We use cookies to ensure you get the best experience on our website
Domovská stránka Prehľadávať Pomoc
Registrovať Prihlásiť sa
0ct0pu5
/
squirrelmail
1
0
Fork 0
Súbory Issues 0 Pull requesty 0 Wiki
Strom: 0084fb6502
Branche Tagy
squirrelmail
/
functions
/
global.php

global.php 12 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * global.php
    5. 

  5.  *
    6. 

  6.  * This includes code to update < 4.1.0 globals to the newer format
    7. 

  7.  * It also has some session register functions that work across various
    8. 

  8.  * php versions.
    9. 

  9.  *
    10. 

  10.  * @copyright &copy; 1999-2006 The SquirrelMail Project Team
    11. 

  11.  * @license http://opensource.org/licenses/gpl-license.php GNU Public License
    12. 

  12.  * @version $Id$
    13. 

  13.  * @package squirrelmail
    14. 

  14.  */
    15. 

  15. 

  16. /**
    17. 

  17.  */
    18. 

  18. define('SQ_INORDER',0);
    19. 

  19. define('SQ_GET',1);
    20. 

  20. define('SQ_POST',2);
    21. 

  21. define('SQ_SESSION',3);
    22. 

  22. define('SQ_COOKIE',4);
    23. 

  23. define('SQ_SERVER',5);
    24. 

  24. define('SQ_FORM',6);
    25. 

  25. 

  26. /**
    27. 

  27.  * returns true if current php version is at mimimum a.b.c
    28. 

  28.  *
    29. 

  29.  * Called: check_php_version(4,1)
    30. 

  30.  * @param int a major version number
    31. 

  31.  * @param int b minor version number
    32. 

  32.  * @param int c release number
    33. 

  33.  * @return bool
    34. 

  34.  */
    35. 

  35. function check_php_version ($a = '0', $b = '0', $c = '0')
    36. 

  36. {
    37. 

  37.     return version_compare ( PHP_VERSION, "$a.$b.$c", 'ge' );
    38. 

  38. }
    39. 

  39. 

  40. /**
    41. 

  41.  * returns true if the current internal SM version is at minimum a.b.c
    42. 

  42.  * These are plain integer comparisons, as our internal version is
    43. 

  43.  * constructed by us, as an array of 3 ints.
    44. 

  44.  *
    45. 

  45.  * Called: check_sm_version(1,3,3)
    46. 

  46.  * @param int a major version number
    47. 

  47.  * @param int b minor version number
    48. 

  48.  * @param int c release number
    49. 

  49.  * @return bool
    50. 

  50.  */
    51. 

  51. function check_sm_version($a = 0, $b = 0, $c = 0)
    52. 

  52. {
    53. 

  53.     global $SQM_INTERNAL_VERSION;
    54. 

  54.     if ( !isset($SQM_INTERNAL_VERSION) ||
    55. 

  55.          $SQM_INTERNAL_VERSION[0] < $a ||
    56. 

  56.          ( $SQM_INTERNAL_VERSION[0] == $a &&
    57. 

  57.            $SQM_INTERNAL_VERSION[1] < $b) ||
    58. 

  58.          ( $SQM_INTERNAL_VERSION[0] == $a &&
    59. 

  59.            $SQM_INTERNAL_VERSION[1] == $b &&
    60. 

  60.            $SQM_INTERNAL_VERSION[2] < $c ) ) {
    61. 

  61.         return FALSE;
    62. 

  62.     }
    63. 

  63.     return TRUE;
    64. 

  64. }
    65. 

  65. 

  66. 

  67. /**
    68. 

  68.  * Recursively strip slashes from the values of an array.
    69. 

  69.  * @param array array the array to strip, passed by reference
    70. 

  70.  * @return void
    71. 

  71.  */
    72. 

  72. function sqstripslashes(&$array) {
    73. 

  73.     if(count($array) > 0) {
    74. 

  74.         foreach ($array as $index=>$value) {
    75. 

  75.             if (is_array($array[$index])) {
    76. 

