X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=functions%2Fglobal.php;h=d211773c2e091fe625eff920b0b63367e7ef5512;hp=3e7e0ec4e2b6c5c5162794274f5875a036bbf7a4;hb=475bcb51d681738f4978b47e05d88eb25cba4b1c;hpb=918fcc1d131a60df5ba01212d61d82d753014468 diff --git a/functions/global.php b/functions/global.php index 3e7e0ec4..d211773c 100644 --- a/functions/global.php +++ b/functions/global.php @@ -7,7 +7,7 @@ * It also has some session register functions that work across various * php versions. * - * @copyright © 1999-2006 The SquirrelMail Project Team + * @copyright © 1999-2007 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -83,6 +83,54 @@ function sqstripslashes(&$array) { } } +/** + * Squelch error output to screen (only) for the given function. + * If the SquirrelMail debug mode SM_DEBUG_MODE_ADVANCED is not + * enabled, error output will not go to the log, either. + * + * This provides an alternative to the @ error-suppression + * operator where errors will not be shown in the interface + * but will show up in the server log file (assuming the + * administrator has configured PHP logging). + * + * @since 1.4.12 and 1.5.2 + * + * @param string $function The function to be executed + * @param array $args The arguments to be passed to the function + * (OPTIONAL; default no arguments) + * NOTE: The caller must take extra action if + * the function being called is supposed + * to use any of the parameters by + * reference. In the following example, + * $x is passed by reference and $y is + * passed by value to the "my_func" + * function. + * sq_call_function_suppress_errors('my_func', array(&$x, $y)); + * + * @return mixed The return value, if any, of the function being + * executed will be returned. + * + */ +function sq_call_function_suppress_errors($function, $args=NULL) { + global $sm_debug_mode; + + $display_errors = ini_get('display_errors'); + ini_set('display_errors', '0'); + + // if advanced debug mode isn't enabled, don't log the error, either + // + if (!($sm_debug_mode & SM_DEBUG_MODE_ADVANCED)) + $error_reporting = error_reporting(0); + + $ret = call_user_func_array($function, $args); + + if (!($sm_debug_mode & SM_DEBUG_MODE_ADVANCED)) + error_reporting($error_reporting); + + ini_set('display_errors', $display_errors); + return $ret; +} + /** * Add a variable to the session. * @param mixed $var the variable to register @@ -93,9 +141,7 @@ function sqsession_register ($var, $name) { sqsession_is_active(); - $_SESSION["$name"] = $var; - - session_register("$name"); + $_SESSION[$name] = $var; } /** @@ -129,6 +175,91 @@ function sqsession_is_registered ($name) { return $result; } + +/** + * Retrieves a form variable, from a set of possible similarly named + * form variables, based on finding a different, single field. This + * is intended to allow more than one same-named inputs in a single + *
, where the submit button that is clicked tells us which + * input we should retrieve. An example is if we have: + * + * + * + * and we want to know which one of the select inputs should be + * returned as $startMessage (without the suffix!), this function + * decides by looking for either "form_submit_1" or "form_submit_2" + * (both should not appear). In this example, $name should be + * "startMessage" and $indicator_field should be "form_submit". + * + * NOTE that form widgets must be named with the suffix "_1", "_2", "_3" + * and so on, or this function will not work. + * + * If more than one of the indicator fields is found, the first one + * (numerically) will win. + * + * If an indicator field is found without a matching input ($name) + * field, FALSE is returned. + * + * If no indicator fields are found, a field of $name *without* any + * suffix is searched for (but only if $fallback_no_suffix is TRUE), + * and if not found, FALSE is ultimately returned. + * + * It should also be possible to use the same string for both + * $name and $indicator_field to look for the first possible + * widget with a suffix that can be found (and possibly fallback + * to a widget without a suffix). + * + * @param string name the name of the var to search + * @param mixed value the variable to return + * @param string indicator_field the name of the field upon which to base + * our decision upon (see above) + * @param int