
Merge branch 'trunk'

Andy 5 年之前
父節點
當前提交
e2a20add5b
共有 4 個文件被更改,包括 28 次插入10 次删除
  1. 10 0
      config/config_local.example.php
  2. 8 0
      doc/ChangeLog
  3. 9 4
      functions/global.php
  4. 1 6
      functions/strings.php

+ 10 - 0
config/config_local.example.php

@@ -183,4 +183,14 @@
  * can be enabled by adding this here:
  * $remove_rcdata_rawtext_tags_and_content = TRUE; 
  *
+ * $php_self_pattern
+ * $php_self_replacement
+ * These may be used to modify the value of the global $PHP_SELF
+ * variable used throughout the SquirrelMail code (though that
+ * variable is used less frequently in version 1.5.x). The
+ * pattern should be a full regular expression including the
+ * delimiters. This may be helpful when the web server sees
+ * traffic from a proxy so the normal $PHP_SELF does not resolve
+ * to what it should be for the real client.
+ *
  */

+ 8 - 0
doc/ChangeLog

@@ -433,6 +433,14 @@ Version 1.5.2 - SVN
     [CVE-2019-12970]
   - Added SCRAM authentication support (RFC5802) (RFC7677) for IMAP
     and SMTP
+  - Added the ability to modify of the value of the global $PHP_SELF
+    variable used throughout the SquirrelMail code (though less so
+    in version 1.5.2).  The administrator may do so by adding the
+    configuration settings $php_self_pattern and $php_self_replacement
+    to config/config_local.php, where the pattern should be a full
+    regular expression including the delimiters. This may be helpful
+    when the web server sees traffic from a proxy so the normal
+    $PHP_SELF does not resolve to what it should be for the real client.
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------

+ 9 - 4
functions/global.php

@@ -697,10 +697,12 @@ if (!function_exists('session_regenerate_id')) {
  * @return string The path, filename and any arguments for the
  *                current script
  */
-function php_self() {
-
-    $request_uri = '';
+function php_self($with_query_string=TRUE) {
 
+    static $request_uri = '';
+    if (!empty($request_uri))
+        return ($with_query_string ? $request_uri : (strpos($request_uri, '?') !== FALSE ? substr($request_uri, 0, strpos($request_uri, '?')) : $request_uri));
+ 
     // first try $_SERVER['PHP_SELF'], which seems most reliable
     // (albeit it usually won't include the query string)
     //
@@ -733,7 +735,10 @@ function php_self() {
         $request_uri .= '?' . $query_string;
     }   
 
-    return $request_uri;
+    global $php_self_pattern, $php_self_replacement;
+    if (!empty($php_self_pattern))
+        $request_uri = preg_replace($php_self_pattern, $php_self_replacement, $request_uri);
+    return ($with_query_string ? $request_uri : (strpos($request_uri, '?') !== FALSE ? substr($request_uri, 0, strpos($request_uri, '?')) : $request_uri));
 
 }
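Review bot: `preg_replace()` on the new line `$request_uri = preg_replace($php_self_pattern, $php_self_replacement, $request_uri);` returns NULL when `$php_self_pattern` is not a valid regular expression, so an administrator typo in config_local.php turns the cached `$request_uri` into NULL and every caller of `php_self()` receives NULL instead of a string (the `strpos`/`substr` on the return line then operate on NULL as well). Because the static cache only short-circuits on a non-empty value, the failing replacement also re-runs on every call. Setting `$php_self_pattern` without `$php_self_replacement` additionally yields an undefined-variable notice and a NULL replacement. I would keep the unmodified value when the replacement fails and coerce the replacement to a string; the body of `php_self()` spans both hunks and its opening statements are in the first one. The query-string stripping expression is now duplicated in the early return and the final return, so a small private helper would make both easier to read.
```php
    global $php_self_pattern, $php_self_replacement;
    if (!empty($php_self_pattern)) {
        // An invalid pattern makes preg_replace() return NULL; keep the
        // unmodified value rather than handing NULL to every caller.
        $rewritten = preg_replace($php_self_pattern,
                                  isset($php_self_replacement) ? (string) $php_self_replacement : '',
                                  $request_uri);
        if ($rewritten !== NULL)
            $request_uri = $rewritten;
    }
    // … unchanged: final return with optional query-string stripping …
```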
 

+ 1 - 6
functions/strings.php

@@ -474,12 +474,7 @@ function get_location () {
            $is_secure_connection, $sq_ignore_http_x_forwarded_headers;
 
     /* Get the path, handle virtual directories */
-    if(strpos(php_self(), '?')) {
-        $path = substr(php_self(), 0, strpos(php_self(), '?'));
-    } else {
-        $path = php_self();
-    }
-    $path = substr($path, 0, strrpos($path, '/'));
+    $path = substr(php_self(FALSE), 0, strrpos(php_self(FALSE), '/'));
 
     // proto+host+port are already set in config:
     if ( !empty($config_location_base) ) {
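Review bot: The replacement line calls `php_self(FALSE)` twice in one expression, which reads as if two different values might be involved; naming the result once is clearer: `$path = php_self(FALSE);` then `$path = substr($path, 0, strrpos($path, '/'));`. When the path contains no `/`, `strrpos()` returns FALSE and `substr()` yields an empty string, which appears to match the pre-change behaviour on the removed lines, so it is not a regression, but a short comment saying so would help the next reader. `get_location()` begins before this hunk and continues after it.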