X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=functions%2Fstrings.php;h=c2a33e07accbd63cff647da18b81c78461a735ec;hp=fcc61b92db4eee298c8a5331a225bf9b662c1296;hb=14095490f3fb6743e538dd464ec217f583a04568;hpb=ae5dddc065f9501f267c4edaf68a066835da915f diff --git a/functions/strings.php b/functions/strings.php index fcc61b92..c2a33e07 100644 --- a/functions/strings.php +++ b/functions/strings.php @@ -6,7 +6,7 @@ * This code provides various string manipulation functions that are * used by the rest of the SquirrelMail code. * - * @copyright 1999-2011 The SquirrelMail Project Team + * @copyright 1999-2021 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -136,7 +136,7 @@ function &sqBodyWrap (&$body, $wrap) { // (i.e. try to preserve original paragraph breaks) // unless they occur at the very beginning of the text if ((sq_substr($body,$pos,1) == "\n" ) && (sq_strlen($outString) != 0)) { - $outStringLast = $outString{sq_strlen($outString) - 1}; + $outStringLast = $outString[sq_strlen($outString) - 1]; if ($outStringLast != "\n") { $outString .= "\n"; } @@ -227,7 +227,7 @@ function &sqBodyWrap (&$body, $wrap) { /* $ldnspacecnt = 0; if ($mypos == $nextNewline+1) { - while (($mypos < $length) && ($body{$mypos} == ' ')) { + while (($mypos < $length) && ($body[$mypos] == ' ')) { $ldnspacecnt++; } } @@ -236,9 +236,9 @@ function &sqBodyWrap (&$body, $wrap) { $firstword = sq_substr($body,$mypos,sq_strpos($body,' ',$mypos) - $mypos); //if ($dowrap || $ldnspacecnt > 1 || ($firstword && ( if (!$smartwrap || $firstword && ( - $firstword{0} == '-' || - $firstword{0} == '+' || - $firstword{0} == '*' || + $firstword[0] == '-' || + $firstword[0] == '+' || + $firstword[0] == '*' || sq_substr($firstword,0,1) == sq_strtoupper(sq_substr($firstword,0,1)) || strpos($firstword,':'))) { $outString .= sq_substr($body,$pos,($lastRealChar - $pos+1)); @@ -474,12 +474,7 @@ function get_location () { $is_secure_connection, $sq_ignore_http_x_forwarded_headers; /* Get the path, handle virtual directories */ - if(strpos(php_self(), '?')) { - $path = substr(php_self(), 0, strpos(php_self(), '?')); - } else { - $path = php_self(); - } - $path = substr($path, 0, strrpos($path, '/')); + $path = substr(php_self(FALSE), 0, strrpos(php_self(FALSE), '/')); // proto+host+port are already set in config: if ( !empty($config_location_base) ) { @@ -659,18 +654,19 @@ function OneTimePadCreate ($length=100) { * a more easily digested (readable) format * * @param int $bytes the size in bytes + * @param int $filesize_divisor the divisor we'll use (OPTIONAL; default 1024) * * @return string The size in human readable format * * @since 1.0 * */ -function show_readable_size($bytes) { - $bytes /= 1024; +function show_readable_size($bytes, $filesize_divisor=1024) { + $bytes /= $filesize_divisor; $type = _("KiB"); - if ($bytes / 1024 > 1) { - $bytes /= 1024; + if ($bytes / $filesize_divisor > 1) { + $bytes /= $filesize_divisor; $type = _("MiB"); } @@ -717,7 +713,7 @@ function GenerateRandomString($size, $chars, $flags = 0) { $String = ''; $j = strlen( $chars ) - 1; while (strlen($String) < $size) { - $String .= $chars{mt_rand(0, $j)}; + $String .= $chars[mt_rand(0, $j)]; } return $String; @@ -731,7 +727,7 @@ function GenerateRandomString($size, $chars, $flags = 0) { * @since 1.0.3 */ function quoteimap($str) { - return preg_replace("/([\"\\\\])/", "\\\\$1", $str); + return str_replace(array('\\', '"'), array('\\\\', '\\"'), $str); } /** @@ -1481,7 +1477,7 @@ function sm_truncate_string($string, $max_chars, $elipses='', * list ("old" is 2 days or * older unless the administrator * overrides that value using - * $max_security_token_age in + * $max_token_age_days in * config/config_local.php) * (OPTIONAL; default is to always * purge old tokens) @@ -1494,7 +1490,8 @@ function sm_truncate_string($string, $max_chars, $elipses='', function sm_get_user_security_tokens($purge_old=TRUE) { - global $data_dir, $username, $max_token_age_days; + global $data_dir, $username, $max_token_age_days, + $use_expiring_security_tokens; $tokens = getPref($data_dir, $username, 'security_tokens', ''); if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens)) @@ -1521,7 +1518,26 @@ function sm_get_user_security_tokens($purge_old=TRUE) /** * Generates a security token that is then stored in * the user's preferences with a timestamp for later - * verification/use. + * verification/use (although session-based tokens + * are not stored in user preferences). + * + * NOTE: By default SquirrelMail will use a single session-based + * token, but if desired, user tokens can have expiration + * dates associated with them and become invalid even during + * the same login session. When in that mode, the note + * immediately below applies, otherwise it is irrelevant. + * To enable that mode, the administrator must add the + * following to config/config_local.php: + * $use_expiring_security_tokens = TRUE; + * + * NOTE: The administrator can force SquirrelMail to generate + * a new token every time one is requested (which may increase + * obscurity through token randomness at the cost of some + * performance) by adding the following to + * config/config_local.php: $do_not_use_single_token = TRUE; + * Otherwise, only one token will be generated per user which + * will change only after it expires or is used outside of the + * validity period specified when calling sm_validate_security_token() * * WARNING: If the administrator has turned the token system * off by setting $disable_security_tokens to TRUE in @@ -1530,19 +1546,42 @@ function sm_get_user_security_tokens($purge_old=TRUE) * preferences (but it will still generate and return * a random string). * + * @param boolean $force_generate_new When TRUE, a new token will + * always be created even if current + * configuration dictates otherwise + * (OPTIONAL; default FALSE) + * * @return string A security token * * @since 1.4.19 and 1.5.2 * */ -function sm_generate_security_token() +function sm_generate_security_token($force_generate_new=FALSE) { - global $data_dir, $username, $disable_security_tokens; + global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token, + $use_expiring_security_tokens; $max_generation_tries = 1000; + // if we're using session-based tokens, just return + // the same one every time (generate it if it's not there) + // + if (!