search constant defining where to look + * @param bool fallback_no_suffix whether or not to look for $name with + * no suffix when nothing else is found + * @param mixed default the value to assign to $value when nothing is found + * @param int typecast force variable to be cast to given type (please + * use SQ_TYPE_XXX constants or set to FALSE (default) + * to leave variable type unmolested) + * + * @return bool whether variable is found. + */ +function sqGetGlobalVarMultiple($name, &$value, $indicator_field, + $search = SQ_INORDER, + $fallback_no_suffix=TRUE, $default=NULL, + $typecast=FALSE) { + + // Set arbitrary max limit -- should be much lower except on the + // search results page, if there are many (50 or more?) mailboxes + // shown, this may not be high enough. Is there some way we should + // automate this value? + // + $max_form_search = 100; + + for ($i = 1; $i <= $max_form_search; $i++) { + if (sqGetGlobalVar($indicator_field . '_' . $i, $temp, $search)) { + return sqGetGlobalVar($name . '_' . $i, $value, $search, $default, $typecast); + } + } + + + // no indicator field found; just try without suffix if allowed + // + if ($fallback_no_suffix) { + return sqGetGlobalVar($name, $value, $search, $default, $typecast); + } + + + // no dice, set default and return FALSE + // + if (!is_null($default)) { + $value = $default; + } + return FALSE; + +} + + /** * Search for the var $name in $_SESSION, $_POST, $_GET, $_COOKIE, or $_SERVER * and set it in provided var. @@ -147,9 +278,11 @@ function sqsession_is_registered ($name) { * @param string name the name of the var to search * @param mixed value the variable to return * @param int search constant defining where to look + * @param mixed default the value to assign to $value when nothing is found * @param int typecast force variable to be cast to given type (please * use SQ_TYPE_XXX constants or set to FALSE (default) * to leave variable type unmolested) + * * @return bool whether variable is found. */ function sqgetGlobalVar($name, &$value, $search = SQ_INORDER, $default = NULL, $typecast = false) { @@ -215,15 +348,78 @@ function sqgetGlobalVar($name, &$value, $search = SQ_INORDER, $default = NULL, $ return $result; } +/** + * Get an immutable copy of a configuration variable if SquirrelMail + * is in "secured configuration" mode. This guarantees the caller + * gets a copy of the requested value as it is set in the main + * application configuration (including config_local overrides), and + * not what it might be after possibly having been modified by some + * other code (usually a plugin overriding configuration values for + * one reason or another). + * + * WARNING: Please use this function as little as possible, because + * every time it is called, it forcibly reloads the main configuration + * file(s). + * + * Caller beware that this function will do nothing if SquirrelMail + * is not in "secured configuration" mode per the $secured_config + * setting. + * + * @param string $var_name The name of the desired variable + * + * @return mixed The desired value + * + * @since 1.5.2 + * + */ +function get_secured_config_value($var_name) { + + static $return_values = array(); + + // if we can avoid it, return values that have + // already been retrieved (so we don't have to + // include the config file yet again) + // + if (isset($return_values[$var_name])) { + return $return_values[$var_name]; + } + + + // load site configuration + // + require(SM_PATH . 'config/config.php'); + + // load local configuration overrides + // + if (file_exists(SM_PATH . 'config/config_local.php')) { + require(SM_PATH . 'config/config_local.php'); + } + + // if SM isn't in "secured configuration" mode, + // just return the desired value from the global scope + // + if (!