<?php
/*
 +-------------------------------------------------------------------------+
 | Roundcube Webmail IMAP Client                                           |
 | Version 0.4-20100807                                                    |
 |                                                                         |
 | Copyright (C) 2005-2010, Roundcube Dev. - Switzerland                   |
 |                                                                         |
 | This program is free software; you can redistribute it and/or modify    |
 | it under the terms of the GNU General Public License version 2          |
 | as published by the Free Software Foundation.                           |
 |                                                                         |
 | This program is distributed in the hope that it will be useful,         |
 | but WITHOUT ANY WARRANTY; without even the implied warranty of          |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the            |
 | GNU General Public License for more details.                            |
 |                                                                         |
 | You should have received a copy of the GNU General Public License along |
 | with this program; if not, write to the Free Software Foundation, Inc., |
 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.             |
 |                                                                         |
 +-------------------------------------------------------------------------+
 | Author: Thomas Bruederli <roundcube@gmail.com>                          |
 +-------------------------------------------------------------------------+

 $Id$

*/

// Front controller. Order of operations in this file:
//   1. bootstrap the environment and the rcmail application object
//   2. fail fast on config / DB errors, optionally force HTTPS for the login
//   3. run the 'startup' plugin hook (may rewrite task/action)
//   4. handle login / logout / session re-authentication
//   5. show the login page when not authenticated, otherwise run CSRF checks
//   6. dispatch the task/action to a plugin or a step include file
//   7. render the task template; anything falling through is a 404
//
// NOTE(review): $DB, $OUTPUT and $IMAP are used below but never assigned in
// this file; presumably they are populated as globals by iniset.php /
// rcmail::get_instance() — confirm before relying on them elsewhere.

// include environment
require_once 'program/include/iniset.php';

// init application, start session, init output class, etc.
$RCMAIL = rcmail::get_instance();

// turn on output buffering
ob_start();

// check if config files had errors
// The third raise_error() argument is true in every terminating call in this
// file, so it is presumably the "terminate" flag — confirm against raise_error().
if ($err_str = $RCMAIL->config->get_error()) {
    raise_error(array(
        'code' => 601,
        'type' => 'php',
        'message' => $err_str), false, true);
}

// check DB connections and exit on failure
if ($err_str = $DB->is_error()) {
    raise_error(array(
        'code' => 603,
        'type' => 'db',
        'message' => $err_str), FALSE, TRUE);
}

// error steps
// _code is taken straight from the query string. hexdec() ignores non-hex
// characters, so the worst case is an unexpected numeric error code; the
// user-facing result depends on how raise_error() handles unknown codes.
if ($RCMAIL->action=='error' && !empty($_GET['_code'])) {
    raise_error(array('code' => hexdec($_GET['_code'])), FALSE, TRUE);
}

// check if https is required (for login) and redirect if necessary
// force_https may be boolean (use port 443) or an explicit port number.
if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
    $https_port = is_bool($force_https) ? 443 : $force_https;
    if (!rcube_https_check($https_port)) {
        // NOTE(review): the redirect target is built from the client-supplied
        // Host header (only a trailing ":port" is stripped). A forged Host
        // header therefore controls where the browser is sent; validating
        // $host against a configured hostname would close that gap.
        $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
        $host .= ($https_port != 443 ? ':' . $https_port : '');
        header('Location: https://' . $host . $_SERVER['REQUEST_URI']);
        exit;
    }
}

// trigger startup plugin hook
// Plugins may rewrite both task and action here; everything below uses the
// values returned by the hook, not the raw request values.
$startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
$RCMAIL->set_task($startup['task']);
$RCMAIL->action = $startup['action'];

// try to log in
if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
    // purge the session in case of new login when a session already exists
    $RCMAIL->kill_session();

    // The 'authenticate' hook receives the form values and may override any
    // of them (e.g. supply 'pass' or set 'abort'); 'cookiecheck' defaults to
    // true so a plugin has to opt out of the cookie check explicitly.
    $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
        'host' => $RCMAIL->autoselect_host(),
        'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
        'cookiecheck' => true,
    ));

