1 <?php
2 
/*
 * Search-scope selectors for sqgetGlobalVar(). They say which of PHP's
 * request/session arrays a lookup may read from; the narrower the scope a
 * caller asks for, the fewer channels an attacker has to supply the value.
 */
define('SQ_INORDER', 0); // $_SESSION, then $_POST, then $_GET
define('SQ_GET',     1); // $_GET only
define('SQ_POST',    2); // $_POST only
define('SQ_SESSION', 3); // $_SESSION only
define('SQ_COOKIE',  4); // $_COOKIE only
define('SQ_SERVER',  5); // $_SERVER only
define('SQ_FORM',    6); // $_POST, then $_GET
22 
/*
 * Defence against register_globals: when PHP has imported request data as
 * plain globals, throw away every global that is not one of the
 * superglobal containers (or the two loop variables), so request-supplied
 * names cannot pre-seed variables used later in this request. This has to
 * run before any other code defines globals, because everything not on the
 * keep list is discarded. On PHP builds without the setting ini_get()
 * yields an empty value and nothing is touched.
 */
if ((bool) ini_get('register_globals') && strtolower(ini_get('register_globals')) != 'off') {
    foreach ($GLOBALS as $key => $value) {
        if (!in_array($key, array(
            'HTTP_POST_VARS',    '_POST',
            'HTTP_GET_VARS',     '_GET',
            'HTTP_COOKIE_VARS',  '_COOKIE',
            'HTTP_SERVER_VARS',  '_SERVER',
            'HTTP_ENV_VARS',     '_ENV',
            'HTTP_POST_FILES',   '_FILES',
            '_REQUEST',
            'HTTP_SESSION_VARS', '_SESSION',
            'GLOBALS',
            'key', 'value',
        ), true)) {
            unset($GLOBALS[$key]);
        }
    }
    // the loop variables themselves are globals too; drop them last
    unset($GLOBALS['key']);
    unset($GLOBALS['value']);
}
66 
/*
 * SquirrelMail manages the session itself (see sqsession_start()); a session
 * auto-started by PHP would be created before the cookie parameters below
 * are applied, so refuse to run in that configuration.
 */
$php_session_auto_start = ini_get('session.auto_start');
if ($php_session_auto_start && $php_session_auto_start != 'off') {
    die('SquirrelMail 1.4.x is not compatible with PHP\'s session.auto_start setting. Please disable it at least for the location where SquirrelMail is installed.');
}
76 
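/*
 * Neutralise markup in the request-derived $_SERVER entries that
 * SquirrelMail echoes back into pages and location strings: PHP_SELF,
 * QUERY_STRING (used together with PHP_SELF) and REQUEST_URI (used by
 * php_self()). These values are attacker controlled, so they are
 * HTML-escaped once, centrally, before any other code reads them.
 * ENT_QUOTES is passed explicitly so that single quotes are escaped as
 * well -- the plain default leaves them alone on PHP releases before 8.1 --
 * which keeps the values safe inside single-quoted attributes too.
 */
foreach (array('PHP_SELF', 'QUERY_STRING', 'REQUEST_URI') as $sq_server_key) {
    if (isset($_SERVER[$sq_server_key])) {
        $_SERVER[$sq_server_key] = htmlspecialchars($_SERVER[$sq_server_key], ENT_QUOTES);
    }
}
// do not leave the loop variable behind as a global
unset($sq_server_key);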
106 
113 require_once(SM_PATH . 'functions/strings.php');
114 require_once(SM_PATH . 'config/config.php');
115 
131 global $temporary_plugins;
132 if (isset($temporary_plugins)) {
134 }
135 
140 
/*
 * Name of the session cookie. An admin-supplied $session_name (from
 * config.php) wins; otherwise the SquirrelMail default is used so the
 * cookie does not collide with other PHP applications on the same host.
 */
ini_set('session.name', (isset($session_name) && $session_name) ? $session_name : 'SQMSESSID');
147 
/*
 * Make sure PHP does not add slashes to data read at runtime (files,
 * database rows); SquirrelMail handles escaping itself.
 */
ini_set('magic_quotes_runtime', '0');

/*
 * The session id must travel in a cookie only. If php.ini turned cookie
 * transport off (which would push the id into URLs), turn it back on.
 */
if (!ini_get('session.use_cookies') || ini_get('session.use_cookies') == 'off') {
    ini_set('session.use_cookies', '1');
}
167 
174 
176 
177 /* if running with magic_quotes_gpc then strip the slashes
178  from POST and GET global arrays */
179 
/*
 * Undo magic_quotes_gpc: when PHP has already backslash-escaped the request
 * data, strip those slashes again so the rest of the code sees raw values
 * and escapes them itself for the right context. function_exists() guards
 * PHP releases where get_magic_quotes_gpc() no longer exists; the '@'
 * silences its deprecation notice where it is still present.
 */
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    sqstripslashes($_GET);
    sqstripslashes($_POST);
}
184 
/**
 * Tests whether the running PHP is at least version $a.$b.$c.
 *
 * The version is reduced to a three-digit string: all non-digits are
 * removed from PHP_VERSION, the result is right-padded with '0' to three
 * characters and then truncated to three. The wanted version is built the
 * same way by concatenating the three arguments, and the two strings are
 * compared numerically. The reduced form is cached in the global
 * $SQ_PHP_VERSION for later calls.
 *
 * @param string|int $a major version
 * @param string|int $b minor version
 * @param string|int $c release version
 * @return bool
 */
function check_php_version($a = '0', $b = '0', $c = '0')
{
    global $SQ_PHP_VERSION;

    if (!isset($SQ_PHP_VERSION)) {
        $digits = preg_replace('/\D/', '', PHP_VERSION);
        $SQ_PHP_VERSION = substr(str_pad($digits, 3, '0'), 0, 3);
    }

    $wanted = $a . $b . $c;
    return $SQ_PHP_VERSION >= $wanted;
}
203 
/**
 * Tests whether the running SquirrelMail is at least version $a.$b.$c.
 *
 * Compares against the global $SQM_INTERNAL_VERSION array
 * (major, minor, release) component by component. When that global has
 * not been set the answer is FALSE.
 *
 * @param int $a major version
 * @param int $b minor version
 * @param int $c release version
 * @return bool
 */
function check_sm_version($a = 0, $b = 0, $c = 0)
{
    global $SQM_INTERNAL_VERSION;

    if (!isset($SQM_INTERNAL_VERSION)) {
        return FALSE;
    }

    // first differing component decides; equal components fall through
    $major = $SQM_INTERNAL_VERSION[0];
    if ($major != $a) {
        return $major > $a;
    }

    $minor = $SQM_INTERNAL_VERSION[1];
    if ($minor != $b) {
        return $minor > $b;
    }

    return $SQM_INTERNAL_VERSION[2] >= $c;
}
229 
230 
/**
 * Recursively runs stripslashes() over every scalar in $array, in place.
 *
 * Used to reverse magic_quotes_gpc on $_GET/$_POST. Nested arrays are
 * descended into; an empty array is left untouched.
 *
 * @param array $array modified in place
 * @return void
 */
function sqstripslashes(&$array)
{
    if (count($array) > 0) {
        foreach ($array as &$entry) {
            if (is_array($entry)) {
                sqstripslashes($entry);
            } else {
                $entry = stripslashes($entry);
            }
        }
        // break the reference left behind by the by-reference loop
        unset($entry);
    }
}
248 
/**
 * Calls $function with $args while display_errors is switched off, then
 * restores the previous display_errors setting.
 *
 * Only the *display* of errors is suppressed for the duration of the call;
 * logging is unaffected. The previous value is restored only on normal
 * return -- an exception thrown by the callee leaves display_errors at '0'.
 *
 * @param callable $function the function to call
 * @param array    $args     positional arguments for it
 * @return mixed whatever $function returned
 */
function sq_call_function_suppress_errors($function, $args = array())
{
    $savedDisplayErrors = ini_get('display_errors');
    ini_set('display_errors', '0');

    $result = call_user_func_array($function, $args);

    ini_set('display_errors', $savedDisplayErrors);
    return $result;
}
282 
/**
 * Stores $var in the session under the key $name.
 *
 * Thin wrapper over direct $_SESSION access so callers do not depend on the
 * storage mechanism.
 *
 * @param mixed  $var  value to store
 * @param string $name session key
 * @return void
 */
function sqsession_register($var, $name)
{
    $_SESSION[$name] = $var;
}
295 
/**
 * Removes the key $name from the session, if present.
 *
 * session_unregister() is deliberately not used: it warns from PHP 5.3.0,
 * is gone in later releases, and unset() already does the job.
 *
 * @param string $name session key
 * @return void
 */
function sqsession_unregister($name)
{
    unset($_SESSION[$name]);
}
311 
/**
 * Reports whether the session holds a non-NULL value under $name.
 *
 * Because the check is isset(), a key that exists with a NULL value is
 * reported as not registered.
 *
 * @param string $name session key
 * @return bool
 */
function sqsession_is_registered($name)
{
    return isset($_SESSION[$name]);
}
322 
/**
 * Looks a variable up in one or more of PHP's request/session arrays.
 *
 * The search scope is selected with the SQ_* constants:
 *   SQ_INORDER (and any unrecognised value): $_SESSION, then $_POST, then $_GET
 *   SQ_FORM:    $_POST, then $_GET
 *   SQ_SESSION, SQ_POST, SQ_GET, SQ_COOKIE, SQ_SERVER: that single array only
 *
 * With the default order a session value is always preferred over a form
 * or URL parameter of the same name. A value that must only ever come from
 * the session should nevertheless be requested with SQ_SESSION, so that it
 * cannot be supplied through POST or GET when the session lacks it.
 *
 * Because the lookup uses isset(), a key whose value is NULL counts as absent.
 *
 * @param string $name   key to look for
 * @param mixed  $value  receives the first value found; untouched otherwise
 * @param int    $search one of the SQ_* constants (default SQ_INORDER)
 * @return bool TRUE if the key was found in the searched array(s)
 */
function sqgetGlobalVar($name, &$value, $search = SQ_INORDER)
{
    $checkSession = $checkPost = $checkGet = $checkCookie = $checkServer = FALSE;

    // NOTE: the case labels are constants, not strings -- quoting them
    // would compare against their names instead of their values.
    switch ($search) {
        case SQ_SESSION:
            $checkSession = TRUE;
            break;
        case SQ_FORM:
            $checkPost = $checkGet = TRUE;
            break;
        case SQ_POST:
            $checkPost = TRUE;
            break;
        case SQ_GET:
            $checkGet = TRUE;
            break;
        case SQ_COOKIE:
            $checkCookie = TRUE;
            break;
        case SQ_SERVER:
            $checkServer = TRUE;
            break;
        default: // SQ_INORDER and anything unrecognised
            $checkSession = $checkPost = $checkGet = TRUE;
            break;
    }

    // the arrays are consulted in the fixed order session, post, get,
    // cookie, server; the first hit wins
    if ($checkSession && isset($_SESSION[$name])) {
        $value = $_SESSION[$name];
        return TRUE;
    }
    if ($checkPost && isset($_POST[$name])) {
        $value = $_POST[$name];
        return TRUE;
    }
    if ($checkGet && isset($_GET[$name])) {
        $value = $_GET[$name];
        return TRUE;
    }
    if ($checkCookie && isset($_COOKIE[$name])) {
        $value = $_COOKIE[$name];
        return TRUE;
    }
    if ($checkServer && isset($_SERVER[$name])) {
        $value = $_SERVER[$name];
        return TRUE;
    }

    return FALSE;
}
394 
/**
 * Ends the current session and expires its cookies.
 *
 * The cookies are expired *before* the server-side session is destroyed:
 * starting a fresh session first would hand the same new id to every
 * window of the browser and re-introduce the "merged sessions" problem
 * (see php.net's setcookie() notes, which the original authors relied on).
 * An expiry of 1 (one second after the epoch) makes the browser discard
 * the cookie.
 *
 * @return void
 */
function sqsession_destroy()
{
    global $base_uri;

    $sessionName = session_name();

    if (isset($_COOKIE[$sessionName])) {
        $staleId = $_COOKIE[$sessionName];

        // Expire the cookie for this installation, and also the /src and
        // /src/ variants in case a left-over or attacker-planted cookie sits
        // there. Cookies planted under /plugins/* could only block those
        // plugin pages; they cannot influence or fixate the $base_uri
        // cookie, so no attempt is made to clear them here.
        sqsetcookie($sessionName, $staleId, 1, $base_uri);
        foreach (array('src', 'src/') as $subPath) {
            sqsetcookie($sessionName, $staleId, 1, $base_uri . $subPath);
        }
    }

    // the 'key' cookie is overwritten with a junk value and expired
    if (isset($_COOKIE['key'])) {
        sqsetcookie('key', 'SQMTRASH', 1, $base_uri);
    }

    // Drop every copy of the old id so the next session_start() issues a
    // new one instead of resuming this session.
    unset($_COOKIE[$sessionName], $_GET[$sessionName], $_POST[$sessionName]);

    $currentId = session_id();
    if (!empty($currentId)) {
        $_SESSION = array();
        @session_destroy();
    }
}
444 
453  sqsession_start();
454 }
455 
/**
 * Starts (or resumes) the PHP session scoped to this installation.
 *
 * The session cookie is limited to the $base_uri path with lifetime 0
 * (browser session). session_start() sets that cookie itself but without
 * the HttpOnly attribute, so the id is re-sent through sqsetcookie(), which
 * adds HttpOnly (and Secure on TLS connections, see sqsetcookie()).
 *
 * sqsession_is_active() is a plain pass-through to this function, so it may
 * be called after output has begun; the re-send is skipped once headers
 * have gone out to avoid "headers already sent" warnings.
 *
 * @return void
 */
function sqsession_start()
{
    global $base_uri;

    session_set_cookie_params(0, $base_uri);
    @session_start();
    // could be: sq_call_function_suppress_errors('session_start');
    $sessionId = session_id();

    if (!headers_sent()) {
        sqsetcookie(session_name(), $sessionId, false, $base_uri);
    }
}
487 
/**
 * Emits a Set-Cookie header with SquirrelMail's security defaults.
 *
 * The header is assembled by hand and sent with header() rather than
 * setcookie(), which the original authors considered unreliable. Defaults
 * and overrides applied here:
 *   - HttpOnly is on unless the caller turns it off.
 *   - On a TLS connection ($is_secure_connection) the cookie is forced
 *     Secure, unless the admin set $only_secure_cookies to false. When that
 *     setting is missing (config.php from an older release, conf.pl not
 *     re-run) it is treated as true, so upgraded installations keep the
 *     safer behaviour.
 *   - An empty or otherwise falsy value is replaced by 'deleted'. Note that
 *     this includes the string '0'.
 *   - A domain loses a leading 'www.' and any ':port', and gains a leading
 *     dot so it also covers subdomains.
 *
 * $sName and $sValue are URL-encoded; $sPath and $sDomain are emitted
 * as-is, so they must not be built from request data.
 *
 * @param string $sName     cookie name
 * @param string $sValue    cookie value ('deleted' when empty)
 * @param int    $iExpire   unix timestamp; 0/empty means a session cookie
 * @param string $sPath     cookie path, omitted when empty
 * @param string $sDomain   cookie domain, omitted when empty
 * @param bool   $bSecure   Secure attribute (may be overridden, see above)
 * @param bool   $bHttpOnly HttpOnly attribute
 * @param bool   $bReplace  passed to header() as its replace flag
 * @return void
 */
function sqsetcookie($sName, $sValue = 'deleted', $iExpire = 0, $sPath = "", $sDomain = "",
                     $bSecure = false, $bHttpOnly = true, $bReplace = false)
{
    global $is_secure_connection, $only_secure_cookies;

    // over TLS, never let the cookie travel in clear text ...
    if ($sName && $is_secure_connection) {
        $bSecure = true;
    }

    // ... unless the admin explicitly allowed insecure cookies; a missing
    // setting counts as "secure only"
    if (!isset($only_secure_cookies)) {
        $only_secure_cookies = true;
    }
    if (!$only_secure_cookies) {
        $bSecure = false;
    }

    if (!empty($sDomain)) {
        // accept domains given with or without 'www.'
        if (strtolower(substr($sDomain, 0, 4)) == 'www.') {
            $sDomain = substr($sDomain, 4);
        }
        $sDomain = '.' . $sDomain;

        // a cookie domain carries no port
        $colonPos = strpos($sDomain, ':');
        if ($colonPos !== false) {
            $sDomain = substr($sDomain, 0, $colonPos);
        }
    }

    if (!$sValue) {
        $sValue = 'deleted';
    }

    $cookieHeader = 'Set-Cookie: ' . rawurlencode($sName) . '=' . rawurlencode($sValue);
    if (!empty($iExpire)) {
        $cookieHeader .= '; expires=' . gmdate('D, d-M-Y H:i:s', $iExpire) . ' GMT';
    }
    if (!empty($sPath)) {
        $cookieHeader .= '; path=' . $sPath;
    }
    if (!empty($sDomain)) {
        $cookieHeader .= '; domain=' . $sDomain;
    }
    if ($bSecure) {
        $cookieHeader .= '; secure';
    }
    if ($bHttpOnly) {
        $cookieHeader .= '; HttpOnly';
    }

    header($cookieHeader, $bReplace);
}
553 
/**
 * Decides whether the current request arrived over TLS.
 *
 * Any one of these is taken as proof of TLS:
 *   1. the HTTPS environment variable equals 'on' (case-insensitive);
 *   2. $_SERVER['HTTPS'] is non-empty and not 'off';
 *   3. the X-Forwarded-Proto header says 'https' -- only consulted when the
 *      admin has not set $sq_ignore_http_x_forwarded_headers, since that
 *      header is only trustworthy when a proxy in front of SquirrelMail
 *      sets or strips it;
 *   4. $_SERVER['SERVER_PORT'] equals $sq_https_port (443 when the setting
 *      is empty; port 0 therefore cannot be configured).
 *
 * @return bool
 */
function is_ssl_secured_connection()
{
    global $sq_ignore_http_x_forwarded_headers, $sq_https_port;

    if (empty($sq_https_port)) { // won't work with port 0 (zero)
        $sq_https_port = 443;
    }

    $https_env_var = getenv('HTTPS');
    if (isset($https_env_var) && strcasecmp($https_env_var, 'on') === 0) {
        return TRUE;
    }

    if (sqgetGlobalVar('HTTPS', $https, SQ_SERVER)
        && !empty($https) && strcasecmp($https, 'off') !== 0) {
        return TRUE;
    }

    if (!$sq_ignore_http_x_forwarded_headers
        && sqgetGlobalVar('HTTP_X_FORWARDED_PROTO', $forwarded_proto, SQ_SERVER)
        && strcasecmp($forwarded_proto, 'https') === 0) {
        return TRUE;
    }

    if (sqgetGlobalVar('SERVER_PORT', $server_port, SQ_SERVER)
        && $server_port == $sq_https_port) {
        return TRUE;
    }

    return FALSE;
}
602 
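/**
 * Reports whether any line of $filename is longer than $max_length bytes.
 *
 * The file is read in chunks of at most 4095 bytes. Earlier this function
 * compared each chunk on its own, so a line longer than the chunk size was
 * never recognised once $max_length was 4095 or more; the length is now
 * accumulated across chunks until a newline is seen. Lengths include the
 * terminating newline, as before. An unreadable file (the fopen() warning
 * is suppressed) yields FALSE.
 *
 * @param string $filename   path of the file to inspect
 * @param int    $max_length longest acceptable line length in bytes
 * @return bool TRUE if some line exceeds $max_length
 */
function file_has_long_lines($filename, $max_length)
{
    $FILE = @fopen($filename, 'rb');
    if (!$FILE) {
        return FALSE;
    }

    $lineLength = 0;
    while (!feof($FILE)) {
        $chunk = fgets($FILE, 4096);
        if ($chunk === false) {
            break;
        }

        // a line may span several chunks; keep adding until its newline
        $lineLength += strlen($chunk);
        if ($lineLength > $max_length) {
            fclose($FILE);
            return TRUE;
        }
        if (substr($chunk, -1) === "\n") {
            $lineLength = 0;
        }
    }

    fclose($FILE);
    return FALSE;
}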
631 