githubFork/roundcubemail.git

- Fix attachments uploading, broken with devel-addressbook branch merge

alecpl

2011-02-25 b649c49e64a487ac8ad347aed42336dec2e74cd7

commit \| author \| age
4e17e6	1	<?php
T	2	/*
a6f90e	3	+-------------------------------------------------------------------------+
e019f2	4	\| Roundcube Webmail IMAP Client \|
f5e7b3	5	\| Version 0.6-svn \|
a6f90e	6	\| \|
f5e7b3	7	\| Copyright (C) 2005-2011, The Roundcube Dev Team \|
a6f90e	8	\| \|
A	9	\| This program is free software; you can redistribute it and/or modify \|
	10	\| it under the terms of the GNU General Public License version 2 \|
	11	\| as published by the Free Software Foundation. \|
	12	\| \|
	13	\| This program is distributed in the hope that it will be useful, \|
	14	\| but WITHOUT ANY WARRANTY; without even the implied warranty of \|
	15	\| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \|
	16	\| GNU General Public License for more details. \|
	17	\| \|
	18	\| You should have received a copy of the GNU General Public License along \|
	19	\| with this program; if not, write to the Free Software Foundation, Inc., \|
	20	\| 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. \|
	21	\| \|
	22	+-------------------------------------------------------------------------+
	23	\| Author: Thomas Bruederli <roundcube@gmail.com> \|
	24	+-------------------------------------------------------------------------+
4e17e6	25
T	26	$Id$
	27
	28	*/
15a9d1	29
47124c	30	// include environment
T	31	require_once 'program/include/iniset.php';
15a9d1	32
48bc52	33	// init application, start session, init output class, etc.
83a763	34	$RCMAIL = rcmail::get_instance();
T	35
d51c93	36	// turn on output buffering
A	37	ob_start();
8affba	38
8c72e3	39	// check if config files had errors
T	40	if ($err_str = $RCMAIL->config->get_error()) {
	41	raise_error(array(
	42	'code' => 601,
	43	'type' => 'php',
	44	'message' => $err_str), false, true);
	45	}
	46
8affba	47	// check DB connections and exit on failure
47124c	48	if ($err_str = $DB->is_error()) {
f11541	49	raise_error(array(
T	50	'code' => 603,
	51	'type' => 'db',
	52	'message' => $err_str), FALSE, TRUE);
	53	}
8affba	54
4e17e6	55	// error steps
197601	56	if ($RCMAIL->action=='error' && !empty($_GET['_code'])) {
4e17e6	57	raise_error(array('code' => hexdec($_GET['_code'])), FALSE, TRUE);
47124c	58	}
570f0b	59
f5d61d	60	// check if https is required (for login) and redirect if necessary
T	61	if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
	62	$https_port = is_bool($force_https) ? 443 : $force_https;
5818e4	63	if (!rcube_https_check($https_port)) {
76c94b	64	$host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
A	65	$host .= ($https_port != 443 ? ':' . $https_port : '');
	66	header('Location: https://' . $host . $_SERVER['REQUEST_URI']);
f5d61d	67	exit;
T	68	}
	69	}
	70
cc97ea	71	// trigger startup plugin hook
T	72	$startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
	73	$RCMAIL->set_task($startup['task']);
	74	$RCMAIL->action = $startup['action'];
	75
4e17e6	76	// try to log in
9b94eb	77	if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
784a42	78	$request_valid = $_SESSION['temp'] && $RCMAIL->check_request(RCUBE_INPUT_POST, 'login');
T	79
0129d7	80	// purge the session in case of new login when a session already exists
cc97ea	81	$RCMAIL->kill_session();
5f560e	82
cc97ea	83	$auth = $RCMAIL->plugins->exec_hook('authenticate', array(
T	84	'host' => $RCMAIL->autoselect_host(),
	85	'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
5f560e	86	'pass' => get_input_value('_pass', RCUBE_INPUT_POST, true,
A	87	$RCMAIL->config->get('password_charset', 'ISO-8859-1')),
446364	88	'cookiecheck' => true,
784a42	89	'valid' => $request_valid,
64608b	90	));
cc97ea	91
4e17e6	92	// check if client supports cookies
446364	93	if ($auth['cookiecheck'] && empty($_COOKIE)) {
f11541	94	$OUTPUT->show_message("cookiesdisabled", 'warning');
T	95	}
784a42	96	else if ($auth['valid'] && !$auth['abort'] &&
64608b	97	!empty($auth['host']) && !empty($auth['user']) &&
A	98	$RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
aad6e2	99	// create new session ID
929a50	100	$RCMAIL->session->remove('temp');
A	101	$RCMAIL->session->regenerate_id();
aad6e2	102
T	103	// send auth cookie if necessary
cf2da2	104	$RCMAIL->session->set_auth_cookie();
aad6e2	105
5e0045	106	// log successful login
354455	107	rcmail_log_login();
10eedb	108
cc97ea	109	// restore original request parameters
88007c	110	$query = array();
32234d	111	if ($url = get_input_value('_url', RCUBE_INPUT_POST)) {
cc97ea	112	parse_str($url, $query);
32234d	113
T	114	// prevent endless looping on login page
	115	if ($query['_task'] == 'login')
	116	unset($query['_task']);
	117	}
cc97ea	118
T	119	// allow plugins to control the redirect url after login success
