githubFork/roundcubemail.git

			@@ -28,8 +28,14 @@
			*/
			class rcube
			{
			const INIT_WITH_DB = 1;
			// Init options
			const INIT_WITH_DB = 1;
			const INIT_WITH_PLUGINS = 2;

			// Request status
			const REQUEST_VALID = 0;
			const REQUEST_ERROR_URL = 1;
			const REQUEST_ERROR_TOKEN = 2;

			/**
			* Singleton instace of rcube
			@@ -101,6 +107,12 @@
			*/
			public $user;

			/**
			* Request status
			*
			* @var int
			*/
			public $request_status = 0;

			/* private/protected vars */
			protected $texts;
			@@ -172,9 +184,13 @@
			public function get_dbh()
			{
			if (!$this->db) {
			$config_all = $this->config->all();
			$this->db = rcube_db::factory($config_all['db_dsnw'], $config_all['db_dsnr'], $config_all['db_persistent']);
			$this->db->set_debug((bool)$config_all['sql_debug']);
			$this->db = rcube_db::factory(
			$this->config->get('db_dsnw'),
			$this->config->get('db_dsnr'),
			$this->config->get('db_persistent')
			);

			$this->db->set_debug((bool)$this->config->get('sql_debug'));
			}

			return $this->db;
			@@ -199,7 +215,10 @@
			$this->mc_available = 0;

			// add all configured hosts to pool
			$pconnect = $this->config->get('memcache_pconnect', true);
			$pconnect = $this->config->get('memcache_pconnect', true);
			$timeout = $this->config->get('memcache_timeout', 1);
			$retry_interval = $this->config->get('memcache_retry_interval', 15);

			foreach ($this->config->get('memcache_hosts', array()) as $host) {
			if (substr($host, 0, 7) != 'unix://') {
			list($host, $port) = explode(':', $host);
			@@ -210,7 +229,7 @@
			}

			$this->mc_available += intval($this->memcache->addServer(
			$host, $port, $pconnect, 1, 1, 15, false, array($this, 'memcache_failure')));
			$host, $port, $pconnect, 1, $timeout, $retry_interval, false, array($this, 'memcache_failure')));
			}

			// test connection and failover (will result in $this->mc_available == 0 on complete failure)
			@@ -385,8 +404,12 @@

			$this->storage->set_options($options);
			$this->set_storage_prop();
			}

			// subscribe to 'storage_connected' hook for session logging
			if ($this->config->get('imap_log_session', false)) {
			$this->plugins->register_hook('storage_connected', array($this, 'storage_log_session'));
			}
			}

			/**
			* Set storage parameters.
			@@ -454,6 +477,16 @@


			/**
			* Callback for IMAP connection events to log session identifiers
			*/
			public function storage_log_session($args)
			{
			if (!empty($args['session']) && session_id()) {
			$this->write_log('imap_session', $args['session']);
			}
			}

			/**
			* Create session object and start the session.
			*/
			public function session_init()
			@@ -491,8 +524,13 @@
			// use database for storing session data
			$this->session = new rcube_session($this->get_dbh(), $this->config);

			$path = $_SERVER['SCRIPT_NAME'];
			if (strpos($path, '://')) {
			$path = parse_url($path, PHP_URL_PATH); // #1490582
			}

			$this->session->register_gc_handler(array($this, 'gc'));
			$this->session->set_secret($this->config->get('des_key') . dirname($_SERVER['SCRIPT_NAME']));
			$this->session->set_secret($this->config->get('des_key') . dirname($path));
			$this->session->set_ip_check($this->config->get('ip_check'));

			if ($this->config->get('session_auth_name')) {
			@@ -824,12 +862,19 @@
			* upon decryption; see http://php.net/mcrypt_generic#68082
			*/
			$clear = pack("a*H2", $clear, "80");
			$ckey = $this->config->get_crypto_key($key);

