X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=index.php;h=883faa6d659cf321c490d5b3e18d0f2f50d79b25;hb=d832c6b37ce0cba5a2bc015b1c806ba6990c4253;hp=fccfaace7afd597aba1372be6ce8eef53d5124e3;hpb=7cb5c7c1ff91643ee8653fcd8612ef95e5d5a5c7;p=roundcube.git diff --git a/index.php b/index.php index fccfaac..883faa6 100644 --- a/index.php +++ b/index.php @@ -1,371 +1,284 @@ | - +-----------------------------------------------------------------------+ - - $Id: index.php 618 2007-06-13 07:03:59Z thomasb $ + +-------------------------------------------------------------------------+ + | Roundcube Webmail IMAP Client | + | Version 0.5.1 | + | | + | Copyright (C) 2005-2011, Roundcube Dev. - Switzerland | + | | + | This program is free software; you can redistribute it and/or modify | + | it under the terms of the GNU General Public License version 2 | + | as published by the Free Software Foundation. | + | | + | This program is distributed in the hope that it will be useful, | + | but WITHOUT ANY WARRANTY; without even the implied warranty of | + | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | + | GNU General Public License for more details. | + | | + | You should have received a copy of the GNU General Public License along | + | with this program; if not, write to the Free Software Foundation, Inc., | + | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | + | | + +-------------------------------------------------------------------------+ + | Author: Thomas Bruederli | + +-------------------------------------------------------------------------+ + + $Id: index.php 4509 2011-02-09 10:51:50Z thomasb $ */ -// application constants -define('RCMAIL_VERSION', '0.1-rc1'); -define('RCMAIL_CHARSET', 'UTF-8'); -define('JS_OBJECT_NAME', 'rcmail'); +// include environment +require_once 'program/include/iniset.php'; -// define global vars -$OUTPUT_TYPE = 'html'; -$INSTALL_PATH = dirname(__FILE__); -$MAIN_TASKS = array('mail','settings','addressbook','logout'); +// init application, start session, init output class, etc. +$RCMAIL = rcmail::get_instance(); -if (empty($INSTALL_PATH)) - $INSTALL_PATH = './'; -else - $INSTALL_PATH .= '/'; +// turn on output buffering +ob_start(); - -// make sure path_separator is defined -if (!defined('PATH_SEPARATOR')) - define('PATH_SEPARATOR', (eregi('win', PHP_OS) ? ';' : ':')); - - -// RC include folders MUST be included FIRST to avoid other -// possible not compatible libraries (i.e PEAR) to be included -// instead the ones provided by RC -ini_set('include_path', $INSTALL_PATH.PATH_SEPARATOR.$INSTALL_PATH.'program'.PATH_SEPARATOR.$INSTALL_PATH.'program/lib'.PATH_SEPARATOR.ini_get('include_path')); - -ini_set('session.name', 'sessid'); -ini_set('session.use_cookies', 1); -ini_set('session.gc_maxlifetime', 21600); -ini_set('session.gc_divisor', 500); -ini_set('error_reporting', E_ALL&~E_NOTICE); - -// increase maximum execution time for php scripts -// (does not work in safe mode) -if (!ini_get('safe_mode')) @set_time_limit(120); - -// include base files -require_once('include/rcube_shared.inc'); -require_once('include/rcube_imap.inc'); -require_once('include/bugs.inc'); -require_once('include/main.inc'); -require_once('include/cache.inc'); -require_once('PEAR.php'); - - -// set PEAR error handling -// PEAR::setErrorHandling(PEAR_ERROR_TRIGGER, E_USER_NOTICE); - - -// catch some url/post parameters -$_task = strip_quotes(get_input_value('_task', RCUBE_INPUT_GPC)); -$_action = strip_quotes(get_input_value('_action', RCUBE_INPUT_GPC)); -$_framed = (!empty($_GET['_framed']) || !empty($_POST['_framed'])); - -// use main task if empty or invalid value -if (empty($_task) || !in_array($_task, $MAIN_TASKS)) - $_task = 'mail'; - - -// set output buffering -if ($_action != 'get' && $_action != 'viewsource') -{ - // use gzip compression if supported - if (function_exists('ob_gzhandler') && ini_get('zlib.output_compression')) - ob_start('ob_gzhandler'); - else - ob_start(); -} - - -// start session with requested task -rcmail_startup($_task); - -// set session related variables -$COMM_PATH = sprintf('./?_task=%s', $_task); -$SESS_HIDDEN_FIELD = ''; - - -// add framed parameter -if ($_framed) -{ - $COMM_PATH .= '&_framed=1'; - $SESS_HIDDEN_FIELD .