From: Dragan Dosen Date: Tue, 12 Nov 2013 18:51:26 +0000 (+0100) Subject: Dodan divert za squirrelmail/functions/strings.php zbog problema s PHP/SquirrelMail. X-Git-Tag: v2%1.4.23+2^0 X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=commitdiff_plain;h=refs%2Fheads%2Fwheezy;p=squirrelmail-cn.git Dodan divert za squirrelmail/functions/strings.php zbog problema s PHP/SquirrelMail. --- diff --git a/debian/changelog b/debian/changelog index 43072be..8c68ff1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +squirrelmail-cn (2:1.4.23+2) stable; urgency=high + + * Dodan divert za squirrelmail/functions/strings.php zbog problema + s PHP-om i SquirrelMail-om. + + -- Dragan Dosen Tue, 12 Nov 2013 19:07:40 +0100 + squirrelmail-cn (2:1.4.23+1) stable; urgency=low * Prva inacica paketa za Debian wheezy distribuciju. diff --git a/debian/postrm b/debian/postrm index b30cc52..f867340 100644 --- a/debian/postrm +++ b/debian/postrm @@ -2,6 +2,19 @@ set -e +case "$1" in + purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + dpkg-divert --package squirrelmail-cn --remove --rename \ + --divert /usr/share/squirrelmail/functions/strings.php.squirrelmail \ + /usr/share/squirrelmail/functions/strings.php + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. diff --git a/debian/preinst b/debian/preinst new file mode 100644 index 0000000..cfcffc8 --- /dev/null +++ b/debian/preinst @@ -0,0 +1,35 @@ +#!/bin/sh + +set -e + +# summary of how this script can be called: +# * `install' +# * `install' +# * `upgrade' +# * `abort-upgrade' +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + install|upgrade) + dpkg-divert --package squirrelmail-cn --add --rename \ + --divert /usr/share/squirrelmail/functions/strings.php.squirrelmail \ + /usr/share/squirrelmail/functions/strings.php + ;; + + abort-upgrade) + ;; + + *) + echo "preinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/squirrelmail/functions/strings.php b/squirrelmail/functions/strings.php new file mode 100644 index 0000000..c5090d4 --- /dev/null +++ b/squirrelmail/functions/strings.php @@ -0,0 +1,1516 @@ +]*)([^\t >].*)?$/', $line, $regs); + $beginning_spaces = $regs[1]; + if (isset($regs[2])) { + $words = explode(' ', $regs[2]); + } else { + $words = array(); + } + + $i = 0; + $line = $beginning_spaces; + + while ($i < count($words)) { + /* Force one word to be on a line (minimum) */ + $line .= $words[$i]; + $line_len = strlen($beginning_spaces) + sq_strlen($words[$i],$charset) + 2; + if (isset($words[$i + 1])) + $line_len += sq_strlen($words[$i + 1],$charset); + $i ++; + + /* Add more words (as long as they fit) */ + while ($line_len < $wrap && $i < count($words)) { + $line .= ' ' . $words[$i]; + $i++; + if (isset($words[$i])) + $line_len += sq_strlen($words[$i],$charset) + 1; + else + $line_len += 1; + } + + /* Skip spaces if they are the first thing on a continued line */ + while (!isset($words[$i]) && $i < count($words)) { + $i ++; + } + + /* Go to the next line if we have more to process */ + if ($i < count($words)) { + $line .= "\n"; + } + } +} + +/** + * Does the opposite of sqWordWrap() + * @param string body the text to un-wordwrap + * @return void + */ +function sqUnWordWrap(&$body) { + global $squirrelmail_language; + + if ($squirrelmail_language == 'ja_JP') { + return; + } + + $lines = explode("\n", $body); + $body = ''; + $PreviousSpaces = ''; + $cnt = count($lines); + for ($i = 0; $i < $cnt; $i ++) { + preg_match("/^([\t >]*)([^\t >].*)?$/", $lines[$i], $regs); + $CurrentSpaces = $regs[1]; + if (isset($regs[2])) { + $CurrentRest = $regs[2]; + } else { + $CurrentRest = ''; + } + + if ($i == 0) { + $PreviousSpaces = $CurrentSpaces; + $body = $lines[$i]; + } else if (($PreviousSpaces == $CurrentSpaces) /* Do the beginnings match */ + && (strlen($lines[$i - 1]) > 65) /* Over 65 characters long */ + && strlen($CurrentRest)) { /* and there's a line to continue with */ + $body .= ' ' . $CurrentRest; + } else { + $body .= "\n" . $lines[$i]; + $PreviousSpaces = $CurrentSpaces; + } + } + $body .= "\n"; +} + +/** + * Truncates the given string so that it has at + * most $max_chars characters. NOTE that a "character" + * may be a multibyte character, or (optionally), an + * HTML entity, so this function is different than + * using substr() or mb_substr(). + * + * NOTE that if $elipses is given and used, the returned + * number of characters will be $max_chars PLUS the + * length of $elipses + * + * @param string $string The string to truncate + * @param int $max_chars The maximum allowable characters + * @param string $elipses A string that will be added to + * the end of the truncated string + * (ONLY if it is truncated) (OPTIONAL; + * default not used) + * @param boolean $html_entities_as_chars Whether or not to keep + * HTML entities together + * (OPTIONAL; default ignore + * HTML entities) + * + * @return string The truncated string + * + * @since 1.4.20 and 1.5.2 (replaced truncateWithEntities()) + * + */ +function sm_truncate_string($string, $max_chars, $elipses='', + $html_entities_as_chars=FALSE) +{ + + // if the length of the string is less than + // the allowable number of characters, just + // return it as is (even if it contains any + // HTML entities, that would just make the + // actual length even smaller) + // + $actual_strlen = sq_strlen($string, 'auto'); + if ($max_chars <= 0 || $actual_strlen <= $max_chars) + return $string; + + + // if needed, count the number of HTML entities in + // the string up to the maximum character limit, + // pushing that limit up for each entity found + // + $adjusted_max_chars = $max_chars; + if ($html_entities_as_chars) + { + + // $loop_count is needed to prevent an endless loop + // which is caused by buggy mbstring versions that + // return 0 (zero) instead of FALSE in some rare + // cases. Thanks, PHP. + // see: http://bugs.php.net/bug.php?id=52731 + // also: tracker $3053349 + // + $loop_count = 0; + $entity_pos = $entity_end_pos = -1; + while ($entity_end_pos + 1 < $actual_strlen + && ($entity_pos = sq_strpos($string, '&', $entity_end_pos + 1)) !