githubFork/roundcubemail.git

- Fix CVE-2010-0464: Disable DNS prefetching (#1486449)

alecpl

2010-02-26 ebc619c149f82e9151bbf672cf065447f4d12923

commit \| author \| age
4e17e6	1	<?php
T	2
	3	/*
	4	+-----------------------------------------------------------------------+
	5	\| rcube_shared.inc \|
	6	\| \|
	7	\| This file is part of the RoundCube PHP suite \|
f11541	8	\| Copyright (C) 2005-2007, RoundCube Dev. - Switzerland \|
30233b	9	\| Licensed under the GNU GPL \|
4e17e6	10	\| \|
T	11	\| CONTENTS: \|
	12	\| Shared functions and classes used in PHP projects \|
	13	\| \|
	14	+-----------------------------------------------------------------------+
	15	\| Author: Thomas Bruederli <roundcube@gmail.com> \|
	16	+-----------------------------------------------------------------------+
	17
	18	$Id$
	19
	20	*/
	21
	22
6d969b	23	/**
T	24	* RoundCube shared functions
	25	*
	26	* @package Core
	27	*/
4e17e6	28
a0109c	29
6d969b	30	/**
T	31	* Send HTTP headers to prevent caching this page
	32	*/
4e17e6	33	function send_nocacheing_headers()
6d969b	34	{
4e17e6	35	if (headers_sent())
T	36	return;
	37
	38	header("Expires: ".gmdate("D, d M Y H:i:s")." GMT");
	39	header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
456c7e	40	header("Cache-Control: private, must-revalidate, post-check=0, pre-check=0");
4e17e6	41	header("Pragma: no-cache");
ebc619	42	// Request browser to disable DNS prefetching (CVE-2010-0464)
A	43	header("X-DNS-Prefetch-Control: off");
0dbac3	44
T	45	// We need to set the following headers to make downloads work using IE in HTTPS mode.
5818e4	46	if (rcube_https_check()) {
0dbac3	47	header('Pragma: ');
T	48	header('Cache-Control: ');
	49	}
6d969b	50	}
4e17e6	51
T	52
6d969b	53	/**
T	54	* Send header with expire date 30 days in future
	55	*
	56	* @param int Expiration time in seconds
	57	*/
ff52be	58	function send_future_expire_header($offset=2600000)
6d969b	59	{
1a98a6	60	if (headers_sent())
T	61	return;
	62
ff52be	63	header("Expires: ".gmdate("D, d M Y H:i:s", mktime()+$offset)." GMT");
T	64	header("Cache-Control: max-age=$offset");
1a98a6	65	header("Pragma: ");
6d969b	66	}
4e17e6	67
T	68
6d969b	69	/**
T	70	* Check request for If-Modified-Since and send an according response.
	71	* This will terminate the current script if headers match the given values
	72	*
	73	* @param int Modified date as unix timestamp
	74	* @param string Etag value for caching
	75	*/
3f5cef	76	function send_modified_header($mdate, $etag=null, $skip_check=false)
ff52be	77	{
T	78	if (headers_sent())
	79	return;
	80
	81	$iscached = false;
	82	$etag = $etag ? "\"$etag\"" : null;
3f5cef	83
A	84	if (!$skip_check)
	85	{
	86	if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] && strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) >= $mdate)
	87	$iscached = true;
	88
	89	if ($etag)
	90	$iscached = ($_SERVER['HTTP_IF_NONE_MATCH'] == $etag);
	91	}
ff52be	92
T	93	if ($iscached)
	94	header("HTTP/1.x 304 Not Modified");
	95	else
	96	header("Last-Modified: ".gmdate("D, d M Y H:i:s", $mdate)." GMT");
	97
496da6	98	header("Cache-Control: private, must-revalidate, max-age=0");
ff52be	99	header("Expires: ");
T	100	header("Pragma: ");
	101
	102	if ($etag)
	103	header("Etag: $etag");
	104
	105	if ($iscached)
1b4d73	106	{
T	107	ob_end_clean();
ff52be	108	exit;
1b4d73	109	}
ff52be	110	}
T	111
	112
f11541	113	/**
T	114	* Similar function as in_array() but case-insensitive
6d969b	115	*
T	116	* @param mixed Needle value
	117	* @param array Array to search in
	118	* @return boolean True if found, False if not
f11541	119	*/
4e17e6	120	function in_array_nocase($needle, $haystack)
6d969b	121	{
ee258c	122	$needle = mb_strtolower($needle);
4e17e6	123	foreach ($haystack as $value)
ee258c	124	if ($needle===mb_strtolower($value))
6d969b	125	return true;
T	126
	127	return false;
	128	}
4e17e6	129
T	130
f11541	131	/**
T	132	* Find out if the string content means TRUE or FALSE
6d969b	133	*
T	134	* @param string Input value
	135	* @return boolean Imagine what!
