X-Git-Url: https://vcs.fsf.org/?p=squirrelmail.git;a=blobdiff_plain;f=src%2Fsearch.php;h=eb23f6867543e6f6efa6c0a3ebf073391072d8fa;hp=5622b460a7856703266479cb3556e10a062e7635;hb=f197ec8835b64975ff47dc6cd86dae75605baebf;hpb=6e515418431c0a99f10705da21366fe7093f95b6 diff --git a/src/search.php b/src/search.php index 5622b460..eb23f686 100644 --- a/src/search.php +++ b/src/search.php @@ -8,7 +8,7 @@ * Subfolder search idea from Patch #806075 by Thomas Pohl xraven at users.sourceforge.net. Thanks Thomas! * * @author Alex Lemaresquier - Brainstorm - * @copyright © 1999-2006 The SquirrelMail Project Team + * @copyright 1999-2016 The SquirrelMail Project Team * @license http://opensource.org/licenses/gpl-license.php GNU Public License * @version $Id$ * @package squirrelmail @@ -17,6 +17,9 @@ * @todo explain why references are used in function calls */ +/** This is the search page */ +define('PAGE_NAME', 'search'); + /** * Include the SquirrelMail initialization file. */ @@ -28,9 +31,10 @@ require_once(SM_PATH . 'functions/imap_asearch.php'); require_once(SM_PATH . 'functions/imap_messages.php'); require_once(SM_PATH . 'functions/imap_general.php'); require_once(SM_PATH . 'functions/mime.php'); -require_once(SM_PATH . 'functions/mailbox_display.php'); //getButton() +require_once(SM_PATH . 'functions/mailbox_display.php'); //sqm_api_mailbox_select require_once(SM_PATH . 'functions/forms.php'); require_once(SM_PATH . 'functions/date.php'); +require_once(SM_PATH . 'functions/compose.php'); /** Prefs array ordinals. Must match $recent_prefkeys and $saved_prefkeys */ 
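Review bot: The new `require_once(SM_PATH . 'functions/compose.php');` carries no comment naming what this page uses from it, while the neighbouring `mailbox_display.php` include had its comment updated to `//sqm_api_mailbox_select` for exactly that reason. Adding the symbol, e.g. `require_once(SM_PATH . 'functions/compose.php'); // <symbol used from compose.php>`, lets a later maintainer see whether the include is still needed. The other two hunks on this line (copyright year, `PAGE_NAME`) raise nothing.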
@@ -576,7 +580,7 @@ function asearch_get_query_display(&$color, &$mailbox_array, &$biop_array, &$uno $cur_mailbox = 'INBOX'; $biop = asearch_nz($biop_array[$crit_num]); if (($query_display == '') || ($cur_mailbox != $last_mailbox)) { - $mailbox_display = ' ' . htmlspecialchars(asearch_get_mailbox_display($cur_mailbox)) . ''; + $mailbox_display = ' ' . sm_encode_html_special_chars(asearch_get_mailbox_display($cur_mailbox)) . ''; if ($query_display == '') $biop_display = _("In"); else @@ -602,7 +606,7 @@ function asearch_get_query_display(&$color, &$mailbox_array, &$biop_array, &$uno if ($what_type == 'adate') $what_display = asearch_get_date_display($what); else - $what_display = htmlspecialchars($what); + $what_display = sm_encode_html_special_chars($what); $what_display = ' ' . $what_display . ''; } } @@ -621,26 +625,6 @@ function asearch_get_query_display(&$color, &$mailbox_array, &$biop_array, &$uno return $query_display; } -/** - * Creates button - * - * @deprecated see form functions available in 1.5.1 and 1.4.3. - * @param string $type - * @param string $name - * @param string $value - * @param string $js - * @param bool $enabled - */ -function getButton($type, $name, $value, $js = '', $enabled = TRUE) { - $disabled = ( $enabled ? '' : 'disabled ' ); - $js = ( $js ? $js.' ' : '' ); - return ''; -} - /** * Print a whole query array, recent or saved * 
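Review bot: In the `adate` branch of the second hunk `$what_display` is taken from `asearch_get_date_display($what)` without `sm_encode_html_special_chars`, while the `else` branch now encodes `$what`; unless that helper escapes its own output, which is not visible here, a date string derived from the request reaches the template unescaped. Either encode the helper's result as well, `$what_display = sm_encode_html_special_chars(asearch_get_date_display($what));`, or document on the helper that it returns HTML-safe text. `asearch_get_query_display` begins and ends outside these hunks; the removal of `getButton` is a pure deletion and raises nothing.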
@@ -690,13 +674,13 @@ function asearch_print_query_array(&$boxes, &$query_array, &$query_keys, &$actio $oTemplate->assign('expand_collapse_toggle', '../src/search.php?'.$show_pref.'='.($show_flag==1 ? 0 : 1)); $oTemplate->assign('query_list', $a); - $oTemplate->assign('save_recent', '../src/search.php?submit=save_recent&rownum='); - $oTemplate->assign('do_recent', '../src/search.php?submit=search_recent&rownum='); - $oTemplate->assign('forget_recent', '../src/search.php?submit=forget_recent&rownum='); + $oTemplate->assign('save_recent', '../src/search.php?submit=save_recent&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('do_recent', '../src/search.php?submit=search_recent&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('forget_recent', '../src/search.php?submit=forget_recent&smtoken=' . sm_generate_security_token() . '&rownum='); - $oTemplate->assign('edit_saved', '../src/search.php?submit=edit_saved&rownum='); - $oTemplate->assign('do_saved', '../src/search.php?submit=search_saved&rownum='); - $oTemplate->assign('delete_saved', '../src/search.php?submit=delete_saved&rownum='); + $oTemplate->assign('edit_saved', '../src/search.php?submit=edit_saved&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('do_saved', '../src/search.php?submit=search_saved&smtoken=' . sm_generate_security_token() . '&rownum='); + $oTemplate->assign('delete_saved', '../src/search.php?submit=delete_saved&smtoken=' . sm_generate_security_token() . '&rownum='); $oTemplate->display('search_list.tpl'); } 
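Review bot: The security token is placed in GET links (`save_recent`, `forget_recent`, `delete_saved`, …), so it travels in the URL, where browsers store it in history and may send it in Referer headers to resources loaded afterwards; state-changing actions such as forget/delete are better issued as POST forms with the token in a hidden field, which is what hunks -822 and -877 already do for the search forms via `addHidden('smtoken', …)`. `sm_generate_security_token()` is also called six times for six links; compute `$token = sm_generate_security_token();` once and reuse it, which matters if each call registers a fresh token. If the token alphabet can contain URL-reserved characters it should additionally pass through `urlencode()` before concatenation. `asearch_print_query_array` begins outside the hunk.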
@@ -798,7 +782,7 @@ function asearch_print_form($imapConnection, &$boxes, $mailbox_array, $biop_arra # Build the mailbox array $a = array(); if (($mailbox != 'All Folders') && (!asearch_mailbox_exists($mailbox, $boxes))) { - $a[$mailbox] = '[' . _("Missing") . '] ' . htmlspecialchars(asearch_get_mailbox_display($mailbox)); + $a[$mailbox] = '[' . _("Missing") . '] ' . sm_encode_html_special_chars(asearch_get_mailbox_display($mailbox)); } $a['All Folders'] = '[' . asearch_get_mailbox_display('All Folders') . ']'; $a = array_merge($a, sqimap_mailbox_option_array($imapConnection, 0, $boxes, NULL)); @@ -822,7 +806,8 @@ function asearch_print_form($imapConnection, &$boxes, $mailbox_array, $biop_arra $oTemplate->assign('criteria', $c); - echo '
' . "\n"; + echo '' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->display('search_advanced.tpl'); echo "
\n"; } @@ -856,7 +841,7 @@ function asearch_print_form_basic($imapConnection, &$boxes, $mailbox_array, $bio # Build the mailbox array $a = array(); if (($mailbox != 'All Folders') && (!asearch_mailbox_exists($mailbox, $boxes))) { - $a[$mailbox] = '[' . _("Missing") . '] ' . htmlspecialchars(asearch_get_mailbox_display($mailbox)); + $a[$mailbox] = '[' . _("Missing") . '] ' . sm_encode_html_special_chars(asearch_get_mailbox_display($mailbox)); } $a['All Folders'] = '[' . asearch_get_mailbox_display('All Folders') . ']'; $a = array_merge($a, sqimap_mailbox_option_array($imapConnection, 0, $boxes, NULL)); @@ -877,12 +862,13 @@ function asearch_print_form_basic($imapConnection, &$boxes, $mailbox_array, $bio $oTemplate->assign('unary_options', $imap_asearch_unops); $oTemplate->assign('where_options', $imap_asearch_options); - $oTemplate->assign('mailbox_sel', strtolower(htmlspecialchars($mailbox))); + $oTemplate->assign('mailbox_sel', strtolower(sm_encode_html_special_chars($mailbox))); $oTemplate->assign('unary_sel', $unop); $oTemplate->assign('where_sel', $where); $oTemplate->assign('what_val', $what); - echo '
' . "\n"; + echo '' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->display('search.tpl'); echo "
\n"; } @@ -907,10 +893,17 @@ function sqimap_asearch_get_selectable_unformatted_mailboxes(&$boxes) /* ------------------------ main ------------------------ */ /* get globals we will need */ +sqgetGlobalVar('smtoken', $submitted_token, SQ_FORM, ''); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); -if ( sqgetGlobalVar('checkall', $temp, SQ_GET) ) { - $checkall = (int) $temp; +if (!sqgetGlobalVar('checkall',$checkall,SQ_GET)) { + $checkall = false; +} + +if (!sqgetGlobalVar('preselected', $preselected, SQ_GET) || !is_array($preselected)) { + $preselected = array(); +} else { + $preselected = array_keys($preselected); } /** @@ -991,6 +984,7 @@ if ($search_advanced) { * @global string $submit */ $searchpressed = false; +//FIXME: Why is there so much access to $_GET in this file? What's wrong with sqGetGlobalVar? if (isset($_GET['submit'])) { $submit = strip_tags($_GET['submit']); } @@ -998,9 +992,17 @@ if (isset($_GET['submit'])) { /** Searched mailboxes * @global array $mailbox_array */ -if (isset($_GET['mailbox'])) { - $mailbox_array = $_GET['mailbox']; - $targetmailbox = $_GET['mailbox']; +/* when using compact paginator, mailbox might be indicated in $startMessage, so look for it now ($startMessage is then processed farther below) */ +$mailbox = ''; +$startMessage = ''; +if (sqGetGlobalVarMultiple('startMessage', $temp, 'paginator_submit', SQ_FORM)) { + if (strstr($temp, '_')) list($startMessage, $mailbox) = explode('_', $temp); + else $startMessage = $temp; +} +if (empty($mailbox)) sqGetGlobalVar('mailbox', $mailbox, SQ_GET, ''); +if (!empty($mailbox)) { + $mailbox_array = $mailbox; + $targetmailbox = $mailbox; if (!is_array($mailbox_array)) { $mailbox_array = array($mailbox_array); } @@ -1029,6 +1031,7 @@ $aConfig = array( /** Binary operators * @global array $biop_array */ +//FIXME: Why is there so much access to $_GET in this file? What's wrong with sqGetGlobalVar? if (isset($_GET['biop'])) { $biop_array = $_GET['biop']; if (!is_array($biop_array)) 
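Review bot: In the first hunk the `(int)` cast that the removed lines applied to `checkall` is gone: `$checkall` now holds whatever string arrived in the query and is later handed to the template (hunk -1614 assigns it as `checkall`). Keeping a normalisation, e.g. `$checkall = sqgetGlobalVar('checkall', $checkall, SQ_GET) ? (bool) $checkall : false;`, gives the template a predictable type. The same applies to `$preselected`: `array_keys()` of a request array yields caller-chosen keys; if they are meant to be message UIDs, reducing them to integers before use would pin the type as well.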
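Review bot: `explode('_', $temp)` in the `startMessage` hunk splits on every underscore, so a mailbox whose name contains `_` is truncated to the segment after the first one when `list($startMessage, $mailbox)` keeps only two elements; pass a limit, `list($startMessage, $mailbox) = explode('_', $temp, 2);`, so the rest of the name survives. The value then becomes `$mailbox_array` and `$targetmailbox`, so it should be checked against the known mailbox list like any other request-supplied mailbox; whether that happens for this path is not visible in the hunk. The one-line `if`/`else` without braces is also out of step with the rest of the file.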
@@ -1039,6 +1042,7 @@ if (isset($_GET['biop'])) { /** Unary operators * @global array $unop_array */ +//FIXME: Why is there so much access to $_GET in this file? What's wrong with sqGetGlobalVar? if (isset($_GET['unop'])) { $unop_array = $_GET['unop']; if (!is_array($unop_array)) @@ -1049,6 +1053,7 @@ if (isset($_GET['unop'])) { /** Where to search * @global array $where_array */ +//FIXME: Why is there so much access to $_GET in this file? What's wrong with sqGetGlobalVar? if (isset($_GET['where'])) { $where_array = $_GET['where']; if (!is_array($where_array)) { @@ -1060,6 +1065,7 @@ if (isset($_GET['where'])) { /** What to search * @global array $what_array */ +//FIXME: Why is there so much access to $_GET in this file? What's wrong with sqGetGlobalVar? if (isset($_GET['what'])) { $what_array = $_GET['what']; if (!is_array($what_array)) { @@ -1071,6 +1077,7 @@ if (isset($_GET['what'])) { /** Whether to exclude this criteria from search * @global array $exclude_array */ +//FIXME: Why is there so much access to $_GET in this file? What's wrong with sqGetGlobalVar? if (isset($_GET['exclude'])) { $exclude_array = $_GET['exclude']; } else { @@ -1079,6 +1086,7 @@ if (isset($_GET['exclude'])) { /** Search within subfolders * @global array $sub_array */ +//FIXME: Why is there so much access to $_GET in this file? What's wrong with sqGetGlobalVar? if (isset($_GET['sub'])) { $sub_array = $_GET['sub']; } else { @@ -1086,6 +1094,7 @@ if (isset($_GET['sub'])) { } /** Row number used by recent and saved stuff */ +//FIXME: Why is there so much access to $_GET in this file? What's wrong with sqGetGlobalVar? if (isset($_GET['rownum'])) { $submit_rownum = strip_tags($_GET['rownum']); } 
@@ -1096,8 +1105,9 @@ if (sqgetGlobalVar('srt', $temp, SQ_GET)) { asearch_edit_last(1); // asearch_push_recent($mailbox_array, $biop_array, $unop_array, $where_array, $what_array, $exclude_array, $sub_array); } -if (sqgetGlobalVar('startMessage', $temp, SQ_GET)) { - $startMessage = (int) $temp; +/* already retrieved startMessage above */ +if (!empty($startMessage)) { + $startMessage = (int) $startMessage; asearch_edit_last(1); // asearch_push_recent($mailbox_array, $biop_array, $unop_array, $where_array, $what_array, $exclude_array, $sub_array); } @@ -1172,6 +1182,10 @@ if ((empty($submit)) && (!empty($where_array))) { if (!isset($submit)) { $submit = ''; } else { + + // first validate security token + sm_validate_security_token($submitted_token, -1, TRUE); + switch ($submit) { case $search_button_text: if (asearch_check_query($where_array, $what_array, $exclude_array) == '') { @@ -1307,14 +1321,15 @@ if ($search_advanced) { uasort($imap_asearch_options, 'asearch_unhtml_strcoll'); /* open IMAP connection */ -$imapConnection = sqimap_login($username, false, $imapServerAddress, $imapPort, 0); +global $imap_stream_options; // in case not defined in config +$imapConnection = sqimap_login($username, false, $imapServerAddress, $imapPort, 0, $imap_stream_options); /* get mailboxes once here */ $boxes = sqimap_mailbox_list($imapConnection); /* ensure we have a valid default mailbox name */ $mailbox = asearch_nz($mailbox_array[0]); -if (($mailbox == '') || ($mailbox == 'None')) //Workaround for sm quirk IMHO (what if I really have a mailbox called None?) +if ($mailbox == '') $mailbox = $boxes[0]['unformatted']; //Usually INBOX ;) 
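Review bot: `sm_validate_security_token($submitted_token, -1, TRUE);` in the second hunk runs only inside the `else` of `if (!isset($submit))`, so the code above it has already acted on the request: the `srt` and `startMessage` blocks in the first hunk call `asearch_edit_last(1)` before any token check. If `asearch_edit_last` writes to the stored recent-search preferences (not visible here), that write is reachable without a valid token; validating right after `$submitted_token` is read, under the same presence test, would close that. A comment stating what `-1` and `TRUE` select would also help, as the call site gives no hint.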
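Review bot: `global $imap_stream_options;` in the third hunk is a no-op if this runs at file scope, which the `main` section marker suggests, so it does not give the variable a value when the config omits it, and `sqimap_login()` then receives an undefined variable (a notice, with `null` passed). If the comment's intent is a default, write it explicitly, e.g. `if (!isset($imap_stream_options)) { $imap_stream_options = array(); }` (or whatever default `sqimap_login` expects). The `global $show_personal_names` and `global $accesskey_…` lines in hunk -1614 are equally inert for the same reason, though they read config values that are presumably set.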
@@ -1367,16 +1382,20 @@ if (isset($aMailbox['FORWARD_SESSION'])) { $compose_height = '550'; } // do not use &, it will break the query string and $session will not be detected!!! - $comp_uri = SM_PATH . 'src/compose.php?mailbox='. urlencode($mailbox). - '&session='.$aMailbox['FORWARD_SESSION']; + $comp_uri = $base_uri . 'src/compose.php?mailbox='. urlencode($mailbox) + . '&session='.$aMailbox['FORWARD_SESSION']['SESSION_NUMBER'] + . '&smaction=forward_as_attachment' + . '&fwduid=' . implode('_', $aMailbox['FORWARD_SESSION']['UIDS']); displayPageHeader($color, $mailbox, "comp_in_new('$comp_uri', $compose_width, $compose_height);", false); } else { // save mailboxstate sqsession_register($aMailbox,'aLastSelectedMailbox'); session_write_close(); // we have to redirect to the compose page - $location = SM_PATH . 'src/compose.php?mailbox='. urlencode($mailbox). - '&session='.$aMailbox['FORWARD_SESSION']; + $location = $base_uri . 'src/compose.php?mailbox='. urlencode($mailbox) + . '&session='.$aMailbox['FORWARD_SESSION']['SESSION_NUMBER'] + . '&smaction=forward_as_attachment' + . '&fwduid=' . implode('_', $aMailbox['FORWARD_SESSION']['UIDS']); header("Location: $location"); exit; } @@ -1586,7 +1605,7 @@ if ($submit == $search_button_text) { */ if ($aMailbox['EXISTS'] > 0) { if ($iError) { - // TODO + // TODO: Implement an error handler in the search page. echo "ERROR occured, errorhandler will be implemented very soon"; } else { foreach ($aTemplate as $k => $v) { 
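Review bot: The two branches build byte-identical compose URLs (`$comp_uri` and `$location`); compute the string once before the `if`, which opens outside this hunk, and reuse it so the four appended parameters cannot drift apart. Only `$mailbox` is `urlencode()`d, while `SESSION_NUMBER` and the imploded `UIDS` are concatenated raw; if they are guaranteed integers that is fine, otherwise wrap them too, and note that in the first branch the result is also interpolated into a JavaScript string literal, `comp_in_new('$comp_uri', …)`, where a quote in any component would end the literal. A short comment naming where `$base_uri` is set would help, since it replaces the `SM_PATH` constant and is not defined in this file's visible lines.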
@@ -1600,13 +1619,14 @@ if ($submit == $search_button_text) { $mailbox_display = imap_utf7_decode_local($mbx); } - $oTemplate->assign('mailbox_name', htmlspecialchars($mailbox_display)); + $oTemplate->assign('mailbox_name', sm_encode_html_special_chars($mailbox_display)); $oTemplate->display('search_result_mailbox.tpl'); $oTemplate->assign('page_selector', $page_selector); $oTemplate->assign('page_selector_max', $page_selector_max); $oTemplate->assign('compact_paginator', $compact_paginator); - $oTemplate->assign('javascript_on', $javascript_on); + $oTemplate->assign('javascript_on', checkForJavascript()); + $oTemplate->assign('base_uri', sqm_baseuri()); $oTemplate->assign('enablesort', (isset($aProps['config']['enablesort'])) ? $aProps['config']['enablesort'] : false); $oTemplate->assign('icon_theme_path', $icon_theme_path); $oTemplate->assign('use_icons', (isset($use_icons)) ? $use_icons : false); @@ -1614,6 +1634,15 @@ if ($submit == $search_button_text) { $oTemplate->assign('alt_index_colors', isset($alt_index_colors) ? $alt_index_colors: false); $oTemplate->assign('color', $color); $oTemplate->assign('align', $align); + $oTemplate->assign('checkall', $checkall); + $oTemplate->assign('preselected', $preselected); + + global $show_personal_names; + $oTemplate->assign('show_personal_names', $show_personal_names); + + global $accesskey_mailbox_toggle_selected, $accesskey_mailbox_thread; + $oTemplate->assign('accesskey_mailbox_toggle_selected', $accesskey_mailbox_toggle_selected); + $oTemplate->assign('accesskey_mailbox_thread', $accesskey_mailbox_thread); $oTemplate->display('message_list.tpl'); } @@ -1635,4 +1664,3 @@ sqimap_logout($imapConnection); $oTemplate->display('footer.tpl'); sqsession_register($mailbox_cache,'mailbox_cache'); -?>