  76.                 sqstripslashes($array[$index]);
    77. 

  77.             }
    78. 

  78.             else {
    79. 

  79.                 $array[$index] = stripslashes($value);
    80. 

  80.             }
    81. 

  81.         }
    82. 

  82.     }
    83. 

  83. }
    84. 

  84. 

  85. /**
    86. 

  86.  * Add a variable to the session.
    87. 

  87.  * @param mixed $var the variable to register
    88. 

  88.  * @param string $name the name to refer to this variable
    89. 

  89.  * @return void
    90. 

  90.  */
    91. 

  91. function sqsession_register ($var, $name) {
    92. 

  92. 

  93.     sqsession_is_active();
    94. 

  94. 

  95.     $_SESSION["$name"] = $var;
    96. 

  96. 

  97.     session_register("$name");
    98. 

  98. }
    99. 

  99. 

  100. /**
    101. 

  101.  * Delete a variable from the session.
    102. 

  102.  * @param string $name the name of the var to delete
    103. 

  103.  * @return void
    104. 

  104.  */
    105. 

  105. function sqsession_unregister ($name) {
    106. 

  106. 

  107.     sqsession_is_active();
    108. 

  108. 

  109.     unset($_SESSION[$name]);
    110. 

  110. 

  111.     session_unregister("$name");
    112. 

  112. }
    113. 

  113. 

  114. /**
    115. 

  115.  * Checks to see if a variable has already been registered
    116. 

  116.  * in the session.
    117. 

  117.  * @param string $name the name of the var to check
    118. 

  118.  * @return bool whether the var has been registered
    119. 

  119.  */
    120. 

  120. function sqsession_is_registered ($name) {
    121. 

  121.     $test_name = &$name;
    122. 

  122.     $result = false;
    123. 

  123. 

  124.     if (isset($_SESSION[$test_name])) {
    125. 

  125.         $result = true;
    126. 

  126.     }
    127. 

  127. 

  128.     return $result;
    129. 

  129. }
    130. 

  130. 

  131. /**
    132. 

  132.  * Search for the var $name in $_SESSION, $_POST, $_GET, $_COOKIE, or $_SERVER
    133. 

  133.  * and set it in provided var.
    134. 

  134.  *
    135. 

  135.  * If $search is not provided, or if it is SQ_INORDER, it will search $_SESSION,
    136. 

  136.  * then $_POST, then $_GET. If $search is SQ_FORM it will search $_POST and
    137. 

  137.  * $_GET.  Otherwise, use one of the defined constants to look for a var in one
    138. 

  138.  * place specifically.
    139. 

  139.  *
    140. 

  140.  * Note: $search is an int value equal to one of the constants defined above.
    141. 

  141.  *
    142. 

  142.  * Example:
    143. 

  143.  * sqgetGlobalVar('username',$username,SQ_SESSION);
    144. 

  144.  * // No quotes around last param, it's a constant - not a string!
    145. 

  145.  *
    146. 

  146.  * @param string name the name of the var to search
    147. 

  147.  * @param mixed value the variable to return
    148. 

  148.  * @param int search constant defining where to look
    149. 

  149.  * @return bool whether variable is found.
    150. 

  150.  */
    151. 

  151. function sqgetGlobalVar($name, &$value, $search = SQ_INORDER) {
    152. 

  152. 

  153.     /* NOTE: DO NOT enclose the constants in the switch
    154. 

  154.        statement with quotes. They are constant values,
    155. 

  155.        enclosing them in quotes will cause them to evaluate
    156. 

  156.        as strings. */
    157. 

  157.     switch ($search) {
    158. 

  158.         /* we want the default case to be first here,
    159. 

  159.            so that if a valid value isn't specified,
    160. 

  160.            all three arrays will be searched. */
    161. 

  161.       default:
    162. 

  162.       case SQ_INORDER: // check session, post, get
    163. 

  163.       case SQ_SESSION:
    164. 

  164.         if( isset($_SESSION[$name]) ) {
    165. 

