X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=program%2Finclude%2Fmain.inc;h=30d90993e7b36af08313cd170699da061dee33b7;hb=a2dd2e41259a5e90016efcd7d083020b95e25527;hp=f5c58a4225b6f198241540d8d3ed6ccf7be92b96;hpb=38bb9fc2d3bc5c90338eb7f375f42273b088adcd;p=roundcube.git diff --git a/program/include/main.inc b/program/include/main.inc index f5c58a4..30d9099 100644 --- a/program/include/main.inc +++ b/program/include/main.inc @@ -4,8 +4,8 @@ +-----------------------------------------------------------------------+ | program/include/main.inc | | | - | This file is part of the RoundCube Webmail client | - | Copyright (C) 2005-2007, RoundCube Dev, - Switzerland | + | This file is part of the Roundcube Webmail client | + | Copyright (C) 2005-2011, The Roundcube Dev Team | | Licensed under the GNU GPL | | | | PURPOSE: | @@ -15,13 +15,19 @@ | Author: Thomas Bruederli | +-----------------------------------------------------------------------+ - $Id: main.inc 617 2007-06-13 06:57:22Z thomasb $ + $Id: main.inc 5151 2011-08-31 12:49:44Z alec $ */ -require_once('lib/utf7.inc'); -require_once('include/rcmail_template.inc'); +/** + * Roundcube Webmail common functions + * + * @package Core + * @author Thomas Bruederli + */ +require_once 'utf7.inc'; +require_once INSTALL_PATH . 'program/include/rcube_shared.inc'; // define constannts for input reading define('RCUBE_INPUT_GET', 0x0101); @@ -29,962 +35,505 @@ define('RCUBE_INPUT_POST', 0x0102); define('RCUBE_INPUT_GPC', 0x0103); -// register session and connect to server -function rcmail_startup($task='mail') - { - global $sess_id, $sess_user_lang; - global $CONFIG, $INSTALL_PATH, $BROWSER, $OUTPUT, $_SESSION, $IMAP, $DB; - - // check client - $BROWSER = rcube_browser(); - - // load configuration - $CONFIG = rcmail_load_config(); - - // set session garbage collecting time according to session_lifetime - if (!empty($CONFIG['session_lifetime'])) - ini_set('session.gc_maxlifetime', ($CONFIG['session_lifetime']) * 120); - - // prepare DB connection - require_once('include/rcube_'.(empty($CONFIG['db_backend']) ? 'db' : $CONFIG['db_backend']).'.inc'); - - $DB = new rcube_db($CONFIG['db_dsnw'], $CONFIG['db_dsnr'], $CONFIG['db_persistent']); - $DB->sqlite_initials = $INSTALL_PATH.'SQL/sqlite.initial.sql'; - $DB->db_connect('w'); - - // use database for storing session data - include_once('include/session.inc'); - // init session - session_start(); - $sess_id = session_id(); +/** + * Return correct name for a specific database table + * + * @param string Table name + * @return string Translated table name + */ +function get_table_name($table) + { + global $CONFIG; - // create session and set session vars - if (!isset($_SESSION['auth_time'])) - { - $_SESSION['user_lang'] = rcube_language_prop($CONFIG['locale_string']); - $_SESSION['auth_time'] = time(); - $_SESSION['temp'] = true; - } + // return table name if configured + $config_key = 'db_table_'.$table; - // set session vars global - $sess_user_lang = rcube_language_prop($_SESSION['user_lang']); + if (strlen($CONFIG[$config_key])) + return $CONFIG[$config_key]; + return $table; + } - // overwrite config with user preferences - if (is_array($_SESSION['user_prefs'])) - $CONFIG = array_merge($CONFIG, $_SESSION['user_prefs']); +/** + * Return correct name for a specific database sequence + * (used for Postgres only) + * + * @param string Secuence name + * @return string Translated sequence name + */ +function get_sequence_name($sequence) + { + // return sequence name if configured + $config_key = 'db_sequence_'.$sequence; + $opt = rcmail::get_instance()->config->get($config_key); - // reset some session parameters when changing task - if ($_SESSION['task'] != $task) - unset($_SESSION['page']); + if (!empty($opt)) + return $opt; + + return $sequence; + } - // set current task to session - $_SESSION['task'] = $task; - // create IMAP object - if ($task=='mail') - rcmail_imap_init(); +/** + * Get localized text in the desired language + * It's a global wrapper for rcmail::gettext() + * + * @param mixed Named parameters array or label name + * @param string Domain to search in (e.g. plugin name) + * @return string Localized text + * @see rcmail::gettext() + */ +function rcube_label($p, $domain=null) +{ + return rcmail::get_instance()->gettext($p, $domain); +} - // set localization - if ($CONFIG['locale_string']) - setlocale(LC_ALL, $CONFIG['locale_string']); - else if ($sess_user_lang) - setlocale(LC_ALL, $sess_user_lang); +/** + * Global wrapper of rcmail::text_exists() + * to check whether a text label is defined + * + * @see rcmail::text_exists() + */ +function rcube_label_exists($name, $domain=null) +{ + return rcmail::get_instance()->text_exists($name, $domain); +} - register_shutdown_function('rcmail_shutdown'); +/** + * Overwrite action variable + * + * @param string New action value + */ +function rcmail_overwrite_action($action) + { + $app = rcmail::get_instance(); + $app->action = $action; + $app->output->set_env('action', $action); } -// load roundcube configuration into global var -function rcmail_load_config() - { - global $INSTALL_PATH; - - // load config file - include_once('config/main.inc.php'); - $conf = is_array($rcmail_config) ? $rcmail_config : array(); +/** + * Compose an URL for a specific action + * + * @param string Request action + * @param array More URL parameters + * @param string Request task (omit if the same) + * @return The application URL + */ +function rcmail_url($action, $p=array(), $task=null) +{ + $app = rcmail::get_instance(); + return $app->url((array)$p + array('_action' => $action, 'task' => $task)); +} - // load host-specific configuration - rcmail_load_host_config($conf); - $conf['skin_path'] = $conf['skin_path'] ? unslashify($conf['skin_path']) : 'skins/default'; +/** + * Garbage collector function for temp files. + * Remove temp files older than two days + */ +function rcmail_temp_gc() +{ + $rcmail = rcmail::get_instance(); - // load db conf - include_once('config/db.inc.php'); - $conf = array_merge($conf, $rcmail_config); + $tmp = unslashify($rcmail->config->get('temp_dir')); + $expire = mktime() - 172800; // expire in 48 hours - if (empty($conf['log_dir'])) - $conf['log_dir'] = $INSTALL_PATH.'logs'; - else - $conf['log_dir'] = unslashify($conf['log_dir']); + if ($dir = opendir($tmp)) { + while (($fname = readdir($dir)) !