    // Only read the password from POST if no plugin supplied one; the
    // charset conversion uses the configured password_charset.
    if (!isset($auth['pass']))
        $auth['pass'] = get_input_value('_pass', RCUBE_INPUT_POST, true,
            $RCMAIL->config->get('password_charset', 'ISO-8859-1'));

    // check if client supports cookies
    if ($auth['cookiecheck'] && empty($_COOKIE)) {
        $OUTPUT->show_message("cookiesdisabled", 'warning');
    }
    // Login is only attempted from a pre-login "temp" session (presumably set
    // when the login form was rendered — confirm in the login step) and only
    // when no plugin aborted and host/user are non-empty.
    else if ($_SESSION['temp'] && !$auth['abort'] &&
             !empty($auth['host']) && !empty($auth['user']) &&
             $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
        // create new session ID
        // Rotating the session ID on successful authentication is the usual
        // defence against session fixation; 'temp' is dropped so the session
        // no longer counts as a pre-login session.
        $RCMAIL->session->remove('temp');
        $RCMAIL->session->regenerate_id();

        // send auth cookie if necessary
        $RCMAIL->authenticate_session();

        // log successful login
        rcmail_log_login();

        // restore original request parameters
        // _url carries the query string of the request that triggered the
        // login form; it is parsed back into an array for the redirect.
        $query = array();
        if ($url = get_input_value('_url', RCUBE_INPUT_POST))
            parse_str($url, $query);

        // allow plugins to control the redirect url after login success
        $redir = $RCMAIL->plugins->exec_hook('login_after', $query);
        unset($redir['abort']);

        // send redirect
        $OUTPUT->redirect($redir);
    }
    else {
        // Distinguish an IMAP connection error from plain bad credentials so
        // the user-facing message is accurate; the session is discarded either way.
        $OUTPUT->show_message($IMAP->error_code < -1 ? 'imaperror' : 'loginfailed', 'warning');
        $RCMAIL->plugins->exec_hook('login_failed', array('code' => $IMAP->error_code, 'host' => $auth['host'], 'user' => $auth['user']));
        $RCMAIL->kill_session();
    }
}

// end session
else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
    // Capture the user data before kill_session() so the logout_after hook
    // still sees who logged out.
    $userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
    $OUTPUT->show_message('loggedout');
    $RCMAIL->logout_actions();
    $RCMAIL->kill_session();
    $RCMAIL->plugins->exec_hook('logout_after', $userdata);
}

// check session and auth cookie
// NOTE(review): the 'send' action is explicitly excluded from the
// authenticate_session() check here; presumably sendmail handles it itself —
// confirm this is intentional, since it bypasses the auth-cookie validation
// for that action.
else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
    if (!$RCMAIL->authenticate_session()) {
        $OUTPUT->show_message('sessionerror', 'error');
        $RCMAIL->kill_session();
    }
}

// not logged in -> show login page
if (empty($RCMAIL->user->ID)) {
    // AJAX callers get a redirect command instead of the login page
    // (assumes redirect() ends the request — TODO confirm).
    if ($OUTPUT->ajax_call)
        $OUTPUT->redirect(array(), 2000);

    // Break out of an iframe so the login page is not rendered inside it.
    if (!empty($_REQUEST['_framed']))
        $OUTPUT->command('redirect', '?');

    // check if installer is still active
    // Warn loudly on the login page if the installer directory is still
    // present and enabled, since it can expose configuration data.
    if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
        $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
            html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
            html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
            html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .
                these files may expose sensitive configuration data like server passwords and encryption keys
                to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
            )
        );
    }

    $OUTPUT->set_env('task', 'login');
    $OUTPUT->send('login');
}
// CSRF prevention
else {
    // don't check for valid request tokens in these actions
    $request_check_whitelist = array('login'=>1, 'spell'=>1);

