X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=functions%2Fauth.php;h=d0e1f11bbb5a557183e00f5c9d2896f965455946;hp=24c5e150c16e429ca432303f29f97bbaa9ab58e4;hb=dfc64d149b23ad2e06a10ff4f187ea9ce664bbc9;hpb=80e86e941526449e2b21bc532abb870072e5e083
diff --git a/functions/auth.php b/functions/auth.php
index 24c5e150..d0e1f11b 100644
--- a/functions/auth.php
+++ b/functions/auth.php
@@ -3,33 +3,372 @@
 /**
 * auth.php
 *
- * Copyright (c) 1999-2002 The SquirrelMail Project Team
- * Licensed under the GNU GPL. For full terms see the file COPYING.
- *
 * Contains functions used to do authentication.
+ *
+ * Dependencies:
+ * functions/global.php
+ * functions/strings.php.
+ *
+ * @copyright 1999-2019 The SquirrelMail Project Team
+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License
+ * @version $Id$
+ * @package squirrelmail
+ */
+
+
+/**
+ * Detect whether user is logged in
+ *
+ * Function is similar to is_logged_in() function. If user is logged in, function
+ * returns true. If user is not logged in or session is expired, function saves $_POST
+ * and PAGE_NAME in session and returns false. POST information is saved in
+ * 'session_expired_post' variable, PAGE_NAME is saved in 'session_expired_location'.
+ *
+ * This function optionally checks the referrer of this page request. If the
+ * administrator wants to impose a check that the referrer of this page request
+ * is another page on the same domain (otherwise, the page request is likely
+ * the result of a XSS or phishing attack), then they need to specify the
+ * acceptable referrer domain in a variable named $check_referrer in
+ * config/config.php (or the configuration tool) for which the value is
+ * usually the same as the $domain setting (for example:
+ * $check_referrer = 'example.com';
+ * However, in some cases (where proxy servers are in use, etc.), the
+ * acceptable referrer might be different. If $check_referrer is set to
+ * "###DOMAIN###", then the current value of $domain is used (useful in
+ * situations where $domain might change at runtime (when using the Login
+ * Manager plugin to host multiple domains with one SquirrelMail installation,
+ * for example)):
+ * $check_referrer = '###DOMAIN###';
+ * NOTE HOWEVER, that referrer checks are not foolproof - they can be spoofed
+ * by browsers, and some browsers intentionally don't send them, in which
+ * case SquirrelMail silently ignores referrer checks.
 *
- * $Id$
+ * Script that uses this function instead of is_logged_in() function, must handle user
+ * level messages.
+ * @return boolean
+ * @since 1.5.1
 */
+function sqauth_is_logged_in() {
-require_once( '../functions/page_header.php' );
+ global $check_referrer, $domain;
+ if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
+ if ($check_referrer == '###DOMAIN###') $check_referrer = $domain;
+ if (!empty($check_referrer)) {
+ $ssl_check_referrer = 'https://' . $check_referrer;
+ $plain_check_referrer = 'http://' . $check_referrer;
+ }
+ if (sqsession_is_registered('user_is_logged_in')
+ && (!$check_referrer || empty($referrer)
+ || ($check_referrer && !empty($referrer)
+ && (strpos(strtolower($referrer), strtolower($plain_check_referrer)) === 0
+ || strpos(strtolower($referrer), strtolower($ssl_check_referrer)) === 0)))) {
+ return true;
+ }
-function is_logged_in () {
- global $squirrelmail_language, $frame_top;
+ // First we store some information in the new session to prevent
+ // information-loss.
+ $session_expired_post = $_POST;
+ if (defined('PAGE_NAME'))
+ $session_expired_location = PAGE_NAME;
+ else
+ $session_expired_location = '';
- if ( session_is_registered('user_is_logged_in') ) {
- return;
+ if (!sqsession_is_registered('session_expired_post')) {
+ sqsession_register($session_expired_post,'session_expired_post');
 }
+ if (!sqsession_is_registered('session_expired_location')) {
+ sqsession_register($session_expired_location,'session_expired_location');
+ }
+
+ session_write_close();
- set_up_language($squirrelmail_language, true);
+ return false;
+}
+
+/**
+ * Reads and decodes stored user password information
+ *
+ * Direct access to password information is deprecated.
+ * @return string password in plain text
+ * @since 1.5.1
+ */
+function sqauth_read_password() {
+ global $currentHookName;
+ if ($currentHookName == 'login_verified') global $key;
- displayHtmlHeader( 'SquirrelMail', '', FALSE );
+ sqgetGlobalVar('key', $key, SQ_COOKIE);
+ sqgetGlobalVar('onetimepad', $onetimepad,SQ_SESSION);
- echo "\n" .
- '