X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=functions%2Fimap_general.php;h=3b355f9e2c2dd5226fff9cd4fd3580f843890fce;hp=6011497ebb5f151bd77b3276f29709b365138d70;hb=HEAD;hpb=935d09e135efa05b02313fea08794139c8963ec7 diff --git a/functions/imap_general.php b/functions/imap_general.php index 6011497e..3b355f9e 100755 --- a/functions/imap_general.php +++ b/functions/imap_general.php @@ -5,7 +5,7 @@ * * This implements all functions that do general IMAP functions. * - * @copyright © 1999-2007 The SquirrelMail Project Team + * @copyright 1999-2022 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -60,11 +60,14 @@ function sqimap_run_command_list ($imap_stream, $query, $handle_errors, &$respon $message = $message[$tag]; $response = $response[$tag]; return $read[$tag]; +//FIXME: obey $handle_errors below! } else { global $squirrelmail_language, $color; set_up_language($squirrelmail_language); +//FIXME: NO HTML IN CORE! $string = "\n" . _("ERROR: No available IMAP stream.") . +//FIXME: NO HTML IN CORE! "\n"; error_box($string); return false; 
@@ -106,15 +109,33 @@ function sqimap_run_command ($imap_stream, $query, $handle_errors, &$response, $message = $message[$tag]; if (!empty($read[$tag])) { + /* sqimap_read_data should be called for one response + but since it just calls sqimap_retrieve_imap_response + which handles multiple responses we need to check for + that and merge the $read[$tag] array IF they are + separated and IF it was a FETCH response. */ + + if (isset($read[$tag][1]) && is_array($read[$tag][1]) && isset($read[$tag][1][0]) + && preg_match('/^\* \d+ FETCH/', $read[$tag][1][0])) { + $result = array(); + foreach($read[$tag] as $index => $value) { + $result = array_merge($result, $read[$tag]["$index"]); + } + return $result; + } + return $read[$tag][0]; } else { return $read[$tag]; } +//FIXME: obey $handle_errors below! } else { global $squirrelmail_language, $color; set_up_language($squirrelmail_language); +//FIXME: NO HTML IN CORE! $string = "\n" . _("ERROR: No available IMAP stream.") . +//FIXME: NO HTML IN CORE! "\n"; error_box($string); return false; @@ -316,8 +337,10 @@ function sqimap_read_data_list($imap_stream, $tag, $handle_errors, &$response, &$message, $query = '') { global $color, $oTemplate, $squirrelmail_language; set_up_language($squirrelmail_language); +//FIXME: NO HTML IN CORE! $string = "\n" . _("ERROR: Bad function call.") . +//FIXME: NO HTML IN CORE! "
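Review bot: In the added FETCH merge in sqimap_run_command, only `$read[$tag][1]` is checked with is_array() before every element of `$read[$tag]` is handed to array_merge(), so a non-array element makes the merge fail (a warning and NULL result on PHP 7, a TypeError on PHP 8) instead of being skipped. The loop can also use the value it already has rather than re-indexing with a quoted key: `foreach ($read[$tag] as $value) { if (is_array($value)) $result = array_merge($result, $value); }`. The function body starts and ends outside this hunk.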
\n" . _("Reason:") . ' '. 'There is a plugin installed which make use of the
' . @@ -325,7 +348,8 @@ function sqimap_read_data_list($imap_stream, $tag, $handle_errors, 'Please adapt the installed plugin and let it use
'. 'sqimap_run_command or sqimap_run_command_list instead

'. 'The following query was issued:
'. - htmlspecialchars($query) . '
' . "

\n"; +//FIXME: NO HTML IN CORE! + sm_encode_html_special_chars($query) . '
' . "
\n"; error_box($string); $oTemplate->display('footer.tpl'); exit; @@ -346,16 +370,18 @@ function sqimap_error_box($title, $query = '', $message_title = '', $message = ' global $color, $squirrelmail_language; set_up_language($squirrelmail_language); +//FIXME: NO HTML IN CORE! $string = "\n" . $title . "
\n"; $cmd = explode(' ',$query); $cmd= strtolower($cmd[0]); if ($query != '' && $cmd != 'login') - $string .= _("Query:") . ' ' . htmlspecialchars($query) . '
'; + $string .= _("Query:") . ' ' . sm_encode_html_special_chars($query) . '
'; if ($message_title != '') $string .= $message_title; if ($message != '') - $string .= htmlspecialchars($message); + $string .= sm_encode_html_special_chars($message); +//FIXME: NO HTML IN CORE! $string .= "

\n"; if ($link != '') $string .= $link; @@ -384,7 +410,7 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, $read = ''; if (!is_array($message)) $message = array(); if (!is_array($response)) $response = array(); - $aResponse = ''; + $aResponse = array(); $resultlist = array(); $data = array(); $sCommand = ''; @@ -396,7 +422,7 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, $read = sqimap_fgets($imap_stream); $i = 0; while ($read) { - $char = $read{0}; + $char = $read[0]; switch ($char) { case '+': @@ -404,7 +430,7 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, $read = sqimap_fgets($imap_stream); break; - case $tag{0}: + case $tag[0]: { /* get the command */ $arg = ''; @@ -452,7 +478,7 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, break 2; /* switch while */ } break; - } // end case $tag{0} + } // end case $tag[0] case '*': { @@ -504,11 +530,11 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, break 4; /* while while switch while */ } /* check for next untagged reponse and break */ - if ($read{0} == '*') break 2; + if ($read[0] == '*') break 2; $s = substr($read,-3); } while ($s === "}\r\n" || $read_literal); $s = substr($read,-3); - } while ($read{0} !== '*' && + } while ($read[0] !== '*' && substr($read,0,strlen($tag)) !== $tag); $resultlist[] = $fetch_data; /* release not neaded data */ @@ -540,7 +566,7 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, $read = sqimap_fgets($imap_stream); if ($read === false) { break 3; /* while switch while */ - } else if ($read{0} == '*') { + } else if ($read[0] == '*') { break; } $s = substr($read,-3); 
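Review bot: sqimap_error_box encodes `$query` and `$message`, but `$title`, `$message_title` and `$link` are still concatenated into `$string` as-is, so the function is only safe while every caller passes trusted text in those three arguments. The docblock (outside this hunk) should say so, for example `@param string $title error title; inserted without HTML encoding, must not carry server- or user-supplied text`, with the same remark on `$message_title` and `$link`. The callers visible in this diff pass translated literals, which fits that contract.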
@@ -561,6 +587,7 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, $query = ''; } sqimap_error_box(_("ERROR: IMAP server closed the connection."), $query, _("Server responded:"),$sResponse); +//FIXME: NO HTML IN CORE! echo ''; exit; } else if ($handle_errors) { @@ -589,20 +616,34 @@ function sqimap_retrieve_imap_response($imap_stream, $tag, $handle_errors, case 'NO': /* ignore this error from M$ exchange, it is not fatal (aka bug) */ if (strstr($message[$tag], 'command resulted in') === false) { + sqsession_register('NO', 'IMAP_FATAL_ERROR_TYPE'); + sqsession_register($query, 'IMAP_FATAL_ERROR_QUERY'); + sqsession_register($message[$tag], 'IMAP_FATAL_ERROR_MESSAGE'); sqimap_error_box(_("ERROR: Could not complete request."), $query, _("Reason Given:") . ' ', $message[$tag]); echo ''; exit; } break; case 'BAD': + sqsession_register('BAD', 'IMAP_FATAL_ERROR_TYPE'); + sqsession_register($query, 'IMAP_FATAL_ERROR_QUERY'); + sqsession_register($message[$tag], 'IMAP_FATAL_ERROR_MESSAGE'); sqimap_error_box(_("ERROR: Bad or malformed request."), $query, _("Server responded:") . ' ', $message[$tag]); +//FIXME: NO HTML IN CORE! echo ''; exit; case 'BYE': + sqsession_register('BYE', 'IMAP_FATAL_ERROR_TYPE'); + sqsession_register($query, 'IMAP_FATAL_ERROR_QUERY'); + sqsession_register($message[$tag], 'IMAP_FATAL_ERROR_MESSAGE'); sqimap_error_box(_("ERROR: IMAP server closed the connection."), $query, _("Server responded:") . ' ', $message[$tag]); +//FIXME: NO HTML IN CORE! echo ''; exit; default: + sqsession_register('UNKNOWN', 'IMAP_FATAL_ERROR_TYPE'); + sqsession_register($query, 'IMAP_FATAL_ERROR_QUERY'); + sqsession_register($message[$tag], 'IMAP_FATAL_ERROR_MESSAGE'); sqimap_error_box(_("ERROR: Unknown IMAP response."), $query, _("Server responded:") . ' ', $message[$tag]); /* the error is displayed but because we don't know the reponse we return the result anyway */ 
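Review bot: The added `sqsession_register($query, 'IMAP_FATAL_ERROR_QUERY')` calls in the NO, BAD, BYE and default cases store the query in the session verbatim, whereas sqimap_error_box() in this same file leaves the query out when its first word is `login`. If a LOGIN command can ever reach this branch (the callers are outside the hunk, so this is unconfirmed), its credentials would be persisted in session storage; applying the same test first closes that, e.g. `$cmd = explode(' ', $query); if (strtolower($cmd[0]) != 'login') sqsession_register($query, 'IMAP_FATAL_ERROR_QUERY');`. The same three lines are repeated four times and differ only in the type string, so a small helper taking the type would keep them in step.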
@@ -641,10 +682,12 @@ function sqimap_read_data ($imap_stream, $tag_uid, $handle_errors, * @param int port port number to connect to * @param integer $tls whether to use plain text(0), TLS(1) or STARTTLS(2) when connecting. * Argument was boolean before 1.5.1. + * @param array $stream_options Stream context options, see config_local.php + * for more details (OPTIONAL) * @return imap-stream resource identifier * @since 1.5.0 (usable only in 1.5.1 or later) */ -function sqimap_create_stream($server,$port,$tls=0) { +function sqimap_create_stream($server,$port,$tls=0,$stream_options=array()) { global $squirrelmail_language; if (strstr($server,':') && ! preg_match("/^\[.*\]$/",$server)) { @@ -652,10 +695,23 @@ function sqimap_create_stream($server,$port,$tls=0) { $server = '['.$server.']'; } + // NB: Using "ssl://" ensures the highest possible TLS version + // will be negotiated with the server (whereas "tls://" only + // uses TLS version 1.0) + // if ($tls == 1) { if ((check_php_version(4,3)) and (extension_loaded('openssl'))) { - /* Use TLS by prefixing "tls://" to the hostname */ - $server = 'tls://' . $server; + if (function_exists('stream_socket_client')) { + $server_address = 'ssl://' . $server . ':' . $port; + $ssl_context = @stream_context_create($stream_options); + $connect_timeout = ini_get('default_socket_timeout'); + // null timeout is broken + if ($connect_timeout == 0) + $connect_timeout = 15; + $imap_stream = @stream_socket_client($server_address, $error_number, $error_string, $connect_timeout, STREAM_CLIENT_CONNECT, $ssl_context); + } else { + $imap_stream = @fsockopen('ssl://' . $server, $port, $error_number, $error_string, 15); + } } else { require_once(SM_PATH . 'functions/display_messages.php'); logout_error( sprintf(_("Error connecting to IMAP server: %s."), $server). 
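Review bot: In the `$tls == 1` branch of sqimap_create_stream the fsockopen() fallback connects without `$stream_options`, so any certificate settings the administrator configured (for example `cafile` or `verify_peer_name` under the `ssl` key) are silently dropped on installs that lack stream_socket_client(). Failing with logout_error() when `$stream_options` is non-empty and stream_socket_client() is missing would be safer than connecting with defaults. Both connect calls are also prefixed with `@`, which hides handshake and certificate-verification warnings and leaves only `$error_number` and `$error_string` for diagnosis. The `@param array $stream_options` doc should state that the options are expected to leave `verify_peer` and `verify_peer_name` enabled. The comment that `tls://` only uses TLS 1.0 depends on the PHP version and should name the versions it applies to.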
@@ -665,15 +721,17 @@ function sqimap_create_stream($server,$port,$tls=0) { _("Please contact your system administrator and report this error."), sprintf(_("Error connecting to IMAP server: %s."), $server)); } + } else { + $imap_stream = @fsockopen($server, $port, $error_number, $error_string, 15); } - $imap_stream = @fsockopen($server, $port, $error_number, $error_string, 15); /* Do some error correction */ if (!$imap_stream) { set_up_language($squirrelmail_language, true); require_once(SM_PATH . 'functions/display_messages.php'); logout_error( sprintf(_("Error connecting to IMAP server: %s."), $server). +//FIXME: NO HTML IN CORE! "
\r\n$error_number : $error_string
\r\n", sprintf(_("Error connecting to IMAP server: %s."), $server) ); exit; @@ -764,13 +822,16 @@ function sqimap_create_stream($server,$port,$tls=0) { * 1 = show no errors (just exit) * 2 = show no errors (return FALSE) * 3 = show no errors (return error string) + * @param array $stream_options Stream context options, see config_local.php + * for more details (OPTIONAL) * @return mixed The IMAP connection stream, or if the connection fails, * FALSE if $hide is set to 2 or an error string if $hide * is set to 3. */ -function sqimap_login ($username, $password, $imap_server_address, $imap_port, $hide) { +function sqimap_login ($username, $password, $imap_server_address, + $imap_port, $hide, $stream_options=array()) { global $color, $squirrelmail_language, $onetimepad, $use_imap_tls, - $imap_auth_mech, $sqimap_capabilities; + $imap_auth_mech, $sqimap_capabilities, $display_imap_login_error; // Note/TODO: This hack grabs the $authz argument from the session. In the short future, // a new argument in function sqimap_login() will be used instead. @@ -816,7 +877,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ $host = $imap_server_address; $imap_server_address = sqimap_get_user_server($imap_server_address, $username); - $imap_stream = sqimap_create_stream($imap_server_address,$imap_port,$use_imap_tls); + $imap_stream = sqimap_create_stream($imap_server_address,$imap_port,$use_imap_tls,$stream_options); if (($imap_auth_mech == 'cram-md5') OR ($imap_auth_mech == 'digest-md5')) { // We're using some sort of authentication OTHER than plain or login 
@@ -847,6 +908,11 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ $read=sqimap_fgets($imap_stream); } } + // IMAP server might return some untagged info before + // the tagged login command response - skip over that + while ($read[0] === '*') { + $read = sqimap_fgets($imap_stream); + } $results=explode(" ",$read,3); $response=$results[1]; $message=$results[2]; @@ -875,7 +941,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ * credentials and use that as the authorization identity. */ $tag=sqimap_session_id(false); - $sasl = (isset($sqimap_capabilities['SASL-IR']) && $sqimap_capabilities['SASL-IR']) ? true : false; + $sasl = sqimap_capability($imap_stream, 'SASL-IR'); if(!empty($authz)) { $auth = base64_encode("$username\0$authz\0$password"); } else { @@ -896,6 +962,11 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ $read = sqimap_fgets($imap_stream); } } + // IMAP server might return some untagged info before + // the tagged login command response - skip over that + while ($read[0] === '*') { + $read = sqimap_fgets($imap_stream); + } $results=explode(" ",$read,3); $response=$results[1]; $message=$results[2]; @@ -911,7 +982,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ //FIXME: UUURG... We don't want HTML in error messages, should also do html sanitizing of error messages elsewhere; should't assume output is destined for an HTML browser here if ($response != 'NO') { /* "BAD" and anything else gets reported here. */ - $message = htmlspecialchars($message); + $message = sm_encode_html_special_chars($message); set_up_language($squirrelmail_language, true); if ($response == 'BAD') { if ($hide == 3) return sprintf(_("Bad request: %s"), $message); @@ -923,7 +994,7 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ if (isset($read) && is_array($read)) { $string .= '
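Review bot: The added `while ($read[0] === '*')` loop indexes `$read` without checking that sqimap_fgets() returned a line; elsewhere in this file the result is tested with `$read === false`, so a closed connection falls through to `explode(" ",$read,3)` and leaves `$results[1]` and `$results[2]` undefined. Guarding the loop as `while (is_string($read) && $read !== '' && $read[0] === '*')` and treating a non-string `$read` as a failed login avoids that. The same loop is added again at @@ -896,6 +962,11 and needs the same guard. Neither loop checks that the line it stops on carries the expected tag; the code that sends the tag is outside these hunks.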
' . _("Read data:") . "
\n"; foreach ($read as $line) { - $string .= htmlspecialchars($line) . "
\n"; + $string .= sm_encode_html_special_chars($line) . "
\n"; } } error_box($string); @@ -945,8 +1016,30 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ /* terminate the session nicely */ sqimap_logout($imap_stream); - if ($hide == 3) return _("Unknown user or password incorrect."); - logout_error( _("Unknown user or password incorrect.") ); + + // determine what error message to use + // + $fail_msg = _("Unknown user or password incorrect."); + if ($display_imap_login_error) { + // See if there is an error message from the server + // Skip any rfc5530 response code: '[something]' at the + // start of the message + if (!empty($message) + && $message[0] == '[' + && ($end = strstr($message, ']')) + && $end != ']') { + $message = substr($end, 1); + } + // Remove surrounding spaces and if there + // is anything left, display that as the + // error message: + $message = trim($message); + if (strlen($message)) + $fail_msg = _($message); + } + + if ($hide == 3) return $fail_msg; + logout_error($fail_msg); exit; } } else { 
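Review bot: With `$display_imap_login_error` set, the added block passes the server's `NO` text to `_()` and then to logout_error() (or returns it when `$hide == 3`) without sm_encode_html_special_chars(), which in this function is applied only in the `$response != 'NO'` branch. Unless logout_error() encodes its argument (not visible here), the text should be encoded first, and `_($message)` should not be used because a server-generated string is not a catalog msgid: `$fail_msg = sm_encode_html_special_chars($message);`. The configuration comment for this option should also note that server text may reveal whether the account exists, which the fixed "Unknown user or password incorrect." message avoids.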
@@ -969,6 +1062,128 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ exit; } + // Run ID command if configured - RFC 2971 + // + // Administrator must declare a configuration variable called + // $imap_id_command_args in config/config_local.php which must + // be an array, where each key is an attibute to be sent in the + // IMAP ID command to the server. Values will be sent as-is + // except if the value is "###REMOTE ADDRESS###" (without quotes) + // in which case the current user's real IP address will be + // substituted. If "###X-FORWARDED-FOR###" is used and a + // "X-FORWARDED-FOR" header is present in the client request, + // the contents of that header are used (careful, this can be + // forged). If "###X-FORWARDED-FOR OR REMOTE ADDRESS###" is + // used, then the "X-FORWARDED-FOR" header is used if it is + // present in the request, otherwise, the client's connecting + // IP address is used. The following attributes will always be + // added unless they are specifically overridden with a blank + // value: + // name, vendor, support-url, version + // A parsed representation of server's response is made available + // to plugins as both a global and session variable named + // "imap_server_id_response" (a simple key/value array) unless + // response parsing is turned off by way of setting a variable + // named $do_not_parse_imap_id_command_response in + // config/config_local.php to TRUE, in which case, the stored + // response will be the unparsed IMAP response. 
+ // + global $imap_id_command_args, $do_not_parse_imap_id_command_response; + if (!empty($imap_id_command_args) && is_array($imap_id_command_args) + && sqimap_capability($imap_stream, 'ID')) { + + static $args = array(); + if (empty($args)) { + if (!isset($imap_id_command_args['name'])) + $imap_id_command_args['name'] = 'SquirrelMail'; + if (!isset($imap_id_command_args['vendor'])) + $imap_id_command_args['vendor'] = 'SquirrelMail Project Team'; + if (!isset($imap_id_command_args['support-url'])) + $imap_id_command_args['support-url'] = 'https://squirrelmail.org'; + if (!isset($imap_id_command_args['version'])) { + $imap_id_command_args['version'] = SM_VERSION; + } + foreach ($imap_id_command_args as $key => $value) { + $key = trim($key); + $value = trim($value); + if ($key === '' || $value === '') + continue; + if ($value === '###REMOTE ADDRESS###' && sqGetGlobalVar('REMOTE_ADDR', $remote_addr, SQ_SERVER)) + $value = $remote_addr; + else if ($value === '###X-FORWARDED-FOR###' && sqGetGlobalVar('HTTP_X_FORWARDED_FOR', $remote_addr, SQ_SERVER)) + $value = $remote_addr; + else if ($value === '###X-FORWARDED-FOR OR REMOTE ADDRESS###') { + if (sqGetGlobalVar('HTTP_X_FORWARDED_FOR', $remote_addr, SQ_SERVER)) + $value = $remote_addr; + else if (sqGetGlobalVar('REMOTE_ADDR', $remote_addr, SQ_SERVER)) + $value = $remote_addr; + } + else if ($value === '###REMOTE ADDRESS###' && sqGetGlobalVar('REMOTE_ADDR', $remote_addr, SQ_SERVER)) { + $value = $remote_addr; + } + $args[] = '"' . str_replace(array('"', '\\'), array('\\"', '\\\\'), $key) + . '" "' . str_replace(array('"', '\\'), array('\\"', '\\\\'), $value) . '"'; + } + } + $read_ary = sqimap_run_command($imap_stream, 'ID (' . implode(' ', $args) . 
')', false, $response, $message); + if (!empty($read_ary) && is_array($read_ary)) { + global $imap_server_id_response; + if ($do_not_parse_imap_id_command_response) + $imap_server_id_response = $read_ary; + else + { + $imap_server_id_response = array(); + + // NOTE that this parser ignores closing ) sign, so + // technically some kind of malformed server + // response could cause extra junk to be included here + foreach ($read_ary as $info) + { + $parsed_info = explode('(', $info, 2); + if (!empty($parsed_info[1])) + { + // find opening quote for the next key name + while ($parsed_info = explode('"', $parsed_info[1], 2)) + { + if (empty($parsed_info[1])) + break; + else + { + // find closing quote for the key name + $pos = strpos($parsed_info[1], '"'); + if ($pos === FALSE) + break; + else + { + $key = substr($parsed_info[1], 0, $pos); + $parsed_info[1] = substr($parsed_info[1], $pos + 1); + + // find opening quote for the key's value + $parsed_info = explode('"', $parsed_info[1], 2); + if (empty($parsed_info[1])) + break; + else + { + // find closing quote for the key's value + $pos = strpos($parsed_info[1], '"'); + if ($pos === FALSE) + break; + else + { + $imap_server_id_response[$key] = substr($parsed_info[1], 0, $pos); + $parsed_info[1] = substr($parsed_info[1], $pos + 1); + } + } + } + } + } + } + } + } + sqsession_register($imap_server_id_response, 'imap_server_id_response'); + } + } + return $imap_stream; } @@ -980,8 +1195,10 @@ function sqimap_login ($username, $password, $imap_server_address, $imap_port, $ function sqimap_logout ($imap_stream) { /* Logout is not valid until the server returns 'BYE' * If we don't have an imap_ stream we're already logged out */ - if(isset($imap_stream) && $imap_stream) + if(isset($imap_stream) && $imap_stream) { sqimap_run_command($imap_stream, 'LOGOUT', false, $response, $message); + fclose($imap_stream); + } } /** 
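Review bot: The quoting of `$key` and `$value` for the ID command escapes in the wrong order: str_replace() applies array replacements one after another, so `"` first becomes `\"` and the second pass then doubles that backslash, which leaves the quote unescaped inside the IMAP quoted string. Escaping the backslash first fixes it, `str_replace(array('\\', '"'), array('\\\\', '\\"'), $value)`, and the same for `$key`. Because `###X-FORWARDED-FOR###` substitutes a client-controlled header, values containing CR, LF or other control characters should be skipped before quoting, and the RFC 2971 limits (30 octets per field name, 1024 per value, 30 pairs) enforced. The final `else if ($value === '###REMOTE ADDRESS###' ...)` repeats the first condition and can never run. sqimap_login starts outside this hunk.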
@@ -1049,7 +1266,7 @@ function sqimap_get_delimiter ($imap_stream = false) { /* Do some caching here */ if (!$sqimap_delimiter) { - if (sqimap_capability($imap_stream, 'NAMESPACE')) { + if (sqimap_capability($imap_stream, 'NAMESPACE') /* * According to something that I can't find, this is supposed to work on all systems * OS: This won't work in Courier IMAP. @@ -1059,22 +1276,21 @@ function sqimap_get_delimiter ($imap_stream = false) { * * TODO: remove this in favour of the information from sqimap_get_namespace() */ - $read = sqimap_run_command($imap_stream, 'NAMESPACE', true, $a, $b); - if (eregi('\\* NAMESPACE +(\\( *\\(.+\\) *\\)|NIL) +(\\( *\\(.+\\) *\\)|NIL) +(\\( *\\(.+\\) *\\)|NIL)', $read[0], $data)) { - if (eregi('^\\( *\\((.*)\\) *\\)', $data[1], $data2)) { - $pn = $data2[1]; - } - $pna = explode(')(', $pn); - while (list($k, $v) = each($pna)) { - $lst = explode('"', $v); - if (isset($lst[3])) { - $pn[$lst[1]] = $lst[3]; - } else { - $pn[$lst[1]] = ''; - } + && ($read = sqimap_run_command($imap_stream, 'NAMESPACE', true, $a, $b)) + && preg_match('/\* NAMESPACE +(\( *\(.+\) *\)|NIL) +(\( *\(.+\) *\)|NIL) +(\( *\(.+\) *\)|NIL)/i', $read[0], $data) + && preg_match('/^\( *\((.*)\) *\)/', $data[1], $data2)) { + $pn = $data2[1]; + $pna = explode(')(', $pn); + $delnew = array(); + foreach ($pna as $v) { + $lst = explode('"', $v); + if (isset($lst[3])) { + $delnew[$lst[1]] = $lst[3]; + } else { + $delnew[$lst[1]] = ''; } } - $sqimap_delimiter = $pn[0]; + $sqimap_delimiter = array_shift($delnew); } else { fputs ($imap_stream, ". LIST \"INBOX\" \"\"\r\n"); $read = sqimap_read_data($imap_stream, '.', true, $a, $b); 
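Review bot: In the rewritten NAMESPACE branch of sqimap_get_delimiter, `array_shift($delnew)` yields NULL when no namespace entry was parsed and `''` when the entry has no `$lst[3]`, and in both cases `$sqimap_delimiter` stays empty with no fall-through to the `LIST "INBOX" ""` branch. `$lst[1]` is also read without an isset() check, so an entry with no quoted prefix raises an undefined-offset notice. Taking the delimiter only when `isset($lst[1])` holds and the shifted value is non-empty, and otherwise running the LIST query, would cover both cases. The condition change at @@ -1049,7 +1266,7 is part of the same rewrite, and the function continues outside these hunks.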
@@ -1123,13 +1339,13 @@ function sqimap_parse_namespace(&$input) { $ns_strings = array(1=>'personal', 2=>'users', 3=>'shared'); $namespace = array(); - if(ereg('NAMESPACE (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL)', $input, $regs) !== false) { + if (preg_match('/NAMESPACE (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL)/', $input, $regs)) { for($i=1; $i<=3; $i++) { if($regs[$i] == 'NIL') { $namespace[$ns_strings[$i]] = array(); } else { // Pop-out the first ( and last ) for easier parsing - $ns = substr($regs[$i], 1, sizeof($regs[$i])-2); + $ns = substr($regs[$i], 1, -1); if($c = preg_match_all('/\((?:(.*?)\s*?)\)/', $ns, $regs2)) { $namespace[$ns_strings[$i]] = array(); for($j=0; $j