== FALSE + && ($entity_end_pos = sq_strpos($string, ';', $entity_pos)) !== FALSE + && $entity_pos <= $adjusted_max_chars + && $loop_count++ < $max_chars) + { + $adjusted_max_chars += $entity_end_pos - $entity_pos; + } + + + // this isn't necessary because sq_substr() would figure this + // out anyway, but we can avoid a sq_substr() call and we + // know that we don't have to add an elipses (this is now + // an accurate comparison, since $adjusted_max_chars, like + // $actual_strlen, does not take into account HTML entities) + // + if ($actual_strlen <= $adjusted_max_chars) + return $string; + + } + + + // get the truncated string + // + $truncated_string = sq_substr($string, 0, $adjusted_max_chars); + + + // return with added elipses + // + return $truncated_string . $elipses; + +} + +/** + * If $haystack is a full mailbox name and $needle is the mailbox + * separator character, returns the last part of the mailbox name. + * + * @param string haystack full mailbox name to search + * @param string needle the mailbox separator character + * @return string the last part of the mailbox name + */ +function readShortMailboxName($haystack, $needle) { + + if ($needle == '') { + $elem = $haystack; + } else { + $parts = explode($needle, $haystack); + $elem = array_pop($parts); + while ($elem == '' && count($parts)) { + $elem = array_pop($parts); + } + } + return( $elem ); +} + +/** + * php_self + * + * Attempts to determine the path and filename and any arguments + * for the currently executing script. This is usually found in + * $_SERVER['REQUEST_URI'], but some environments may differ, so + * this function tries to standardize this value. + * + * @since 1.2.3 + * @return string The path, filename and any arguments for the + * current script + */ +function php_self() { + + $request_uri = ''; + + // first try $_SERVER['PHP_SELF'], which seems most reliable + // (albeit it usually won't include the query string) + // + $request_uri = ''; + if (!sqgetGlobalVar('PHP_SELF', $request_uri, SQ_SERVER) + || empty($request_uri)) { + + // well, then let's try $_SERVER['REQUEST_URI'] + // + $request_uri = ''; + if (!sqgetGlobalVar('REQUEST_URI', $request_uri, SQ_SERVER) + || empty($request_uri)) { + + // TODO: anyone have any other ideas? maybe $_SERVER['SCRIPT_NAME']??? + // + return ''; + } + + } + + // we may or may not have any query arguments, depending on + // which environment variable was used above, and the PHP + // version, etc., so let's check for it now + // + $query_string = ''; + if (strpos($request_uri, '?') === FALSE + && sqgetGlobalVar('QUERY_STRING', $query_string, SQ_SERVER) + && !empty($query_string)) { + + $request_uri .= '?' . $query_string; + } + + return $request_uri; + +} + + +/** + * Find out where squirrelmail lives and try to be smart about it. + * The only problem would be when squirrelmail lives in directories + * called "src", "functions", or "plugins", but people who do that need + * to be beaten with a steel pipe anyway. + * + * @return string the base uri of squirrelmail installation. + */ +function sqm_baseuri(){ + global $base_uri, $PHP_SELF; + /** + * If it is in the session, just return it. + */ + if (sqgetGlobalVar('base_uri',$base_uri,SQ_SESSION)){ + return $base_uri; + } + $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|'); + $repl = array('', '', ''); + $base_uri = preg_replace($dirs, $repl, $PHP_SELF); + return $base_uri; +} + +/** + * get_location + * + * Determines the location to forward to, relative to your server. + * This is used in HTTP Location: redirects. + * If set, it uses $config_location_base as the first part of the URL, + * specifically, the protocol, hostname and port parts. The path is + * always autodetected. + * + * @return string the base url for this SquirrelMail installation + */ +function get_location () { + + global $imap_server_type, $config_location_base, + $is_secure_connection, $sq_ignore_http_x_forwarded_headers; + + /* Get the path, handle virtual directories */ + if(strpos(php_self(), '?')) { + $path = substr(php_self(), 0, strpos(php_self(), '?')); + } else { + $path = php_self(); + } + $path = substr($path, 0, strrpos($path, '/')); + + // proto+host+port are already set in config: + if ( !empty($config_location_base) ) { + // register it in the session just in case some plugin depends on this + sqsession_register($config_location_base . $path, 'sq_base_url'); + return $config_location_base . $path ; + } + // we computed it before, get it from the session: + if ( sqgetGlobalVar('sq_base_url', $full_url, SQ_SESSION) ) { + return $full_url . $path; + } + // else: autodetect + + /* Check if this is a HTTPS or regular HTTP request. */ + $proto = 'http://'; + if ($is_secure_connection) + $proto = 'https://'; + + /* Get the hostname from the Host header or server config. */ + if ($sq_ignore_http_x_forwarded_headers + || !sqgetGlobalVar('HTTP_X_FORWARDED_HOST', $host, SQ_SERVER) + || empty($host)) { + if ( !sqgetGlobalVar('HTTP_HOST', $host, SQ_SERVER) || empty($host) ) { + if ( !sqgetGlobalVar('SERVER_NAME', $host, SQ_SERVER) || empty($host) ) { + $host = ''; + } + } + } + + $port = ''; + if (strpos($host, ':') === FALSE) { + // Note: HTTP_X_FORWARDED_PROTO could be sent from the client and + // therefore possibly spoofed/hackable - for now, the + // administrator can tell SM to ignore this value by setting + // $sq_ignore_http_x_forwarded_headers to boolean TRUE in + // config/config_local.php, but in the future we may + // want to default this to TRUE and make administrators + // who use proxy systems turn it off (see 1.5.2+). + global $sq_ignore_http_x_forwarded_headers; + if ($sq_ignore_http_x_forwarded_headers + || !sqgetGlobalVar('HTTP_X_FORWARDED_PROTO', $forwarded_proto, SQ_SERVER)) + $forwarded_proto = ''; + if (sqgetGlobalVar('SERVER_PORT', $server_port, SQ_SERVER)) { + if (($server_port != 80 && $proto == 'http://') || + ($server_port != 443 && $proto == 'https://' && + strcasecmp($forwarded_proto, 'https') !== 0)) { + $port = sprintf(':%d', $server_port); + } + } + } + + /* this is a workaround for the weird macosx caching that + causes Apache to return 16080 as the port number, which causes + SM to bail */ + + if ($imap_server_type == 'macosx' && $port == ':16080') { + $port = ''; + } + + /* Fallback is to omit the server name and use a relative */ + /* URI, although this is not RFC 2616 compliant. */ + $full_url = ($host ? $proto . $host . $port : ''); + sqsession_register($full_url, 'sq_base_url'); + return $full_url . $path; +} + + +/** + * Encrypts password + * + * These functions are used to encrypt the password before it is + * stored in a cookie. The encryption key is generated by + * OneTimePadCreate(); + * + * @param string string the (password)string to encrypt + * @param string epad the encryption key + * @return string the base64-encoded encrypted password + */ +function OneTimePadEncrypt ($string, $epad) { + $pad = base64_decode($epad); + + if (strlen($pad)>0) { + // make sure that pad is longer than string + while (strlen($string)>strlen($pad)) { + $pad.=$pad; + } + } else { + // FIXME: what should we do when $epad is not base64 encoded or empty. + } + + $encrypted = ''; + for ($i = 0; $i < strlen ($string); $i++) { + $encrypted .= chr (ord($string[$i]) ^ ord($pad[$i])); + } + + return base64_encode($encrypted); +} + +/** + * Decrypts a password from the cookie + * + * Decrypts a password from the cookie, encrypted by OneTimePadEncrypt. + * This uses the encryption key that is stored in the session. + * + * @param string string the string to decrypt + * @param string epad the encryption key from the session + * @return string the decrypted password + */ +function OneTimePadDecrypt ($string, $epad) { + $pad = base64_decode($epad); + + if (strlen($pad)>0) { + // make sure that pad is longer than string + while (strlen($string)>strlen($pad)) { + $pad.=$pad; + } + } else { + // FIXME: what should we do when $epad is not base64 encoded or empty. + } + + $encrypted = base64_decode ($string); + $decrypted = ''; + for ($i = 0; $i < strlen ($encrypted); $i++) { + $decrypted .= chr (ord($encrypted[$i]) ^ ord($pad[$i])); + } + + return $decrypted; +} + + +/** + * Randomizes the mt_rand() function. + * + * Toss this in strings or integers and it will seed the generator + * appropriately. With strings, it is better to get them long. + * Use md5() to lengthen smaller strings. + * + * @param mixed val a value to seed the random number generator + * @return void + */ +function sq_mt_seed($Val) { + /* if mt_getrandmax() does not return a 2^n - 1 number, + this might not work well. This uses $Max as a bitmask. */ + $Max = mt_getrandmax(); + + if (! is_int($Val)) { + $Val = crc32($Val); + } + + if ($Val < 0) { + $Val *= -1; + } + + if ($Val == 0) { + return; + } + + mt_srand(($Val ^ mt_rand(0, $Max)) & $Max); +} + + +/** + * Init random number generator + * + * This function initializes the random number generator fairly well. + * It also only initializes it once, so you don't accidentally get + * the same 'random' numbers twice in one session. + * + * @return void + */ +function sq_mt_randomize() { + static $randomized; + + if ($randomized) { + return; + } + + /* Global. */ + sqgetGlobalVar('REMOTE_PORT', $remote_port, SQ_SERVER); + sqgetGlobalVar('REMOTE_ADDR', $remote_addr, SQ_SERVER); + sq_mt_seed((int)((double) microtime() * 1000000)); + sq_mt_seed(md5($remote_port . $remote_addr . getmypid())); + + /* getrusage */ + if (function_exists('getrusage')) { + /* Avoid warnings with Win32 */ + $dat = @getrusage(); + if (isset($dat) && is_array($dat)) { + $Str = ''; + foreach ($dat as $k => $v) + { + $Str .