== false) { + if ($fname{0} == '.') + continue; - // set PHP error logging according to config - if ($conf['debug_level'] & 1) - { - ini_set('log_errors', 1); - ini_set('error_log', $conf['log_dir'].'/errors'); + if (filemtime($tmp.'/'.$fname) < $expire) + @unlink($tmp.'/'.$fname); } - if ($conf['debug_level'] & 4) - ini_set('display_errors', 1); - else - ini_set('display_errors', 0); - return $conf; + closedir($dir); } +} -// load a host-specific config file if configured -function rcmail_load_host_config(&$config) - { - $fname = NULL; - - if (is_array($config['include_host_config'])) - $fname = $config['include_host_config'][$_SERVER['HTTP_HOST']]; - else if (!empty($config['include_host_config'])) - $fname = preg_replace('/[^a-z0-9\.\-_]/i', '', $_SERVER['HTTP_HOST']) . '.inc.php'; - - if ($fname && is_file('config/'.$fname)) - { - include('config/'.$fname); - $config = array_merge($config, $rcmail_config); - } - } +/** + * Garbage collector for cache entries. + * Remove all expired message cache records + * @return void + */ +function rcmail_cache_gc() +{ + $rcmail = rcmail::get_instance(); + $db = $rcmail->get_dbh(); + // get target timestamp + $ts = get_offset_time($rcmail->config->get('message_cache_lifetime', '30d'), -1); -// create authorization hash -function rcmail_auth_hash($sess_id, $ts) - { - global $CONFIG; - - $auth_string = sprintf('rcmail*sess%sR%s*Chk:%s;%s', - $sess_id, - $ts, - $CONFIG['ip_check'] ? $_SERVER['REMOTE_ADDR'] : '***.***.***.***', - $_SERVER['HTTP_USER_AGENT']); - - if (function_exists('sha1')) - return sha1($auth_string); - else - return md5($auth_string); - } + $db->query("DELETE FROM ".get_table_name('messages')." + WHERE created < " . $db->fromunixtime($ts)); + $db->query("DELETE FROM ".get_table_name('cache')." + WHERE created < " . $db->fromunixtime($ts)); +} -// compare the auth hash sent by the client with the local session credentials -function rcmail_authenticate_session() - { - global $CONFIG, $SESS_CLIENT_IP, $SESS_CHANGED; - - // advanced session authentication - if ($CONFIG['double_auth']) - { - $now = time(); - $valid = ($_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['auth_time']) || - $_COOKIE['sessauth'] == rcmail_auth_hash(session_id(), $_SESSION['last_auth'])); - // renew auth cookie every 5 minutes (only for GET requests) - if (!$valid || ($_SERVER['REQUEST_METHOD']!='POST' && $now-$_SESSION['auth_time'] > 300)) - { - $_SESSION['last_auth'] = $_SESSION['auth_time']; - $_SESSION['auth_time'] = $now; - setcookie('sessauth', rcmail_auth_hash(session_id(), $now)); - } - } - else - $valid = $CONFIG['ip_check'] ? $_SERVER['REMOTE_ADDR'] == $SESS_CLIENT_IP : true; - - // check session filetime - if (!empty($CONFIG['session_lifetime']) && isset($SESS_CHANGED) && $SESS_CHANGED + $CONFIG['session_lifetime']*60 < time()) - $valid = false; +/** + * Catch an error and throw an exception. + * + * @param int Level of the error + * @param string Error message + */ +function rcube_error_handler($errno, $errstr) +{ + throw new ErrorException($errstr, 0, $errno); +} - return $valid; - } +/** + * Convert a string from one charset to another. + * Uses mbstring and iconv functions if possible + * + * @param string Input string + * @param string Suspected charset of the input string + * @param string Target charset to convert to; defaults to RCMAIL_CHARSET + * @return string Converted string + */ +function rcube_charset_convert($str, $from, $to=NULL) +{ + static $iconv_options = null; + static $mbstring_loaded = null; + static $mbstring_list = null; + static $conv = null; -// create IMAP object and connect to server -function rcmail_imap_init($connect=FALSE) - { - global $CONFIG, $DB, $IMAP, $OUTPUT; + $error = false; - $IMAP = new rcube_imap($DB); - $IMAP->debug_level = $CONFIG['debug_level']; - $IMAP->skip_deleted = $CONFIG['skip_deleted']; + $to = empty($to) ? strtoupper(RCMAIL_CHARSET) : rcube_parse_charset($to); + $from = rcube_parse_charset($from); + if ($from == $to || empty($str) || empty($from)) + return $str; - // connect with stored session data - if ($connect) - { - if (!($conn = $IMAP->connect($_SESSION['imap_host'], $_SESSION['username'], decrypt_passwd($_SESSION['password']), $_SESSION['imap_port'], $_SESSION['imap_ssl']))) - $OUTPUT->show_message('imaperror', 'error'); - - rcmail_set_imap_prop(); + // convert charset using iconv module + if (function_exists('iconv') && $from != 'UTF7-IMAP' && $to != 'UTF7-IMAP') { + if ($iconv_options === null) { + // ignore characters not available in output charset + $iconv_options = '//IGNORE'; + if (iconv('', $iconv_options, '') === false) { + // iconv implementation does not support options + $iconv_options = ''; + } } - // enable caching of imap data - if ($CONFIG['enable_caching']===TRUE) - $IMAP->set_caching(TRUE); - - // set pagesize from config - if (isset($CONFIG['pagesize'])) - $IMAP->set_pagesize($CONFIG['pagesize']); + // throw an exception if iconv reports an illegal character in input + // it means that input string has been truncated + set_error_handler('rcube_error_handler', E_NOTICE); + try { + $_iconv = iconv($from, $to . $iconv_options, $str); + } catch (ErrorException $e) { + $_iconv = false; + } + restore_error_handler(); + if ($_iconv !== false) { + return $_iconv; + } } + if ($mbstring_loaded === null) + $mbstring_loaded = extension_loaded('mbstring'); -// set root dir and last stored mailbox -// this must be done AFTER connecting to the server -function rcmail_set_imap_prop() - { - global $CONFIG, $IMAP; + // convert charset using mbstring module + if ($mbstring_loaded) { + $aliases['WINDOWS-1257'] = 'ISO-8859-13'; - // set root dir from config - if (!empty($CONFIG['imap_root'])) - $IMAP->set_rootdir($CONFIG['imap_root']); + if ($mbstring_list === null) { + $mbstring_list = mb_list_encodings(); + $mbstring_list = array_map('strtoupper', $mbstring_list); + } - if (is_array($CONFIG['default_imap_folders'])) - $IMAP->set_default_mailboxes($CONFIG['default_imap_folders']); + $mb_from = $aliases[$from] ? $aliases[$from] : $from; + $mb_to = $aliases[$to] ? $aliases[$to] : $to; - if (!empty($_SESSION['mbox'])) - $IMAP->set_mailbox($_SESSION['mbox']); - if (isset($_SESSION['page'])) - $IMAP->set_page($_SESSION['page']); + // return if encoding found, string matches encoding and convert succeeded + if (in_array($mb_from, $mbstring_list) && in_array($mb_to, $mbstring_list)) { + if (mb_check_encoding($str, $mb_from) && ($out = mb_convert_encoding($str, $mb_to, $mb_from))) + return $out; + } } + // convert charset using bundled classes/functions + if ($to == 'UTF-8') { + if ($from == 'UTF7-IMAP') { + if ($_str = utf7_to_utf8($str)) + return $_str; + } + else if ($from == 'UTF-7') { + if ($_str = rcube_utf7_to_utf8($str)) + return $_str; + } + else if (($from == 'ISO-8859-1') && function_exists('utf8_encode')) { + return utf8_encode($str); + } + else if (class_exists('utf8')) { + if (!