$use_expiring_security_tokens) + { + if (sqgetGlobalVar('sm_security_token', $token, SQ_SESSION)) + return $token; + + // create new one since there was none in session + $token = GenerateRandomString(12, '', 7); + sqsession_register($token, 'sm_security_token'); + return $token; + } + $tokens = sm_get_user_security_tokens(); + if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens)) + return key($tokens); + $new_token = GenerateRandomString(12, '', 7); $count = 0; while (isset($tokens[$new_token])) @@ -1573,9 +1612,12 @@ function sm_generate_security_token() * is too old but otherwise valid, it will still be rejected. * * "Too old" is 2 days or older unless the administrator - * overrides that value using $max_security_token_age in + * overrides that value using $max_token_age_days in * config/config_local.php * + * Session-based tokens of course are always reused and are + * valid for the lifetime of the login session. + * * WARNING: If the administrator has turned the token system * off by setting $disable_security_tokens to TRUE in * config/config.php or the configuration tool, this @@ -1584,10 +1626,16 @@ function sm_generate_security_token() * @param string $token The token to validate * @param int $validity_period The number of seconds tokens are valid * for (set to zero to remove valid tokens - * after only one use; use 3600 to allow - * tokens to be reused for an hour) - * (OPTIONAL; default is to only allow tokens - * to be used once) + * after only one use; set to -1 to allow + * indefinite re-use (but still subject to + * $max_token_age_days - see elsewhere); + * use 3600 to allow tokens to be reused for + * an hour) (OPTIONAL; default is to only + * allow tokens to be used once) + * NOTE this is unrelated to $max_token_age_days + * or rather is an additional time constraint on + * tokens that allows them to be re-used (or not) + * within a more narrow timeframe * @param boolean $show_error Indicates that if the token is not * valid, this function should display * a generic error, log the user out @@ -1604,12 +1652,33 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS { global $data_dir, $username, $max_token_age_days, + $use_expiring_security_tokens, $disable_security_tokens; // bypass token validation? CAREFUL! // if ($disable_security_tokens) return TRUE; + // if we're using session-based tokens, just compare + // the same one every time + // + if (!$use_expiring_security_tokens) + { + if (!sqgetGlobalVar('sm_security_token', $session_token, SQ_SESSION)) + { + if (!$show_error) return FALSE; + logout_error(_("Fatal security token error; please log in again")); + exit; + } + if ($token !== $session_token) + { + if (!$show_error) return FALSE; + logout_error(_("The current page request appears to have originated from an untrusted source.")); + exit; + } + return TRUE; + } + // don't purge old tokens here because we already // do it when generating tokens // @@ -1628,9 +1697,11 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS $timestamp = $tokens[$token]; // whether valid or not, we want to remove it from - // user prefs if it's old enough + // user prefs if it's old enough (unless requested to + // bypass this (in which case $validity_period is -1)) // - if ($timestamp < $now - $validity_period) + if ($validity_period >= 0 + && $timestamp < $now - $validity_period) { unset($tokens[$token]); setPref($data_dir, $username, 'security_tokens', serialize($tokens)); @@ -1653,3 +1724,43 @@ function sm_validate_security_token($token, $validity_period=0, $show_error=FALS } +/** + * Wrapper for PHP's htmlspecialchars() that + * attempts to add the correct character encoding + * + * @param string $string The string to be converted + * @param int $flags A bitmask that controls the behavior of htmlspecialchars() + * (See http://php.net/manual/function.htmlspecialchars.php ) + * (OPTIONAL; default ENT_COMPAT, ENT_COMPAT | ENT_SUBSTITUTE for PHP >=5.4) + * @param string $encoding The character encoding to use in the conversion + * (OPTIONAL; default automatic detection) + * @param boolean $double_encode Whether or not to convert entities that are + * already in the string (only supported in + * PHP 5.2.3+) (OPTIONAL; default TRUE) + * + * @return string The converted text + * + */ +function sm_encode_html_special_chars($string, $flags=ENT_COMPAT, + $encoding=NULL, $double_encode=TRUE) +{ + if (!$encoding) + { + global $default_charset; + if ($default_charset == 'iso-2022-jp') + $default_charset = 'EUC-JP'; + $encoding = $default_charset; + } + + if (check_php_version(5, 2, 3)) { + // Replace invalid characters with a symbol instead of returning + // empty string for the entire to be encoded string. + if (check_php_version(5, 4, 0) && $flags == ENT_COMPAT) { + $flags = $flags | ENT_SUBSTITUTE; + } + return htmlspecialchars($string, $flags, $encoding, $double_encode); + } + + return htmlspecialchars($string, $flags, $encoding); +} +