$secured_config) { + global $$var_name; + $return_values[$var_name] = $$var_name; + return $$var_name; + } + + // else we return what we got from the config file + // + $return_values[$var_name] = $$var_name; + return $$var_name; + +} + /** * Deletes an existing session, more advanced than the standard PHP * session_destroy(), it explicitly deletes the cookies and global vars. * * WARNING: Older PHP versions have some issues with session management. - * See http://bugs.php.net/11643 (warning, spammed bug tracker) and + * See http://bugs.php.net/11643 (warning, spammed bug tracker) and * http://bugs.php.net/13834. SID constant is not destroyed in PHP 4.1.2, - * 4.2.3 and maybe other versions. If you restart session after session - * is destroyed, affected PHP versions produce PHP notice. Bug should + * 4.2.3 and maybe other versions. If you restart session after session + * is destroyed, affected PHP versions produce PHP notice. Bug should * be fixed only in 4.3.0 */ function sqsession_destroy() { @@ -239,11 +435,10 @@ function sqsession_destroy() { * merging of sessions. */ - global $base_uri; + global $base_uri, $_COOKIE, $_SESSION; - if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri); - if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri); - if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri); + if (isset($_COOKIE[session_name()]) && session_name()) sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri); + if (isset($_COOKIE['key']) && $_COOKIE['key']) sqsetcookie('key','SQMTRASH',1,$base_uri); $sessid = session_id(); if (!empty( $sessid )) { @@ -257,33 +452,46 @@ function sqsession_destroy() { * start a session up. php.net doesn't tell you that $_SESSION * (even though autoglobal), is not created unless a session is * started, unlike $_POST, $_GET and such + * Update: (see #1685031) the session ID is left over after the + * session is closed in some PHP setups; this function just becomes + * a passthru to sqsession_start(), but leaving old code in for + * edification. */ function sqsession_is_active() { - $sessid = session_id(); - if ( empty( $sessid ) ) { + //$sessid = session_id(); + //if ( empty( $sessid ) ) { sqsession_start(); - } + //} } /** * Function to start the session and store the cookie with the session_id as * HttpOnly cookie which means that the cookie isn't accessible by javascript * (IE6 only) + * Note that as sqsession_is_active() no longer discriminates as to when + * it calls this function, session_start() has to have E_NOTICE suppression + * (thus the @ sign). */ function sqsession_start() { global $base_uri; - session_start(); + sq_call_function_suppress_errors('session_start'); + // was: @session_start(); $session_id = session_id(); - // session_starts sets the sessionid cookie buth without the httponly var + // session_starts sets the sessionid cookie but without the httponly var // setting the cookie again sets the httponly cookie attribute - - // disable, @see sqsetcookie and php 5.1.2 - // sqsetcookie(session_name(),session_id(),false,$base_uri); + // + // need to check if headers have been sent, since sqsession_is_active() + // has become just a passthru to this function, so the sqsetcookie() + // below is called every time, even after headers have already been sent + // + if (!headers_sent()) + sqsetcookie(session_name(),$session_id,false,$base_uri); } + /** * Set a cookie * @param string $sName The name of the cookie. @@ -295,61 +503,39 @@ function sqsession_start() { * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only) * @return void */ -function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true,$bFlush=false) { - static $sCookieCache; - if (!isset($sCache)) { - $sCache = ''; - } - /** - * We have to send all cookies with one header call otherwise we loose cookies. - * In order to achieve that the sqsetcookieflush function calls this function with $bFlush = true. - * If that happens we send the cookie header. - */ - if ($bFlush) { - // header($sCookieCache); - return; +function sqsetcookie($sName,$sValue='deleted',$iExpire=0,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) { + // if we have a secure connection then limit the cookies to https only. + if ($sName && isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']) { + $bSecure = true; } - if (!$sName) return; - - // php 5.1.2 and 4.4.2 do not allow to send multiple headers at once. - // Because that's the only way to get this thing working we fallback to - // setcookie until we solved this - if ($iExpire===false) $iExpire = 0; - setcookie($sName, $sValue, $iExpire, $sPath); - return; - - $sHeader = "Set-Cookie: $sName=$sValue"; - if ($sPath) { - $sHeader .= "; path=$sPath"; - } - if ($iExpire !== false) { - $sHeader .= "; Max-Age=$iExpire"; - // php uses Expire header, also add the expire header - $sHeader .