= $k . $v; + } + sq_mt_seed(md5($Str)); + } + } + + if(sqgetGlobalVar('UNIQUE_ID', $unique_id, SQ_SERVER)) { + sq_mt_seed(md5($unique_id)); + } + + $randomized = 1; +} + +/** + * Creates encryption key + * + * Creates an encryption key for encrypting the password stored in the cookie. + * The encryption key itself is stored in the session. + * + * @param int length optional, length of the string to generate + * @return string the encryption key + */ +function OneTimePadCreate ($length=100) { + sq_mt_randomize(); + + $pad = ''; + for ($i = 0; $i < $length; $i++) { + $pad .= chr(mt_rand(0,255)); + } + + return base64_encode($pad); +} + +/** + * Returns a string showing the size of the message/attachment. + * + * @param int bytes the filesize in bytes + * @return string the filesize in human readable format + */ +function show_readable_size($bytes) { + $bytes /= 1024; + $type = 'k'; + + if ($bytes / 1024 > 1) { + $bytes /= 1024; + $type = 'M'; + } + + if ($bytes < 10) { + $bytes *= 10; + settype($bytes, 'integer'); + $bytes /= 10; + } else { + settype($bytes, 'integer'); + } + + return $bytes . ' ' . $type . ''; +} + +/** + * Generates a random string from the caracter set you pass in + * + * @param int size the size of the string to generate + * @param string chars a string containing the characters to use + * @param int flags a flag to add a specific set to the characters to use: + * Flags: + * 1 = add lowercase a-z to $chars + * 2 = add uppercase A-Z to $chars + * 4 = add numbers 0-9 to $chars + * @return string the random string + */ +function GenerateRandomString($size, $chars, $flags = 0) { + if ($flags & 0x1) { + $chars .= 'abcdefghijklmnopqrstuvwxyz'; + } + if ($flags & 0x2) { + $chars .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; + } + if ($flags & 0x4) { + $chars .= '0123456789'; + } + + if (($size < 1) || (strlen($chars) < 1)) { + return ''; + } + + sq_mt_randomize(); /* Initialize the random number generator */ + + $String = ''; + $j = strlen( $chars ) - 1; + while (strlen($String) < $size) { + $String .= $chars{mt_rand(0, $j)}; + } + + return $String; +} + +/** + * Escapes special characters for use in IMAP commands. + * + * @param string the string to escape + * @return string the escaped string + */ +function quoteimap($str) { + // FIXME use this performance improvement (not changing because this is STABLE branch): return str_replace(array('\\', '"'), array('\\\\', '\\"'), $str); + return preg_replace("/([\"\\\\])/", "\\\\$1", $str); +} + +/** + * Trims array + * + * Trims every element in the array, ie. remove the first char of each element + * Obsolete: will probably removed soon + * @param array array the array to trim + * @obsolete + */ +function TrimArray(&$array) { + foreach ($array as $k => $v) { + global $$k; + if (is_array($$k)) { + foreach ($$k as $k2 => $v2) { + $$k[$k2] = substr($v2, 1); + } + } else { + $$k = substr($v, 1); + } + + /* Re-assign back to array. */ + $array[$k] = $$k; + } +} + +/** + * Removes slashes from every element in the array + */ +function RemoveSlashes(&$array) { + foreach ($array as $k => $v) { + global $$k; + if (is_array($$k)) { + foreach ($$k as $k2 => $v2) { + $newArray[stripslashes($k2)] = stripslashes($v2); + } + $$k = $newArray; + } else { + $$k = stripslashes($v); + } + + /* Re-assign back to the array. */ + $array[$k] = $$k; + } +} + +/** + * Create compose link + * + * Returns a link to the compose-page, taking in consideration + * the compose_in_new and javascript settings. + * @param string url the URL to the compose page + * @param string text the link text, default "Compose" + * @return string a link to the compose page + */ +function makeComposeLink($url, $text = null, $target='') +{ + global $compose_new_win,$javascript_on; + + if(!$text) { + $text = _("Compose"); + } + + + // if not using "compose in new window", make + // regular link and be done with it + if($compose_new_win != '1') { + return makeInternalLink($url, $text, $target); + } + + + // build the compose in new window link... + + + // if javascript is on, use onClick event to handle it + if($javascript_on) { + sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION); + return ''. $text.''; + } + + + // otherwise, just open new window using regular HTML + return makeInternalLink($url, $text, '_blank'); + +} + +/** + * Print variable + * + * sm_print_r($some_variable, [$some_other_variable [, ...]]); + * + * Debugging function - does the same as print_r, but makes sure special + * characters are converted to htmlentities first. This will allow + * values like to be displayed. + * The output is wrapped in <
> and <
> tags. + * + * @return void + */ +function sm_print_r() { + ob_start(); // Buffer output + foreach(func_get_args() as $var) { + print_r($var); + echo "\n"; + } + $buffer = ob_get_contents(); // Grab the print_r output + ob_end_clean(); // Silently discard the output & stop buffering + print '
';
+    print htmlentities($buffer);
+    print '