32234d	120	$redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail'));
cc97ea	121	unset($redir['abort']);
5e0045	122
4e17e6	123	// send redirect
cc97ea	124	$OUTPUT->redirect($redir);
4e17e6	125	}
47124c	126	else {
6d99f9	127	$error_code = is_object($IMAP) ? $IMAP->get_error_code() : -1;
A	128
784a42	129	$OUTPUT->show_message($error_code < -1 ? 'imaperror' : (!$auth['valid'] ? 'invalidrequest' : 'loginfailed'), 'warning');
8fcc3e	130	$RCMAIL->plugins->exec_hook('login_failed', array(
6d99f9	131	'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
1854c4	132	$RCMAIL->kill_session();
f11541	133	}
T	134	}
4e17e6	135
de62f0	136	// end session (after optional referer check)
T	137	else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id']) && (!$RCMAIL->config->get('referer_check') \|\| rcube_check_referer())) {
7ef47e	138	$userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
f11541	139	$OUTPUT->show_message('loggedout');
1854c4	140	$RCMAIL->logout_actions();
T	141	$RCMAIL->kill_session();
7ef47e	142	$RCMAIL->plugins->exec_hook('logout_after', $userdata);
f11541	143	}
4e17e6	144
bac7d1	145	// check session and auth cookie
9b94eb	146	else if ($RCMAIL->task != 'login' && $_SESSION['user_id'] && $RCMAIL->action != 'send') {
cf2da2	147	if (!$RCMAIL->session->check_auth()) {
f11541	148	$OUTPUT->show_message('sessionerror', 'error');
1854c4	149	$RCMAIL->kill_session();
4e17e6	150	}
f11541	151	}
4e17e6	152
T	153	// not logged in -> show login page
197601	154	if (empty($RCMAIL->user->ID)) {
83a763	155	if ($OUTPUT->ajax_call)
c719f3	156	$OUTPUT->redirect(array(), 2000);
9b94eb	157
ccc80d	158	if (!empty($_REQUEST['_framed']))
b57133	159	$OUTPUT->command('redirect', '?');
ccc80d	160
330127	161	// check if installer is still active
83a763	162	if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
47124c	163	$OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
T	164	html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
e019f2	165	html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
A	166	html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .
47124c	167	these files may expose sensitive configuration data like server passwords and encryption keys
T	168	to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
	169	)
	170	);
	171	}
249db1	172
784a42	173	$RCMAIL->set_task('login');
f11541	174	$OUTPUT->send('login');
T	175	}
249db1	176	// CSRF prevention
A	177	else {
	178	// don't check for valid request tokens in these actions
	179	$request_check_whitelist = array('login'=>1, 'spell'=>1);
4e17e6	180
249db1	181	// check client X-header to verify request origin
A	182	if ($OUTPUT->ajax_call) {
	183	if (rc_request_header('X-Roundcube-Request') != $RCMAIL->get_request_token()) {
	184	header('HTTP/1.1 404 Not Found');
	185	die("Invalid Request");
	186	}
	187	}
	188	// check request token in POST form submissions
	189	else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
	190	$OUTPUT->show_message('invalidrequest', 'error');
	191	$OUTPUT->send($RCMAIL->task);
	192	}
a77cf2	193
T	194	// check referer if configured
	195	if (!$request_check_whitelist[$RCMAIL->action] && $RCMAIL->config->get('referer_check') && !rcube_check_referer()) {
	196	raise_error(array(
	197	'code' => 403,
	198	'type' => 'php',
	199	'message' => "Referer check failed"), true, true);
	200	}
249db1	201	}
4e17e6	202
249db1	203	// handle special actions
48aff9	204	if ($RCMAIL->action == 'keep-alive') {
T	205	$OUTPUT->reset();
	206	$OUTPUT->send();
	207	}
249db1	208	else if ($RCMAIL->action == 'save-pref') {
A	209	include 'steps/utils/save_pref.inc';
	210	}
4e17e6	211
6ea6c9	212
T	213	// include task specific functions
564a2b	214	if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/func.inc'))
A	215	include_once($incfile);
4e17e6	216
6ea6c9	217	// allow 5 "redirects" to another action
T	218	$redirects = 0; $incstep = null;
	219	while ($redirects < 5) {
cc97ea	220	// execute a plugin action
05a631	221	if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
T	222	$RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
	223	break;
	224	}
	225	else if (preg_match('/^plugin\./', $RCMAIL->action)) {
cc97ea	226	$RCMAIL->plugins->exec_action($RCMAIL->action);
T	227	break;
	228	}
6ea6c9	229	// try to include the step file
68d2d5	230	else if (($stepfile = $RCMAIL->get_action_file())
A	231	&& is_file($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile)
	232	) {
6ea6c9	233	include($incfile);
T	234	$redirects++;
	235	}
	236	else {
	237	break;
	238	}
	239	}
4e17e6	240
T	241
6ea6c9	242	// parse main template (default)
197601	243	$OUTPUT->send($RCMAIL->task);
539cd4	244
T	245
	246	// if we arrive here, something went wrong
f11541	247	raise_error(array(
T	248	'code' => 404,
	249	'type' => 'php',
	250	'line' => __LINE__,
	251	'file' => __FILE__,
47124c	252	'message' => "Invalid request"), true, true);
b25dfd	253