of ampersands that occurs
+ * using sm_encode_html_special_chars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
+ */
+if (isset($_SERVER['REQUEST_URI']))
+    $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI']));
+if (isset($_SERVER['PHP_SELF']))
+    $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF']));
+if (isset($_SERVER['QUERY_STRING']))
+    $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING']));
 
 $PHP_SELF = php_self();
 
@@ -571,16 +581,28 @@ switch (PAGE_NAME) {
 
 
         /**
-         * Check if we are logged in
+         * Check if we are logged in and does optional referrer check
          */
         require(SM_PATH . 'functions/auth.php');
 
-        if ( !sqsession_is_registered('user_is_logged_in') ) {
+        global $check_referrer, $domain;
+        if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
+        if ($check_referrer == '###DOMAIN###') $check_referrer = $domain;
+        if (!empty($check_referrer)) {
+            $ssl_check_referrer = 'https://' . $check_referrer;
+            $check_referrer = 'http://' . $check_referrer;
+        }
+        if (!sqsession_is_registered('user_is_logged_in')
+         || ($check_referrer && !empty($referrer)
+          && strpos(strtolower($referrer), strtolower($check_referrer)) !== 0
+          && strpos(strtolower($referrer), strtolower($ssl_check_referrer)) !== 0)) {
 
             // use $message to indicate what logout text the user
             // will see... if 0, typical "You must be logged in"
             // if 1, information that the user session was saved
-            // and will be resumed after (re)login
+            // and will be resumed after (re)login, if 2, there
+            // seems to have been a XSS or phishing attack (bad
+            // referrer)
             //
             $message = 0;
 
@@ -597,6 +619,13 @@ switch (PAGE_NAME) {
                 if ($session_expired_location == 'compose')
                     $message = 1;
             }
+
+            // was bad referrer the reason we were rejected?
+            //
+            if (sqsession_is_registered('user_is_logged_in')
+             && $check_referrer && !empty($referrer))
+                $message = 2;
+
             // signout page will deal with users who aren't logged
             // in on its own; don't show error here
             //
@@ -622,8 +651,10 @@ switch (PAGE_NAME) {
             set_up_language($squirrelmail_language, true);
             if (!$message)
                 logout_error( _("You must be logged in to access this page.") );
-            else
+            else if ($message == 1)
                 logout_error( _("Your session has expired, but will be resumed after logging in again.") );
+            else if ($message == 2)
+                logout_error( _("The current page request appears to have originated from an unrecognized source.") );
             exit;
         }
 
@@ -662,6 +693,9 @@ switch (PAGE_NAME) {
         $set_up_langage_after_template_setup = TRUE;
 
         $timeZone = getPref($data_dir, $username, 'timezone');
+        global $server_timezone, $server_timezone_offset, $server_timezone_offset_seconds;
+        list($server_timezone, $server_timezone_offset, $server_timezone_offset_seconds)
+            = explode('::', date('T::O::Z'));
 
         /* Check to see if we are allowed to set the TZ environment variable.
          * We are able to do this if ...