  165.             $value = $_SESSION[$name];
    166. 

  166.             return TRUE;
    167. 

  167.         } elseif ( $search == SQ_SESSION ) {
    168. 

  168.             break;
    169. 

  169.         }
    170. 

  170.       case SQ_FORM:   // check post, get
    171. 

  171.       case SQ_POST:
    172. 

  172.         if( isset($_POST[$name]) ) {
    173. 

  173.             $value = $_POST[$name];
    174. 

  174.             return TRUE;
    175. 

  175.         } elseif ( $search == SQ_POST ) {
    176. 

  176.           break;
    177. 

  177.         }
    178. 

  178.       case SQ_GET:
    179. 

  179.         if ( isset($_GET[$name]) ) {
    180. 

  180.             $value = $_GET[$name];
    181. 

  181.             return TRUE;
    182. 

  182.         }
    183. 

  183.         /* NO IF HERE. FOR SQ_INORDER CASE, EXIT after GET */
    184. 

  184.         break;
    185. 

  185.       case SQ_COOKIE:
    186. 

  186.         if ( isset($_COOKIE[$name]) ) {
    187. 

  187.             $value = $_COOKIE[$name];
    188. 

  188.             return TRUE;
    189. 

  189.         }
    190. 

  190.         break;
    191. 

  191.       case SQ_SERVER:
    192. 

  192.         if ( isset($_SERVER[$name]) ) {
    193. 

  193.             $value = $_SERVER[$name];
    194. 

  194.             return TRUE;
    195. 

  195.         }
    196. 

  196.         break;
    197. 

  197.     }
    198. 

  198.     /* Nothing found, return FALSE */
    199. 

  199.     return FALSE;
    200. 

  200. }
    201. 

  201. 

  202. /**
    203. 

  203.  * Deletes an existing session, more advanced than the standard PHP
    204. 

  204.  * session_destroy(), it explicitly deletes the cookies and global vars.
    205. 

  205.  */
    206. 

  206. function sqsession_destroy() {
    207. 

  207. 

  208.     /*
    209. 

  209.      * php.net says we can kill the cookie by setting just the name:
    210. 

  210.      * http://www.php.net/manual/en/function.setcookie.php
    211. 

  211.      * maybe this will help fix the session merging again.
    212. 

  212.      *
    213. 

  213.      * Changed the theory on this to kill the cookies first starting
    214. 

  214.      * a new session will provide a new session for all instances of
    215. 

  215.      * the browser, we don't want that, as that is what is causing the
    216. 

  216.      * merging of sessions.
    217. 

  217.      */
    218. 

  218. 

  219.     global $base_uri;
    220. 

  220. 

  221.     if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri);
    222. 

  222.     if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri);
    223. 

  223.     if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri);
    224. 

  224. 

  225.     $sessid = session_id();
    226. 

  226.     if (!empty( $sessid )) {
    227. 

  227.         $_SESSION = array();
    228. 

  228.         @session_destroy();
    229. 

  229.     }
    230. 

  230. 

  231. }
    232. 

  232. 

  233. /**
    234. 

  234.  * Function to verify a session has been started.  If it hasn't
    235. 

  235.  * start a session up.  php.net doesn't tell you that $_SESSION
    236. 

  236.  * (even though autoglobal), is not created unless a session is
    237. 

  237.  * started, unlike $_POST, $_GET and such
    238. 

  238.  */
    239. 

  239. function sqsession_is_active() {
    240. 

  240.     $sessid = session_id();
    241. 

  241.     if ( empty( $sessid ) ) {
    242. 

  242.         sqsession_start();
    243. 

  243.     }
    244. 

  244. }
    245. 

  245. 

  246. /**
    247. 

  247.  * Function to start the session and store the cookie with the session_id as
    248. 

  248.  * HttpOnly cookie which means that the cookie isn't accessible by javascript
    249. 

  249.  * (IE6 only)
    250. 

  250.  */
    251. 

  251. function sqsession_start() {
    252. 

