Improved reading of POST and GET values

.htaccess

@@ -1,4 +1,4 @@
-AddDefaultCharset	UTF-8
+# AddDefaultCharset	UTF-8
 php_flag	display_errors	On
 php_value	upload_max_filesize	2m
 

index.php

@@ -82,23 +82,6 @@
 // PEAR::setErrorHandling(PEAR_ERROR_TRIGGER, E_USER_NOTICE);
 
 
-// strip magic quotes from Superglobals...
-if ((bool)get_magic_quotes_gpc())  // by "php Pest"
-  {
-  // Really EGPCSR - Environment $_ENV, GET $_GET , POST $_POST, Cookie $_COOKIE, Server $_SERVER
-  // and their HTTP_*_VARS cousins (separate arrays, not references) and $_REQUEST
-  $fnStripMagicQuotes = create_function(
-        '&$mData, $fnSelf',
-        'if (is_array($mData)) { foreach ($mData as $mKey=>$mValue) $fnSelf($mData[$mKey], $fnSelf); return; } '.
-        '$mData = stripslashes($mData);'
-  );
-
-  // do each set of EGPCSR as you find necessary
-  $fnStripMagicQuotes($_POST, $fnStripMagicQuotes);
-  $fnStripMagicQuotes($_GET, $fnStripMagicQuotes);
-  }
-
-
 // catch some url/post parameters
 $_auth = !empty($_POST['_auth']) ? $_POST['_auth'] : $_GET['_auth'];
 $_task = !empty($_POST['_task']) ? $_POST['_task'] : (!empty($_GET['_task']) ? $_GET['_task'] : 'mail');
@@ -144,7 +127,10 @@
     {
     show_message("cookiesdisabled", 'warning');
     }
-  else if (isset($_POST['_user']) && isset($_POST['_pass']) && rcmail_login($_POST['_user'], $_POST['_pass'], $host))
+  else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
+           rcmail_login(get_input_value('_user', RCUBE_INPUT_POST),
+                        get_input_value('_pass', RCUBE_INPUT_POST),
+                        $host))
     {
     // send redirect
     header("Location: $COMM_PATH");

program/include/main.inc

@@ -24,6 +24,12 @@ require_once('lib/utf7.inc');
 require_once('lib/utf8.class.php');
 
 
+// define constannts for input reading
+define('RCUBE_INPUT_GET', 0x0101);
+define('RCUBE_INPUT_POST', 0x0102);
+define('RCUBE_INPUT_GPC', 0x0103);
+
+
 // register session and connect to server
 function rcmail_startup($task='mail')
   {
@@ -376,6 +382,8 @@ function rcmail_login($user, $pass, $host=NULL)
     $imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE;
     $imap_port = isset($a_host['port']) ? $a_host['port'] : ($imap_ssl ? 993 : $CONFIG['default_port']);
     }
+  else
+    $imap_port = $CONFIG['default_port'];
 
   // query if user already registered
   $sql_result = $DB->query("SELECT user_id, username, language, preferences
@@ -897,6 +905,49 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
   }
 
 
+/**
+ * Read input value and convert it for internal use
+ * Performs stripslashes() and charset conversion if necessary
+ * 
+ * @param  string   Field name to read
+ * @param  int      Source to get value from (GPC)
+ * @param  boolean  Allow HTML tags in field value
+ * @param  string   Charset to convert into
+ * @return string   Field value or NULL if not available
+ */
+function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
+  {
+  global $OUTPUT;
+  $value = NULL;
+
+  if ($source==RCUBE_INPUT_GET && isset($_GET[$fname]))
+    $value = $_GET[$fname];
+  else if ($source==RCUBE_INPUT_POST && isset($_POST[$fname]))
+    $value = $_POST[$fname];
+  else if ($source==RCUBE_INPUT_GPC)
+    {
+    if (isset($_GET[$fname]))
+      $value = $_GET[$fname];
+    else if (isset($_POST[$fname]))
+      $value = $_POST[$fname];
+    else if (isset($_COOKIE[$fname]))
+      $value = $_COOKIE[$fname];
+    }
+
+  // strip slashes if magic_quotes enabled
+  if ((bool)get_magic_quotes_gpc())
+    $value = stripslashes($value);
+
+  // remove HTML tags if not allowed    
+  if (!$allow_html)
+    $value = strip_tags($value);
+
+  // convert to internal charset
+  return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset);
+  }
+
+
+
 
