X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=include%2Finit.php;h=5efd61eaf946cb2c9eb24d33466cd190bc2ccdd5;hp=166967aa9fe3ae1ce1a9ce4479ca67eb74b86741;hb=6d9f22dba5d50ff55b8d6811412feedd3e534acf;hpb=79dd8c728f29d35dc3f971cd936e164927002bde
diff --git a/include/init.php b/include/init.php
index 166967aa..5efd61ea 100644
--- a/include/init.php
+++ b/include/init.php
@@ -5,7 +5,7 @@
*
* File should be loaded in every file in src/ or plugins that occupate an entire frame
*
- * @copyright © 2006 The SquirrelMail Project Team
+ * @copyright 2006-2010 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
@@ -19,7 +19,6 @@ FIXME: disabling this for now, because we now have $sm_debug_mode, but the probl
//error_reporting(E_ALL);
-
/**
* Make sure we have a page name
*
@@ -75,6 +74,14 @@ if ((bool) ini_get('register_globals') &&
global $null;
$null = NULL;
+/**
+ * The global $server_os variable will be "windows" if
+ * we are working in a Windows environment or "*nix"
+ * otherwise.
+ */
+global $server_os;
+if (DIRECTORY_SEPARATOR == '\\') $server_os = 'windows'; else $server_os = '*nix';
+
/**
* [#1518885] session.use_cookies = off breaks SquirrelMail
*
@@ -111,11 +118,22 @@ if(!empty($_SERVER['UNIQUE_ID'])) {
}
$seed .= uniqid(mt_rand(),TRUE);
-$seed .= implode( '', stat( __FILE__) );
+$seed .= implode('', stat( __FILE__));
+
+// mt_srand() uses an integer to seed, so we need to distill our
+// very large seed to something useful (without taking a sub-string,
+// the integer conversion of such a large number is always 0 on
+// many systems, but strangely, 9 hex numbers - even if larger
+// than a signed 32 bit integer - seem to be an acceptable "integer"
+// seed (perhaps it is used as unsigned?)...
+// we may want to revisit this and always force it to be less than
+// 2,147,483,647
+//
+$seed = hexdec(substr(md5($seed), 0, 9));
-/** PHP 4.2 and up don't require seeding, but their used seed algorithm
- * is of questionable quality, so we keep doing it ourselves. */
-mt_srand(hexdec(md5($seed)));
+// PHP 4.2 and up don't require seeding, but their used seed algorithm
+// is of questionable quality, so we keep doing it ourselves. */
+mt_srand($seed);
/**
* calculate SM_PATH and calculate the base_uri
@@ -183,6 +201,7 @@ require(SM_PATH . 'include/constants.php');
require(SM_PATH . 'functions/global.php');
require(SM_PATH . 'functions/strings.php');
require(SM_PATH . 'functions/arrays.php');
+require(SM_PATH . 'functions/files.php');
/* load default configuration */
require(SM_PATH . 'config/config_default.php');
@@ -216,6 +235,12 @@ if ($sm_debug_mode & SM_DEBUG_MODE_STRICT)
error_reporting($error_level);
+/**
+ * Detect SSL connections
+ */
+$is_secure_connection = is_ssl_secured_connection();
+
+
require(SM_PATH . 'functions/plugin.php');
require(SM_PATH . 'include/languages.php');
require(SM_PATH . 'class/template/Template.class.php');
@@ -238,10 +263,29 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
}
-/* strip any tags added to the url from PHP_SELF.
-This fixes hand crafted url XXS expoits for any
- page that uses PHP_SELF as the FORM action */
-$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
+/**
+ * Strip any tags added to the url from PHP_SELF.
+ * This fixes hand crafted url XXS expoits for any
+ * page that uses PHP_SELF as the FORM action
+ * Update: strip_tags() won't catch something like
+ * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx=">
+ * or
+ * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
+ * because it doesn't bother with broken tags.
+ * htmlspecialchars() is the preferred method.
+ * QUERY_STRING also needs the same treatment since it is
+ * used in php_self().
+ * Update again: the encoding of ampersands that occurs
+ * using htmlspecialchars() corrupts the query strings
+ * in normal URIs, so we have to let those through.
+FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
+ */
+if (isset($_SERVER['REQUEST_URI']))
+ $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI']));
+if (isset($_SERVER['PHP_SELF']))
+ $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF']));
+if (isset($_SERVER['QUERY_STRING']))
+ $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING']));
$PHP_SELF = php_self();
@@ -258,12 +302,12 @@ if (!isset($session_name) || !$session_name) {
* When session.auto_start is On we want to destroy/close the session
*/
$sSessionAutostartName = session_name();
-$sCookiePath = null;
-if (isset($sSessionAutostartName) && $sSessionAutostartName !== $session_name) {
+$sSessionAutostartID = session_id();
+if (!empty($sSessionAutostartID) && $sSessionAutostartName !== $session_name) {
$sCookiePath = ini_get('session.cookie_path');
$sCookieDomain = ini_get('session.cookie_domain');
// reset the cookie
- setcookie($sSessionAutostartName,'',time() - 604800,$sCookiePath,$sCookieDomain);
+ sqsetcookie($sSessionAutostartName,'',1,$sCookiePath,$sCookieDomain);
@session_destroy();
session_write_close();
}
@@ -369,7 +413,7 @@ require(SM_PATH . 'functions/prefs.php');
* the current user is NOT that user, turn them
* back on
*/
-sqgetGlobalVar('username',$username,SQ_SESSION);
+sqgetGlobalVar('username', $username, SQ_SESSION);
if ($disable_plugins && !empty($disable_plugins_user)
&& $username != $disable_plugins_user) {
$disable_plugins = false;
@@ -447,10 +491,24 @@ if (! sqgetGlobalVar('squirrelmail_language',$squirrelmail_language,SQ_COOKIE))
}
+/**
+ * In some cases, buffering all output allows more complex functionality,
+ * especially for plugins that want to add headers on hooks that are beyond
+ * the point of output having been sent to the browser otherwise.
+ *
+ * Note that we don't turn this on any earlier since we want to allow plugins
+ * to turn it on themselves via a configuration override on the prefs_backend
+ * hook.
+ *
+ */
+if ($buffer_output) ob_start(!empty($buffered_output_handler) ? $buffered_output_handler : NULL);
+
+
/**
* Do something special for some pages. This is based on the PAGE_NAME constant
* set at the top of every page.
*/
+$set_up_langage_after_template_setup = FALSE;
switch (PAGE_NAME) {
case 'style':
@@ -500,7 +558,7 @@ switch (PAGE_NAME) {
// reset template file cache
//
$sTemplateID = Template::get_default_template_set();
- Template::cache_template_file_hierarchy(TRUE);
+ Template::cache_template_file_hierarchy($sTemplateID, TRUE);
/**
* Make sure icon variables are setup for the login page.
@@ -513,22 +571,6 @@ switch (PAGE_NAME) {
*/
$icon_theme_path = (!$use_icons || $icon_theme=='none') ? NULL : ($icon_theme == 'template' ? SM_PATH . Template::calculate_template_images_directory($sTemplateID) : $icon_theme);
- /**
- * cleanup old cookies with a cookie path the same as the standard php.ini
- * cookie path. All previous SquirrelMail version used the standard php.ini
- * cookie path for storing the session name. That behaviour changed.
- */
- if ($sCookiePath !== SM_BASE_URI) {
- /**
- * do not delete the standard sessions with session.name is i.e. PHPSESSID
- * because they probably belong to other php apps
- */
- if (ini_get('session.name') !== $sSessionAutostartName) {
- // This does not work. Sometimes the cookie with SQSESSID=deleted and path /
- // is picked up in webmail.php => login will fail
- //sqsetcookie(ini_get('session.name'),'',0,$sCookiePath);
- }
- }
break;
default:
require(SM_PATH . 'functions/display_messages.php' );
@@ -537,16 +579,28 @@ switch (PAGE_NAME) {
/**
- * Check if we are logged in
+ * Check if we are logged in and does optional referrer check
*/
require(SM_PATH . 'functions/auth.php');
- if ( !sqsession_is_registered('user_is_logged_in') ) {
+ global $check_referrer, $domain;
+ if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = '';
+ if ($check_referrer == '###DOMAIN###') $check_referrer = $domain;
+ if (!empty($check_referrer)) {
+ $ssl_check_referrer = 'https://' . $check_referrer;
+ $check_referrer = 'http://' . $check_referrer;
+ }
+ if (!sqsession_is_registered('user_is_logged_in')
+ || ($check_referrer && !empty($referrer)
+ && strpos(strtolower($referrer), strtolower($check_referrer)) !== 0
+ && strpos(strtolower($referrer), strtolower($ssl_check_referrer)) !== 0)) {
// use $message to indicate what logout text the user
// will see... if 0, typical "You must be logged in"
// if 1, information that the user session was saved
- // and will be resumed after (re)login
+ // and will be resumed after (re)login, if 2, there
+ // seems to have been a XSS or phishing attack (bad
+ // referrer)
//
$message = 0;
@@ -563,6 +617,13 @@ switch (PAGE_NAME) {
if ($session_expired_location == 'compose')
$message = 1;
}
+
+ // was bad referrer the reason we were rejected?
