Imported Upstream version 0.5.1

[roundcube.git] / program / include / main.inc

diff --git a/program/include/main.inc b/program/include/main.inc
index 982352c5de20969d28ef42807695fcc6afbb97d7..d02dca5e2d67db6d3c26f030c8b9da568fdc2b32 100644 (file)
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -15,7 +15,7 @@
  | Author: Thomas Bruederli <roundcube@gmail.com>                        |
  +-----------------------------------------------------------------------+
 
- $Id: main.inc 4334 2010-12-10 11:08:22Z alec $
+ $Id: main.inc 4509 2011-02-09 10:51:50Z thomasb $
 
 */
 
@@ -858,8 +858,8 @@ function rcmail_mod_css_styles($source, $container_id)
   $replacements = new rcube_string_replacer;
 
   // ignore the whole block if evil styles are detected
-  $stripped = preg_replace('/[^a-z\(:]/', '', rcmail_xss_entity_decode($source));
-  if (preg_match('/expression|behavior|url\(|import/', $stripped))
+  $stripped = preg_replace('/[^a-z\(:;]/', '', rcmail_xss_entity_decode($source));
+  if (preg_match('/expression|behavior|url\(|import[^a]/', $stripped))
     return '/* evil! */';
 
   // remove css comments (sometimes used for some ugly hacks)
@@ -1220,6 +1220,19 @@ function rcmail_remote_ip()
 }
 
 
+/**
+ * Check whether the HTTP referer matches the current request
+ *
+ * @return boolean True if referer is the same host+path, false if not
+ */
+function rcube_check_referer()
+{
+  $uri = parse_url($_SERVER['REQUEST_URI']);
+  $referer = parse_url(rc_request_header('Referer'));
+  return $referer['host'] == rc_request_header('Host') && $referer['path'] == $uri['path'];
+}
+
+
 /**
  * @access private
  * @return mixed
@@ -1768,16 +1781,17 @@ function rcube_sess_unset($var_name=null)
  * Replaces hostname variables
  *
  * @param string $name Hostname
+ * @param string $host Optional IMAP hostname
  * @return string
  */
-function rcube_parse_host($name)
+function rcube_parse_host($name, $host='')
 {
   // %n - host
   $n = preg_replace('/:\d+$/', '', $_SERVER['SERVER_NAME']);
   // %d - domain name without first part, e.g. %d=mail.domain.tld, %m=domain.tld
   $d = preg_replace('/^[^\.]+\./', '', $n);
   // %h - IMAP host
-  $h = $_SESSION['imap_host'];
+  $h = $_SESSION['imap_host'] ? $_SESSION['imap_host'] : $host;
   // %z - IMAP domain without first part, e.g. %h=imap.domain.tld, %z=domain.tld
   $z = preg_replace('/^[^\.]+\./', '', $h);
 
@@ -1859,6 +1873,39 @@ function check_email($email, $dns_check=true)
   return false;
 }
 
+/*
+ * Idn_to_ascii wrapper.
+ * Intl/Idn modules version of this function doesn't work with e-mail address
+ */
+function rcube_idn_to_ascii($str)
+{
+  return rcube_idn_convert($str, true);
+}
+
+/*
+ * Idn_to_ascii wrapper.
+ * Intl/Idn modules version of this function doesn't work with e-mail address
+ */
+function rcube_idn_to_utf8($str)
+{
+  return rcube_idn_convert($str, false);
+}
+
+function rcube_idn_convert($input, $is_utf=false)
+{
+  if ($at = strpos($input, '@')) {
+    $user   = substr($input, 0, $at);
+    $domain = substr($input, $at+1);
+  }
+  else {
+    $domain = $input;
+  }
+
+  $domain = $is_utf ? idn_to_ascii($domain) : idn_to_utf8($domain);
+
+  return $at ? $user . '@' . $domain : $domain;
+}
+
 
 /**
  * Helper class to turn relative urls into absolute ones