f11541	136	*/
4e17e6	137	function get_boolean($str)
6d969b	138	{
4e17e6	139	$str = strtolower($str);
ee258c	140	if (in_array($str, array('false', '0', 'no', 'nein', ''), TRUE))
4e17e6	141	return FALSE;
T	142	else
	143	return TRUE;
6d969b	144	}
4e17e6	145
T	146
6d969b	147	/**
T	148	* Parse a human readable string for a number of bytes
	149	*
	150	* @param string Input string
47f072	151	* @return float Number of bytes
6d969b	152	*/
86df15	153	function parse_bytes($str)
6d969b	154	{
86df15	155	if (is_numeric($str))
47f072	156	return floatval($str);
892af4	157
A	158	if (preg_match('/([0-9\.]+)\s([a-z])/i', $str, $regs))
6d969b	159	{
T	160	$bytes = floatval($regs[1]);
	161	switch (strtolower($regs[2]))
86df15	162	{
6d969b	163	case 'g':
892af4	164	case 'gb':
6d969b	165	$bytes *= 1073741824;
T	166	break;
	167	case 'm':
892af4	168	case 'mb':
6d969b	169	$bytes *= 1048576;
T	170	break;
	171	case 'k':
892af4	172	case 'kb':
6d969b	173	$bytes *= 1024;
T	174	break;
86df15	175	}
6d969b	176	}
86df15	177
47f072	178	return floatval($bytes);
6d969b	179	}
86df15	180
6d969b	181	/**
T	182	* Create a human readable string for a number of bytes
	183	*
	184	* @param int Number of bytes
	185	* @return string Byte string
	186	*/
3ea0e3	187	function show_bytes($bytes)
6d969b	188	{
3ea0e3	189	if ($bytes > 1073741824)
6d969b	190	{
3ea0e3	191	$gb = $bytes/1073741824;
f613a1	192	$str = sprintf($gb>=10 ? "%d " : "%.1f ", $gb) . rcube_label('GB');
6d969b	193	}
3ea0e3	194	else if ($bytes > 1048576)
6d969b	195	{
3ea0e3	196	$mb = $bytes/1048576;
f613a1	197	$str = sprintf($mb>=10 ? "%d " : "%.1f ", $mb) . rcube_label('MB');
6d969b	198	}
3ea0e3	199	else if ($bytes > 1024)
f613a1	200	$str = sprintf("%d ", round($bytes/1024)) . rcube_label('KB');
4e17e6	201	else
f613a1	202	$str = sprintf('%d ', $bytes) . rcube_label('B');
3ea0e3	203
T	204	return $str;
6d969b	205	}
4e17e6	206
T	207
6d969b	208	/**
T	209	* Convert paths like ../xxx to an absolute path using a base url
	210	*
	211	* @param string Relative path
	212	* @param string Base URL
	213	* @return string Absolute URL
	214	*/
4e17e6	215	function make_absolute_url($path, $base_url)
6d969b	216	{
T	217	$host_url = $base_url;
	218	$abs_path = $path;
97bd2c	219
T	220	// check if path is an absolute URL
	221	if (preg_match('/^[fhtps]+:\/\//', $path))
	222	return $path;
4e17e6	223
6d969b	224	// cut base_url to the last directory
aa055c	225	if (strrpos($base_url, '/')>7)
6d969b	226	{
T	227	$host_url = substr($base_url, 0, strpos($base_url, '/'));
	228	$base_url = substr($base_url, 0, strrpos($base_url, '/'));
	229	}
	230
	231	// $path is absolute
	232	if ($path{0}=='/')