$conv) + $conv = new utf8($from); + else + $conv->loadCharset($from); -// do these things on script shutdown -function rcmail_shutdown() - { - global $IMAP; - - if (is_object($IMAP)) - { - $IMAP->close(); - $IMAP->write_cache(); + if($_str = $conv->strToUtf8($str)) + return $_str; } - - // before closing the database connection, write session data - session_write_close(); + $error = true; } - -// destroy session data and remove cookie -function rcmail_kill_session() - { - // save user preferences - $a_user_prefs = $_SESSION['user_prefs']; - if (!is_array($a_user_prefs)) - $a_user_prefs = array(); - - if ((isset($_SESSION['sort_col']) && $_SESSION['sort_col']!=$a_user_prefs['message_sort_col']) || - (isset($_SESSION['sort_order']) && $_SESSION['sort_order']!=$a_user_prefs['message_sort_order'])) - { - $a_user_prefs['message_sort_col'] = $_SESSION['sort_col']; - $a_user_prefs['message_sort_order'] = $_SESSION['sort_order']; - rcmail_save_user_prefs($a_user_prefs); + // encode string for output + if ($from == 'UTF-8') { + // @TODO: we need a function for UTF-7 (RFC2152) conversion + if ($to == 'UTF7-IMAP' || $to == 'UTF-7') { + if ($_str = utf8_to_utf7($str)) + return $_str; } + else if ($to == 'ISO-8859-1' && function_exists('utf8_decode')) { + return utf8_decode($str); + } + else if (class_exists('utf8')) { + if (!$conv) + $conv = new utf8($to); + else + $conv->loadCharset($from); - $_SESSION = array('user_lang' => $GLOBALS['sess_user_lang'], 'auth_time' => time(), 'temp' => true); - setcookie('sessauth', '-del-', time()-60); + if ($_str = $conv->strToUtf8($str)) + return $_str; + } + $error = true; } + // return UTF-8 or original string + return $str; +} -// return correct name for a specific database table -function get_table_name($table) - { - global $CONFIG; - - // return table name if configured - $config_key = 'db_table_'.$table; - if (strlen($CONFIG[$config_key])) - return $CONFIG[$config_key]; - - return $table; +/** + * Parse and validate charset name string (see #1485758). + * Sometimes charset string is malformed, there are also charset aliases + * but we need strict names for charset conversion (specially utf8 class) + * + * @param string Input charset name + * @return string The validated charset name + */ +function rcube_parse_charset($input) +{ + static $charsets = array(); + $charset = strtoupper($input); + + if (isset($charsets[$input])) + return $charsets[$input]; + + $charset = preg_replace(array( + '/^[^0-9A-Z]+/', // e.g. _ISO-8859-JP$SIO + '/\$.*$/', // e.g. _ISO-8859-JP$SIO + '/UNICODE-1-1-*/', // RFC1641/1642 + '/^X-/', // X- prefix (e.g. X-ROMAN8 => ROMAN8) + ), '', $charset); + + if ($charset == 'BINARY') + return $charsets[$input] = null; + + # Aliases: some of them from HTML5 spec. + $aliases = array( + 'USASCII' => 'WINDOWS-1252', + 'ANSIX31101983' => 'WINDOWS-1252', + 'ANSIX341968' => 'WINDOWS-1252', + 'UNKNOWN8BIT' => 'ISO-8859-15', + 'UNKNOWN' => 'ISO-8859-15', + 'USERDEFINED' => 'ISO-8859-15', + 'KSC56011987' => 'EUC-KR', + 'GB2312' => 'GBK', + 'GB231280' => 'GBK', + 'UNICODE' => 'UTF-8', + 'UTF7IMAP' => 'UTF7-IMAP', + 'TIS620' => 'WINDOWS-874', + 'ISO88599' => 'WINDOWS-1254', + 'ISO885911' => 'WINDOWS-874', + 'MACROMAN' => 'MACINTOSH', + '77' => 'MAC', + '128' => 'SHIFT-JIS', + '129' => 'CP949', + '130' => 'CP1361', + '134' => 'GBK', + '136' => 'BIG5', + '161' => 'WINDOWS-1253', + '162' => 'WINDOWS-1254', + '163' => 'WINDOWS-1258', + '177' => 'WINDOWS-1255', + '178' => 'WINDOWS-1256', + '186' => 'WINDOWS-1257', + '204' => 'WINDOWS-1251', + '222' => 'WINDOWS-874', + '238' => 'WINDOWS-1250', + 'MS950' => 'CP950', + 'WINDOWS949' => 'UHC', + ); + + // allow A-Z and 0-9 only + $str = preg_replace('/[^A-Z0-9]/', '', $charset); + + if (isset($aliases[$str])) + $result = $aliases[$str]; + // UTF + else if (preg_match('/U[A-Z][A-Z](7|8|16|32)(BE|LE)*/', $str, $m)) + $result = 'UTF-' . $m[1] . $m[2]; + // ISO-8859 + else if (preg_match('/ISO8859([0-9]{0,2})/', $str, $m)) { + $iso = 'ISO-8859-' . ($m[1] ? $m[1] : 1); + // some clients sends windows-1252 text as latin1, + // it is safe to use windows-1252 for all latin1 + $result = $iso == 'ISO-8859-1' ? 'WINDOWS-1252' : $iso; } - - -// return correct name for a specific database sequence -// (used for Postres only) -function get_sequence_name($sequence) - { - global $CONFIG; - - // return table name if configured - $config_key = 'db_sequence_'.$sequence; - - if (strlen($CONFIG[$config_key])) - return $CONFIG[$config_key]; - - return $table; + // handle broken charset names e.g. WINDOWS-1250HTTP-EQUIVCONTENT-TYPE + else if (preg_match('/(WIN|WINDOWS)([0-9]+)/', $str, $m)) { + $result = 'WINDOWS-' . $m[2]; } - - -// check the given string and returns language properties -function rcube_language_prop($lang, $prop='lang') - { - global $INSTALL_PATH; - static $rcube_languages, $rcube_language_aliases, $rcube_charsets; - - if (empty($rcube_languages)) - @include($INSTALL_PATH.'program/localization/index.inc'); - - // check if we have an alias for that language - if (!isset($rcube_languages[$lang]) && isset($rcube_language_aliases[$lang])) - $lang = $rcube_language_aliases[$lang]; - - // try the first two chars - if (!isset($rcube_languages[$lang]) && strlen($lang)>2) - { - $lang = substr($lang, 0, 2); - $lang = rcube_language_prop($lang); + // LATIN + else if (preg_match('/LATIN(.*)/', $str, $m)) { + $aliases = array('2' => 2, '3' => 3, '4' => 4, '5' => 9, '6' => 10, + '7' => 13, '8' => 14, '9' => 15, '10' => 16, + 'ARABIC' => 6, 'CYRILLIC' => 5, 'GREEK' => 7, 'GREEK1' => 7, 'HEBREW' => 8); + + // some clients sends windows-1252 text as latin1, + // it is safe to use windows-1252 for all latin1 + if ($m[1] == 1) { + $result = 'WINDOWS-1252'; + } + // if iconv is not supported we need ISO labels, it's also safe for iconv + else if (!empty($aliases[$m[1]])) { + $result = 'ISO-8859-'.