githubFork/roundcubemail.git

thomascube

2011-08-12 3b4dee3735c976d5ecd21430515df014262b8e21

commit \| author \| age
4e17e6	1	<?php
T	2	/*
a6f90e	3	+-------------------------------------------------------------------------+
e019f2	4	\| Roundcube Webmail IMAP Client \|
3b4dee	5	\| Version 0.5.4 \|
a6f90e	6	\| \|
98cb0f	7	\| Copyright (C) 2005-2011, Roundcube Dev. - Switzerland \|
a6f90e	8	\| \|
A	9	\| This program is free software; you can redistribute it and/or modify \|
	10	\| it under the terms of the GNU General Public License version 2 \|
	11	\| as published by the Free Software Foundation. \|
	12	\| \|
	13	\| This program is distributed in the hope that it will be useful, \|
	14	\| but WITHOUT ANY WARRANTY; without even the implied warranty of \|
	15	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \|
	16	\| GNU General Public License for more details. \|
	17	\| \|
	18	\| You should have received a copy of the GNU General Public License along \|
	19	\| with this program; if not, write to the Free Software Foundation, Inc., \|
	20	\| 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. \|
	21	\| \|
	22	+-------------------------------------------------------------------------+
	23	\| Author: Thomas Bruederli <roundcube@gmail.com> \|
	24	+-------------------------------------------------------------------------+
4e17e6	25
T	26	$Id$
	27
	28	*/
15a9d1	29
47124c	30	// include environment
T	31	require_once 'program/include/iniset.php';
15a9d1	32
48bc52	33	// init application, start session, init output class, etc.
83a763	34	$RCMAIL = rcmail::get_instance();
T	35
d51c93	36	// turn on output buffering
A	37	ob_start();
8affba	38
8c72e3	39	// check if config files had errors
T	40	if ($err_str = $RCMAIL->config->get_error()) {
	41	raise_error(array(
	42	'code' => 601,
	43	'type' => 'php',
	44	'message' => $err_str), false, true);
	45	}
	46
8affba	47	// check DB connections and exit on failure
47124c	48	if ($err_str = $DB->is_error()) {
f11541	49	raise_error(array(
T	50	'code' => 603,
	51	'type' => 'db',
	52	'message' => $err_str), FALSE, TRUE);
	53	}
8affba	54
4e17e6	55	// error steps
197601	56	if ($RCMAIL->action=='error' && !empty($_GET['_code'])) {
4e17e6	57	raise_error(array('code' => hexdec($_GET['_code'])), FALSE, TRUE);
47124c	58	}
570f0b	59
f5d61d	60	// check if https is required (for login) and redirect if necessary
T	61	if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
	62	$https_port = is_bool($force_https) ? 443 : $force_https;
5818e4	63	if (!rcube_https_check($https_port)) {
76c94b	64	$host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
A	65	$host .= ($https_port != 443 ? ':' . $https_port : '');
	66	header('Location: https://' . $host . $_SERVER['REQUEST_URI']);
f5d61d	67	exit;
T	68	}
	69	}
	70
cc97ea	71	// trigger startup plugin hook
T	72	$startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
	73	$RCMAIL->set_task($startup['task']);
	74	$RCMAIL->action = $startup['action'];
	75
4e17e6	76	// try to log in
9b94eb	77	if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
b46e5b	78	$request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login');
T	79
0129d7	80	// purge the session in case of new login when a session already exists
cc97ea	81	$RCMAIL->kill_session();
5f560e	82
cc97ea	83	$auth = $RCMAIL->plugins->exec_hook('authenticate', array(
T	84	'host' => $RCMAIL->autoselect_host(),
	85	'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