'; +} + +/** + * version of fwrite which checks for failure + */ +function sq_fwrite($fp, $string) { + // write to file + $count = @fwrite($fp,$string); + // the number of bytes written should be the length of the string + if($count != strlen($string)) { + return FALSE; + } + + return $count; +} +/** + * Tests if string contains 8bit symbols. + * + * If charset is not set, function defaults to default_charset. + * $default_charset global must be set correctly if $charset is + * not used. + * @param string $string tested string + * @param string $charset charset used in a string + * @return bool true if 8bit symbols are detected + * @since 1.5.1 and 1.4.4 + */ +function sq_is8bit($string,$charset='') { + global $default_charset; + + if ($charset=='') $charset=$default_charset; + + /** + * Don't use \240 in ranges. Sometimes RH 7.2 doesn't like it. + * Don't use \200-\237 for iso-8859-x charsets. This ranges + * stores control symbols in those charsets. + * Use preg_match instead of ereg in order to avoid problems + * with mbstring overloading + */ + if (preg_match("/^iso-8859/i",$charset)) { + $needle='/\240|[\241-\377]/'; + } else { + $needle='/[\200-\237]|\240|[\241-\377]/'; + } + return preg_match("$needle",$string); +} + +/** + * Function returns number of characters in string. + * + * Returned number might be different from number of bytes in string, + * if $charset is multibyte charset. Detection depends on mbstring + * functions. If mbstring does not support tested multibyte charset, + * vanilla string length function is used. + * @param string $str string + * @param string $charset charset + * @since 1.5.1 and 1.4.6 + * @return integer number of characters in string + */ +function sq_strlen($string, $charset=NULL){ + + // NULL charset? Just use strlen() + // + if (is_null($charset)) + return strlen($string); + + + // use current character set? + // + if ($charset == 'auto') + { +//FIXME: this may or may not be better as a session value instead of a global one + global $sq_string_func_auto_charset; + if (!isset($sq_string_func_auto_charset)) + { + global $default_charset, $squirrelmail_language; + set_my_charset(); + $sq_string_func_auto_charset = $default_charset; + if ($squirrelmail_language == 'ja_JP') $sq_string_func_auto_charset = 'euc-jp'; + } + $charset = $sq_string_func_auto_charset; + } + + + // standardize character set name + // + $charset = strtolower($charset); + + +/* ===== FIXME: this list is not used in 1.5.x, but if we need it, unless this differs between all our string function wrappers, we should store this info in the session + // only use mbstring with the following character sets + // + $sq_strlen_mb_charsets = array( + 'utf-8', + 'big5', + 'gb2312', + 'gb18030', + 'euc-jp', + 'euc-cn', + 'euc-tw', + 'euc-kr' + ); + + + // now we can use mb_strlen() if needed + // + if (in_array($charset, $sq_strlen_mb_charsets) + && in_array($charset, sq_mb_list_encodings())) +===== */ +//FIXME: is there any reason why this cannot be a static global array used by all string wrapper functions? + if (in_array($charset, sq_mb_list_encodings())) + return mb_strlen($string, $charset); + + + // else use normal strlen() + // + return strlen($string); + +} + +/** + * This is a replacement for PHP's strpos() that is + * multibyte-aware. + * + * @param string $haystack The string to search within + * @param string $needle The substring to search for + * @param int $offset The offset from the beginning of $haystack + * from which to start searching + * (OPTIONAL; default none) + * @param string $charset The charset of the given string. A value of NULL + * here will force the use of PHP's standard strpos(). + * (OPTIONAL; default is "auto", which indicates that + * the user's current charset should be used). + * + * @return mixed The integer offset of the next $needle in $haystack, + * if found, or FALSE if not found + * + */ +function sq_strpos($haystack, $needle, $offset=0, $charset='auto') +{ + + // NULL charset? Just use strpos() + // + if (is_null($charset)) + return strpos($haystack, $needle, $offset); + + + // use current character set? + // + if ($charset == 'auto') + { +//FIXME: this may or may not be better as a session value instead of a global one + global $sq_string_func_auto_charset; + if (!isset($sq_string_func_auto_charset)) + { + global $default_charset, $squirrelmail_language; + set_my_charset(); + $sq_string_func_auto_charset = $default_charset; + if ($squirrelmail_language == 'ja_JP') $sq_string_func_auto_charset = 'euc-jp'; + } + $charset = $sq_string_func_auto_charset; + } + + + // standardize character set name + // + $charset = strtolower($charset); + + +/* ===== FIXME: this list is not used in 1.5.x, but if we need it, unless this differs between all our string function wrappers, we should store this info in the session + // only use mbstring with the following character sets + // + $sq_strpos_mb_charsets = array( + 'utf-8', + 'big5', + 'gb2312', + 'gb18030', + 'euc-jp', + 'euc-cn', + 'euc-tw', + 'euc-kr' + ); + + + // now we can use mb_strpos() if needed + // + if (in_array($charset, $sq_strpos_mb_charsets) + && in_array($charset, sq_mb_list_encodings())) +===== */ +//FIXME: is there any reason why this cannot be a static global array used by all string wrapper functions? + if (in_array($charset, sq_mb_list_encodings())) + return mb_strpos($haystack, $needle, $offset, $charset); + + + // else use normal strpos() + // + return strpos($haystack, $needle, $offset); + +} + +/** + * This is a replacement for PHP's substr() that is + * multibyte-aware. + * + * @param string $string The string to operate upon + * @param int $start The offset at which to begin substring extraction + * @param int $length The number of characters after $start to return + * NOTE that if you need to specify a charset but + * want to achieve normal substr() behavior where + * $length is not specified, use