    // check client X-header to verify request origin
    // AJAX requests must carry the per-session request token in a custom
    // header; a mismatch is answered with 404 and no further processing.
    // NOTE(review): the comparison is loose (!=); a strict comparison (and,
    // where available, a constant-time one) would be the safer choice.
    if ($OUTPUT->ajax_call) {
        if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
            header('HTTP/1.1 404 Not Found');
            die("Invalid Request");
        }
    }
    // check request token in POST form submissions
    // NOTE(review): indexing $request_check_whitelist with an action that is
    // not listed raises an "undefined index" notice; empty() would avoid it.
    // This branch also assumes $OUTPUT->send() ends the request — otherwise
    // execution would continue into the action dispatch below. TODO confirm.
    else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
        $OUTPUT->show_message('invalidrequest', 'error');
        $OUTPUT->send($RCMAIL->task);
    }
}

// handle special actions
if ($RCMAIL->action == 'keep-alive') {
    $OUTPUT->reset();
    $OUTPUT->send();
}
else if ($RCMAIL->action == 'save-pref') {
    // Relative path (no 'program/' prefix) unlike the step includes below;
    // presumably resolved through an include_path set up in iniset.php — confirm.
    include 'steps/utils/save_pref.inc';
}


// map task/action to a certain include file
// Actions not listed here fall back to "<action with - replaced by _>.inc".
$action_map = array(
    'mail' => array(
        'preview' => 'show.inc',
        'print' => 'show.inc',
        'moveto' => 'move_del.inc',
        'delete' => 'move_del.inc',
        'send' => 'sendmail.inc',
        'expunge' => 'folders.inc',
        'purge' => 'folders.inc',
        'remove-attachment' => 'attachments.inc',
        'display-attachment' => 'attachments.inc',
        'upload' => 'attachments.inc',
        'group-expand' => 'autocomplete.inc',
    ),

    'addressbook' => array(
        'add' => 'edit.inc',
        'group-create' => 'groups.inc',
        'group-rename' => 'groups.inc',
        'group-delete' => 'groups.inc',
        'group-addmembers' => 'groups.inc',
        'group-delmembers' => 'groups.inc',
    ),

    'settings' => array(
        'folders' => 'manage_folders.inc',
        'create-folder' => 'manage_folders.inc',
        'rename-folder' => 'manage_folders.inc',
        'delete-folder' => 'manage_folders.inc',
        'subscribe' => 'manage_folders.inc',
        'unsubscribe' => 'manage_folders.inc',
        'enable-threading' => 'manage_folders.inc',
        'disable-threading' => 'manage_folders.inc',
        'add-identity' => 'edit_identity.inc',
    )
);

// include task specific functions
if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/func.inc'))
    include_once($incfile);

// allow 5 "redirects" to another action
// A step file may change $RCMAIL->action to hand over to another step; the
// step file name is recomputed on every iteration, and at most 5 includes
// are performed. $incstep is not used anywhere in this file.
// NOTE(review): task and action are request-derived and end up in a file
// path here. is_file() alone does not prevent traversal, so this relies on
// both values having been restricted to a safe character set (no path
// separators) before this point — TODO confirm in rcmail.
$redirects = 0; $incstep = null;
while ($redirects < 5) {
    $stepfile = !empty($action_map[$RCMAIL->task][$RCMAIL->action]) ?
        $action_map[$RCMAIL->task][$RCMAIL->action] : strtr($RCMAIL->action, '-', '_') . '.inc';

    // execute a plugin action
    // Plugin-registered tasks, and actions named "plugin.<name>", are handed
    // to the plugin API and end the dispatch loop.
    if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
        $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
        break;
    }
    else if (preg_match('/^plugin\./', $RCMAIL->action)) {
        $RCMAIL->plugins->exec_action($RCMAIL->action);
        break;
    }
    // try to include the step file
    else if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile)) {
        include($incfile);
        $redirects++;
    }
    else {
        break;
    }
}


// parse main template (default)
$OUTPUT->send($RCMAIL->task);


// if we arrive here, something went wrong
// Only reachable if $OUTPUT->send() returned instead of ending the request.
raise_error(array(
    'code' => 404,
    'type' => 'php',
    'line' => __LINE__,
    'file' => __FILE__,
    'message' => "Invalid request"), true, true);