 // ************** template parsing and gui functions **************
 
@@ -1482,7 +1533,7 @@ function rcmail_login_form($attrib)
   $input_action = new hiddenfield(array('name' => '_action', 'value' => 'login'));
 
   $fields = array();
-  $fields['user'] = $input_user->show($_POST['_user']);
+  $fields['user'] = $input_user->show(get_input_value('_user', RCUBE_INPUT_POST));
   $fields['pass'] = $input_pass->show();
   $fields['action'] = $input_action->show();
 

program/include/rcube_shared.inc

@@ -108,7 +108,7 @@ class rcube_html_page
 
     // set default page title
     if (!strlen($this->title))
-      $this->title = 'RoundCube|Mail';
+      $this->title = 'RoundCube Mail';
 
     // replace specialchars in content
     $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE);
@@ -117,7 +117,10 @@ class rcube_html_page
 
     // include meta tag with charset
     if (!empty($this->charset))
-      $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";;
+      {
+      header('Content-Type: text/html; charset='.$this->charset);
+      $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";
+      }
 
 
     // definition of the code to be placed in the document header and footer

program/steps/addressbook/ldapsearchform.inc

@@ -255,7 +255,7 @@ function get_form_tags($attrib)
     $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task']));
     $hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch'));
 
-    if ($_GET['_framed'] || $_POST['_framed'])
+    if ($_framed)
       $hiddenfields->add(array('name' => '_framed', 'value' => 1));
 
     $form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : '';

program/steps/addressbook/save.inc

@@ -23,7 +23,7 @@
 if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed']))
   {
   show_message('formincomplete', 'warning');
-  rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add');
+  rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
   return;
   }
 
@@ -32,7 +32,7 @@ $a_save_cols = array('name', 'firstname', 'surname', 'email');
 $contacts_table = get_table_name('contacts');
 
 // update an existing contact
-if ($_POST['_cid'])
+if (!empty($_POST['_cid']))
   {
   $a_write_sql = array();
 
@@ -44,7 +44,7 @@ if ($_POST['_cid'])
 
     $a_write_sql[] = sprintf("%s=%s",
                              $DB->quoteIdentifier($col),
-                             $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())));
+                             $DB->quote(get_input_value($fname, RCUBE_INPUT_POST)));
     }
 
   if (sizeof($a_write_sql))
@@ -65,7 +65,7 @@ if ($_POST['_cid'])
     $_action = 'show';
     show_message('successfullysaved', 'confirmation');    
 
-    if ($_POST['_framed'])
+    if ($_framed)
       {
       // define list of cols to be displayed
       $a_show_cols = array('name', 'email');
@@ -115,20 +115,20 @@ else
   if (isset($_GET['_emails']) && isset($_GET['_names']))
     {
     $sql   .= "AND email IN (";
-    $emails = explode(',', $_GET['_emails']);
-    $names  = explode(',', $_GET['_names']);
+    $emails = explode(',', get_input_value('_emails', RCUBE_INPUT_GET));
+    $names  = explode(',', get_input_value('_names', RCUBE_INPUT_GET));
     $count  = count($emails);
     $n = 0;
     foreach ($emails as $email)
       {
       $end  = (++$n == $count) ? '' : ',';
-      $sql .= $DB->quote(strip_tags($email)) . $end;
+      $sql .= $DB->quote($email) . $end;
       }
     $sql .= ")";
     $ldap_form = true; 
     }
   else if (isset($_POST['_email'])) 
-    $sql  .= "AND email = " . $DB->quote(strip_tags($_POST['_email']));
+    $sql  .= "AND email = " . $DB->quote(get_input_value('_email', RCUBE_INPUT_POST));
 
