<?php
/*
 +-------------------------------------------------------------------------+
 | Roundcube Webmail IMAP Client                                           |
 | Version 0.6-svn                                                         |
 |                                                                         |
 | Copyright (C) 2005-2011, The Roundcube Dev Team                         |
 |                                                                         |
 | This program is free software; you can redistribute it and/or modify    |
 | it under the terms of the GNU General Public License version 2          |
 | as published by the Free Software Foundation.                           |
 |                                                                         |
 | This program is distributed in the hope that it will be useful,         |
 | but WITHOUT ANY WARRANTY; without even the implied warranty of          |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the            |
 | GNU General Public License for more details.                            |
 |                                                                         |
 | You should have received a copy of the GNU General Public License along |
 | with this program; if not, write to the Free Software Foundation, Inc., |
 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.             |
 |                                                                         |
 +-------------------------------------------------------------------------+
 | Author: Thomas Bruederli <roundcube@gmail.com>                          |
 +-------------------------------------------------------------------------+

 $Id$

*/

// Bootstrap: iniset.php sets up the runtime environment (include path,
// autoloader, etc. -- its contents are outside this file).
require_once('program/include/iniset.php');

// The application singleton; obtaining it starts the session and prepares
// the output layer, per the original author's note. $OUTPUT, $DB and $IMAP
// used further down are presumably globals it establishes -- confirm in rcmail.
$RCMAIL = rcmail::get_instance();

// Buffer all output so headers (redirects, error responses) can still be
// sent after step files have started producing content.
ob_start();

// Configuration errors collected while loading the config files are fatal
// for this request (error code 601). The trailing `true` is what the
// original author describes as "exit on failure" for these checks.
$err_str = $RCMAIL->config->get_error();
if ($err_str) {
    raise_error(array(
        'code'    => 601,
        'type'    => 'php',
        'message' => $err_str,
    ), false, true);
}

// Database connection errors are fatal as well (error code 603).
// $DB is expected to be initialised by the application bootstrap above.
$err_str = $DB->is_error();
if ($err_str) {
    raise_error(array(
        'code'    => 603,
        'type'    => 'db',
        'message' => $err_str,
    ), false, true);
}

// Explicit error page: action=error with a hex error code in the query
// string. The code is client-supplied; hexdec() silently skips any
// non-hex characters, so raise_error() must cope with arbitrary values.
if ($RCMAIL->action == 'error' && !empty($_GET['_code'])) {
    raise_error(
        array('code' => hexdec($_GET['_code'])),
        false,
        true
    );
}

// Enforce HTTPS for unauthenticated requests (i.e. the login page) when
// 'force_https' is configured. The option is either a boolean (use 443)
// or the HTTPS port number to redirect to.
if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
    $https_port = is_bool($force_https) ? 443 : $force_https;

    if (!rcube_https_check($https_port)) {
        // NOTE(review): the redirect target is built from the client-supplied
        // Host header (port stripped, then replaced by the configured one).
        // If the web server accepts arbitrary Host values this redirect can be
        // pointed at another host; a configured canonical hostname would be the
        // safer source -- confirm whether the config offers one.
        $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
        if ($https_port != 443) {
            $host .= ':' . $https_port;
        }

        header(sprintf('Location: https://%s%s', $host, $_SERVER['REQUEST_URI']));
        exit;
    }
}

// Let plugins inspect and rewrite the requested task/action before any
// authentication logic runs; the (possibly changed) values are written back.
$startup = $RCMAIL->plugins->exec_hook('startup', array(
    'task'   => $RCMAIL->task,
    'action' => $RCMAIL->action,
));
$RCMAIL->set_task($startup['task']);
$RCMAIL->action = $startup['action'];

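// Authentication state for this request. Exactly one branch applies:
//   1. login form submission        -> authenticate, then redirect
//   2. logout                       -> tear the session down
//   3. any other authenticated call -> verify the auth cookie still matches
// $OUTPUT and $IMAP are globals presumably established by rcmail::get_instance().
//
// Changes vs. the previous revision: array/session lookups that may be absent
// ($_SESSION['temp'], $auth['abort'], $query['_task'], $_SESSION['user_id'])
// are now guarded with isset()/empty(), which keeps the same truthiness but
// no longer relies on undefined-index notices being suppressed.

// try to log in
if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
    // The form must originate from a pre-auth ("temp") session and carry the
    // login request token; otherwise the attempt is reported as 'invalidrequest'.
    $request_valid = !empty($_SESSION['temp']) && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login');

    // purge the session in case of new login when a session already exists
    $RCMAIL->kill_session();

    // Plugins may rewrite host/user/pass, veto the attempt ('abort'), or
    // switch off the cookie check.
    $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
        'host' => $RCMAIL->autoselect_host(),
        'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
        'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true,
            $RCMAIL->config->get('password_charset', 'ISO-8859-1')),
        'cookiecheck' => true,
        'valid' => $request_valid,
    ));

    // check if client supports cookies
    if ($auth['cookiecheck'] && empty($_COOKIE)) {
        $OUTPUT->show_message("cookiesdisabled", 'warning');
    }
    else if ($auth['valid'] && empty($auth['abort']) &&
        !empty($auth['host']) && !empty($auth['user']) &&
        $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])
    ) {
        // create new session ID, don't destroy the current session
        // it was destroyed already by $RCMAIL->kill_session() above
        $RCMAIL->session->remove('temp');
        $RCMAIL->session->regenerate_id(false);

        // send auth cookie if necessary
        $RCMAIL->session->set_auth_cookie();

        // log successful login
        rcmail_log_login();

        // restore original request parameters
        // (the hidden _url field is client-controlled; $OUTPUT->redirect() is
        // presumably what turns it back into a local URL -- confirm there)
        $query = array();
        if ($url = get_input_value('_url', RCUBE_INPUT_POST)) {
            parse_str($url, $query);

            // prevent endless looping on login page
            // (_url need not contain a _task at all, hence the isset guard)
            if (isset($query['_task']) && $query['_task'] === 'login')
                unset($query['_task']);
        }

        // allow plugins to control the redirect url after login success
        $redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail'));
        unset($redir['abort']);

        // send redirect
        $OUTPUT->redirect($redir);
    }
    else {
        // -1 stands for "no IMAP object at all"; anything below that is an
        // IMAP error code and is reported as 'imaperror' rather than a bad login
        $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1;

        $OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning');
        $RCMAIL->plugins->exec_hook('login_failed', array(
            'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
        // drop the attempted session so a retry starts from a clean state
        $RCMAIL->kill_session();
    }
}

// end session (after optional referer check)
// Note: without 'referer_check' enabled a logout needs no token, so any
// cross-site GET can log the user out; that is the configured trade-off here.
else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) && (!$RCMAIL->config->get('referer_check') || rcube_check_referer())) {
    // captured before kill_session() wipes it, for the logout_after hook
    $userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
    $OUTPUT->show_message('loggedout');
    $RCMAIL->logout_actions();
    $RCMAIL->kill_session();
    $RCMAIL->plugins->exec_hook('logout_after', $userdata);
}

// check session and auth cookie
// (the 'send' action is deliberately exempt -- see the commit history; the
// reason is not stated in this file)
else if ($RCMAIL->task != 'login' && !empty($_SESSION['user_id']) && $RCMAIL->action != 'send') {
    if (!$RCMAIL->session->check_auth()) {
        $OUTPUT->show_message('sessionerror', 'error');
        $RCMAIL->kill_session();
    }
}
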
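// not logged in -> show login page
// Unauthenticated requests are answered with the login page (plus a loud
// warning if the installer is still reachable); authenticated ones pass
// through the CSRF checks in the else branch before any action runs.
//
// Changes vs. the previous revision: the X-Roundcube-Request header is now
// compared with !== instead of != (PHP's loose comparison treats numeric-
// looking strings such as "0e..." as numbers, which can make two different
// tokens compare equal), and the whitelist lookup uses isset() so an
// unlisted action no longer depends on an undefined-index notice being silent.
if (empty($RCMAIL->user->ID)) {
    // AJAX callers cannot render the login page; tell the client to redirect
    // (the 2000 presumably is a delay -- confirm in rcube_output)
    if ($OUTPUT->ajax_call)
        $OUTPUT->redirect(array(), 2000);

    // break out of iframes so the login page is not rendered inside one
    if (!empty($_REQUEST['_framed']))
        $OUTPUT->command('redirect', '?');

    // check if installer is still active
    if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
        $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
            html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
            html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
            html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .
            these files may expose sensitive configuration data like server passwords and encryption keys
            to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
            )
        );
    }

    $RCMAIL->set_task('login');
    $OUTPUT->send('login');
}
// CSRF prevention
else {
    // don't check for valid request tokens in these actions
    $request_check_whitelist = array('login'=>1, 'spell'=>1);

    // check client X-header to verify request origin
    if ($OUTPUT->ajax_call) {
        // strict comparison: a missing header (null/false) or a token that
        // merely looks numerically equal must not pass. hash_equals() would
        // additionally make this constant-time where the PHP version has it.
        if (rc_request_header('X-Roundcube-Request') !== $RCMAIL->get_request_token()) {
            header('HTTP/1.1 404 Not Found');
            die("Invalid Request");
        }
    }
    // check request token in POST form submissions
    // ($OUTPUT->send() is assumed not to return -- see the end of this file)
    else if (!empty($_POST) && !isset($request_check_whitelist[$RCMAIL->action]) && !$RCMAIL->check_request()) {
        $OUTPUT->show_message('invalidrequest', 'error');
        $OUTPUT->send($RCMAIL->task);
    }

    // check referer if configured
    if (!isset($request_check_whitelist[$RCMAIL->action]) && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
        raise_error(array(
            'code' => 403,
            'type' => 'php',
            'message' => "Referer check failed"), true, true);
    }
}
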
// Special actions that are handled here instead of through a step file.
// (switch compares loosely, exactly like the == tests it replaces.)
switch ($RCMAIL->action) {
    case 'keep-alive':
        // client ping: reset the output object and send what is queued
        $OUTPUT->reset();
        $OUTPUT->send();
        break;

    case 'save-pref':
        // NOTE(review): resolved via the include_path, unlike the explicit
        // 'program/steps/' prefix used for step files below -- confirm that
        // iniset.php puts program/ on the include_path.
        include 'steps/utils/save_pref.inc';
        break;
}

// Pull in the task's shared helpers (program/steps/<task>/func.inc) if present.
// NOTE(review): $RCMAIL->task is request-derived and becomes part of a file
// path; this relies on rcmail::set_task() having restricted it to a safe
// task name -- confirm there.
$incfile = 'program/steps/'.$RCMAIL->task.'/func.inc';
if (is_file($incfile)) {
    include_once $incfile;
}

// Dispatch loop. A step file may change $RCMAIL->action and fall through
// to the next iteration; at most 5 such internal "redirects" are followed.
$redirects = 0;
$incstep = null;
do {
    // a plugin-registered task handles the whole request itself
    if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
        $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
        break;
    }

    // "plugin.<name>" actions are routed through the plugin API as well
    if (preg_match('/^plugin\./', $RCMAIL->action)) {
        $RCMAIL->plugins->exec_action($RCMAIL->action);
        break;
    }

    // otherwise map the action to a step file and run it
    $stepfile = $RCMAIL->get_action_file();
    if (!$stepfile) {
        break;
    }
    $incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile;
    if (!is_file($incfile)) {
        break;
    }

    include($incfile);
    $redirects++;
} while ($redirects < 5);

// Default rendering: send whatever the step files queued via the task template.
$OUTPUT->send($RCMAIL->task);

// send() is expected to end the request; reaching this point means no
// template could be sent for the task/action combination.
$not_found = array(
    'code'    => 404,
    'type'    => 'php',
    'line'    => __LINE__,
    'file'    => __FILE__,
    'message' => "Invalid request",
);
raise_error($not_found, true, true);