diff options
| -rw-r--r-- | .htaccess | 2 | ||||
| -rw-r--r-- | index.php | 22 | ||||
| -rw-r--r-- | program/include/main.inc | 53 | ||||
| -rw-r--r-- | program/include/rcube_shared.inc | 7 | ||||
| -rw-r--r-- | program/steps/addressbook/ldapsearchform.inc | 2 | ||||
| -rw-r--r-- | program/steps/addressbook/save.inc | 26 | ||||
| -rw-r--r-- | program/steps/mail/addcontact.inc | 4 | ||||
| -rw-r--r-- | program/steps/mail/compose.inc | 6 | ||||
| -rw-r--r-- | program/steps/mail/sendmail.inc | 24 | ||||
| -rw-r--r-- | program/steps/settings/manage_folders.inc | 16 | ||||
| -rw-r--r-- | program/steps/settings/save_identity.inc | 5 |
11 files changed, 104 insertions, 63 deletions
@@ -1,4 +1,4 @@ -AddDefaultCharset UTF-8 +# AddDefaultCharset UTF-8 php_flag display_errors On php_value upload_max_filesize 2m @@ -82,23 +82,6 @@ require_once('PEAR.php'); // PEAR::setErrorHandling(PEAR_ERROR_TRIGGER, E_USER_NOTICE); -// strip magic quotes from Superglobals... -if ((bool)get_magic_quotes_gpc()) // by "php Pest" - { - // Really EGPCSR - Environment $_ENV, GET $_GET , POST $_POST, Cookie $_COOKIE, Server $_SERVER - // and their HTTP_*_VARS cousins (separate arrays, not references) and $_REQUEST - $fnStripMagicQuotes = create_function( - '&$mData, $fnSelf', - 'if (is_array($mData)) { foreach ($mData as $mKey=>$mValue) $fnSelf($mData[$mKey], $fnSelf); return; } '. - '$mData = stripslashes($mData);' - ); - - // do each set of EGPCSR as you find necessary - $fnStripMagicQuotes($_POST, $fnStripMagicQuotes); - $fnStripMagicQuotes($_GET, $fnStripMagicQuotes); - } - - // catch some url/post parameters $_auth = !empty($_POST['_auth']) ? $_POST['_auth'] : $_GET['_auth']; $_task = !empty($_POST['_task']) ? $_POST['_task'] : (!empty($_GET['_task']) ? $_GET['_task'] : 'mail'); @@ -144,7 +127,10 @@ if ($_action=='login' && $_task=='mail') { show_message("cookiesdisabled", 'warning'); } - else if (isset($_POST['_user']) && isset($_POST['_pass']) && rcmail_login($_POST['_user'], $_POST['_pass'], $host)) + else if (isset($_POST['_user']) && isset($_POST['_pass']) && + rcmail_login(get_input_value('_user', RCUBE_INPUT_POST), + get_input_value('_pass', RCUBE_INPUT_POST), + $host)) { // send redirect header("Location: $COMM_PATH"); diff --git a/program/include/main.inc b/program/include/main.inc index 3a15bfd17..515de03b9 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -24,6 +24,12 @@ require_once('lib/utf7.inc'); require_once('lib/utf8.class.php'); +// define constannts for input reading +define('RCUBE_INPUT_GET', 0x0101); +define('RCUBE_INPUT_POST', 0x0102); +define('RCUBE_INPUT_GPC', 0x0103); + + // register session and connect to server function rcmail_startup($task='mail') { @@ -376,6 +382,8 @@ function rcmail_login($user, $pass, $host=NULL) $imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE; $imap_port = isset($a_host['port']) ? $a_host['port'] : ($imap_ssl ? 993 : $CONFIG['default_port']); } + else + $imap_port = $CONFIG['default_port']; // query if user already registered $sql_result = $DB->query("SELECT user_id, username, language, preferences @@ -897,6 +905,49 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) } +/** + * Read input value and convert it for internal use + * Performs stripslashes() and charset conversion if necessary + * + * @param string Field name to read + * @param int Source to get value from (GPC) + * @param boolean Allow HTML tags in field value + * @param string Charset to convert into + * @return string Field value or NULL if not available + */ +function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL) + { + global $OUTPUT; + $value = NULL; + + if ($source==RCUBE_INPUT_GET && isset($_GET[$fname])) + $value = $_GET[$fname]; + else if ($source==RCUBE_INPUT_POST && isset($_POST[$fname])) + $value = $_POST[$fname]; + else if ($source==RCUBE_INPUT_GPC) + { + if (isset($_GET[$fname])) + $value = $_GET[$fname]; + else if (isset($_POST[$fname])) + $value = $_POST[$fname]; + else if (isset($_COOKIE[$fname])) + $value = $_COOKIE[$fname]; + } + + // strip slashes if magic_quotes enabled + if ((bool)get_magic_quotes_gpc()) + $value = stripslashes($value); + + // remove HTML tags if not allowed + if (!