	233	$abs_path = $host_url.$path;
	234	else
	235	{
	236	// strip './' because its the same as ''
	237	$path = preg_replace('/^\.\//', '', $path);
	238
	239	if (preg_match_all('/\.\.\//', $path, $matches, PREG_SET_ORDER))
	240	foreach ($matches as $a_match)
4e17e6	241	{
6d969b	242	if (strrpos($base_url, '/'))
T	243	$base_url = substr($base_url, 0, strrpos($base_url, '/'));
	244
	245	$path = substr($path, 3);
4e17e6	246	}
T	247
6d969b	248	$abs_path = $base_url.'/'.$path;
T	249	}
	250
	251	return $abs_path;
	252	}
4e17e6	253
7145e0	254	/**
A	255	* Wrapper function for wordwrap
	256	*/
	257	function rc_wordwrap($string, $width=75, $break="\n", $cut=false)
	258	{
	259	$para = explode($break, $string);
	260	$string = '';
	261	while (count($para)) {
	262	$list = explode(' ', array_shift($para));
	263	$len = 0;
	264	while (count($list)) {
	265	$line = array_shift($list);
	266	$l = mb_strlen($line);
	267	$newlen = $len + $l + ($len ? 1 : 0);
	268
	269	if ($newlen <= $width) {
	270	$string .= ($len ? ' ' : '').$line;
78ebe7	271	$len += (1 + $l);
7145e0	272	} else {
A	273	if ($l > $width) {
	274	if ($cut) {
	275	$start = 0;
	276	while ($l) {
	277	$str = mb_substr($line, $start, $width);
	278	$strlen = mb_strlen($str);
	279	$string .= ($len ? $break : '').$str;
	280	$start += $strlen;
	281	$l -= $strlen;
	282	$len = $strlen;
	283	}
	284	} else {
	285	$string .= ($len ? $break : '').$line;
	286	if (count($list)) $string .= $break;
	287	$len = 0;
	288	}
	289	} else {
	290	$string .= $break.$line;
	291	$len = $l;
	292	}
	293	}
	294	}
	295	if (count($para)) $string .= $break;
	296	}
	297	return $string;
	298	}
86df15	299
6d969b	300	/**
88f66e	301	* Read a specific HTTP request header
T	302	*
0144c5	303	* @access static
T	304	* @param string $name Header name
	305	* @return mixed Header value or null if not available
88f66e	306	*/
T	307	function rc_request_header($name)
5a6eff	308	{
88f66e	309	if (function_exists('getallheaders'))
5a6eff	310	{
T	311	$hdrs = array_change_key_case(getallheaders(), CASE_UPPER);
0144c5	312	$key = strtoupper($name);
5a6eff	313	}
88f66e	314	else
5a6eff	315	{
0144c5	316	$key = 'HTTP_' . strtoupper(strtr($name, '-', '_'));
db401b	317	$hdrs = array_change_key_case($_SERVER, CASE_UPPER);
5a6eff	318	}
T	319
	320	return $hdrs[$key];
88f66e	321	}
1cded8	322
T	323
6d969b	324	/**
T	325	* Make sure the string ends with a slash
	326	*/
bac7d1	327	function slashify($str)
6d969b	328	{
bac7d1	329	return unslashify($str).'/';
6d969b	330	}
bac7d1	331
T	332
6d969b	333	/**
T	334	* Remove slash at the end of the string
	335	*/
bac7d1	336	function unslashify($str)