$aliases[$m[1]]; + } + // iconv requires convertion of e.g. LATIN-1 to LATIN1 + else { + $result = $str; } - - if (!isset($rcube_languages[$lang])) - $lang = 'en_US'; - - // language has special charset configured - if (isset($rcube_charsets[$lang])) - $charset = $rcube_charsets[$lang]; - else - $charset = 'UTF-8'; - - - if ($prop=='charset') - return $charset; - else - return $lang; - } - - -// init output object for GUI and add common scripts -function rcmail_load_gui() - { - global $CONFIG, $OUTPUT, $sess_user_lang; - - // init output page - $OUTPUT = new rcmail_template($CONFIG, $GLOBALS['_task']); - $OUTPUT->set_env('comm_path', $GLOBALS['COMM_PATH']); - - if (is_array($CONFIG['javascript_config'])) - { - foreach ($CONFIG['javascript_config'] as $js_config_var) - $OUTPUT->set_env($js_config_var, $CONFIG[$js_config_var]); } - - if (!empty($GLOBALS['_framed'])) - $OUTPUT->set_env('framed', true); - - // set locale setting - rcmail_set_locale($sess_user_lang); - - // set user-selected charset - if (!empty($CONFIG['charset'])) - $OUTPUT->set_charset($CONFIG['charset']); - - // register common UI objects - $OUTPUT->add_handlers(array( - 'loginform' => 'rcmail_login_form', - 'username' => 'rcmail_current_username', - 'message' => 'rcmail_message_container', - 'charsetselector' => 'rcmail_charset_selector', - )); - - // add some basic label to client - if (!$OUTPUT->ajax_call) - rcube_add_label('loading'); + else { + $result = $charset; } + $charsets[$input] = $result; -// set localization charset based on the given language -function rcmail_set_locale($lang) - { - global $OUTPUT, $MBSTRING; - static $s_mbstring_loaded = NULL; - - // settings for mbstring module (by Tadashi Jokagi) - if (is_null($s_mbstring_loaded)) - $MBSTRING = $s_mbstring_loaded = extension_loaded("mbstring"); - else - $MBSTRING = $s_mbstring_loaded = FALSE; - - if ($MBSTRING) - mb_internal_encoding(RCMAIL_CHARSET); - - $OUTPUT->set_charset(rcube_language_prop($lang, 'charset')); - } + return $result; +} -// auto-select IMAP host based on the posted login information -function rcmail_autoselect_host() +/** + * Converts string from standard UTF-7 (RFC 2152) to UTF-8. + * + * @param string Input string + * @return string The converted string + */ +function rcube_utf7_to_utf8($str) +{ + $Index_64 = array( + 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, + 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, + 0,0,0,0, 0,0,0,0, 0,0,0,1, 0,0,0,0, + 1,1,1,1, 1,1,1,1, 1,1,0,0, 0,0,0,0, + 0,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, + 1,1,1,1, 1,1,1,1, 1,1,1,0, 0,0,0,0, + 0,1,1,1, 1,1,1,1, 1,1,1,1, 1,1,1,1, + 1,1,1,1, 1,1,1,1, 1,1,1,0, 0,0,0,0, + ); + + $u7len = strlen($str); + $str = strval($str); + $res = ''; + + for ($i=0; $u7len > 0; $i++, $u7len--) { - global $CONFIG; - - $host = isset($_POST['_host']) ? get_input_value('_host', RCUBE_INPUT_POST) : $CONFIG['default_host']; - if (is_array($host)) + $u7 = $str[$i]; + if ($u7 == '+') { - list($user, $domain) = explode('@', get_input_value('_user', RCUBE_INPUT_POST)); - if (!empty($domain)) - { - foreach ($host as $imap_host => $mail_domains) - if (is_array($mail_domains) && in_array($domain, $mail_domains)) - { - $host = $imap_host; - break; - } - } + $i++; + $u7len--; + $ch = ''; - // take the first entry if $host is still an array - if (is_array($host)) - $host = array_shift($host); - } - - return $host; - } + for (; $u7len > 0; $i++, $u7len--) + { + $u7 = $str[$i]; + if (!$Index_64[ord($u7)]) + break; -// perfom login to the IMAP server and to the webmail service -function rcmail_login($user, $pass, $host=NULL) - { - global $CONFIG, $IMAP, $DB, $sess_user_lang; - $user_id = NULL; - - if (!$host) - $host = $CONFIG['default_host']; + $ch .= $u7; + } - // Validate that selected host is in the list of configured hosts - if (is_array($CONFIG['default_host'])) - { - $allowed = FALSE; - foreach ($CONFIG['default_host'] as $key => $host_allowed) - { - if (!is_numeric($key)) - $host_allowed = $key; - if ($host == $host_allowed) - { - $allowed = TRUE; - break; - } + if ($ch == '') { + if ($u7 == '-') + $res .= '+'; + continue; } - if (!$allowed) - return FALSE; - } - else if (!empty($CONFIG['default_host']) && $host != $CONFIG['default_host']) - return FALSE; - // parse $host URL - $a_host = parse_url($host); - if ($a_host['host']) - { - $host = $a_host['host']; - $imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE; - $imap_port = isset($a_host['port']) ? $a_host['port'] : ($imap_ssl ? 993 : $CONFIG['default_port']); + $res .= rcube_utf16_to_utf8(base64_decode($ch)); } - else - $imap_port = $CONFIG['default_port']; - - - /* Modify username with domain if required - Inspired by Marco - */ - // Check if we need to add domain - if (!empty($CONFIG['username_domain']) && !strstr($user, '@')) + else { - if (is_array($CONFIG['username_domain']) && isset($CONFIG['username_domain'][$host])) - $user .= '@'.$CONFIG['username_domain'][$host]; - else if (is_string($CONFIG['username_domain'])) - $user .= '@'.$CONFIG['username_domain']; + $res .= $u7; } + } + return $res; +} - // query if user already registered - $sql_result = $DB->query("SELECT user_id, username, language, preferences - FROM ".get_table_name('users')." - WHERE mail_host=? AND (username=? OR alias=?)", - $host, - $user, - $user); - - // user already registered -> overwrite username - if ($sql_arr = $DB->fetch_assoc($sql_result)) - { - $user_id = $sql_arr['user_id']; - $user = $sql_arr['username']; +/** + * Converts string from UTF-16 to UTF-8 (helper for utf-7 to utf-8 conversion) + * + * @param string Input string + * @return string The converted string + */ +function rcube_utf16_to_utf8($str) +{ + $len = strlen($str); + $dec = ''; + + for ($i = 0; $i < $len; $i += 2) { + $c = ord($str[$i]) << 8 | ord($str[$i + 1]); + if ($c >= 0x0001 && $c <= 0x007F) { + $dec .= chr($c); + } else if ($c > 0x07FF) { + $dec .= chr(0xE0 | (($c >> 12) & 0x0F)); + $dec .= chr(0x80 | (($c >> 6) & 0x3F)); + $dec .= chr(0x80 | (($c >> 0) & 0x3F)); + } else { + $dec .= chr(0xC0 | (($c >> 6) & 0x1F)); + $dec .