X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=functions%2Fglobal.php;h=103dd9e55fd2f8441c737f403aaa64abe52812b8;hp=5c9f497f9ee08c0f092232717ac371053dcfacc8;hb=353d074afac6827c90f4bb03e846c5e453d3b5b1;hpb=d0e7f324898b4eaf7786c1c4cadcc12e97e2756f
diff --git a/functions/global.php b/functions/global.php
index 5c9f497f..103dd9e5 100644
--- a/functions/global.php
+++ b/functions/global.php
@@ -7,7 +7,7 @@
 * It also has some session register functions that work across various
 * php versions.
 *
- * @copyright 1999-2009 The SquirrelMail Project Team
+ * @copyright 1999-2018 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
 * @package squirrelmail
@@ -589,6 +589,21 @@ function sqsession_start() {
 function sqsetcookie($sName, $sValue='deleted', $iExpire=0, $sPath="", $sDomain="", $bSecure=false, $bHttpOnly=true, $bReplace=false) {
+ // some environments can get overwhelmed by an excessive
+ // setting of the same cookie over and over (e.g., many
+ // calls to this function via sqsession_is_active() result
+ // in repeated setting of the session cookie when $bReplace
+ // is FALSE, but something odd happens (during login only)
+ // if we change that to default TRUE) ... so we keep our own
+ // naive per-request name/value cache and only set the cookie
+ // if its value is changing (or never seen before)
+ static $cookies = array();
+ if (isset($cookies[$sName]) && $cookies[$sName] === $sValue)
+ return;
+ else
+ $cookies[$sName] = $sValue;
+
+ // if we have a secure connection then limit the cookies to https only.
 global $is_secure_connection;
 if ($sName && $is_secure_connection)
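Review bot: The per-request cache added just before `global $is_secure_connection;` is keyed on the cookie name but compares only `$sValue`, so a second call in the same request that keeps the value and changes `$iExpire`, `$sPath`, `$sDomain`, `$bSecure` or `$bHttpOnly` now returns early and the new attributes never reach the browser; a call meant to tighten the Secure/HttpOnly flags or extend the expiry of the session cookie is silently dropped. Including every attribute that shapes the Set-Cookie header in the cached entry keeps the deduplication while preserving those updates: `if (isset($cookies[$sName]) && $cookies[$sName] === array($sValue, $iExpire, $sPath, $sDomain, $bSecure, $bHttpOnly))` and `$cookies[$sName] = array($sValue, $iExpire, $sPath, $sDomain, $bSecure, $bHttpOnly);`. The comment block should also state what is cached, e.g. `// cache: cookie name => every attribute that affects the Set-Cookie header`. sqsetcookie's body continues past the hunk, so note that the early return fires before the secure-connection handling that follows it.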
@@ -670,32 +685,56 @@ if (!function_exists('session_regenerate_id')) {
 /**
 * php_self
 *
- * Creates an URL for the page calling this function, using either the PHP global
- * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1
- * function was stored in function/strings.php.
+ * Attempts to determine the path and filename and any arguments
+ * for the currently executing script. This is usually found in
+ * $_SERVER['REQUEST_URI'], but some environments may differ, so
+ * this function tries to standardize this value.
+ *
+ * Note that before SquirrelMail version 1.5.1, this function was
+ * stored in function/strings.php.
 *
- * @return string the complete url for this page
 * @since 1.2.3
+ * @return string The path, filename and any arguments for the
+ * current script
 */
-function php_self () {
- // PHP 4.4.4 apparently gives the wrong value here - missing the query string
- // this code is commented out in the 1.4.x code, so we'll do the same here
- //if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER) && !empty($req_uri) ) {
- // return $req_uri;
- //}
+function php_self() {
- if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER) && !empty($php_self) ) {
+ $request_uri = '';
- // need to add query string to end of PHP_SELF to match REQUEST_URI
- //
- if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) && !empty($query_string) ) {
- $php_self .= '?' . $query_string;
- }
+ // first try $_SERVER['PHP_SELF'], which seems most reliable
+ // (albeit it usually won't include the query string)
+ //
+ $request_uri = '';
+ if (!sqgetGlobalVar('PHP_SELF', $request_uri, SQ_SERVER)
+ || empty($request_uri)) {
+
+ // well, then let's try $_SERVER['REQUEST_URI']
+ //
+ $request_uri = '';
+ if (!sqgetGlobalVar('REQUEST_URI', $request_uri, SQ_SERVER)
+ || empty($request_uri)) {
+
+ // TODO: anyone have any other ideas? maybe $_SERVER['SCRIPT_NAME']???
+ //
+ return '';
+ }
- return $php_self;
 }
- return '';
+ // we may or may not have any query arguments, depending on
+ // which environment variable was used above, and the PHP
+ // version, etc., so let's check for it now
+ //
+ $query_string = '';
+ if (strpos($request_uri, '?') === FALSE
+ && sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER)
+ && !empty($query_string)) {
+
+ $request_uri .= '?' . $query_string;
+ }
+
+ return $request_uri;
+
 }
@@ -740,8 +779,8 @@ function sm_print_r() {
 /**
- * Sanitize a value using htmlspecialchars() or similar, but also
- * recursively run htmlspecialchars() (or similar) on array keys
+ * Sanitize a value using sm_encode_html_special_chars() or similar, but also
+ * recursively run sm_encode_html_special_chars() (or similar) on array keys
 * and values.
 *
 * If $value is not a string or an array with strings in it,
@@ -787,7 +826,7 @@ function sq_htmlspecialchars($value, $quote_style=ENT_QUOTES) {
 if ($quote_style === TRUE)
 return str_replace(array('\'', '"'), array(''', '"'), $value);
 else
- return htmlspecialchars($value, $quote_style);
+ return sm_encode_html_special_chars($value, $quote_style);
 }
 // anything else gets returned with no changes
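Review bot: The rewritten `php_self()` returns `$_SERVER['PHP_SELF']` or `$_SERVER['REQUEST_URI']` essentially verbatim, and both are request-controlled (PHP_SELF carries any PATH_INFO the client appended to the script name, REQUEST_URI is the raw request target), yet the new docblock does not say so; a caller that echoes the result into a form action or link attribute emits request-supplied bytes unescaped. Extend the `@return` description with a sentence such as `The value is taken from the request and must be passed through sm_encode_html_special_chars() (or escaped for the target context) before it is placed in HTML output`. Within the hunk `$request_uri = '';` is assigned right after `function php_self() {` and again, with only a comment between, before the first `sqgetGlobalVar()` call, so one of those two lines is redundant and can be dropped. The `strpos($request_uri, '?') === FALSE` guard is the right check for not appending `QUERY_STRING` a second time when REQUEST_URI already carries it.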
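Review bot: The new `return sm_encode_html_special_chars($value, $quote_style);` forwards `$quote_style` as a positional second argument to a helper whose signature is outside this hunk, so it should be confirmed that the helper's second parameter is the `htmlspecialchars()` flags argument and that the helper pins the charset itself, because the `htmlspecialchars()` default charset differs between PHP releases and a mismatch can make the call return an empty string for input that is invalid in that charset instead of escaping it. A short comment on the call would record that contract for the next reader: `// second argument is forwarded as htmlspecialchars()-style ENT_* flags`. The `$quote_style === TRUE` branch two lines above still replaces only the two quote characters and leaves `<`, `>` and `&` untouched, so callers passing TRUE do not get HTML-safe output; that is pre-existing, but the docblock updated in the hunk at `@@ -740,8 +779,8 @@` is the place to say so. sq_htmlspecialchars() begins before this hunk and continues after it.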