  252.     global $PHP_SELF;
    253. 

  253. 

  254.     $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|');
    255. 

  255.     $repl = array('', '', '');
    256. 

  256.     $base_uri = preg_replace($dirs, $repl, $PHP_SELF);
    257. 

  257. 

  258. 

  259.     session_start();
    260. 

  260.     $sessid = session_id();
    261. 

  261.     // session_starts sets the sessionid cookie buth without the httponly var
    262. 

  262.     // setting the cookie again sets the httponly cookie attribute
    263. 

  263.     sqsetcookie(session_name(),$sessid,false,$base_uri);
    264. 

  264. }
    265. 

  265. 

  266. 

  267. /**
    268. 

  268.  * Set a cookie
    269. 

  269.  * @param string  $sName     The name of the cookie.
    270. 

  270.  * @param string  $sValue    The value of the cookie.
    271. 

  271.  * @param int     $iExpire   The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch.
    272. 

  272.  * @param string  $sPath     The path on the server in which the cookie will be available on.
    273. 

  273.  * @param string  $sDomain   The domain that the cookie is available.
    274. 

  274.  * @param boolean $bSecure   Indicates that the cookie should only be transmitted over a secure HTTPS connection.
    275. 

  275.  * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
    276. 

  276.  * @return void
    277. 

  277.  */
    278. 

  278. function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) {
    279. 

  279.     $sHeader = "Set-Cookie: $sName=$sValue";
    280. 

  280.     if ($sPath) {
    281. 

  281.         $sHeader .= "; path=$sPath";
    282. 

  282.     }
    283. 

  283.     if ($iExpire !== false) {
    284. 

  284.         $sHeader .= "; Max-Age=$iExpire";
    285. 

  285.         // php uses Expire header, also add the expire header
    286. 

  286.         $sHeader .= "; expires=". gmdate('D, d-M-Y H:i:s T',$iExpire);
    287. 

  287.     }
    288. 

  288.     if ($sDomain) {
    289. 

  289.         $sHeader .= "; Domain=$sDomain";
    290. 

  290.     }
    291. 

  291.     if ($bSecure) {
    292. 

  292.         $sHeader .= "; Secure";
    293. 

  293.     }
    294. 

  294.     if ($bHttpOnly) {
    295. 

  295.         $sHeader .= "; HttpOnly";
    296. 

  296.     }
    297. 

  297.     // $sHeader .= "; Version=1";
    298. 

  298. 

  299.     header($sHeader);
    300. 

  300. }
    301. 

  301. 

  302. /**
    303. 

  303.  * php_self
    304. 

  304.  *
    305. 

  305.  * Creates an URL for the page calling this function, using either the PHP global
    306. 

  306.  * REQUEST_URI, or the PHP global PHP_SELF with QUERY_STRING added. Before 1.5.1
    307. 

  307.  * function was stored in function/strings.php.
    308. 

  308.  *
    309. 

  309.  * @return string the complete url for this page
    310. 

  310.  * @since 1.2.3
    311. 

  311.  */
    312. 

  312. function php_self () {
    313. 

  313.     if ( sqgetGlobalVar('REQUEST_URI', $req_uri, SQ_SERVER) && !empty($req_uri) ) {
    314. 

  314.       return $req_uri;
    315. 

  315.     }
    316. 

  316. 

  317.     if ( sqgetGlobalVar('PHP_SELF', $php_self, SQ_SERVER) && !empty($php_self) ) {
    318. 

  318. 

  319.       // need to add query string to end of PHP_SELF to match REQUEST_URI
    320. 

  320.       //
    321. 

  321.       if ( sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) && !empty($query_string) ) {
    322. 

  322.          $php_self .= '?' . $query_string;
    323. 

  323.       }
    324. 

  324. 

  325.       return $php_self;
    326. 

  326.     }
    327. 

  327. 

  328.     return '';
    329. 

  329. }
    330. 

  330. 

  331. /** set the name of the session cookie */
    332. 