= chr(0x80 | (($c >> 0) & 0x3F)); } + } + return $dec; +} - // try to resolve email address from virtuser table - if (!empty($CONFIG['virtuser_file']) && strstr($user, '@')) - $user = rcmail_email2user($user); +/** + * Replacing specials characters to a specific encoding type + * + * @param string Input string + * @param string Encoding type: text|html|xml|js|url + * @param string Replace mode for tags: show|replace|remove + * @param boolean Convert newlines + * @return string The quoted string + */ +function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) + { + static $html_encode_arr = false; + static $js_rep_table = false; + static $xml_rep_table = false; - // exit if IMAP login failed - if (!($imap_login = $IMAP->connect($host, $user, $pass, $imap_port, $imap_ssl))) - return FALSE; + if (!$enctype) + $enctype = $OUTPUT->type; - // user already registered - if ($user_id && !empty($sql_arr)) + // encode for HTML output + if ($enctype=='html') { - // get user prefs - if (strlen($sql_arr['preferences'])) + if (!$html_encode_arr) { - $user_prefs = unserialize($sql_arr['preferences']); - $_SESSION['user_prefs'] = $user_prefs; - array_merge($CONFIG, $user_prefs); - } - - - // set user specific language - if (strlen($sql_arr['language'])) - $sess_user_lang = $_SESSION['user_lang'] = $sql_arr['language']; - - // update user's record - $DB->query("UPDATE ".get_table_name('users')." - SET last_login=".$DB->now()." - WHERE user_id=?", - $user_id); - } - // create new system user - else if ($CONFIG['auto_create_user']) - { - $user_id = rcmail_create_user($user, $host); - } - - if ($user_id) - { - $_SESSION['user_id'] = $user_id; - $_SESSION['imap_host'] = $host; - $_SESSION['imap_port'] = $imap_port; - $_SESSION['imap_ssl'] = $imap_ssl; - $_SESSION['username'] = $user; - $_SESSION['user_lang'] = $sess_user_lang; - $_SESSION['password'] = encrypt_passwd($pass); - $_SESSION['login_time'] = mktime(); - - // force reloading complete list of subscribed mailboxes - rcmail_set_imap_prop(); - $IMAP->clear_cache('mailboxes'); - $IMAP->create_default_folders(); - - return TRUE; - } - - return FALSE; - } - - -// create new entry in users and identities table -function rcmail_create_user($user, $host) - { - global $DB, $CONFIG, $IMAP; - - $user_email = ''; - - // try to resolve user in virtusertable - if (!empty($CONFIG['virtuser_file']) && strstr($user, '@')==FALSE) - $user_email = rcmail_user2email($user); - - $DB->query("INSERT INTO ".get_table_name('users')." - (created, last_login, username, mail_host, alias, language) - VALUES (".$DB->now().", ".$DB->now().", ?, ?, ?, ?)", - strip_newlines($user), - strip_newlines($host), - strip_newlines($user_email), - $_SESSION['user_lang']); - - if ($user_id = $DB->insert_id(get_sequence_name('users'))) - { - $mail_domain = rcmail_mail_domain($host); - - if ($user_email=='') - $user_email = strstr($user, '@') ? $user : sprintf('%s@%s', $user, $mail_domain); - - $user_name = $user!=$user_email ? $user : ''; - - // try to resolve the e-mail address from the virtuser table - if (!empty($CONFIG['virtuser_query']) && - ($sql_result = $DB->query(preg_replace('/%u/', $user, $CONFIG['virtuser_query']))) && - ($DB->num_rows()>0)) - while ($sql_arr = $DB->fetch_array($sql_result)) - { - $DB->query("INSERT INTO ".get_table_name('identities')." - (user_id, del, standard, name, email) - VALUES (?, 0, 1, ?, ?)", - $user_id, - strip_newlines($user_name), - preg_replace('/^@/', $user . '@', $sql_arr[0])); - } - else - { - // also create new identity records - $DB->query("INSERT INTO ".get_table_name('identities')." - (user_id, del, standard, name, email) - VALUES (?, 0, 1, ?, ?)", - $user_id, - strip_newlines($user_name), - strip_newlines($user_email)); - } - - // get existing mailboxes - $a_mailboxes = $IMAP->list_mailboxes(); - } - else - { - raise_error(array('code' => 500, - 'type' => 'php', - 'line' => __LINE__, - 'file' => __FILE__, - 'message' => "Failed to create new user"), TRUE, FALSE); - } - - return $user_id; - } - - -// load virtuser table in array -function rcmail_getvirtualfile() - { - global $CONFIG; - if (empty($CONFIG['virtuser_file']) || !is_file($CONFIG['virtuser_file'])) - return FALSE; - - // read file - $a_lines = file($CONFIG['virtuser_file']); - return $a_lines; - } - - -// find matches of the given pattern in virtuser table -function rcmail_findinvirtual($pattern) - { - $result = array(); - $virtual = rcmail_getvirtualfile(); - if ($virtual==FALSE) - return $result; - - // check each line for matches - foreach ($virtual as $line) - { - $line = trim($line); - if (empty($line) || $line{0}=='#') - continue; - - if (eregi($pattern, $line)) - $result[] = $line; - } - - return $result; - } - - -// resolve username with virtuser table -function rcmail_email2user($email) - { - $user = $email; - $r = rcmail_findinvirtual("^$email"); - - for ($i=0; $i0) - { - $user = trim($arr[count($arr)-1]); - break; - } - } - - return $user; - } - - -// resolve e-mail address with virtuser table -function rcmail_user2email($user) - { - $email = ""; - $r = rcmail_findinvirtual("$user$"); - - for ($i=0; $i0) - { - $email = trim($arr[0]); - break; - } - } - - return $email; - } - - -function rcmail_save_user_prefs($a_user_prefs) - { - global $DB, $CONFIG, $sess_user_lang; - - $DB->query("UPDATE ".get_table_name('users')." - SET preferences=?, - language=? - WHERE user_id=?", - serialize($a_user_prefs), - $sess_user_lang, - $_SESSION['user_id']); - - if ($DB->affected_rows()) - { - $_SESSION['user_prefs'] = $a_user_prefs; - $CONFIG = array_merge($CONFIG, $a_user_prefs); - return TRUE; - } - - return FALSE; - } - - -// overwrite action variable -function rcmail_overwrite_action($action) - { - global $OUTPUT; - $GLOBALS['_action'] = $action; - $OUTPUT->set_env('action', $action); - } - - -/** - * Compose an URL for a specific action - * - * @param string Request action - * @param array More URL parameters - * @param string Request task (omit if the same) - * @return The application URL - */ -function rcmail_url($action, $p=array(), $task=null) -{ - global $MAIN_TASKS, $COMM_PATH; - $qstring = ''; - $base = $COMM_PATH; - - if ($task && in_array($task, $MAIN_TASKS)) - $base = ereg_replace('_task=[a-z]+', '_task='.$task, $COMM_PATH); - - if (is_array($p)) - foreach ($p as $key => $val) - $qstring .= '&'.urlencode($key).'='.urlencode($val); - - return $base . ($action ? '&_action='.