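<?php
/*
 +-------------------------------------------------------------------------+
 | RoundCube Webmail IMAP Client                                           |
 | Version 0.3-20090721                                                    |
 |                                                                         |
 | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                   |
 |                                                                         |
 | This program is free software; you can redistribute it and/or modify    |
 | it under the terms of the GNU General Public License version 2          |
 | as published by the Free Software Foundation.                           |
 |                                                                         |
 | This program is distributed in the hope that it will be useful,         |
 | but WITHOUT ANY WARRANTY; without even the implied warranty of          |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the            |
 | GNU General Public License for more details.                            |
 |                                                                         |
 | You should have received a copy of the GNU General Public License along |
 | with this program; if not, write to the Free Software Foundation, Inc., |
 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.             |
 |                                                                         |
 +-------------------------------------------------------------------------+
 | Author: Thomas Bruederli <roundcube@gmail.com>                          |
 +-------------------------------------------------------------------------+

 $Id$

*/

/*
 Front controller: every request enters here. The flow is

   1. bootstrap (iniset, rcmail instance, output object, plugin API)
   2. fatal config / DB errors
   3. optional https enforcement for not-yet-authenticated requests
   4. login / logout / session validation
   5. request-token checks for AJAX calls and POST submissions
   6. login page for unauthenticated users (plus installer warning)
   7. keep-alive / save-pref shortcuts
   8. dispatch to program/steps/<task>/<action>.inc, then the task template

 Every variable assigned in this file ($RCMAIL, $OUTPUT, $action_map,
 $incstep, ...) lives in file scope and is therefore visible to the step
 files pulled in by include() below. Do not rename them casually.
*/

// include environment
require_once 'program/include/iniset.php';

// init application and start session with requested task
$RCMAIL = rcmail::get_instance();

// init output class: JSON for remote (AJAX) calls, otherwise the HTML GUI
$OUTPUT = !empty($_REQUEST['_remote']) ? $RCMAIL->init_json() : $RCMAIL->load_gui(!empty($_REQUEST['_framed']));

// init plugin API
$RCMAIL->plugins->init();

// turn on output buffering
ob_start();

// check if config files had errors
if ($err_str = $RCMAIL->config->get_error()) {
    raise_error(array(
        'code' => 601,
        'type' => 'php',
        'message' => $err_str), false, true);
}

// check DB connections and exit on failure
// NOTE(review): $DB is not assigned in this file; presumably provided by iniset.php — confirm
if ($err_str = $DB->is_error()) {
    raise_error(array(
        'code' => 603,
        'type' => 'db',
        'message' => $err_str), false, true);
}

// error steps
if ($RCMAIL->action == 'error' && !empty($_GET['_code'])) {
    raise_error(array('code' => hexdec($_GET['_code'])), false, true);
}

// check if https is required (for login) and redirect if necessary.
// A request counts as TLS when the SAPI reports HTTPS with any value other
// than 'off' (IIS sets HTTPS=off on plain http, so a bare isset() would let
// such requests through), or when it arrived on port 443.
if ($RCMAIL->config->get('force_https', false) && empty($_SESSION['user_id'])
    && !((!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int)$_SERVER['SERVER_PORT'] === 443))) {
    // NOTE(review): HTTP_HOST is whatever the client sent in its Host header;
    // a configured canonical hostname would be a safer redirect target.
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}

// trigger startup plugin hook; plugins may rewrite task and action here
$startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
$RCMAIL->set_task($startup['task']);
$RCMAIL->action = $startup['action'];


// try to log in
if ($RCMAIL->action == 'login' && $RCMAIL->task == 'mail') {
    // purge the session in case of new login when a session already exists
    $RCMAIL->kill_session();

    // plugins may override host and user; the password is read straight from POST
    $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
        'host' => $RCMAIL->autoselect_host(),
        'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
    )) + array('pass' => get_input_value('_pass', RCUBE_INPUT_POST, true, 'ISO-8859-1'));

    // check if client supports cookies
    if (empty($_COOKIE)) {
        $OUTPUT->show_message("cookiesdisabled", 'warning');
    }
    // $_SESSION['temp'] is required for a login attempt; presumably it is set
    // when the login form was served, so that credentials can only be
    // submitted against a session this application created — confirm
    else if (!empty($_SESSION['temp']) && !empty($auth['user']) && !empty($auth['host']) && isset($auth['pass']) &&
             $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
        // create new session ID (presumably wraps session_regenerate_id(),
        // so the pre-login ID is not carried over into the authenticated session)
        rcube_sess_unset('temp');
        rcube_sess_regenerate_id();

        // send auth cookie if necessary
        $RCMAIL->authenticate_session();

        // log successful login
        if ($RCMAIL->config->get('log_logins')) {
            write_log('userlogins', sprintf('Successful login for %s (id %d) from %s',
                $RCMAIL->user->get_username(),
                $RCMAIL->user->ID,
                $_SERVER['REMOTE_ADDR']));
        }

        // restore original request parameters
        $query = array();
        if ($url = get_input_value('_url', RCUBE_INPUT_POST))
            parse_str($url, $query);

        // allow plugins to control the redirect url after login success
        $redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('task' => $RCMAIL->task));
        unset($redir['abort']);

        // send redirect
        $OUTPUT->redirect($redir);
    }
    else {
        // NOTE(review): $IMAP is not assigned in this file — presumably a global set up during bootstrap
        $OUTPUT->show_message($IMAP->error_code < -1 ? 'imaperror' : 'loginfailed', 'warning');
        $RCMAIL->plugins->exec_hook('login_failed', array('code' => $IMAP->error_code, 'host' => $auth['host'], 'user' => $auth['user']));
        $RCMAIL->kill_session();
    }
}

// end session
else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
    $OUTPUT->show_message('loggedout');
    $RCMAIL->logout_actions();
    $RCMAIL->kill_session();
}

// check session and auth cookie
else if ($RCMAIL->action != 'login' && !empty($_SESSION['user_id']) && $RCMAIL->action != 'send') {
    if (!$RCMAIL->authenticate_session()) {
        $OUTPUT->show_message('sessionerror', 'error');
        $RCMAIL->kill_session();
    }
}


// check client X-header to verify request origin
if ($OUTPUT->ajax_call) {
    // Compare the token as strings with !==: a loose != would treat two
    // numeric-looking strings (e.g. "0e..." forms) as equal. A missing header
    // still fails closed. A constant-time comparison would be preferable
    // where the runtime offers one.
    if (!$RCMAIL->config->get('devel_mode')
        && (string)rc_request_header('X-RoundCube-Request') !== (string)$RCMAIL->get_request_token()) {
        header('HTTP/1.1 404 Not Found');
        die("Invalid Request");
    }
}
// check request token in POST form submissions
else if (!empty($_POST) && !$RCMAIL->check_request()) {
    $OUTPUT->show_message('invalidrequest', 'error');
    $OUTPUT->send($RCMAIL->task);
}


// not logged in -> show login page
if (empty($RCMAIL->user->ID)) {

    if ($OUTPUT->ajax_call)
        $OUTPUT->redirect(array(), 2000);

    // check if installer is still active
    if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
        $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
            html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
            html::p(null, "The install script of your RoundCube installation is still stored in its default location!") .
            html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the RoundCube directory because .
these files may expose sensitive configuration data like server passwords and encryption keys
to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
            )
        );
    }

    $OUTPUT->set_env('task', 'login');
    $OUTPUT->send('login');
}


// handle keep-alive signal
if ($RCMAIL->action == 'keep-alive') {
    $OUTPUT->reset();
    $OUTPUT->send();
}
// save preference value
// NOTE(review): preference name and value come unfiltered from POST;
// this relies on save_prefs() restricting which names may be written — confirm
else if ($RCMAIL->action == 'save-pref') {
    $RCMAIL->user->save_prefs(array(get_input_value('_name', RCUBE_INPUT_POST) => get_input_value('_value', RCUBE_INPUT_POST)));
    $OUTPUT->reset();
    $OUTPUT->send();
}


// map task/action to a certain include file
$action_map = array(
    'mail' => array(
        'preview'            => 'show.inc',
        'print'              => 'show.inc',
        'moveto'             => 'move_del.inc',
        'delete'             => 'move_del.inc',
        'send'               => 'sendmail.inc',
        'expunge'            => 'folders.inc',
        'purge'              => 'folders.inc',
        'remove-attachment'  => 'attachments.inc',
        'display-attachment' => 'attachments.inc',
        'upload'             => 'attachments.inc',
    ),

    'addressbook' => array(
        'add' => 'edit.inc',
    ),

    'settings' => array(
        'folders'       => 'manage_folders.inc',
        'create-folder' => 'manage_folders.inc',
        'rename-folder' => 'manage_folders.inc',
        'delete-folder' => 'manage_folders.inc',
        'subscribe'     => 'manage_folders.inc',
        'unsubscribe'   => 'manage_folders.inc',
        'add-identity'  => 'edit_identity.inc',
    )
);

// include task specific functions
// NOTE(review): $RCMAIL->task and ->action are spliced into filesystem paths
// here and in the loop below; this relies on rcmail limiting both to a safe
// character set before they reach this file — confirm in rcmail
include_once 'program/steps/'.$RCMAIL->task.'/func.inc';

// allow 5 "redirects" to another action: a step file may change
// $RCMAIL->action and fall through to have the next step included
$redirects = 0; $incstep = null;
while ($redirects < 5) {
    // explicit map entry wins; otherwise derive the file name from the action
    $stepfile = !empty($action_map[$RCMAIL->task][$RCMAIL->action]) ?
        $action_map[$RCMAIL->task][$RCMAIL->action] : strtr($RCMAIL->action, '-', '_') . '.inc';

    // execute a plugin action
    if (preg_match('/^plugin\./', $RCMAIL->action)) {
        $RCMAIL->plugins->exec_action($RCMAIL->action);
        break;
    }
    // try to include the step file
    else if (is_file(($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile))) {
        include($incfile);
        $redirects++;
    }
    else {
        break;
    }
}


// parse main template (default)
$OUTPUT->send($RCMAIL->task);


// if we arrive here, something went wrong
raise_error(array(
    'code' => 404,
    'type' => 'php',
    'line' => __LINE__,
    'file' => __FILE__,
    'message' => "Invalid request"), true, true);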