= "\n".''; +// check if config files had errors +if ($err_str = $RCMAIL->config->get_error()) { + raise_error(array( + 'code' => 601, + 'type' => 'php', + 'message' => $err_str), false, true); } - -// init necessary objects for GUI -rcmail_load_gui(); - - // check DB connections and exit on failure -if ($err_str = $DB->is_error()) -{ +if ($err_str = $DB->is_error()) { raise_error(array( 'code' => 603, 'type' => 'db', 'message' => $err_str), FALSE, TRUE); } - // error steps -if ($_action=='error' && !empty($_GET['_code'])) +if ($RCMAIL->action=='error' && !empty($_GET['_code'])) { raise_error(array('code' => hexdec($_GET['_code'])), FALSE, TRUE); +} +// check if https is required (for login) and redirect if necessary +if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) { + $https_port = is_bool($force_https) ? 443 : $force_https; + if (!rcube_https_check($https_port)) { + $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']); + $host .= ($https_port != 443 ? ':' . $https_port : ''); + header('Location: https://' . $host . $_SERVER['REQUEST_URI']); + exit; + } +} + +// trigger startup plugin hook +$startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action)); +$RCMAIL->set_task($startup['task']); +$RCMAIL->action = $startup['action']; // try to log in -if ($_action=='login' && $_task=='mail') -{ - $host = rcmail_autoselect_host(); - +if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { + $request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login'); + + // purge the session in case of new login when a session already exists + $RCMAIL->kill_session(); + + $auth = $RCMAIL->plugins->exec_hook('authenticate', array( + 'host' => $RCMAIL->autoselect_host(), + 'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)), + 'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true, + $RCMAIL->config->get('password_charset', 'ISO-8859-1')), + 'cookiecheck' => true, + 'valid' => $request_valid, + )); + // check if client supports cookies - if (empty($_COOKIE)) - { + if ($auth['cookiecheck'] && empty($_COOKIE)) { $OUTPUT->show_message("cookiesdisabled", 'warning'); } - else if ($_SESSION['temp'] && !empty($_POST['_user']) && isset($_POST['_pass']) && - rcmail_login(get_input_value('_user', RCUBE_INPUT_POST), - get_input_value('_pass', RCUBE_INPUT_POST, true, 'ISO-8859-1'), $host)) - { + else if ($auth['valid'] && !$auth['abort'] && + !empty($auth['host']) && !empty($auth['user']) && + $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) { // create new session ID - unset($_SESSION['temp']); - sess_regenerate_id(); + $RCMAIL->session->remove('temp'); + $RCMAIL->session->regenerate_id(); // send auth cookie if necessary - rcmail_authenticate_session(); + $RCMAIL->authenticate_session(); + + // log successful login + rcmail_log_login(); + + // restore original request parameters + $query = array(); + if ($url = get_input_value('_url', RCUBE_INPUT_POST)) { + parse_str($url, $query); + + // prevent endless looping on login page + if ($query['_task'] == 'login') + unset($query['_task']); + } + + // allow plugins to control the redirect url after login success + $redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail')); + unset($redir['abort']); // send redirect - header("Location: $COMM_PATH"); - exit; + $OUTPUT->redirect($redir); } - else - { - $OUTPUT->show_message("loginfailed", 'warning'); - $_SESSION['user_id'] = ''; + else { + $error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1; + + $OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning'); + $RCMAIL->plugins->exec_hook('login_failed', array( + 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user'])); + $RCMAIL->kill_session(); } } -// end session -else if (($_task=='logout' || $_action=='logout') && isset($_SESSION['user_id'])) -{ +// end session (after optional referer check) +else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) && (!$RCMAIL->config->get('referer_check') || rcube_check_referer())) { + $userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language); $OUTPUT->show_message('loggedout'); - rcmail_kill_session(); + $RCMAIL->logout_actions(); + $RCMAIL->kill_session(); + $RCMAIL->plugins->exec_hook('logout_after', $userdata); } // check session and auth cookie -else if ($_action != 'login' && $_SESSION['user_id'] && $_action != 'send') -{ - if (!rcmail_authenticate_session()) - { +else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') { + if (!