$action : '') . $qstring; -} - - -// @deprecated -function show_message($message, $type='notice', $vars=NULL) - { - global $OUTPUT; - $OUTPUT->show_message($message, $type, $vars); - } - - -// encrypt IMAP password using DES encryption -function encrypt_passwd($pass) - { - $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_ECB, ""); - $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND); - mcrypt_generic_init($td, get_des_key(), $iv); - $cypher = mcrypt_generic($td, $pass); - mcrypt_generic_deinit($td); - mcrypt_module_close($td); - return base64_encode($cypher); - } - - -// decrypt IMAP password using DES encryption -function decrypt_passwd($cypher) - { - $td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_ECB, ""); - $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND); - mcrypt_generic_init($td, get_des_key(), $iv); - $pass = mdecrypt_generic($td, base64_decode($cypher)); - mcrypt_generic_deinit($td); - mcrypt_module_close($td); - return preg_replace('/\x00/', '', $pass); - } - - -// return a 24 byte key for the DES encryption -function get_des_key() - { - $key = !empty($GLOBALS['CONFIG']['des_key']) ? $GLOBALS['CONFIG']['des_key'] : 'rcmail?24BitPwDkeyF**ECB'; - $len = strlen($key); - - // make sure the key is exactly 24 chars long - if ($len<24) - $key .= str_repeat('_', 24-$len); - else if ($len>24) - substr($key, 0, 24); - - return $key; - } - - -// read directory program/localization/ and return a list of available languages -function rcube_list_languages() - { - global $CONFIG, $INSTALL_PATH; - static $sa_languages = array(); - - if (!sizeof($sa_languages)) - { - @include($INSTALL_PATH.'program/localization/index.inc'); - - if ($dh = @opendir($INSTALL_PATH.'program/localization')) - { - while (($name = readdir($dh)) !== false) - { - if ($name{0}=='.' || !is_dir($INSTALL_PATH.'program/localization/'.$name)) - continue; - - if ($label = $rcube_languages[$name]) - $sa_languages[$name] = $label ? $label : $name; - } - closedir($dh); - } - } - return $sa_languages; - } - - -// add a localized label to the client environment -function rcube_add_label() - { - global $OUTPUT; - - $arg_list = func_get_args(); - foreach ($arg_list as $i => $name) - $OUTPUT->command('add_label', $name, rcube_label($name)); - } - - -// remove temp files older than two day -function rcmail_temp_gc() - { - $tmp = unslashify($CONFIG['temp_dir']); - $expire = mktime() - 172800; // expire in 48 hours - - if ($dir = opendir($tmp)) - { - while (($fname = readdir($dir)) !== false) - { - if ($fname{0} == '.') - continue; - - if (filemtime($tmp.'/'.$fname) < $expire) - @unlink($tmp.'/'.$fname); - } - - closedir($dir); - } - } - - -// remove all expired message cache records -function rcmail_message_cache_gc() - { - global $DB, $CONFIG; - - // no cache lifetime configured - if (empty($CONFIG['message_cache_lifetime'])) - return; - - // get target timestamp - $ts = get_offset_time($CONFIG['message_cache_lifetime'], -1); - - $DB->query("DELETE FROM ".get_table_name('messages')." - WHERE created < ".$DB->fromunixtime($ts)); - } - - -/** - * Convert a string from one charset to another. - * Uses mbstring and iconv functions if possible - * - * @param string Input string - * @param string Suspected charset of the input string - * @param string Target charset to convert to; defaults to RCMAIL_CHARSET - * @return Converted string - */ -function rcube_charset_convert($str, $from, $to=NULL) - { - global $MBSTRING; - - $from = strtoupper($from); - $to = $to==NULL ? strtoupper(RCMAIL_CHARSET) : strtoupper($to); - - if ($from==$to || $str=='' || empty($from)) - return $str; - - // convert charset using mbstring module - if ($MBSTRING) - { - $to = $to=="UTF-7" ? "UTF7-IMAP" : $to; - $from = $from=="UTF-7" ? "UTF7-IMAP": $from; - - // return if convert succeeded - if (($out = mb_convert_encoding($str, $to, $from)) != '') - return $out; - } - - // convert charset using iconv module - if (function_exists('iconv') && $from!='UTF-7' && $to!='UTF-7') - return iconv($from, $to, $str); - - // convert string to UTF-8 - if ($from=='UTF-7') - $str = utf7_to_utf8($str); - else if (($from=='ISO-8859-1') && function_exists('utf8_encode')) - $str = utf8_encode($str); - - // encode string for output - if ($to=='UTF-7') - return utf8_to_utf7($str); - else if ($to=='ISO-8859-1' && function_exists('utf8_decode')) - return utf8_decode($str); - - // return UTF-8 string - return $str; - } - - -/** - * Replacing specials characters to a specific encoding type - * - * @param string Input string - * @param string Encoding type: text|html|xml|js|url - * @param string Replace mode for tags: show|replace|remove - * @param boolean Convert newlines - * @return The quoted string - */ -function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) - { - global $OUTPUT_TYPE, $OUTPUT; - static $html_encode_arr, $js_rep_table, $xml_rep_table; - - if (!$enctype) - $enctype = $GLOBALS['OUTPUT_TYPE']; - - // convert nbsps back to normal spaces if not html - if ($enctype!='html') - $str = str_replace(chr(160), ' ', $str); - - // encode for plaintext - if ($enctype=='text') - return str_replace("\r\n", "\n", $mode=='remove' ? strip_tags($str) : $str); - - // encode for HTML output - if ($enctype=='html') - { - if (!$html_encode_arr) - { - $html_encode_arr = get_html_translation_table(HTML_SPECIALCHARS); + $html_encode_arr = get_html_translation_table(HTML_SPECIALCHARS); unset($html_encode_arr['?']); } @@ -1001,54 +550,58 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE) } else if ($mode=='remove') $str = strip_tags($str); - + + $out = strtr($str, $encode_arr); + // avoid douple quotation of & - $out = preg_replace('/&([a-z]{2,5}|#[0-9]{2,4});/', '&\\1;', strtr($str, $encode_arr)); - + $out = preg_replace('/&([A-Za-z]{2,6}|#[0-9]{2,4});/', '&\\1;', $out); + return $newlines ? nl2br($out) : $out; } - if ($enctype=='url') - return rawurlencode($str); - // if the replace tables for XML and JS are not yet defined - if (!$js_rep_table) + if ($js_rep_table===false) { $js_rep_table = $xml_rep_table = array(); $xml_rep_table['&'] = '&'; for ($c=160; $c<256; $c++) // can be increased to support more charsets - { - $hex = dechex($c); - $xml_rep_table[Chr($c)] = "&#$c;"; - - if ($OUTPUT->get_charset()=='ISO-8859-1') - $js_rep_table[Chr($c)] = sprintf("\u%s%s", str_repeat('0', 4-strlen($hex)), $hex); - } + $xml_rep_table[chr($c)] = "&#$c;"; $xml_rep_table['"'] = '"'; + $js_rep_table['"'] = '\\"'; + $js_rep_table["'"] = "\\'"; + $js_rep_table["\\"] = "\\\\"; + // Unicode line and paragraph separators (#1486310) + $js_rep_table[chr(hexdec(E2)).chr(hexdec(80)).chr(hexdec(A8))] = '