   $sql_result = $DB->query($sql);
 
@@ -151,9 +151,9 @@ else
     foreach ($emails as $email) 
       {
       $DB->query("INSERT INTO $contacts_table 
-                 (user_id, name, email)
-                 VALUES ({$_SESSION['user_id']}," . $DB->quote(strip_tags($names[$n++])) . "," . 
-                                      $DB->quote(strip_tags($email)) . ")");
+                 (user_id, name, email
+                 VALUES ({$_SESSION['user_id']}," . $DB->quote($names[$n++]) . "," . 
+                                      $DB->quote($email) . ")");
       $insert_id[] = $DB->insert_id();
       }
     }
@@ -166,7 +166,7 @@ else
         continue;
 
       $a_insert_cols[] = $col;
-      $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()));
+      $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST));
       }
 
     if (sizeof($a_insert_cols))
@@ -187,7 +187,7 @@ else
       $_action = 'show';
       $_GET['_cid'] = $insert_id;
 
-      if ($_POST['_framed'])
+      if ($_framed)
         {
         // add contact row or jump to the page where it should appear
         $commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME);

program/steps/mail/addcontact.inc

@@ -21,9 +21,9 @@
 
 $REMOTE_REQUEST = TRUE;
 
-if ($_GET['_address'])
+if (!empty($_GET['_address']))
   {
-  $contact_arr = $IMAP->decode_address_list($_GET['_address']);
+  $contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_GET));
   if (sizeof($contact_arr))
     {
     $contact = $contact_arr[1];

program/steps/mail/compose.inc

@@ -142,7 +142,7 @@ function rcmail_compose_headers($attrib)
 
 
   if ($fname && !empty($_POST[$fname]))
-    $fvalue = $_POST[$fname];
+    $fvalue = get_input_value($fname, RCUBE_INPUT_POST);
   else if ($header && is_object($REPLY_MESSAGE['headers']))
     {
     // get recipent address(es) out of the message headers
@@ -309,7 +309,7 @@ function rcmail_compose_body($attrib)
 
   // use posted message body
   if (!empty($_POST['_message']))
-    $body = stripslashes($_POST['_message']);
+    $body = get_input_value('_message', RCUBE_INPUT_POST, TRUE);
 
   // compose reply-body
   else if (is_array($REPLY_MESSAGE['parts']))
@@ -433,7 +433,7 @@ function rcmail_compose_subject($attrib)
 
   // use subject from post
   if (isset($_POST['_subject']))
-    $subject = stripslashes($_POST['_subject']);
+    $subject = get_input_value('_subject', RCUBE_INPUT_POST);
 
   // create a reply-subject
   else if (isset($REPLY_MESSAGE['subject']))

program/steps/mail/sendmail.inc

@@ -83,7 +83,7 @@ $mailto_regexp = array('/[,;]\s*[\r\n]+/', '/[\r\n]+/', '/[,;]\s*$/m');
 $mailto_replace = array(', ', ', ', '');
 
 // repalce new lines and strip ending ', '
-$mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to']));
+$mailto = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_to', RCUBE_INPUT_POST, TRUE, $message_charset));
 
 // decode address strings
 $to_address_arr = $IMAP->decode_address_list($mailto);
@@ -104,22 +104,22 @@ $headers = array('Date' => date('D, j M Y G:i:s O'),
                  'To'   => rcube_charset_convert($mailto, $input_charset, $message_charset));
 
 // additional recipients
-if ($_POST['_cc'])
-  $headers['Cc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc'])), $input_charset, $message_charset);
+if (!empty($_POST['_cc']))
+  $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_cc', RCUBE_INPUT_POST, TRUE, $message_charset));
 
-if ($_POST['_bcc'])
-  $headers['Bcc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc'])), $input_charset, $message_charset);
+if (!empty($_POST['_bcc']))
+  $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_bcc', RCUBE_INPUT_POST, TRUE, $message_charset));
 
