1 <?php
2 /*
3 +-------------------------------------------------------------------------+
4 | Roundcube Webmail IMAP Client |
5 | Version 0.6-svn |
6 | |
7 | Copyright (C) 2005-2011, The Roundcube Dev Team |
8 | |
9 | This program is free software; you can redistribute it and/or modify |
10 | it under the terms of the GNU General Public License version 2 |
11 | as published by the Free Software Foundation. |
12 | |
13 | This program is distributed in the hope that it will be useful, |
14 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16 | GNU General Public License for more details. |
17 | |
18 | You should have received a copy of the GNU General Public License along |
19 | with this program; if not, write to the Free Software Foundation, Inc., |
20 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
21 | |
22 +-------------------------------------------------------------------------+
23 | Author: Thomas Bruederli <roundcube@gmail.com> |
24 +-------------------------------------------------------------------------+
25
26 $Id$
27
28 */
29
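// include environment
require_once 'program/include/iniset.php';

// init application, start session, init output class, etc.
$RCMAIL = rcmail::get_instance();

// turn on output buffering
ob_start();

// check if config files had errors
// The trailing flags are passed the same way in every raise_error() call of
// this file; their meaning is defined by raise_error() itself.
if ($err_str = $RCMAIL->config->get_error()) {
    raise_error(array(
        'code'    => 601,
        'type'    => 'php',
        'message' => $err_str), false, true);
}

// check DB connections and exit on failure
// NOTE(review): $DB is not assigned anywhere in this file; presumably it is
// exported as a global by the bootstrap included above — confirm.
// Constants are lowercase here for consistency with the config check above
// (the original mixed FALSE/TRUE and false/true).
if ($err_str = $DB->is_error()) {
    raise_error(array(
        'code'    => 603,
        'type'    => 'db',
        'message' => $err_str), false, true);
}
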
// error steps
// The error page is requested with a hexadecimal error code in _code.
if ($RCMAIL->action == 'error' && !empty($_GET['_code'])) {
    raise_error(array('code' => hexdec($_GET['_code'])), false, true);
}

// check if https is required (for login) and redirect if necessary
// force_https is either boolean true (standard port) or the port number itself.
if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
    $https_port = is_bool($force_https) ? 443 : $force_https;

    if (!rcube_https_check($https_port)) {
        // drop any port from the Host header, then append the HTTPS port
        // unless it is the default one
        $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
        if ($https_port != 443) {
            $host .= ':' . $https_port;
        }
        // NOTE(review): the redirect target is built from the client-supplied
        // Host header. If the web server does not restrict the Host values it
        // accepts, the Location header follows whatever the client sent;
        // validating against a configured hostname would close that gap.
        header('Location: https://' . $host . $_SERVER['REQUEST_URI']);
        exit;
    }
}

// trigger startup plugin hook
// Plugins may rewrite task and action before anything is dispatched.
$startup = $RCMAIL->plugins->exec_hook('startup', array(
    'task'   => $RCMAIL->task,
    'action' => $RCMAIL->action,
));
$RCMAIL->set_task($startup['task']);
$RCMAIL->action = $startup['action'];

// try to log in
// Login, logout and session validation are mutually exclusive branches of one
// if/else-if chain; whichever applies runs before the request is dispatched.
if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
    // purge the session in case of new login when a session already exists
    $RCMAIL->kill_session();

    // Let plugins supply or rewrite the credentials (and opt out of the cookie
    // check via 'cookiecheck') before the core login is attempted.
    $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
        'host' => $RCMAIL->autoselect_host(),
        'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
        // the password is read in the configured charset, ISO-8859-1 by default
        'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true,
            $RCMAIL->config->get('password_charset', 'ISO-8859-1')),
        'cookiecheck' => true,
    ));

    // check if client supports cookies
    // a login request that arrived without any cookie cannot keep a session
    if ($auth['cookiecheck'] && empty($_COOKIE)) {
        $OUTPUT->show_message("cookiesdisabled", 'warning');
    }
    // 'temp' marks the pre-login session; a plugin may veto the login with 'abort'.
    // NOTE(review): $_SESSION['temp'] and $_SESSION['user_id'] (below) are read
    // without isset(), unlike the logout branch — !empty() would give the same
    // result without an undefined-index notice.
    else if ($_SESSION['temp'] && !$auth['abort'] &&
        !empty($auth['host']) && !empty($auth['user']) &&
        $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
        // create new session ID
        // A fresh ID after authentication keeps the pre-login session ID from
        // being carried into the authenticated session (session fixation).
        $RCMAIL->session->remove('temp');
        $RCMAIL->session->regenerate_id();

        // send auth cookie if necessary
        $RCMAIL->authenticate_session();

        // log successful login
        rcmail_log_login();

        // restore original request parameters
        // _url is client-supplied; redirect() below is relied upon to build a
        // local URL from these parameters only.
        $query = array();
        if ($url = get_input_value('_url', RCUBE_INPUT_POST))
            parse_str($url, $query);

        // allow plugins to control the redirect url after login success
        // Array union keeps the left-hand key, so '_task' => 'mail' cannot be
        // overridden by a _task inside the client-supplied $query.
        $redir = $RCMAIL->plugins->exec_hook('login_after', array('_task' => 'mail') + $query);
        unset($redir['abort']);

        // send redirect
        $OUTPUT->redirect($redir);
    }
    else {
        // $IMAP is not assigned in this file and may be unset when no
        // connection was opened, hence the is_object() guard.
        $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1;

        // a code below -1 is reported as an IMAP error, anything else as a
        // rejected login
        $OUTPUT->show_message($error_code < -1 ? 'imaperror' : 'loginfailed', 'warning');
        $RCMAIL->plugins->exec_hook('login_failed', array(
            'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
        // discard the session after a failed attempt
        $RCMAIL->kill_session();
    }
}

// end session
else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
    // capture the identity for the hook before the session is destroyed
    $userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
    $OUTPUT->show_message('loggedout');
    $RCMAIL->logout_actions();
    $RCMAIL->kill_session();
    $RCMAIL->plugins->exec_hook('logout_after', $userdata);
}

// check session and auth cookie
// Every other request with a logged-in session must pass authenticate_session().
// NOTE(review): the 'send' action is exempt from this check; the reason is not
// visible in this file — confirm it is still intended.
else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
    if (!$RCMAIL->authenticate_session()) {
        $OUTPUT->show_message('sessionerror', 'error');
        $RCMAIL->kill_session();
    }
}

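// not logged in -> show login page
if (empty($RCMAIL->user->ID)) {
    // AJAX requests get a redirect instead of the rendered login template
    if ($OUTPUT->ajax_call)
        $OUTPUT->redirect(array(), 2000);

    // a request coming from a framed view tells the client to redirect the
    // top-level page (see the _framed flag)
    if (!empty($_REQUEST['_framed']))
        $OUTPUT->command('redirect', '?');

    // check if installer is still active
    // warn on the login page while the installer directory is still present
    if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
        $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
            html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
            html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
            html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .
these files may expose sensitive configuration data like server passwords and encryption keys
to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
            )
        );
    }

    $OUTPUT->set_env('task', 'login');
    $OUTPUT->send('login');
}
// CSRF prevention
else {
    // don't check for valid request tokens in these actions
    $request_check_whitelist = array('login'=>1, 'spell'=>1);

    // check client X-header to verify request origin
    // A custom request header can only be set by same-origin script, so its
    // value doubles as the request token for AJAX calls.
    if ($OUTPUT->ajax_call) {
        // Compare strictly: with `!=` two numeric-looking strings are compared
        // as numbers, so a header value that differs from the token could still
        // be accepted. `!==` requires an identical string (a missing header is
        // null and is rejected either way).
        if (rc_request_header('X-Roundcube-Request') !== $RCMAIL->get_request_token()) {
            header('HTTP/1.1 404 Not Found');
            die("Invalid Request");
        }
    }
    // check request token in POST form submissions
    // empty() instead of a bare lookup so an action outside the whitelist does
    // not raise an undefined-index notice; the result is unchanged.
    // NOTE(review): only POST submissions are token-checked on this path;
    // non-AJAX GET requests rely on the step files to call check_request()
    // themselves — confirm for any state-changing GET action.
    else if (!empty($_POST) && empty($request_check_whitelist[$RCMAIL->action]) && !$RCMAIL->check_request()) {
        $OUTPUT->show_message('invalidrequest', 'error');
        $OUTPUT->send($RCMAIL->task);
    }
}
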
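// handle special actions
// these two actions answer directly, before the task/action dispatch below
if ($RCMAIL->action == 'keep-alive') {
    $OUTPUT->reset();
    $OUTPUT->send();
}
else if ($RCMAIL->action == 'save-pref') {
    // NOTE(review): this path has no 'program/' prefix, unlike the includes
    // below; presumably resolved through include_path set up by the bootstrap
    // — confirm.
    include 'steps/utils/save_pref.inc';
}


// map task/action to a certain include file
// Actions missing here default to <action with '-' replaced by '_'>.inc.
$action_map = array(
    'mail' => array(
        'preview'            => 'show.inc',
        'print'              => 'show.inc',
        'moveto'             => 'move_del.inc',
        'delete'             => 'move_del.inc',
        'send'               => 'sendmail.inc',
        'expunge'            => 'folders.inc',
        'purge'              => 'folders.inc',
        'remove-attachment'  => 'attachments.inc',
        'display-attachment' => 'attachments.inc',
        'upload'             => 'attachments.inc',
        'group-expand'       => 'autocomplete.inc',
    ),

    'addressbook' => array(
        'add'              => 'edit.inc',
        'group-create'     => 'groups.inc',
        'group-rename'     => 'groups.inc',
        'group-delete'     => 'groups.inc',
        'group-addmembers' => 'groups.inc',
        'group-delmembers' => 'groups.inc',
    ),

    'settings' => array(
        'folders'       => 'folders.inc',
        'rename-folder' => 'folders.inc',
        'delete-folder' => 'folders.inc',
        'subscribe'     => 'folders.inc',
        'unsubscribe'   => 'folders.inc',
        'purge'         => 'folders.inc',
        'folder-size'   => 'folders.inc',
        'add-identity'  => 'edit_identity.inc',
    )
);

// include task specific functions
// Defence in depth for the include paths built from the task and action names:
// both are expected to be sanitized where rcmail sets them (not visible in this
// file), but a value carrying a path separator, a parent-directory reference or
// a NUL byte must never reach include(). Legitimate names contain none of
// these, so the guard is a no-op for them; a rejected request falls through to
// the "Invalid request" error at the bottom of the file.
if (strpbrk($RCMAIL->task, "/\\\0") === false && strpos($RCMAIL->task, '..') === false
    && is_file($incfile = 'program/steps/'.$RCMAIL->task.'/func.inc')) {
    include_once($incfile);
}

// allow 5 "redirects" to another action
// A step file may change $RCMAIL->action and return; the next round then
// dispatches the new action. $incstep is not used in this file; step files
// share this scope, so it is kept as-is.
$redirects = 0; $incstep = null;
while ($redirects < 5) {
    $stepfile = !empty($action_map[$RCMAIL->task][$RCMAIL->action]) ?
        $action_map[$RCMAIL->task][$RCMAIL->action] : strtr($RCMAIL->action, '-', '_') . '.inc';

    // execute a plugin action
    if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
        $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
        break;
    }
    else if (preg_match('/^plugin\./', $RCMAIL->action)) {
        $RCMAIL->plugins->exec_action($RCMAIL->action);
        break;
    }
    // try to include the step file
    // same path guard as for func.inc, re-evaluated every round because the
    // action may have been rewritten by the previous step
    else if (strpbrk($RCMAIL->task . $stepfile, "/\\\0") === false
        && strpos($RCMAIL->task, '..') === false && strpos($stepfile, '..') === false
        && is_file($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile)) {
        include($incfile);
        $redirects++;
    }
    else {
        break;
    }
}


// parse main template (default)
$OUTPUT->send($RCMAIL->task);


// if we arrive here, something went wrong
// send() is expected to end the request; reaching this point means it returned
raise_error(array(
    'code'    => 404,
    'type'    => 'php',
    'line'    => __LINE__,
    'file'    => __FILE__,
    'message' => "Invalid request"), true, true);
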