X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=include%2Finit.php;h=94a1ba3f4515f276799f04f40f16ae46b89d799d;hp=9f17708eb87466feed7f59a8d9bb792a6d78f988;hb=HEAD;hpb=8f557b942c5a3fb6663c349f4cc7d4a1c8aa4504 diff --git a/include/init.php b/include/init.php index 9f17708e..94a1ba3f 100644 --- a/include/init.php +++ b/include/init.php @@ -5,7 +5,7 @@ * * File should be loaded in every file in src/ or plugins that occupate an entire frame * - * @copyright © 2006 The SquirrelMail Project Team + * @copyright 2006-2022 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -118,7 +118,7 @@ if(!empty($_SERVER['UNIQUE_ID'])) { } $seed .= uniqid(mt_rand(),TRUE); -$seed .= implode( '', stat( __FILE__) ); +$seed .= implode('', stat( __FILE__)); // mt_srand() uses an integer to seed, so we need to distill our // very large seed to something useful (without taking a sub-string, @@ -223,15 +223,17 @@ if (file_exists(SM_PATH . 'config/config_local.php')) { /** * Set PHP error reporting level based on the SquirrelMail debug mode + * E_STRICT = 2048 + * E_DEPRECATED = 8192 */ $error_level = 0; if ($sm_debug_mode & SM_DEBUG_MODE_SIMPLE) $error_level |= E_ERROR; if ($sm_debug_mode & SM_DEBUG_MODE_MODERATE || $sm_debug_mode & SM_DEBUG_MODE_ADVANCED) - $error_level |= E_ALL; + $error_level = ($error_level | E_ALL) & ~2048 & ~8192; if ($sm_debug_mode & SM_DEBUG_MODE_STRICT) - $error_level |= E_STRICT; + $error_level |= 2048 | 8192; error_reporting($error_level); @@ -263,10 +265,29 @@ if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) { } -/* strip any tags added to the url from PHP_SELF. -This fixes hand crafted url XXS expoits for any - page that uses PHP_SELF as the FORM action */ -$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); +/** + * Strip any tags added to the url from PHP_SELF. + * This fixes hand crafted url XXS expoits for any + * page that uses PHP_SELF as the FORM action + * Update: strip_tags() won't catch something like + * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="> + * or + * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E + * because it doesn't bother with broken tags. + * sm_encode_html_special_chars() is the preferred method. + * QUERY_STRING also needs the same treatment since it is + * used in php_self(). + * Update again: the encoding of ampersands that occurs + * using sm_encode_html_special_chars() corrupts the query strings + * in normal URIs, so we have to let those through. +FIXME: will the de-sanitizing of ampersands create any security/XSS problems? + */ +if (isset($_SERVER['REQUEST_URI'])) + $_SERVER['REQUEST_URI'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['REQUEST_URI'])); +if (isset($_SERVER['PHP_SELF'])) + $_SERVER['PHP_SELF'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['PHP_SELF'])); +if (isset($_SERVER['QUERY_STRING'])) + $_SERVER['QUERY_STRING'] = str_replace('&', '&', sm_encode_html_special_chars($_SERVER['QUERY_STRING'])); $PHP_SELF = php_self(); @@ -560,16 +581,28 @@ switch (PAGE_NAME) { /** - * Check if we are logged in + * Check if we are logged in and does optional referrer check */ require(SM_PATH . 'functions/auth.php'); - if ( !sqsession_is_registered('user_is_logged_in') ) { + global $check_referrer, $domain; + if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = ''; + if ($check_referrer == '###DOMAIN###') $check_referrer = $domain; + if (!empty($check_referrer)) { + $ssl_check_referrer = 'https://' . $check_referrer; + $check_referrer = 'http://' . $check_referrer; + } + if (!sqsession_is_registered('user_is_logged_in') + || ($check_referrer && !empty($referrer) + && strpos(strtolower($referrer), strtolower($check_referrer)) !== 0 + && strpos(strtolower($referrer), strtolower($ssl_check_referrer)) !== 0)) { // use $message to indicate what logout text the user // will see... if 0, typical "You must be logged in" // if 1, information that the user session was saved - // and will be resumed after (re)login + // and will be resumed after (re)login, if 2, there + // seems to have been a XSS or phishing attack (bad + // referrer) // $message = 0; @@ -586,6 +619,13 @@ switch (PAGE_NAME) { if ($session_expired_location == 'compose') $message = 1; } + + // was bad referrer the reason we were rejected? + // + if (sqsession_is_registered('user_is_logged_in') + && $check_referrer && !empty($referrer)) + $message = 2; + // signout page will deal with users who aren't logged // in on its own; don't show error here // @@ -611,8 +651,10 @@ switch (PAGE_NAME) { set_up_language($squirrelmail_language, true); if (!$message) logout_error( _("You must be logged in to access this page.") ); - else + else if ($message == 1) logout_error( _("Your session has expired, but will be resumed after logging in again.") ); + else if ($message == 2) + logout_error( _("The current page request appears to have originated from an unrecognized source.") ); exit; } @@ -651,6 +693,9 @@ switch (PAGE_NAME) { $set_up_langage_after_template_setup = TRUE; $timeZone = getPref($data_dir, $username, 'timezone'); + global $server_timezone, $server_timezone_offset, $server_timezone_offset_seconds; + list($server_timezone, $server_timezone_offset, $server_timezone_offset_seconds) + = explode('::', date('T::O::Z')); /* Check to see if we are allowed to set the TZ environment variable. * We are able to do this if ... @@ -791,6 +836,7 @@ function checkForJavascript($reset = FALSE) { if ( !$reset && sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) ) return $javascript_on; + //FIXME: this isn't used anywhere else in this function; can we remove it? why is it here? $user_is_logged_in = FALSE; if ( $reset || !isset($javascript_setting) ) $javascript_setting = getPref($data_dir, $username, 'javascript_setting', SMPREF_JS_AUTODETECT);