NULL (OPTIONAL; + * default from $start to end of string) + * @param string $charset The charset of the given string. A value of NULL + * here will force the use of PHP's standard substr(). + * (OPTIONAL; default is "auto", which indicates that + * the user's current charset should be used). + * + * @return string The desired substring + * + * Of course, you can use more advanced (e.g., negative) values + * for $start and $length as needed - see the PHP manual for more + * information: http://www.php.net/manual/function.substr.php + * + */ +function sq_substr($string, $start, $length=NULL, $charset='auto') +{ + + // if $length is NULL, use the full string length... + // we have to do this to mimick the use of substr() + // where $length is not given + // + if (is_null($length)) + $length = sq_strlen($length, $charset); + + + // NULL charset? Just use substr() + // + if (is_null($charset)) + return substr($string, $start, $length); + + + // use current character set? + // + if ($charset == 'auto') + { +//FIXME: this may or may not be better as a session value instead of a global one + global $sq_string_func_auto_charset; + if (!isset($sq_string_func_auto_charset)) + { + global $default_charset, $squirrelmail_language; + set_my_charset(); + $sq_string_func_auto_charset = $default_charset; + if ($squirrelmail_language == 'ja_JP') $sq_string_func_auto_charset = 'euc-jp'; + } + $charset = $sq_string_func_auto_charset; + } + + + // standardize character set name + // + $charset = strtolower($charset); + + +/* ===== FIXME: this list is not used in 1.5.x, but if we need it, unless this differs between all our string function wrappers, we should store this info in the session + // only use mbstring with the following character sets + // + $sq_substr_mb_charsets = array( + 'utf-8', + 'big5', + 'gb2312', + 'gb18030', + 'euc-jp', + 'euc-cn', + 'euc-tw', + 'euc-kr' + ); + + + // now we can use mb_substr() if needed + // + if (in_array($charset, $sq_substr_mb_charsets) + && in_array($charset, sq_mb_list_encodings())) +===== */ +//FIXME: is there any reason why this cannot be a global array used by all string wrapper functions? + if (in_array($charset, sq_mb_list_encodings())) + return mb_substr($string, $start, $length, $charset); + + + // else use normal substr() + // + return substr($string, $start, $length); + +} + +/** + * This is a replacement for PHP's substr_replace() that is + * multibyte-aware. + * + * @param string $string The string to operate upon + * @param string $replacement The string to be inserted + * @param int $start The offset at which to begin substring replacement + * @param int $length The number of characters after $start to remove + * NOTE that if you need to specify a charset but + * want to achieve normal substr_replace() behavior + * where $length is not specified, use NULL (OPTIONAL; + * default from $start to end of string) + * @param string $charset The charset of the given string. A value of NULL + * here will force the use of PHP's standard substr(). + * (OPTIONAL; default is "auto", which indicates that + * the user's current charset should be used). + * + * @return string The manipulated string + * + * Of course, you can use more advanced (e.g., negative) values + * for $start and $length as needed - see the PHP manual for more + * information: http://www.php.net/manual/function.substr-replace.php + * + */ +function sq_substr_replace($string, $replacement, $start, $length=NULL, + $charset='auto') +{ + + // NULL charset? Just use substr_replace() + // + if (is_null($charset)) + return is_null($length) ? substr_replace($string, $replacement, $start) + : substr_replace($string, $replacement, $start, $length); + + + // use current character set? + // + if ($charset == 'auto') + { +//FIXME: this may or may not be better as a session value instead of a global one + $charset = $auto_charset; + global $sq_string_func_auto_charset; + if (!isset($sq_string_func_auto_charset)) + { + global $default_charset, $squirrelmail_language; + set_my_charset(); + $sq_string_func_auto_charset = $default_charset; + if ($squirrelmail_language == 'ja_JP') $sq_string_func_auto_charset = 'euc-jp'; + } + $charset = $sq_string_func_auto_charset; + } + + + // standardize character set name + // + $charset = strtolower($charset); + + +/* ===== FIXME: this list is not used in 1.5.x, but if we need it, unless this differs between all our string function wrappers, we should store this info in the session + // only use mbstring with the following character sets + // + $sq_substr_replace_mb_charsets = array( + 'utf-8', + 'big5', + 'gb2312', + 'gb18030', + 'euc-jp', + 'euc-cn', + 'euc-tw', + 'euc-kr' + ); + + + // now we can use our own implementation using + // mb_substr() and mb_strlen() if needed + // + if (in_array($charset, $sq_substr_replace_mb_charsets) + && in_array($charset, sq_mb_list_encodings())) +===== */ +//FIXME: is there any reason why this cannot be a global array used by all string wrapper functions? + if (in_array($charset, sq_mb_list_encodings())) + { + + $string_length = mb_strlen($string, $charset); + + if ($start < 0) + $start = max(0, $string_length + $start); + + else if ($start > $string_length) + $start = $string_length; + + if ($length < 0) + $length = max(0, $string_length - $start + $length); + + else if (is_null($length) || $length > $string_length) + $length = $string_length; + + if ($start + $length > $string_length) + $length = $string_length - $start; + + return mb_substr($string, 0, $start, $charset) + . $replacement + . mb_substr($string, + $start + $length, + $string_length, // FIXME: I can't see why this is needed: - $start - $length, + $charset); + + } + + + // else use normal substr_replace() + // + return is_null($length) ? substr_replace($string, $replacement, $start) + : substr_replace($string, $replacement, $start, $length); + +} + +/** + * Replacement of mb_list_encodings function + * + * This function provides replacement for function that is available only + * in php 5.x. Function does not test all mbstring encodings. Only the ones + * that might be used in SM translations. + * + * Supported strings are stored in session in order to reduce number of + * mb_internal_encoding function calls. + * + * If mb_list_encodings() function is present, code uses it. Main difference + * from original function behaviour - array values are lowercased in order to + * simplify use of returned array in in_array() checks. + * + * If you want to test all mbstring encodings - fill $list_of_encodings + * array. + * @return array list of encodings supported by php mbstring extension + * @since 1.5.1 and 1.4.6 + */ +function sq_mb_list_encodings() { + + // if it's already in the session, don't need to regenerate it + if (sqgetGlobalVar('mb_supported_encodings',$mb_supported_encodings,SQ_SESSION) + && is_array($mb_supported_encodings)) + return $mb_supported_encodings; + + // check if mbstring extension is present + if (! function_exists('mb_internal_encoding')) { + $supported_encodings = array(); + sqsession_register($supported_encodings, 'mb_supported_encodings'); + return $supported_encodings; + } + + // php 5+ function + if (function_exists('mb_list_encodings')) { + $supported_encodings = mb_list_encodings(); + array_walk($supported_encodings, 'sq_lowercase_array_vals'); + sqsession_register($supported_encodings, 'mb_supported_encodings'); + return $supported_encodings; + } + + // save original encoding + $orig_encoding=mb_internal_encoding(); + + $list_of_encoding=array( + 'pass', + 'auto', + 'ascii', + 'jis', + 'utf-8', + 'sjis', + 'euc-jp', + 'iso-8859-1', + 'iso-8859-2', + 'iso-8859-7', + 'iso-8859-9', + 'iso-8859-15', + 'koi8-r', + 'koi8-u', + 'big5', + 'gb2312', + 'gb18030', + 'windows-1251', + 'windows-1255', + 'windows-1256', + 'tis-620', + 'iso-2022-jp', + 'euc-cn', + 'euc-kr', + 'euc-tw', + 'uhc', + 'utf7-imap'); + + $supported_encodings=array(); + + foreach ($list_of_encoding as $encoding) { + // try setting encodings. suppress warning messages + if (@mb_internal_encoding($encoding)) + $supported_encodings[]=$encoding; + } + + // restore original encoding + mb_internal_encoding($orig_encoding); + + // register list in session + sqsession_register($supported_encodings, 'mb_supported_encodings'); + + return $supported_encodings; +} + +/** + * Callback function used to lowercase array values. + * @param string $val array value + * @param mixed $key array key + * @since 1.5.1 and 1.4.6 + */ +function sq_lowercase_array_vals(&$val,$key) { + $val = strtolower($val); +} + +/** + * Callback function to trim whitespace from a value, to be used in array_walk + * @param string $value value to trim + * @since 1.5.2 and 1.4.7 + */ +function sq_trim_value ( &$value ) { + $value = trim($value); +} + +/** + * Gathers the list of secuirty tokens currently + * stored in the user's preferences and optionally + * purges old ones from the list. + * + * @param boolean $purge_old Indicates if old tokens + * should be purged from the + * list ("old" is 2 days or + * older unless the administrator + * overrides that value using + * $max_token_age_days in + * config/config_local.php) + * (OPTIONAL; default is to always + * purge old tokens) + * + * @return array The list of tokens + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_get_user_security_tokens($purge_old=TRUE) +{ + + global $data_dir, $username, $max_token_age_days; + + $tokens = getPref($data_dir, $username, 'security_tokens', ''); + if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens)) + $tokens = array(); + + // purge old tokens if necessary + // + if ($purge_old) + { + if (empty($max_token_age_days)) $max_token_age_days = 2; + $now = time(); + $discard_token_date = $now - ($max_token_age_days * 86400); + $cleaned_tokens = array(); + foreach ($tokens as $token => $timestamp) + if ($timestamp >= $discard_token_date) + $cleaned_tokens[$token] = $timestamp; + $tokens = $cleaned_tokens; + } + + return $tokens; + +} + +/** + * Generates a security token that is then stored in + * the user's preferences with a timestamp for later + * verification/use. + * + * NOTE: The administrator can force SquirrelMail to generate + * a new token every time one is requested (which may increase + * obscurity through token randomness at the cost of some + * performance) by adding the following to + * config/config_local.php: $do_not_use_single_token = TRUE; + * Otherwise, only one token will be generated per user which + * will change only after it expires or is used outside of the + * validity period specified when calling sm_validate_security_token() + * + * WARNING: If the administrator has turned the token system + * off by setting $disable_security_tokens to TRUE in + * config/config.php or the configuration tool, this + * function will not store tokens in the user + * preferences (but it will still generate and return + * a random string). + * + * @param boolean $force_generate_new When TRUE, a new token will + * always be created even if current + * configuration dictates otherwise + * (OPTIONAL; default FALSE) + * + * @return string A security token + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_generate_security_token($force_generate_new=FALSE) +{ + + global $data_dir, $username, $disable_security_tokens, $do_not_use_single_token; + $max_generation_tries = 1000; + + $tokens = sm_get_user_security_tokens(); + + if (!