$allow_html) + $value = strip_tags($value); + + // convert to internal charset + return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset); + } + + + // ************** template parsing and gui functions ************** @@ -1482,7 +1533,7 @@ function rcmail_login_form($attrib) $input_action = new hiddenfield(array('name' => '_action', 'value' => 'login')); $fields = array(); - $fields['user'] = $input_user->show($_POST['_user']); + $fields['user'] = $input_user->show(get_input_value('_user', RCUBE_INPUT_POST)); $fields['pass'] = $input_pass->show(); $fields['action'] = $input_action->show(); diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc index da5665199..77753f5b4 100644 --- a/program/include/rcube_shared.inc +++ b/program/include/rcube_shared.inc @@ -108,7 +108,7 @@ class rcube_html_page // set default page title if (!strlen($this->title)) - $this->title = 'RoundCube|Mail'; + $this->title = 'RoundCube Mail'; // replace specialchars in content $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE); @@ -117,7 +117,10 @@ class rcube_html_page // include meta tag with charset if (!empty($this->charset)) - $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";; + { + header('Content-Type: text/html; charset='.$this->charset); + $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n"; + } // definition of the code to be placed in the document header and footer diff --git a/program/steps/addressbook/ldapsearchform.inc b/program/steps/addressbook/ldapsearchform.inc index 5c04406c5..a4e08dcdc 100644 --- a/program/steps/addressbook/ldapsearchform.inc +++ b/program/steps/addressbook/ldapsearchform.inc @@ -255,7 +255,7 @@ function get_form_tags($attrib) $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task'])); $hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch')); - if ($_GET['_framed'] || $_POST['_framed']) + if ($_framed) $hiddenfields->add(array('name' => '_framed', 'value' => 1)); $form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : ''; diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc index 32a6243fd..5135e4b04 100644 --- a/program/steps/addressbook/save.inc +++ b/program/steps/addressbook/save.inc @@ -23,7 +23,7 @@ if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed'])) { show_message('formincomplete', 'warning'); - rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add'); + rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show'); return; } @@ -32,7 +32,7 @@ $a_save_cols = array('name', 'firstname', 'surname', 'email'); $contacts_table = get_table_name('contacts'); // update an existing contact -if ($_POST['_cid']) +if (!empty($_POST['_cid'])) { $a_write_sql = array(); @@ -44,7 +44,7 @@ if ($_POST['_cid']) $a_write_sql[] = sprintf("%s=%s", $DB->quoteIdentifier($col), - $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()))); + $DB->quote(get_input_value($fname, RCUBE_INPUT_POST))); } if (sizeof($a_write_sql)) @@ -65,7 +65,7 @@ if ($_POST['_cid']) $_action = 'show'; show_message('successfullysaved', 'confirmation'); - if ($_POST['_framed']) + if ($_framed) { // define list of cols to be displayed $a_show_cols = array('name', 'email'); @@ -115,20 +115,20 @@ else if (isset($_GET['_emails']) && isset($_GET['_names'])) { $sql .= "AND email IN ("; - $emails = explode(',', $_GET['_emails']); - $names = explode(',', $_GET['_names']); + $emails = explode(',', get_input_value('_emails', RCUBE_INPUT_GET)); + $names = explode(',', get_input_value('_names', RCUBE_INPUT_GET)); $count = count($emails); $n = 0; foreach ($emails as $email) { $end = (++$n == $count) ? '' : ','; - $sql .= $DB->quote(strip_tags($email)) . $end; + $sql .= $DB->quote($email) . $end; } $sql .= ")"; $ldap_form = true; } else if (isset($_POST['_email'])) - $sql .= "AND email = " . $DB->quote(strip_tags($_POST['_email'])); + $sql .