6d969b	337	{
bac7d1	338	return preg_replace('/\/$/', '', $str);
6d969b	339	}
bac7d1	340
T	341
6d969b	342	/**
T	343	* Delete all files within a folder
	344	*
	345	* @param string Path to directory
	346	* @return boolean True on success, False if directory was not found
	347	*/
1cded8	348	function clear_directory($dir_path)
6d969b	349	{
1cded8	350	$dir = @opendir($dir_path);
T	351	if(!$dir) return FALSE;
	352
	353	while ($file = readdir($dir))
	354	if (strlen($file)>2)
	355	unlink("$dir_path/$file");
	356
	357	closedir($dir);
	358	return TRUE;
6d969b	359	}
9fee0e	360
T	361
6d969b	362	/**
T	363	* Create a unix timestamp with a specified offset from now
	364	*
	365	* @param string String representation of the offset (e.g. 20min, 5h, 2days)
	366	* @param int Factor to multiply with the offset
	367	* @return int Unix timestamp
	368	*/
cc9570	369	function get_offset_time($offset_str, $factor=1)
T	370	{
	371	if (preg_match('/^([0-9]+)\s*([smhdw])/i', $offset_str, $regs))
6d969b	372	{
cc9570	373	$amount = (int)$regs[1];
T	374	$unit = strtolower($regs[2]);
6d969b	375	}
cc9570	376	else
6d969b	377	{
cc9570	378	$amount = (int)$offset_str;
T	379	$unit = 's';
6d969b	380	}
cc9570	381
T	382	$ts = mktime();
	383	switch ($unit)
6d969b	384	{
cc9570	385	case 'w':
T	386	$amount *= 7;
	387	case 'd':
	388	$amount *= 24;
	389	case 'h':
	390	$amount *= 60;
bd4959	391	case 'm':
cc9570	392	$amount *= 60;
T	393	case 's':
	394	$ts += $amount * $factor;
6d969b	395	}
cc9570	396
T	397	return $ts;
6d969b	398	}
cc9570	399
ee258c	400
A	401	/**
	402	* Replace the middle part of a string with ...
	403	* if it is longer than the allowed length
	404	*
	405	* @param string Input string
	406	* @param int Max. length
	407	* @param string Replace removed chars with this
	408	* @return string Abbreviated string
	409	*/
	410	function abbreviate_string($str, $maxlength, $place_holder='...')
	411	{
	412	$length = mb_strlen($str);
	413
	414	if ($length > $maxlength)
	415	{
cea5bc	416	$place_holder_length = mb_strlen($place_holder);
A	417	$first_part_length = floor(($maxlength - $place_holder_length)/2);
	418	$second_starting_location = $length - $maxlength + $first_part_length + $place_holder_length;
	419	$str = mb_substr($str, 0, $first_part_length) . $place_holder . mb_substr($str, $second_starting_location);
ee258c	420	}
A	421
	422	return $str;
	423	}
cc9570	424
a0109c	425	/**
734584	426	* A method to guess the mime_type of an attachment.
T	427	*
	428	* @param string $path Path to the file.
0ea569	429	* @param string $name File name (with suffix)
734584	430	* @param string $failover Mime type supplied for failover.