= "; expires=". gmdate('D, d-M-Y H:i:s T',$iExpire); - } - if ($sDomain) { - $sHeader .= "; Domain=$sDomain"; - } - // TODO: IE for Mac (5.2) thinks that semicolon is part of cookie domain - if ($bSecure) { - $sHeader .= "; Secure"; - } - if ($bHttpOnly) { - $sHeader .= "; HttpOnly"; - } - // $sHeader .= "; Version=1"; - $sCookieCache .= $sHeader ."\r\n"; - //header($sHeader."\r\n"); -} -/** - * Send the cookie header - * - * Cookies set with sqsetcookie will bet set after a sqsetcookieflush call. - * @return void - */ -function sqsetcookieflush() { - sqsetcookie('','','','','','','',true); + // admin config can override the restriction of secure-only cookies + global $only_secure_cookies; + if (!$only_secure_cookies) + $bSecure = false; + + if (false && check_php_version(5,2)) { + // php 5 supports the httponly attribute in setcookie, but because setcookie seems a bit + // broken we use the header function for php 5.2 as well. We might change that later. + //setcookie($sName,$sValue,(int) $iExpire,$sPath,$sDomain,$bSecure,$bHttpOnly); + } else { + if (!empty($sDomain)) { + // Fix the domain to accept domains with and without 'www.'. + if (strtolower(substr($sDomain, 0, 4)) == 'www.') $sDomain = substr($sDomain, 4); + $sDomain = '.' . $sDomain; + + // Remove port information. + $Port = strpos($sDomain, ':'); + if ($Port !== false) $sDomain = substr($sDomain, 0, $Port); + } + if (!$sValue) $sValue = 'deleted'; + header('Set-Cookie: ' . rawurlencode($sName) . '=' . rawurlencode($sValue) + . (empty($iExpire) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s', $iExpire) . ' GMT') + . (empty($sPath) ? '' : '; path=' . $sPath) + . (empty($sDomain) ? '' : '; domain=' . $sDomain) + . (!$bSecure ? '' : '; secure') + . (!$bHttpOnly ? '' : '; HttpOnly'), false); + } } /** @@ -429,3 +615,238 @@ function php_self () { return ''; } + + +/** + * Find files and/or directories in a given directory optionally + * limited to only those with the given file extension. If the + * directory is not found or cannot be opened, no error is generated; + * only an empty file list is returned. +FIXME: do we WANT to throw an error or a notice or... or return FALSE? + * + * @param string $directory_path The path (relative or absolute) + * to the desired directory. + * @param mixed $extension The file extension filter - either + * an array of desired extension(s), + * or a comma-separated list of same + * (optional; default is to return + * all files (dirs). + * @param boolean $return_filenames_only When TRUE, only file/dir names + * are returned, otherwise the + * $directory_path string is + * prepended to each file/dir in + * the returned list (optional; + * default is filename/dirname only) + * @param boolean $include_directories When TRUE, directories are + * included (optional; default + * DO include directories). + * @param boolean $directories_only When TRUE, ONLY directories + * are included (optional; default + * is to include files too). + * @param boolean $separate_files_and_directories When TRUE, files and + * directories are returned + * in separate lists, so + * the return value is + * formatted as a two-element + * array with the two keys + * "FILES" and "DIRECTORIES", + * where corresponding values + * are lists of either all + * files or all directories + * (optional; default do not + * split up return array). + * @param boolean $only_sm When TRUE, a security check will + * limit directory access to only + * paths within the SquirrelMail + * installation currently being used + * (optional; default TRUE) + * + * @return array The requested file/directory list(s). + * + * @since 1.5.2 + * + */ +function list_files($directory_path, $extensions='', $return_filenames_only=TRUE, + $include_directories=TRUE, $directories_only=FALSE, + $separate_files_and_directories=FALSE, $only_sm=TRUE) { + + $files = array(); + $directories = array(); + + + // make sure requested path is under SM_PATH if needed + // + if ($only_sm) { + if (strpos(realpath($directory_path), realpath(SM_PATH)) !== 0) { + //plain_error_message(_("Illegal filesystem access was requested")); + echo _("Illegal filesystem access was requested"); + exit; + } + } + + + // validate given directory + // + if (empty($directory_path) + || !is_dir($directory_path) + || !