= "AND email = " . $DB->quote(get_input_value('_email', RCUBE_INPUT_POST)); $sql_result = $DB->query($sql); @@ -151,9 +151,9 @@ else foreach ($emails as $email) { $DB->query("INSERT INTO $contacts_table - (user_id, name, email) - VALUES ({$_SESSION['user_id']}," . $DB->quote(strip_tags($names[$n++])) . "," . - $DB->quote(strip_tags($email)) . ")"); + (user_id, name, email + VALUES ({$_SESSION['user_id']}," . $DB->quote($names[$n++]) . "," . + $DB->quote($email) . ")"); $insert_id[] = $DB->insert_id(); } } @@ -166,7 +166,7 @@ else continue; $a_insert_cols[] = $col; - $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())); + $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST)); } if (sizeof($a_insert_cols)) @@ -187,7 +187,7 @@ else $_action = 'show'; $_GET['_cid'] = $insert_id; - if ($_POST['_framed']) + if ($_framed) { // add contact row or jump to the page where it should appear $commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME); diff --git a/program/steps/mail/addcontact.inc b/program/steps/mail/addcontact.inc index b1129ec9d..722b0f287 100644 --- a/program/steps/mail/addcontact.inc +++ b/program/steps/mail/addcontact.inc @@ -21,9 +21,9 @@ $REMOTE_REQUEST = TRUE; -if ($_GET['_address']) +if (!empty($_GET['_address'])) { - $contact_arr = $IMAP->decode_address_list($_GET['_address']); + $contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_GET)); if (sizeof($contact_arr)) { $contact = $contact_arr[1]; diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc index 2241e6b87..58465062f 100644 --- a/program/steps/mail/compose.inc +++ b/program/steps/mail/compose.inc @@ -142,7 +142,7 @@ function rcmail_compose_headers($attrib) if ($fname && !empty($_POST[$fname])) - $fvalue = $_POST[$fname]; + $fvalue = get_input_value($fname, RCUBE_INPUT_POST); else if ($header && is_object($REPLY_MESSAGE['headers'])) { // get recipent address(es) out of the message headers @@ -309,7 +309,7 @@ function rcmail_compose_body($attrib) // use posted message body if (!empty($_POST['_message'])) - $body = stripslashes($_POST['_message']); + $body = get_input_value('_message', RCUBE_INPUT_POST, TRUE); // compose reply-body else if (is_array($REPLY_MESSAGE['parts'])) @@ -433,7 +433,7 @@ function rcmail_compose_subject($attrib) // use subject from post if (isset($_POST['_subject'])) - $subject = stripslashes($_POST['_subject']); + $subject = get_input_value('_subject', RCUBE_INPUT_POST); // create a reply-subject else if (isset($REPLY_MESSAGE['subject'])) diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc index ec0f1166f..70baba039 100644 --- a/program/steps/mail/sendmail.inc +++ b/program/steps/mail/sendmail.inc @@ -83,7 +83,7 @@ $mailto_regexp = array('/[,;]\s*[\r\n]+/', '/[\r\n]+/', '/[,;]\s*$/m'); $mailto_replace = array(', ', ', ', ''); // repalce new lines and strip ending ', ' -$mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to'])); +$mailto = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_to', RCUBE_INPUT_POST, TRUE, $message_charset)); // decode address strings $to_address_arr = $IMAP->decode_address_list($mailto); @@ -104,22 +104,22 @@ $headers = array('Date' => date('D, j M Y G:i:s O'), 'To' => rcube_charset_convert($mailto, $input_charset, $message_charset)); // additional recipients -if ($_POST['_cc']) - $headers['Cc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc'])), $input_charset, $message_charset); +if (!empty($_POST['_cc'])) + $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_cc', RCUBE_INPUT_POST, TRUE, $message_charset)); -if ($_POST['_bcc']) - $headers['Bcc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc'])), $input_charset, $message_charset); +if (!empty($_POST['_bcc'])) + $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_bcc', RCUBE_INPUT_POST, TRUE, $message_charset)); -if (strlen($identity_arr['bcc'])) +if (!empty($identity_arr['bcc'])) $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc']; // add subject -$headers['Subject'] = rcube_charset_convert(trim($_POST['_subject']), $input_charset, $message_charset); +$headers['Subject'] = trim(get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset)); -if (strlen($identity_arr['organization'])) +if (!empty($identity_arr['organization'])) $headers['Organization'] = $identity_arr['organization']; -if (strlen($identity_arr['reply-to'])) +if (!empty($identity_arr['reply-to'])) $headers['Reply-To'] = $identity_arr['reply-to']; if (!empty($_SESSION['compose']['reply_msgid'])) @@ -128,7 +128,7 @@ if (!empty($_SESSION['compose']['reply_msgid'])) if (!empty($_SESSION['compose']['references'])) $headers['References'] = $_SESSION['compose']['references']; -if ($_POST['_priority']) +if (!empty($_POST['_priority'])) { $priority = (int)$_POST['_priority']; $a_priorities = array(1=>'lowest', 2=>'low', 4=>'high', 5=>'highest'); @@ -141,11 +141,11 @@ if ($_POST['_priority']) $headers['Message-ID'] = $message_id; $headers['X-Sender'] = $from; -if ($CONFIG['useragent']) +if (!empty($CONFIG['useragent'])) $headers['User-Agent'] = $CONFIG['useragent']; // fetch message body -$message_body = rcube_charset_convert($_POST['_message'], $input_charset, $message_charset); +$message_body = get_input_value('_message', RCUBE_INPUT_POST, TRUE, $message_charset); // append generic footer to all messages if (!empty($CONFIG['generic_message_footer'])) diff --git a/program/steps/settings/manage_folders.inc b/program/steps/settings/manage_folders.inc index 6f49018e7..86b9bb7fe 100644 --- a/program/steps/settings/manage_folders.inc +++ b/program/steps/settings/manage_folders.inc @@ -29,7 +29,7 @@ if ($_action=='subscribe') if (strlen($_GET['_mboxes'])) $IMAP->subscribe(array($_GET['_mboxes'])); - if ($_GET['_remote']) + if ($REMOTE_REQUEST) rcube_remote_response('// subscribed'); } @@ -39,22 +39,22 @@ else if ($_action=='unsubscribe') if (strlen($_GET['_mboxes'])) $IMAP->unsubscribe(array($_GET['_mboxes'])); - if ($_GET['_remote']) + if ($REMOTE_REQUEST) rcube_remote_response('// unsubscribed'); } // create a new mailbox else if ($_action=='create-folder') { - if (strlen($_GET['_name'])) - $create = $IMAP->create_mailbox(rcube_charset_convert(strip_tags(trim($_GET['_name'])), $OUTPUT->get_charset()), TRUE); + if (!empty($_GET['_name'])) + $create = $IMAP->create_mailbox(trim(get_input_value('_name', RCUBE_INPUT_GET)), TRUE); - if ($create && $_GET['_remote']) + if ($create && $REMOTE_REQUEST) { $commands = sprintf("this.add_folder_row('%s')", rep_specialchars_output($create, 'js')); rcube_remote_response($commands); } - else if (!$create && $_GET['_remote']) + else if (!$create && $REMOTE_REQUEST) { $commands = show_message('errorsaving', 'error'); rcube_remote_response($commands); @@ -69,9 +69,9 @@ else if ($_action=='delete-folder') if (strlen($_GET['_mboxes'])) $deleted = $IMAP->delete_mailbox(array($_GET['_mboxes'])); - if ($_GET['_remote'] && $deleted) + if ($REMOTE_REQUEST && $deleted) rcube_remote_response(sprintf("this.remove_folder_row('%s')", rep_specialchars_output($_GET['_mboxes'], 'js'))); - else if ($_GET['_remote']) + else if ($REMOTE_REQUEST) { $commands = show_message('errorsaving', 'error'); rcube_remote_response($commands); diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc index 1bfbf48e6..f5780de4b 100644 --- a/program/steps/settings/save_identity.inc +++ b/program/steps/settings/save_identity.inc @@ -20,6 +20,7 @@ */ $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature'); +$a_html_cols = array('signature'); // check input @@ -44,7 +45,7 @@ if ($_POST['_iid']) $a_write_sql[] = sprintf("%s=%s", $DB->quoteIdentifier($col), - $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()))); + $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols)))); } if (sizeof($a_write_sql)) @@ -99,7 +100,7 @@ else continue; $a_insert_cols[] = $DB->quoteIdentifier($col); - $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())); + $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols))); } if (sizeof($a_insert_cols)) |