T	431	*
	432	* @return string
	433	* @author Till Klampaeckel <till@php.net>
	434	* @see http://de2.php.net/manual/en/ref.fileinfo.php
	435	* @see http://de2.php.net/mime_content_type
	436	*/
0ea569	437	function rc_mime_content_type($path, $name, $failover = 'application/octet-stream')
734584	438	{
6d5dba	439	$mime_type = null;
T	440	$mime_magic = rcmail::get_instance()->config->get('mime_magic');
0ea569	441	$mime_ext = @include(RCMAIL_CONFIG_DIR . '/mimetypes.php');
T	442	$suffix = $name ? substr($name, strrpos($name, '.')+1) : '*';
a0109c	443
0ea569	444	// use file name suffix with hard-coded mime-type map
T	445	if (is_array($mime_ext)) {
	446	$mime_type = $mime_ext[$suffix];
734584	447	}
0ea569	448	// try fileinfo extension if available
3e6380	449	if (!$mime_type && function_exists('finfo_open')) {
A	450	if ($finfo = finfo_open(FILEINFO_MIME, $mime_magic)) {
	451	$mime_type = finfo_file($finfo, $path);
	452	finfo_close($finfo);
734584	453	}
T	454	}
0ea569	455	// try PHP's mime_content_type
35dc0b	456	if (!$mime_type && function_exists('mime_content_type')) {
3e6380	457	$mime_type = mime_content_type($path);
6d5dba	458	}
0ea569	459	// fall back to user-submitted string
734584	460	if (!$mime_type) {
6d5dba	461	$mime_type = $failover;
734584	462	}
T	463
	464	return $mime_type;
	465	}
	466
b54121	467	/**
A	468	* A method to guess encoding of a string.
	469	*
	470	* @param string $string String.
	471	* @param string $failover Default result for failover.
	472	*
	473	* @return string
	474	*/
	475	function rc_detect_encoding($string, $failover='')
	476	{
	477	if (!function_exists('mb_detect_encoding')) {
	478	return $failover;
	479	}
	480
	481	// FIXME: the order is important, because sometimes
	482	// iso string is detected as euc-jp and etc.
	483	$enc = array(
b58f11	484	'UTF-8', 'SJIS', 'BIG5', 'GB2312',
T	485	'ISO-8859-1', 'ISO-8859-2', 'ISO-8859-3', 'ISO-8859-4',
	486	'ISO-8859-5', 'ISO-8859-6', 'ISO-8859-7', 'ISO-8859-8', 'ISO-8859-9',
	487	'ISO-8859-10', 'ISO-8859-13', 'ISO-8859-14', 'ISO-8859-15', 'ISO-8859-16',
	488	'WINDOWS-1252', 'WINDOWS-1251', 'EUC-JP', 'EUC-TW', 'KOI8-R',
	489	'ISO-2022-KR', 'ISO-2022-JP'
b54121	490	);
A	491
	492	$result = mb_detect_encoding($string, join(',', $enc));
	493
	494	return $result ? $result : $failover;
	495	}
	496
1a00f1	497	/**
A	498	* Removes non-unicode characters from input
	499	*
	500	* @param mixed $input String or array.
	501	* @return string
	502	*/
	503	function rc_utf8_clean($input)
	504	{
	505	// handle input of type array
	506	if (is_array($input)) {
	507	foreach ($input as $idx => $val)
	508	$input[$idx] = rc_utf8_clean($val);
	509	return $input;
	510	}
	511
b6c512	512	if (!is_string($input) \|\| $input == '')
1a00f1	513	return $input;
2717f9	514
b6c512	515	// iconv/mbstring are much faster (especially with long strings)
6481d4	516	if (function_exists('mb_convert_encoding') && ($res = mb_convert_encoding($input, 'UTF-8', 'UTF-8')) !== false)
b6c512	517	return $res;
A	518
ecbd5b	519	if (function_exists('iconv') && ($res = @iconv('UTF-8', 'UTF-8//IGNORE', $input)) !== false)
b6c512	520	return $res;
1a00f1	521
A	522	$regexp = '/^('.