  332. if(isset($session_name) && $session_name) {
    333. 

  333.     ini_set('session.name' , $session_name);
    334. 

  334. } else {
    335. 

  335.     ini_set('session.name' , 'SQMSESSID');
    336. 

  336. }
    337. 

  337. 

  338. /**
    339. 

  339.  * If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
    340. 

  340.  * Force magic_quotes_runtime off.
    341. 

  341.  * tassium@squirrelmail.org - I put it here in the hopes that all SM code includes this.
    342. 

  342.  * If there's a better place, please let me know.
    343. 

  343.  */
    344. 

  344. ini_set('magic_quotes_runtime','0');
    345. 

  345. 

  346. /* Since we decided all IMAP servers must implement the UID command as defined in
    347. 

  347.  * the IMAP RFC, we force $uid_support to be on.
    348. 

  348.  */
    349. 

  349. 

  350. global $uid_support;
    351. 

  351. $uid_support = true;
    352. 

  352. 

  353. /* if running with magic_quotes_gpc then strip the slashes
    354. 

  354.    from POST and GET global arrays */
    355. 

  355. if (get_magic_quotes_gpc()) {
    356. 

  356.     sqstripslashes($_GET);
    357. 

  357.     sqstripslashes($_POST);
    358. 

  358. }
    359. 

  359. 

  360. /**
    361. 

  361.  * If register_globals are on, unregister globals.
    362. 

  362.  * Code requires PHP 4.1.0 or newer.
    363. 

  363.  */
    364. 

  364. if ((bool) @ini_get('register_globals')) {
    365. 

  365.     /**
    366. 

  366.      * Remove all globals from $_GET, $_POST, and $_COOKIE.
    367. 

  367.      */
    368. 

  368.     foreach ($_REQUEST as $key => $value) {
    369. 

  369.         unset($GLOBALS[$key]);
    370. 

  370.     }
    371. 

  371.     /**
    372. 

  372.      * Remove globalized $_FILES variables
    373. 

  373.      * Before 4.3.0 $_FILES are included in $_REQUEST.
    374. 

  374.      * Unglobalize them in separate call in order to remove dependency
    375. 

  375.      * on PHP version.
    376. 

  376.      */
    377. 

  377.     foreach ($_FILES as $key => $value) {
    378. 

  378.         unset($GLOBALS[$key]);
    379. 

  379.         // there are three undocumented $_FILES globals.
    380. 

  380.         unset($GLOBALS[$key.'_type']);
    381. 

  381.         unset($GLOBALS[$key.'_name']);
    382. 

  382.         unset($GLOBALS[$key.'_size']);
    383. 

  383.     }
    384. 

  384.     /**
    385. 

  385.      * Remove globalized environment variables.
    386. 

  386.      */
    387. 

  387.     foreach ($_ENV as $key => $value) {
    388. 

  388.         unset($GLOBALS[$key]);
    389. 

  389.     }
    390. 

  390.     /**
    391. 

  391.      * Remove globalized server variables.
    392. 

  392.      */
    393. 

  393.     foreach ($_SERVER as $key => $value) {
    394. 

  394.         unset($GLOBALS[$key]);
    395. 

  395.     }
    396. 

  396. }
    397. 

  397. 

  398. /* strip any tags added to the url from PHP_SELF.
    399. 

  399.    This fixes hand crafted url XXS expoits for any
    400. 

  400.    page that uses PHP_SELF as the FORM action */
    401. 

  401. $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);
    402. 

  402. 

  403. $PHP_SELF = php_self();
    404. 

  404. 

  405. sqsession_is_active();
    406. 

  406. 

  407. /**
    408. 

  408.  * Remove globalized session data in rg=on setups
    409. 

  409.  */
    410. 

  410. if ((bool) @ini_get('register_globals')) {
    411. 

  411.     foreach ($_SESSION as $key => $value) {
    412. 

  412.         unset($GLOBALS[$key]);
    413. 

  413.     }
    414. 

  414. }
    415. 

  415. 

  416. ?>
    417.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5