X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=include%2Finit.php;h=2e88d7776f7a2b9be08d402191318f3bdcef442b;hp=b5176403c9159a018d91d698be7e79d3bf8b4ac2;hb=ceacdb3c87567ed38856c7d60ff3d862ae2cb4db;hpb=775a1f52b3e6224cba9fe8f32c9ff0527c6076e7

diff --git a/include/init.php b/include/init.php
index b5176403..2e88d777 100644
--- a/include/init.php
+++ b/include/init.php
@@ -5,7 +5,7 @@
  *
  * File should be loaded in every file in src/ or plugins that occupate an entire frame
  *
- * @copyright &copy; 2006 The SquirrelMail Project Team
+ * @copyright 2006-2011 The SquirrelMail Project Team
  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  * @version $Id$
  * @package squirrelmail
@@ -74,6 +74,14 @@ if ((bool) ini_get('register_globals') &&
 global $null;
 $null = NULL;
 
+/**
+ * The global $server_os variable will be "windows" if
+ * we are working in a Windows environment or "*nix"
+ * otherwise.
+ */
+global $server_os;
+if (DIRECTORY_SEPARATOR == '\\') $server_os = 'windows'; else $server_os = '*nix';
+
 /**
  * [#1518885] session.use_cookies = off breaks SquirrelMail
  *
@@ -110,11 +118,22 @@ if(!empty($_SERVER['UNIQUE_ID'])) {
 }
 
 $seed .= uniqid(mt_rand(),TRUE);
-$seed .= implode( '', stat( __FILE__) );
+$seed .= implode('', stat( __FILE__));
+
+// mt_srand() uses an integer to seed, so we need to distill our
+// very large seed to something useful (without taking a sub-string,
+// the integer conversion of such a large number is always 0 on
+// many systems, but strangely, 9 hex numbers - even if larger
+// than a signed 32 bit integer - seem to be an acceptable "integer"
+// seed (perhaps it is used as unsigned?)...
+// we may want to revisit this and always force it to be less than
+// 2,147,483,647
+//
+$seed = hexdec(substr(md5($seed), 0, 9));
 
-/** PHP 4.2 and up don't require seeding, but their used seed algorithm
- *  is of questionable quality, so we keep doing it ourselves. */
-mt_srand(hexdec(md5($seed)));
+// PHP 4.2 and up don't require seeding, but their used seed algorithm
+// is of questionable quality, so we keep doing it ourselves. */
+mt_srand($seed);
 
 /**
  * calculate SM_PATH and calculate the base_uri
@@ -182,6 +201,7 @@ require(SM_PATH . 'include/constants.php');
 require(SM_PATH . 'functions/global.php');
 require(SM_PATH . 'functions/strings.php');
 require(SM_PATH . 'functions/arrays.php');
+require(SM_PATH . 'functions/files.php');
 
 /* load default configuration */
 require(SM_PATH . 'config/config_default.php');
@@ -215,6 +235,12 @@ if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
 error_reporting($error_level);
 
 
+/** 
+ * Detect SSL connections
+ */
+$is_secure_connection = is_ssl_secured_connection();
+ 
+
 require(SM_PATH . 'functions/plugin.php');
 require(SM_PATH . 'include/languages.php');
 require(SM_PATH . 'class/template/Template.class.php');
@@ -237,10 +263,29 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
 }
 
 
-/* strip any tags added to the url from PHP_SELF.
-This fixes hand crafted url XXS expoits for any
-   page that uses PHP_SELF as the FORM action */
-$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+/**
+ * Strip any tags added to the url from PHP_SELF.
+ * This fixes hand crafted url XXS expoits for any
+ * page that uses PHP_SELF as the FORM action
+ * Update: strip_tags() won't catch something like
+ * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="><script>window.open("http://example.com")</script>
+ * or
+ * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
+ * because it doesn't bother with broken tags.
+ * htmlspecialchars() is the preferred method.
+ * QUERY_STRING also needs the same treatment since it is
+ * used in php_self().
+ * Update again: the encoding of ampersands that occurs
+ * using htmlspecialchars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
+ */
+if (isset($_SERVER['REQUEST_URI']))
+    $_SERVER['REQUEST_URI'] = str_replace('&amp;', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+if (isset($_SERVER['PHP_SELF']))
+    $_SERVER['PHP_SELF'] = str_replace('&amp;', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+if (isset($_SERVER['QUERY_STRING']))
+    $_SERVER['QUERY_STRING'] = str_replace('&amp;', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
 
 $PHP_SELF = php_self();
 
@@ -534,16 +579,28 @@ switch (PAGE_NAME) {
 
 
         /**
-         * Check if we are logged in
+         * Check if we are logged in and does optional referrer check
          */
         require(SM_PATH . 'functions/auth.php');
 
-        if ( !sqsession_is_registered('user_is_logged_in') ) {
+        global $check_referrer, $domain;
+        if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
+        if ($check_referrer == '###DOMAIN###') $check_referrer = $domain;
+        if (!empty($check_referrer)) {
+            $ssl_check_referrer = 'https://' . $check_referrer;
+            $check_referrer = 'http://' . $check_referrer;
+        }
+        if (!sqsession_is_registered('user_is_logged_in')
+         || ($check_referrer && !empty($referrer)
+          && strpos(strtolower($referrer), strtolower($check_referrer)) !== 0
+          && strpos(strtolower($referrer), strtolower($ssl_check_referrer)) !== 0)) {
 
             // use $message to indicate what logout text the user
             // will see... if 0, typical "You must be logged in"
             // if 1, information that the user session was saved
-            // and will be resumed after (re)login
+            // and will be resumed after (re)login, if 2, there
+            // seems to have been a XSS or phishing attack (bad
+            // referrer)
             //
             $message = 0;
 
@@ -560,6 +617,13 @@ switch (PAGE_NAME) {
                 if ($session_expired_location == 'compose')
                     $message = 1;
             }
+
+            // was bad referrer the reason we were rejected?
+            //
+            if (sqsession_is_registered('user_is_logged_in')
+             && $check_referrer && !empty($referrer))
+                $message = 2;
+
             // signout page will deal with users who aren't logged
             // in on its own; don't show error here
             //
@@ -585,8 +649,10 @@ switch (PAGE_NAME) {
             set_up_language($squirrelmail_language, true);
             if (!$message)
                 logout_error( _("You must be logged in to access this page.") );
-            else
+            else if ($message == 1)
                 logout_error( _("Your session has expired, but will be resumed after logging in again.") );
+            else if ($message == 2)
+                logout_error( _("The current page request appears to have originated from an unrecognized source.") );
             exit;
         }
 
@@ -765,6 +831,7 @@ function checkForJavascript($reset = FALSE) {
   if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
     return $javascript_on;
 
+  //FIXME: this isn't used anywhere else in this function; can we remove it?  why is it here?
   $user_is_logged_in = FALSE;
   if ( $reset || !isset($javascript_setting) )
     $javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);