$force_generate_new && !$do_not_use_single_token && !empty($tokens)) + return key($tokens); + + $new_token = GenerateRandomString(12, '', 7); + $count = 0; + while (isset($tokens[$new_token])) + { + $new_token = GenerateRandomString(12, '', 7); + if (++$count > $max_generation_tries) + { + logout_error(_("Fatal token generation error; please contact your system administrator or the SquirrelMail Team")); + exit; + } + } + + // is the token system enabled? CAREFUL! + // + if (!$disable_security_tokens) + { + $tokens[$new_token] = time(); + setPref($data_dir, $username, 'security_tokens', serialize($tokens)); + } + + return $new_token; + +} + +/** + * Validates a given security token and optionally remove it + * from the user's preferences if it was valid. If the token + * is too old but otherwise valid, it will still be rejected. + * + * "Too old" is 2 days or older unless the administrator + * overrides that value using $max_token_age_days in + * config/config_local.php + * + * WARNING: If the administrator has turned the token system + * off by setting $disable_security_tokens to TRUE in + * config/config.php or the configuration tool, this + * function will always return TRUE. + * + * @param string $token The token to validate + * @param int $validity_period The number of seconds tokens are valid + * for (set to zero to remove valid tokens + * after only one use; use 3600 to allow + * tokens to be reused for an hour) + * (OPTIONAL; default is to only allow tokens + * to be used once) + * NOTE this is unrelated to $max_token_age_days + * or rather is an additional time constraint on + * tokens that allows them to be re-used (or not) + * within a more narrow timeframe + * @param boolean $show_error Indicates that if the token is not + * valid, this function should display + * a generic error, log the user out + * and exit - this function will never + * return in that case. + * (OPTIONAL; default FALSE) + * + * @return boolean TRUE if the token validated; FALSE otherwise + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_validate_security_token($token, $validity_period=0, $show_error=FALSE) +{ + + global $data_dir, $username, $max_token_age_days, + $disable_security_tokens; + + // bypass token validation? CAREFUL! + // + if ($disable_security_tokens) return TRUE; + + // don't purge old tokens here because we already + // do it when generating tokens + // + $tokens = sm_get_user_security_tokens(FALSE); + + // token not found? + // + if (empty($tokens[$token])) + { + if (!$show_error) return FALSE; + logout_error(_("This page request could not be verified and appears to have expired.")); + exit; + } + + $now = time(); + $timestamp = $tokens[$token]; + + // whether valid or not, we want to remove it from + // user prefs if it's old enough + // + if ($timestamp < $now - $validity_period) + { + unset($tokens[$token]); + setPref($data_dir, $username, 'security_tokens', serialize($tokens)); + } + + // reject tokens that are too old + // + if (empty($max_token_age_days)) $max_token_age_days = 2; + $old_token_date = $now - ($max_token_age_days * 86400); + if ($timestamp < $old_token_date) + { + if (!$show_error) return FALSE; + logout_error(_("The current page request appears to have originated from an untrusted source.")); + exit; + } + + // token OK! + // + return TRUE; + +} + +/** + * Wrapper for PHP's htmlspecialchars() that + * attempts to add the correct character encoding + * + * @param string $string The string to be converted + * @param int $flags A bitmask that controls the behavior of htmlspecialchars() + * (See http://php.net/manual/function.htmlspecialchars.php ) + * (OPTIONAL; default ENT_COMPAT) + * @param string $encoding The character encoding to use in the conversion + * (OPTIONAL; default automatic detection) + * @param boolean $double_encode Whether or not to convert entities that are + * already in the string (only supported in + * PHP 5.2.3+) (OPTIONAL; default TRUE) + * + * @return string The converted text + * + */ +function sm_encode_html_special_chars($string, $flags=ENT_COMPAT, + $encoding=NULL, $double_encode=TRUE) +{ + if (!$encoding) + { + global $default_charset; + if ($default_charset == 'iso-2022-jp') + $default_charset = 'EUC-JP'; + $encoding = $default_charset; + } + + $string = iconv($encoding, 'UTF-8', $string); + if (check_php_version(5, 2, 3)) + $ret = htmlspecialchars($string, $flags, 'UTF-8', $double_encode); + else + $ret = htmlspecialchars($string, $flags, 'UTF-8'); + + return iconv('UTF-8', $encoding, $ret); +} + +$PHP_SELF = php_self();