$RCMAIL->authenticate_session()) { $OUTPUT->show_message('sessionerror', 'error'); - rcmail_kill_session(); + $RCMAIL->kill_session(); } } - -// log in to imap server -if (!empty($_SESSION['user_id']) && $_task=='mail') -{ - $conn = $IMAP->connect($_SESSION['imap_host'], $_SESSION['username'], decrypt_passwd($_SESSION['password']), $_SESSION['imap_port'], $_SESSION['imap_ssl']); - if (!$conn) - { - $OUTPUT->show_message('imaperror', 'error'); - $_SESSION['user_id'] = ''; - } - else - rcmail_set_imap_prop(); -} - - -// not logged in -> set task to 'login -if (empty($_SESSION['user_id'])) -{ +// not logged in -> show login page +if (empty($RCMAIL->user->ID)) { if ($OUTPUT->ajax_call) - $OUTPUT->remote_response("setTimeout(\"location.href='\"+this.env.comm_path+\"'\", 2000);"); - - $_task = 'login'; -} - - - -// set task and action to client -$OUTPUT->set_env('task', $_task); -if (!empty($_action)) - $OUTPUT->set_env('action', $_action); - - + $OUTPUT->redirect(array(), 2000); + + if (!empty($_REQUEST['_framed'])) + $OUTPUT->command('redirect', '?'); + + // check if installer is still active + if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) { + $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"), + html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") . + html::p(null, "The install script of your Roundcube installation is still stored in its default location!") . + html::p(null, "Please remove the whole installer folder from the Roundcube directory because . + these files may expose sensitive configuration data like server passwords and encryption keys + to the public. Make sure you cannot access the installer script from your browser.") + ) + ); + } -// not logged in -> show login page -if (!$_SESSION['user_id']) -{ - $OUTPUT->task = 'login'; + $RCMAIL->set_task('login'); $OUTPUT->send('login'); - exit; } +// CSRF prevention +else { + // don't check for valid request tokens in these actions + $request_check_whitelist = array('login'=>1, 'spell'=>1); + + // check client X-header to verify request origin + if ($OUTPUT->ajax_call) { + if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) { + header('HTTP/1.1 404 Not Found'); + die("Invalid Request"); + } + } + // check request token in POST form submissions + else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) { + $OUTPUT->show_message('invalidrequest', 'error'); + $OUTPUT->send($RCMAIL->task); + } - -// handle keep-alive signal -if ($_action=='keep-alive') -{ - $OUTPUT->reset(); - $OUTPUT->send(''); - exit; + // check referer if configured + if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) { + raise_error(array( + 'code' => 403, + 'type' => 'php', + 'message' => "Referer check failed"), true, true); + } } -// include task specific files -if ($_task=='mail') -{ - include_once('program/steps/mail/func.inc'); - - if ($_action=='show' || $_action=='preview' || $_action=='print') - include('program/steps/mail/show.inc'); - - if ($_action=='get') - include('program/steps/mail/get.inc'); - - if ($_action=='moveto' || $_action=='delete') - include('program/steps/mail/move_del.inc'); - - if ($_action=='mark') - include('program/steps/mail/mark.inc'); - - if ($_action=='viewsource') - include('program/steps/mail/viewsource.inc'); - - if ($_action=='send') - include('program/steps/mail/sendmail.inc'); - - if ($_action=='upload') - include('program/steps/mail/upload.inc'); - - if ($_action=='compose' || $_action=='remove-attachment') - include('program/steps/mail/compose.inc'); - - if ($_action=='addcontact') - include('program/steps/mail/addcontact.inc'); - - if ($_action=='expunge' || $_action=='purge') - include('program/steps/mail/folders.inc'); - - if ($_action=='check-recent') - include('program/steps/mail/check_recent.inc'); - - if ($_action=='getunread') - include('program/steps/mail/getunread.inc'); - - if ($_action=='list' && isset($_REQUEST['_remote'])) - include('program/steps/mail/list.inc'); - - if ($_action=='search') - include('program/steps/mail/search.inc'); - - if ($_action=='spell') - include('program/steps/mail/spell.inc'); - - if ($_action=='rss') - include('program/steps/mail/rss.inc'); - - if ($_action=='quotadisplay') - include('program/steps/mail/quotadisplay.inc'); - - - // make sure the message count is refreshed - $IMAP->messagecount($_SESSION['mbox'], 'ALL', TRUE); +// handle special actions +if ($RCMAIL->action == 'keep-alive') { + $OUTPUT->reset(); + $OUTPUT->send(); } - - -// include task specific files -if ($_task=='addressbook') -{ - include_once('program/steps/addressbook/func.inc'); - - if ($_action=='save') - include('program/steps/addressbook/save.inc'); - - if ($_action=='edit' || $_action=='add') - include('program/steps/addressbook/edit.inc'); - - if ($_action=='delete') - include('program/steps/addressbook/delete.inc'); - - if ($_action=='show') - include('program/steps/addressbook/show.inc'); - - if ($_action=='list' && $_REQUEST['_remote']) - include('program/steps/addressbook/list.inc'); - - if ($_action=='search') - include('program/steps/addressbook/search.inc'); - - if ($_action=='copy') - include('program/steps/addressbook/copy.inc'); - - if ($_action=='mailto') - include('program/steps/addressbook/mailto.inc'); +else if ($RCMAIL->action == 'save-pref') { + include 'steps/utils/save_pref.inc'; } -// include task specific files -if ($_task=='settings') -{ - include_once('program/steps/settings/func.inc'); - - if ($_action=='save-identity') - include('program/steps/settings/save_identity.inc'); - - if ($_action=='add-identity' || $_action=='edit-identity') - include('program/steps/settings/edit_identity.inc'); - - if ($_action=='delete-identity') - include('program/steps/settings/delete_identity.inc'); +// map task/action to a certain include file +$action_map = array( + 'mail' => array( + 'preview' => 'show.inc', + 'print' => 'show.inc', + 'moveto' => 'move_del.inc', + 'delete' => 'move_del.inc', + 'send' => 'sendmail.inc', + 'expunge' => 'folders.inc', + 'purge' => 'folders.inc', + 'remove-attachment' => 'attachments.inc', + 'display-attachment' => 'attachments.inc', + 'upload' => 'attachments.inc', + 'group-expand' => 'autocomplete.inc', + ), - if ($_action=='identities') - include('program/steps/settings/identities.inc'); - - if ($_action=='save-prefs') - include('program/steps/settings/save_prefs.inc'); - - if ($_action=='folders' || $_action=='subscribe' || $_action=='unsubscribe' || - $_action=='create-folder' || $_action=='rename-folder' || $_action=='delete-folder') - include('program/steps/settings/manage_folders.inc'); - + 'addressbook' => array( + 'add' => 'edit.inc', + 'group-create' => 'groups.inc', + 'group-rename' => 'groups.inc', + 'group-delete' => 'groups.inc', + 'group-addmembers' => 'groups.inc', + 'group-delmembers' => 'groups.inc', + ), + + 'settings' => array( + 'folders' => 'folders.inc', + 'rename-folder' => 'folders.inc', + 'delete-folder' => 'folders.inc', + 'subscribe' => 'folders.inc', + 'unsubscribe' => 'folders.inc', + 'purge' => 'folders.inc', + 'folder-size' => 'folders.inc', + 'add-identity' => 'edit_identity.inc', + ) +); + +// include task specific functions +if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/func.inc')) + include_once($incfile); + +// allow 5 "redirects" to another action +$redirects = 0; $incstep = null; +while ($redirects < 5) { + $stepfile = !empty($action_map[$RCMAIL->task][$RCMAIL->action]) ? + $action_map[$RCMAIL->task][$RCMAIL->action] : strtr($RCMAIL->action, '-', '_') . '.inc'; + + // execute a plugin action + if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) { + $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action); + break; + } + else if (preg_match('/^plugin\./', $RCMAIL->action)) { + $RCMAIL->plugins->exec_action($RCMAIL->action); + break; + } + // try to include the step file + else if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile)) { + include($incfile); + $redirects++; + } + else { + break; + } } -// parse main template -$OUTPUT->send($_task); +// parse main template (default) +$OUTPUT->send($RCMAIL->task); // if we arrive here, something went wrong @@ -374,6 +287,5 @@ raise_error(array( 'type' => 'php', 'line' => __LINE__, 'file' => __FILE__, - 'message' => "Invalid request"), TRUE, TRUE); - -?> + 'message' => "Invalid request"), true, true); +