5f560e	86	'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true,
A	87	$RCMAIL->config->get('password_charset', 'ISO-8859-1')),
446364	88	'cookiecheck' => true,
b46e5b	89	'valid' => $request_valid,
64608b	90	));
cc97ea	91
4e17e6	92	// check if client supports cookies
446364	93	if ($auth['cookiecheck'] && empty($_COOKIE)) {
f11541	94	$OUTPUT->show_message("cookiesdisabled", 'warning');
T	95	}
b46e5b	96	else if ($auth['valid'] && !$auth['abort'] &&
64608b	97	!empty($auth['host']) && !empty($auth['user']) &&
5228a5	98	$RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])
A	99	) {
	100	// create new session ID, don't destroy the current session
	101	// it was destroyed already by $RCMAIL->kill_session() above
929a50	102	$RCMAIL->session->remove('temp');
5228a5	103	$RCMAIL->session->regenerate_id(false);
aad6e2	104
T	105	// send auth cookie if necessary
1854c4	106	$RCMAIL->authenticate_session();
aad6e2	107
5e0045	108	// log successful login
354455	109	rcmail_log_login();
10eedb	110
cc97ea	111	// restore original request parameters
98cb0f	112	$query = array();
T	113	if ($url = get_input_value('_url', RCUBE_INPUT_POST)) {
cc97ea	114	parse_str($url, $query);
5228a5	115
98cb0f	116	// prevent endless looping on login page
T	117	if ($query['_task'] == 'login')
	118	unset($query['_task']);
	119	}
cc97ea	120
T	121	// allow plugins to control the redirect url after login success
98cb0f	122	$redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail'));
cc97ea	123	unset($redir['abort']);
5e0045	124
4e17e6	125	// send redirect
cc97ea	126	$OUTPUT->redirect($redir);
4e17e6	127	}
47124c	128	else {
6d99f9	129	$error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1;
A	130
b46e5b	131	$OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning');
8fcc3e	132	$RCMAIL->plugins->exec_hook('login_failed', array(
6d99f9	133	'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
1854c4	134	$RCMAIL->kill_session();
f11541	135	}
T	136	}
4e17e6	137
b46e5b	138	// end session (after optional referer check)
T	139	else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) && (!$RCMAIL->config->get('referer_check') \|\| rcube_check_referer())) {
7ef47e	140	$userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
f11541	141	$OUTPUT->show_message('loggedout');
1854c4	142	$RCMAIL->logout_actions();
T	143	$RCMAIL->kill_session();
7ef47e	144	$RCMAIL->plugins->exec_hook('logout_after', $userdata);
f11541	145	}
4e17e6	146
bac7d1	147	// check session and auth cookie
9b94eb	148	else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
1854c4	149	if (!$RCMAIL->authenticate_session()) {
f11541	150	$OUTPUT->show_message('sessionerror', 'error');
1854c4	151	$RCMAIL->kill_session();
4e17e6	152	}
f11541	153	}
4e17e6	154
T	155	// not logged in -> show login page
197601	156	if (empty($RCMAIL->user->ID)) {
83a763	157	if ($OUTPUT->ajax_call)
c719f3	158	$OUTPUT->redirect(array(), 2000);
9b94eb	159
ccc80d	160	if (!empty($_REQUEST['_framed']))
b57133	161	$OUTPUT->command('redirect', '?');
ccc80d	162
330127	163	// check if installer is still active
83a763	164	if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
47124c	165	$OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
T	166	html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
e019f2	167	html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
A	168	html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .
47124c	169	these files may expose sensitive configuration data like server passwords and encryption keys
T	170	to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
	171	)
	172	);
	173	}
249db1	174
b46e5b	175	$RCMAIL->set_task('login');
f11541	176	$OUTPUT->send('login');
T	177	}
249db1	178	// CSRF prevention
A	179	else {
	180	// don't check for valid request tokens in these actions
	181	$request_check_whitelist = array('login'=>1, 'spell'=>1);
4e17e6	182
249db1	183	// check client X-header to verify request origin
A	184	if ($OUTPUT->ajax_call) {
382b8b	185	if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token() && !$RCMAIL->config->get('devel_mode')) {
249db1	186	header('HTTP/1.1 404 Not Found');
A	187	die("Invalid Request");
	188	}
	189	}
	190	// check request token in POST form submissions
	191	else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
	192	$OUTPUT->show_message('invalidrequest', 'error');
	193	$OUTPUT->send($RCMAIL->task);
	194	}
b46e5b	195
T	196	// check referer if configured
	197	if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
	198	raise_error(array(
	199	'code' => 403,
	200	'type' => 'php',
	201	'message' => "Referer check failed"), true, true);
	202	}
249db1	203	}
4e17e6	204
249db1	205	// handle special actions
48aff9	206	if ($RCMAIL->action == 'keep-alive') {
T	207	$OUTPUT->reset();
	208	$OUTPUT->send();
	209	}
249db1	210	else if ($RCMAIL->action == 'save-pref') {
A	211	include 'steps/utils/save_pref.inc';
	212	}
4e17e6	213
6ea6c9	214
T	215	// map task/action to a certain include file
	216	$action_map = array(
	217	'mail' => array(
	218	'preview' => 'show.inc',
	219	'print' => 'show.inc',
	220	'moveto' => 'move_del.inc',
	221	'delete' => 'move_del.inc',
	222	'send' => 'sendmail.inc',
	223	'expunge' => 'folders.inc',
	224	'purge' => 'folders.inc',
133bb0	225	'remove-attachment' => 'attachments.inc',
A	226	'display-attachment' => 'attachments.inc',
	227	'upload' => 'attachments.inc',
c0297f	228	'group-expand' => 'autocomplete.inc',
6ea6c9	229	),
88375f	230
6ea6c9	231	'addressbook' => array(
T	232	'add' => 'edit.inc',
3baa72	233	'group-create' => 'groups.inc',
T	234	'group-rename' => 'groups.inc',
	235	'group-delete' => 'groups.inc',
aa12df	236	'group-addmembers' => 'groups.inc',
T	237	'group-delmembers' => 'groups.inc',
6ea6c9	238	),
af3c04	239
6ea6c9	240	'settings' => array(
af3c04	241	'folders' => 'folders.inc',
A	242	'rename-folder' => 'folders.inc',
	243	'delete-folder' => 'folders.inc',
	244	'subscribe' => 'folders.inc',
	245	'unsubscribe' => 'folders.inc',
	246	'purge' => 'folders.inc',
	247	'folder-size' => 'folders.inc',
6ea6c9	248	'add-identity' => 'edit_identity.inc',
T	249	)
	250	);
f5aa16	251
6ea6c9	252	// include task specific functions
564a2b	253	if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/func.inc'))
A	254	include_once($incfile);
4e17e6	255
6ea6c9	256	// allow 5 "redirects" to another action
T	257	$redirects = 0; $incstep = null;
	258	while ($redirects < 5) {
	259	$stepfile = !empty($action_map[$RCMAIL->task][$RCMAIL->action]) ?
	260	$action_map[$RCMAIL->task][$RCMAIL->action] : strtr($RCMAIL->action, '-', '_') . '.inc';
05a631	261
cc97ea	262	// execute a plugin action
05a631	263	if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
T	264	$RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
	265	break;
	266	}
	267	else if (preg_match('/^plugin\./', $RCMAIL->action)) {
cc97ea	268	$RCMAIL->plugins->exec_action($RCMAIL->action);
T	269	break;
	270	}
6ea6c9	271	// try to include the step file
564a2b	272	else if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile)) {
6ea6c9	273	include($incfile);
T	274	$redirects++;
	275	}
	276	else {
	277	break;
	278	}
	279	}
4e17e6	280
T	281
6ea6c9	282	// parse main template (default)
197601	283	$OUTPUT->send($RCMAIL->task);
539cd4	284
T	285
	286	// if we arrive here, something went wrong
f11541	287	raise_error(array(
T	288	'code' => 404,
	289	'type' => 'php',
	290	'line' => __LINE__,
	291	'file' => __FILE__,
47124c	292	'message' => "Invalid request"), true, true);
b25dfd	293