'; + $js_rep_table[chr(hexdec(E2)).chr(hexdec(80)).chr(hexdec(A9))] = '
'; } + // encode for javascript use + if ($enctype=='js') + return preg_replace(array("/\r?\n/", "/\r/", '/<\\//'), array('\n', '\n', '<\\/'), strtr($str, $js_rep_table)); + + // encode for plaintext + if ($enctype=='text') + return str_replace("\r\n", "\n", $mode=='remove' ? strip_tags($str) : $str); + + if ($enctype=='url') + return rawurlencode($str); + // encode for XML if ($enctype=='xml') return strtr($str, $xml_rep_table); - // encode for javascript use - if ($enctype=='js') - { - if ($OUTPUT->get_charset()!='UTF-8') - $str = rcube_charset_convert($str, RCMAIL_CHARSET, $OUTPUT->get_charset()); - - return preg_replace(array("/\r?\n/", "/\r/"), array('\n', '\n'), addslashes(strtr($str, $js_rep_table))); - } - // no encoding given -> return original string return $str; } /** - * Quote a given string. Alias function for rep_specialchars_output - * @see rep_specialchars_output + * Quote a given string. + * Shortcut function for rep_specialchars_output + * + * @return string HTML-quoted string + * @see rep_specialchars_output() */ function Q($str, $mode='strict', $newlines=TRUE) { @@ -1056,8 +609,11 @@ function Q($str, $mode='strict', $newlines=TRUE) } /** - * Quote a given string. Alias function for rep_specialchars_output - * @see rep_specialchars_output + * Quote a given string for javascript output. + * Shortcut function for rep_specialchars_output + * + * @return string JS-quoted string + * @see rep_specialchars_output() */ function JQ($str) { @@ -1076,8 +632,7 @@ function JQ($str) * @return string Field value or NULL if not available */ function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL) - { - global $OUTPUT; +{ $value = NULL; if ($source==RCUBE_INPUT_GET && isset($_GET[$fname])) @@ -1093,120 +648,168 @@ function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL) else if (isset($_COOKIE[$fname])) $value = $_COOKIE[$fname]; } - - // strip slashes if magic_quotes enabled - if ((bool)get_magic_quotes_gpc()) - $value = stripslashes($value); - // remove HTML tags if not allowed - if (!$allow_html) - $value = strip_tags($value); - - // convert to internal charset - if (is_object($OUTPUT)) - return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset); - else - return $value; - } + return parse_input_value($value, $allow_html, $charset); +} /** - * Remove single and double quotes from given string + * Parse/validate input value. See get_input_value() + * Performs stripslashes() and charset conversion if necessary + * + * @param string Input value + * @param boolean Allow HTML tags in field value + * @param string Charset to convert into + * @return string Parsed value */ -function strip_quotes($str) +function parse_input_value($value, $allow_html=FALSE, $charset=NULL) { - return preg_replace('/[\'"]/', '', $str); + global $OUTPUT; + + if (empty($value)) + return $value; + + if (is_array($value)) { + foreach ($value as $idx => $val) + $value[$idx] = parse_input_value($val, $allow_html, $charset); + return $value; + } + + // strip single quotes if magic_quotes_sybase is enabled + if (ini_get('magic_quotes_sybase')) + $value = str_replace("''", "'", $value); + // strip slashes if magic_quotes enabled + else if (get_magic_quotes_gpc() || get_magic_quotes_runtime()) + $value = stripslashes($value); + + // remove HTML tags if not allowed + if (!$allow_html) + $value = strip_tags($value); + + // convert to internal charset + if (is_object($OUTPUT) && $charset) + return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset); + else + return $value; } /** - * Remove new lines characters from given string + * Convert array of request parameters (prefixed with _) + * to a regular array with non-prefixed keys. + * + * @param int Source to get value from (GPC) + * @return array Hash array with all request parameters */ -function strip_newlines($str) +function request2param($mode = RCUBE_INPUT_GPC) { - return preg_replace('/[\r\n]/', '', $str); + $out = array(); + $src = $mode == RCUBE_INPUT_GET ? $_GET : ($mode == RCUBE_INPUT_POST ? $_POST : $_REQUEST); + foreach ($src as $key => $value) { + $fname = $key[0] == '_' ? substr($key, 1) : $key; + $out[$fname] = get_input_value($key, $mode); + } + + return $out; } +/** + * Remove all non-ascii and non-word chars + * except ., -, _ + */ +function asciiwords($str, $css_id = false, $replace_with = '') +{ + $allowed = 'a-z0-9\_\-' . (!$css_id ? '\.' : ''); + return preg_replace("/[^$allowed]/i", $replace_with, $str); +} -// return boolean if a specific template exists -function template_exists($name) - { - global $CONFIG; - $skin_path = $CONFIG['skin_path']; - - // check template file - return is_file("$skin_path/templates/$name.html"); - } +/** + * Convert the given string into a valid HTML identifier + * Same functionality as done in app.js with this.identifier_expr + * + */ +function html_identifier($str) +{ + return asciiwords($str, true, '_'); +} +/** + * Remove single and double quotes from given string + * + * @param string Input value + * @return string Dequoted string + */ +function strip_quotes($str) +{ + return str_replace(array("'", '"'), '', $str); +} -// Wrapper for rcmail_template::parse() -// @deprecated -function parse_template($name='main', $exit=true) - { - $GLOBALS['OUTPUT']->parse($name, $exit); - } +/** + * Remove new lines characters from given string + * + * @param string Input value + * @return string Stripped string + */ +function strip_newlines($str) +{ + return preg_replace('/[\r\n]/', '', $str); +} +/** + * Create a HTML table based on the given data + * + * @param array Named table attributes + * @param mixed Table row data. Either a two-dimensional array or a valid SQL result set + * @param array List of cols to show + * @param string Name of the identifier col + * @return string HTML table code + */ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col) { - global $DB; + global $RCMAIL; - // allow the following attributes to be added to the tag - $attrib_str = create_attrib_string($attrib, array('style', 'class', 'id', 'cellpadding', 'cellspacing', 'border', 'summary')); - - $table = '\n"; + $table = new html_table(/*array('cols' => count($a_show_cols))*/); - // add table title - $table .