+ //
+ if (sqsession_is_registered('user_is_logged_in')
+ && $check_referrer && !empty($referrer))
+ $message = 2;
+
// signout page will deal with users who aren't logged
// in on its own; don't show error here
//
@@ -576,16 +637,22 @@ switch (PAGE_NAME) {
/*
* $sTemplateID is not initialized when a user is not logged in, so we
* will use the config file defaults here. If the neccesary variables
- * are net set, force a default value.
+ * are not set, force a default value.
*/
- $sTemplateID = Template::get_default_template_set();
+ if (PAGE_NAME == 'squirrelmail_rpc') {
+ $sTemplateID = Template::get_rpc_template_set();
+ } else {
+ $sTemplateID = Template::get_default_template_set();
+ }
$oTemplate = Template::construct_template($sTemplateID);
set_up_language($squirrelmail_language, true);
if (!$message)
logout_error( _("You must be logged in to access this page.") );
- else
+ else if ($message == 1)
logout_error( _("Your session has expired, but will be resumed after logging in again.") );
+ else if ($message == 2)
+ logout_error( _("The current page request appears to have originated from an unrecognized source.") );
exit;
}
@@ -609,7 +676,6 @@ switch (PAGE_NAME) {
*/
require(SM_PATH . 'include/load_prefs.php');
-// i do not understand the frames language cookie story
/**
* We'll need this to later have a noframes version
*
@@ -621,20 +687,8 @@ switch (PAGE_NAME) {
if ($my_language != $squirrelmail_language) {
sqsetcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri);
}
-// /dont understand
- /**
- * Set up the language.
- */
- $err=set_up_language(getPref($data_dir, $username, 'language'));
-
- // Japanese translation used without mbstring support
- if ($err==2) {
- $sError = "Your administrator needs to have PHP installed with the multibyte string extension enabled (using configure option --enable-mbstring).
\n"
- . "This system has assumed that you accidently switched to Japanese and has reverted your language preference to English.
\n"
- . "Please refresh this page in order to continue using your webmail.
\n";
- error_box($sError);
- }
+ $set_up_langage_after_template_setup = TRUE;
$timeZone = getPref($data_dir, $username, 'timezone');
@@ -692,7 +746,11 @@ switch (PAGE_NAME) {
* so we shouldn't change it here.
*/
if (!isset($sTemplateID)) {
- $sTemplateID = Template::get_default_template_set();
+ if (PAGE_NAME == 'squirrelmail_rpc') {
+ $sTemplateID = Template::get_rpc_template_set();
+ } else {
+ $sTemplateID = Template::get_default_template_set();
+ }
$icon_theme_path = !$use_icons ? NULL : Template::calculate_template_images_directory($sTemplateID);
}
@@ -718,11 +776,34 @@ foreach ($always_include as $var) {
$nbsp = $oTemplate->fetch('non_breaking_space.tpl');
$br = $oTemplate->fetch('line_break.tpl');
+
+/**
+ * Set up the language.
+ *
+ * This code block corresponds to the *default* block of the switch
+ * statement above, but the language cannot be set up until after the
+ * template is instantiated, so we set $set_up_langage_after_template_setup
+ * above and do the linguistic stuff now.
+ */
+if ($set_up_langage_after_template_setup) {
+ $err=set_up_language(getPref($data_dir, $username, 'language'));
+
+ // Japanese translation used without mbstring support
+ if ($err==2) {
+ $sError = "Your administrator needs to have PHP installed with the multibyte string extension enabled (using configure option --enable-mbstring).
\n"
+ . "This system has assumed that you accidently switched to Japanese and has reverted your language preference to English.
\n"
+ . "Please refresh this page in order to continue using your webmail.
\n";
+ error_box($sError);
+ }
+}
+
+
/**
* Initialize our custom error handler object
*/
$oErrorHandler = new ErrorHandler($oTemplate,'error_message.tpl');
+
/**
* Activate custom error handling
*/
@@ -750,6 +831,7 @@ function checkForJavascript($reset = FALSE) {
if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
return $javascript_on;
+ //FIXME: this isn't used anywhere else in this function; can we remove it? why is it here?
$user_is_logged_in = FALSE;
if ( $reset || !isset($javascript_setting) )
$javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);