	523	// '[\x00-\x7F]'. // UTF8-1
	524	'\|[\xC2-\xDF][\x80-\xBF]'. // UTF8-2
	525	'\|\xE0[\xA0-\xBF][\x80-\xBF]'. // UTF8-3
	526	'\|[\xE1-\xEC][\x80-\xBF][\x80-\xBF]'. // UTF8-3
	527	'\|\xED[\x80-\x9F][\x80-\xBF]'. // UTF8-3
	528	'\|[\xEE-\xEF][\x80-\xBF][\x80-\xBF]'. // UTF8-3
	529	'\|\xF0[\x90-\xBF][\x80-\xBF][\x80-\xBF]'. // UTF8-4
	530	'\|[\xF1-\xF3][\x80-\xBF][\x80-\xBF][\x80-\xBF]'.// UTF8-4
	531	'\|\xF4[\x80-\x8F][\x80-\xBF][\x80-\xBF]'. // UTF8-4
	532	')$/';
	533
	534	$seq = '';
	535	$out = '';
	536
6481d4	537	for ($i = 0, $len = strlen($input); $i < $len; $i++) {
1a00f1	538	$chr = $input[$i];
A	539	$ord = ord($chr);
	540	// 1-byte character
	541	if ($ord <= 0x7F) {
	542	if ($seq)
	543	$out .= preg_match($regexp, $seq) ? $seq : '';
	544	$seq = '';
	545	$out .= $chr;
	546	// first (or second) byte of multibyte sequence
	547	} else if ($ord >= 0xC0) {
	548	if (strlen($seq)>1) {
	549	$out .= preg_match($regexp, $seq) ? $seq : '';
	550	$seq = '';
	551	} else if ($seq && ord($seq) < 0xC0) {
	552	$seq = '';
	553	}
	554	$seq .= $chr;
	555	// next byte of multibyte sequence
	556	} else if ($seq) {
	557	$seq .= $chr;
	558	}
	559	}
	560
	561	if ($seq)
	562	$out .= preg_match($regexp, $seq) ? $seq : '';
	563
	564	return $out;
	565	}
0ff635	566
2717f9	567
A	568	/**
	569	* Convert a variable into a javascript object notation
	570	*
	571	* @param mixed Input value
	572	* @return string Serialized JSON string
	573	*/
	574	function json_serialize($input)
	575	{
	576	$input = rc_utf8_clean($input);
63ffe3	577
a7dba8	578	// sometimes even using rc_utf8_clean() the input contains invalid UTF-8 sequences
A	579	// that's why we have @ here
	580	return @json_encode($input);
2717f9	581	}
A	582
	583
0ff635	584	/**
A	585	* Explode quoted string
	586	*
	587	* @param string Delimiter expression string for preg_match()
	588	* @param string Input string
	589	*/
	590	function rcube_explode_quoted_string($delimiter, $string)
	591	{
	592	$result = array();
	593	$strlen = strlen($string);
	594
	595	for ($q=$p=$i=0; $i < $strlen; $i++) {
	596	if ($string[$i] == "\"" && $string[$i-1] != "\\") {
	597	$q = $q ? false : true;
	598	}
	599	else if (!$q && preg_match("/$delimiter/", $string[$i])) {
	600	$result[] = substr($string, $p, $i - $p);
	601	$p = $i + 1;
	602	}
	603	}
	604
	605	$result[] = substr($string, $p);
	606	return $result;
	607	}
	608
ee258c	609
A	610	/**
	611	* mbstring replacement functions
	612	*/
	613
8f6a46	614	if (!extension_loaded('mbstring'))
A	615	{
ee258c	616	function mb_strlen($str)
A	617	{
	618	return strlen($str);
	619	}
	620
	621	function mb_strtolower($str)
	622	{
	623	return strtolower($str);
	624	}
	625
	626	function mb_strtoupper($str)
	627	{
	628	return strtoupper($str);
	629	}
	630
	631	function mb_substr($str, $start, $len=null)
	632	{
	633	return substr($str, $start, $len);
	634	}
	635
	636	function mb_strpos($haystack, $needle, $offset=0)
	637	{
	638	return strpos($haystack, $needle, $offset);
	639	}
	640
	641	function mb_strrpos($haystack, $needle, $offset=0)
	642	{
	643	return strrpos($haystack, $needle, $offset);
	644	}
	645	}
	646
b54121	647	?>