($DIR = opendir($directory_path))) { + return $files; + } + + + // ensure extensions is an array and is properly formatted + // + if (!empty($extensions)) { + if (!is_array($extensions)) + $extensions = explode(',', $extensions); + $temp_extensions = array(); + foreach ($extensions as $ext) + $temp_extensions[] = '.' . trim(trim($ext), '.'); + $extensions = $temp_extensions; + } else $extensions = array(); + + + $directory_path = rtrim($directory_path, '/'); + + + // parse through the files + // + while (($file = readdir($DIR)) !== false) { + + if ($file == '.' || $file == '..') continue; + + if (!empty($extensions)) + foreach ($extensions as $ext) + if (strrpos($file, $ext) !== (strlen($file) - strlen($ext))) + continue 2; + + // only use is_dir() if we really need to (be as efficient as possible) + // + $is_dir = FALSE; + if (!$include_directories || $directories_only + || $separate_files_and_directories) { + if (is_dir($directory_path . '/' . $file)) { + if (!$include_directories) continue; + $is_dir = TRUE; + $directories[] = ($return_filenames_only + ? $file + : $directory_path . '/' . $file); + } + if ($directories_only) continue; + } + + if (!$separate_files_and_directories + || ($separate_files_and_directories && !$is_dir)) { + $files[] = ($return_filenames_only + ? $file + : $directory_path . '/' . $file); + } + + } + closedir($DIR); + + + if ($directories_only) return $directories; + if ($separate_files_and_directories) return array('FILES' => $files, + 'DIRECTORIES' => $directories); + return $files; + +} + + +/** + * Print variable + * + * sm_print_r($some_variable, [$some_other_variable [, ...]]); + * + * Debugging function - does the same as print_r, but makes sure special + * characters are converted to htmlentities first. This will allow + * values like to be displayed. + * The output is wrapped in <
> and <
> tags. + * Since 1.4.2 accepts unlimited number of arguments. + * @since 1.4.1 + * @return void + */ +function sm_print_r() { + ob_start(); // Buffer output + foreach(func_get_args() as $var) { + print_r($var); + echo "\n"; + // php has get_class_methods function that can print class methods + if (is_object($var)) { + // get class methods if $var is object + $aMethods=get_class_methods(get_class($var)); + // make sure that $aMethods is array and array is not empty + if (is_array($aMethods) && $aMethods!=array()) { + echo "Object methods:\n"; + foreach($aMethods as $method) { + echo '* ' . $method . "\n"; + } + } + echo "\n"; + } + } + $buffer = ob_get_contents(); // Grab the print_r output + ob_end_clean(); // Silently discard the output & stop buffering + print '
';
+    print htmlentities($buffer);
+    print '
'; +} + + +/** + * Sanitize a value using htmlspecialchars() or similar, but also + * recursively run htmlspecialchars() (or similar) on array keys + * and values. + * + * If $value is not a string or an array with strings in it, + * the value is returned as is. + * + * @param mixed $value The value to be sanitized. + * @param mixed $quote_style Either boolean or an integer. If it + * is an integer, it must be the PHP + * constant indicating if/how to escape + * quotes: ENT_QUOTES, ENT_COMPAT, or + * ENT_NOQUOTES. If it is a boolean value, + * it must be TRUE and thus indicates + * that the only sanitizing to be done + * herein is to replace single and double + * quotes with ' and ", no other + * changes are made to $value. If it is + * boolean and FALSE, behavior reverts + * to same as if the value was ENT_QUOTES + * (OPTIONAL; default is ENT_QUOTES). + * + * @return mixed The sanitized value. + * + * @since 1.5.2 + * + **/ +function sq_htmlspecialchars($value, $quote_style=ENT_QUOTES) { + + if ($quote_style === FALSE) $quote_style = ENT_QUOTES; + + // array? go recursive... + // + if (is_array($value)) { + $return_array = array(); + foreach ($value as $key => $val) { + $return_array[sq_htmlspecialchars($key, $quote_style)] + = sq_htmlspecialchars($val, $quote_style); + } + return $return_array; + + // sanitize strings only + // + } else if (is_string($value)) { + if ($quote_style === TRUE) + return str_replace(array('\'', '"'), array(''', '"'), $value); + else + return htmlspecialchars($value, $quote_style); + } + + // anything else gets returned with no changes + // + return $value; + +}