= "\n"; - - foreach ($a_show_cols as $col) - $table .= '\n"; - - $table .= "\n\n"; + // add table header + if (!$attrib['noheader']) + foreach ($a_show_cols as $col) + $table->add_header($col, Q(rcube_label($col))); $c = 0; if (!is_array($table_data)) + { + $db = $RCMAIL->get_dbh(); + while ($table_data && ($sql_arr = $db->fetch_assoc($table_data))) { - while ($table_data && ($sql_arr = $DB->fetch_assoc($table_data))) - { - $zebra_class = $c%2 ? 'even' : 'odd'; - - $table .= sprintf(''."\n", $sql_arr[$id_col]); + $zebra_class = $c % 2 ? 'even' : 'odd'; + $table->add_row(array('id' => 'rcmrow' . html_identifier($sql_arr[$id_col]), 'class' => $zebra_class)); // format each col foreach ($a_show_cols as $col) - { - $cont = Q($sql_arr[$col]); - $table .= '\n"; - } - - $table .= "\n"; + $table->add($col, Q($sql_arr[$col])); + $c++; - } } + } else - { + { foreach ($table_data as $row_data) - { - $zebra_class = $c%2 ? 'even' : 'odd'; + { + $zebra_class = $c % 2 ? 'even' : 'odd'; + if (!empty($row_data['class'])) + $zebra_class .= ' '.$row_data['class']; - $table .= sprintf(''."\n", $row_data[$id_col]); + $table->add_row(array('id' => 'rcmrow' . html_identifier($row_data[$id_col]), 'class' => $zebra_class)); // format each col foreach ($a_show_cols as $col) - { - $cont = Q($row_data[$col]); - $table .= '\n"; - } - - $table .= "\n"; + $table->add($col, Q(is_array($row_data[$col]) ? $row_data[$col][0] : $row_data[$col])); + $c++; - } } + } - // complete message table - $table .= "
' . Q(rcube_label($col)) . "
' . $cont . "
' . $cont . "
\n"; - - return $table; + return $table->show($attrib); } @@ -1220,52 +823,129 @@ function rcube_table_output($attrib, $table_data, $a_show_cols, $id_col) * @return string HTML field definition */ function rcmail_get_edit_field($col, $value, $attrib, $type='text') - { +{ + static $colcounts = array(); + $fname = '_'.$col; - $attrib['name'] = $fname; + $attrib['name'] = $fname . ($attrib['array'] ? '[]' : ''); + $attrib['class'] = trim($attrib['class'] . ' ff_' . $col); - if ($type=='checkbox') - { + if ($type == 'checkbox') { $attrib['value'] = '1'; - $input = new checkbox($attrib); - } - else if ($type=='textarea') - { + $input = new html_checkbox($attrib); + } + else if ($type == 'textarea') { $attrib['cols'] = $attrib['size']; - $input = new textarea($attrib); - } - else - $input = new textfield($attrib); + $input = new html_textarea($attrib); + } + else if ($type == 'select') { + $input = new html_select($attrib); + $input->add('---', ''); + $input->add(array_values($attrib['options']), array_keys($attrib['options'])); + } + else { + if ($attrib['type'] != 'text' && $attrib['type'] != 'hidden') + $attrib['type'] = 'text'; + $input = new html_inputfield($attrib); + } // use value from post - if (!empty($_POST[$fname])) - $value = $_POST[$fname]; + if (isset($_POST[$fname])) { + $postvalue = get_input_value($fname, RCUBE_INPUT_POST, true); + $value = $attrib['array'] ? $postvalue[intval($colcounts[$col]++)] : $postvalue; + } $out = $input->show($value); - + return $out; - } +} -// return the mail domain configured for the given host -function rcmail_mail_domain($host) +/** + * Replace all css definitions with #container [def] + * and remove css-inlined scripting + * + * @param string CSS source code + * @param string Container ID to use as prefix + * @return string Modified CSS source + */ +function rcmail_mod_css_styles($source, $container_id) { - global $CONFIG; + $last_pos = 0; + $replacements = new rcube_string_replacer; - $domain = $host; - if (is_array($CONFIG['mail_domain'])) - { - if (isset($CONFIG['mail_domain'][$host])) - $domain = $CONFIG['mail_domain'][$host]; - } - else if (!empty($CONFIG['mail_domain'])) - $domain = $CONFIG['mail_domain']; + // ignore the whole block if evil styles are detected + $stripped = preg_replace('/[^a-z\(:;]/', '', rcmail_xss_entity_decode($source)); + if (preg_match('/expression|behavior|url\(|import[^a]/', $stripped)) + return '/* evil! */'; + + // remove css comments (sometimes used for some ugly hacks) + $source = preg_replace('!/\*(.+)\*/!Ums', '', $source); + + // cut out all contents between { and } + while (($pos = strpos($source, '{', $last_pos)) && ($pos2 = strpos($source, '}', $pos))) + { + $key = $replacements->add(substr($source, $pos+1, $pos2-($pos+1))); + $source = substr($source, 0, $pos+1) . $replacements->get_replacement($key) . substr($source, $pos2, strlen($source)-$pos2); + $last_pos = $pos+2; + } - return $domain; + // remove html comments and add #container to each tag selector. + // also replace body definition because we also stripped off the tag + $styles = preg_replace( + array( + '/(^\s*\s*$)/', + '/(^\s*|,\s*|\}\s*)([a-z0-9\._#\*][a-z0-9\.\-_]*)/im', + '/'.preg_quote($container_id, '/').'\s+body/i', + ), + array( + '', + "\\1#$container_id \\2", + $container_id, + ), + $source); + + // put block contents back in + $styles = $replacements->resolve($styles); + + return $styles; } -// compose a valid attribute string for HTML tags +/** + * Decode escaped entities used by known XSS exploits. + * See http://downloads.securityfocus.com/vulnerabilities/exploits/26800.eml for examples + * + * @param string CSS content to decode + * @return string Decoded string + */ +function rcmail_xss_entity_decode($content) +{ + $out = html_entity_decode(html_entity_decode($content)); + $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', 'rcmail_xss_entity_decode_callback', $out); + $out = preg_replace('#/\*.*\*/#Um', '', $out); + return $out; +} + + +/** + * preg_replace_callback callback for rcmail_xss_entity_decode_callback + * + * @param array matches result from preg_replace_callback + * @return string decoded entity + */ +function rcmail_xss_entity_decode_callback($matches) +{ + return chr(hexdec($matches[1])); +} + +/** + * Compose a valid attribute string for HTML tags + * + * @param array Named tag attributes + * @param array List of allowed attributes + * @return string HTML formatted attribute string + */ function create_attrib_string($attrib, $allowed_attribs=array('id', 'class', 'style')) { // allow the following attributes to be added to the