-if (strlen($identity_arr['bcc']))
+if (!empty($identity_arr['bcc']))
   $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc'];
 
 // add subject
-$headers['Subject'] = rcube_charset_convert(trim($_POST['_subject']), $input_charset, $message_charset);
+$headers['Subject'] = trim(get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset));
 
-if (strlen($identity_arr['organization']))
+if (!empty($identity_arr['organization']))
   $headers['Organization'] = $identity_arr['organization'];
 
-if (strlen($identity_arr['reply-to']))
+if (!empty($identity_arr['reply-to']))
   $headers['Reply-To'] = $identity_arr['reply-to'];
 
 if (!empty($_SESSION['compose']['reply_msgid']))
@@ -128,7 +128,7 @@ if (!empty($_SESSION['compose']['reply_msgid']))
 if (!empty($_SESSION['compose']['references']))
   $headers['References'] = $_SESSION['compose']['references'];
 
-if ($_POST['_priority'])
+if (!empty($_POST['_priority']))
   {
   $priority = (int)$_POST['_priority'];
   $a_priorities = array(1=>'lowest', 2=>'low', 4=>'high', 5=>'highest');
@@ -141,11 +141,11 @@ if ($_POST['_priority'])
 $headers['Message-ID'] = $message_id;
 $headers['X-Sender'] = $from;
 
-if ($CONFIG['useragent'])
+if (!empty($CONFIG['useragent']))
   $headers['User-Agent'] = $CONFIG['useragent'];
 
 // fetch message body
-$message_body = rcube_charset_convert($_POST['_message'], $input_charset, $message_charset);
+$message_body = get_input_value('_message', RCUBE_INPUT_POST, TRUE, $message_charset);
 
 // append generic footer to all messages
 if (!empty($CONFIG['generic_message_footer']))

program/steps/settings/manage_folders.inc

@@ -29,7 +29,7 @@ if ($_action=='subscribe')
   if (strlen($_GET['_mboxes']))
     $IMAP->subscribe(array($_GET['_mboxes']));
 
-  if ($_GET['_remote'])
+  if ($REMOTE_REQUEST)
     rcube_remote_response('// subscribed');
   }
 
@@ -39,22 +39,22 @@ else if ($_action=='unsubscribe')
   if (strlen($_GET['_mboxes']))
     $IMAP->unsubscribe(array($_GET['_mboxes']));
 
-  if ($_GET['_remote'])
+  if ($REMOTE_REQUEST)
     rcube_remote_response('// unsubscribed');
   }
 
 // create a new mailbox
 else if ($_action=='create-folder')
   {
-  if (strlen($_GET['_name']))
-    $create = $IMAP->create_mailbox(rcube_charset_convert(strip_tags(trim($_GET['_name'])), $OUTPUT->get_charset()), TRUE);
+  if (!empty($_GET['_name']))
+    $create = $IMAP->create_mailbox(trim(get_input_value('_name', RCUBE_INPUT_GET)), TRUE);
 
-  if ($create && $_GET['_remote'])
+  if ($create && $REMOTE_REQUEST)
     {
     $commands = sprintf("this.add_folder_row('%s')", rep_specialchars_output($create, 'js'));
     rcube_remote_response($commands);
     }
-  else if (!$create && $_GET['_remote'])
+  else if (!$create && $REMOTE_REQUEST)
     {
     $commands = show_message('errorsaving', 'error');
     rcube_remote_response($commands);
@@ -69,9 +69,9 @@ else if ($_action=='delete-folder')
   if (strlen($_GET['_mboxes']))
     $deleted = $IMAP->delete_mailbox(array($_GET['_mboxes']));
 
-  if ($_GET['_remote'] && $deleted)
+  if ($REMOTE_REQUEST && $deleted)
     rcube_remote_response(sprintf("this.remove_folder_row('%s')", rep_specialchars_output($_GET['_mboxes'], 'js')));
-  else if ($_GET['_remote'])
+  else if ($REMOTE_REQUEST)
     {
     $commands = show_message('errorsaving', 'error');
     rcube_remote_response($commands);