			if (function_exists('mcrypt_module_open') &&
			if (function_exists('openssl_encrypt')) {
			$method = 'DES-EDE3-CBC';
			$opts = defined('OPENSSL_RAW_DATA') ? OPENSSL_RAW_DATA : true;
			$iv = $this->create_iv(openssl_cipher_iv_length($method));
			$cipher = $iv . openssl_encrypt($clear, $method, $ckey, $opts, $iv);
			}
			else if (function_exists('mcrypt_module_open') &&
			($td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CBC, ""))
			) {
			$iv = $this->create_iv(mcrypt_enc_get_iv_size($td));
			mcrypt_generic_init($td, $this->config->get_crypto_key($key), $iv);
			mcrypt_generic_init($td, $ckey, $iv);
			$cipher = $iv . mcrypt_generic($td, $clear);
			mcrypt_generic_deinit($td);
			mcrypt_module_close($td);
			@@ -840,13 +885,13 @@
			if (function_exists('des')) {
			$des_iv_size = 8;
			$iv = $this->create_iv($des_iv_size);
			$cipher = $iv . des($this->config->get_crypto_key($key), $clear, 1, 1, $iv);
			$cipher = $iv . des($ckey, $clear, 1, 1, $iv);
			}
			else {
			self::raise_error(array(
			'code' => 500, 'type' => 'php',
			'file' => __FILE__, 'line' => __LINE__,
			'message' => "Could not perform encryption; make sure Mcrypt is installed or lib/des.inc is available"
			'message' => "Could not perform encryption; make sure OpenSSL or Mcrypt or lib/des.inc is available"
			), true, true);
			}
			}
			@@ -871,12 +916,13 @@
			}

			$cipher = $base64 ? base64_decode($cipher) : $cipher;
			$ckey = $this->config->get_crypto_key($key);

			if (function_exists('mcrypt_module_open') &&
			($td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CBC, ""))
			) {
			$iv_size = mcrypt_enc_get_iv_size($td);
			$iv = substr($cipher, 0, $iv_size);
			if (function_exists('openssl_decrypt')) {
			$method = 'DES-EDE3-CBC';
			$opts = defined('OPENSSL_RAW_DATA') ? OPENSSL_RAW_DATA : true;
			$iv_size = openssl_cipher_iv_length($method);
			$iv = substr($cipher, 0, $iv_size);

			// session corruption? (#1485970)
			if (strlen($iv) < $iv_size) {
			@@ -884,7 +930,21 @@
			}

			$cipher = substr($cipher, $iv_size);
			mcrypt_generic_init($td, $this->config->get_crypto_key($key), $iv);
			$clear = openssl_decrypt($cipher, $method, $ckey, $opts, $iv);
			}
			else if (function_exists('mcrypt_module_open') &&
			($td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CBC, ""))
			) {
			$iv_size = mcrypt_enc_get_iv_size($td);
			$iv = substr($cipher, 0, $iv_size);

			// session corruption? (#1485970)
			if (strlen($iv) < $iv_size) {
			return '';
			}

			$cipher = substr($cipher, $iv_size);
			mcrypt_generic_init($td, $ckey, $iv);
			$clear = mdecrypt_generic($td, $cipher);
			mcrypt_generic_deinit($td);
			mcrypt_module_close($td);
			@@ -894,15 +954,15 @@

			if (function_exists('des')) {
			$des_iv_size = 8;
			$iv = substr($cipher, 0, $des_iv_size);
			$iv = substr($cipher, 0, $des_iv_size);
			$cipher = substr($cipher, $des_iv_size);
			$clear = des($this->config->get_crypto_key($key), $cipher, 0, 1, $iv);
			$clear = des($ckey, $cipher, 0, 1, $iv);
			}
			else {
			self::raise_error(array(
			'code' => 500, 'type' => 'php',
			'file' => __FILE__, 'line' => __LINE__,
			'message' => "Could not perform decryption; make sure Mcrypt is installed or lib/des.inc is available"
			'message' => "Could not perform decryption; make sure OpenSSL or Mcrypt or lib/des.inc is available"
			), true, true);
			}
			}
			@@ -934,6 +994,102 @@
			}

			return $iv;
			}


			/**
			* Returns session token for secure URLs
			*
			* @param bool $generate Generate token if not exists in session yet
			*
			* @return string\|bool Token string, False when disabled
			*/
			public function get_secure_url_token($generate = false)
			{
			if ($len = $this->config->get('use_secure_urls')) {
			if (empty($_SESSION['secure_token']) && $generate) {
			// generate x characters long token
			$length = $len > 1 ? $len : 16;
			$token = rcube_utils::random_bytes($length);

			$plugin = $this->plugins->exec_hook('secure_token',
			array('value' => $token, 'length' => $length));

			$_SESSION['secure_token'] = $plugin['value'];
			}

			return $_SESSION['secure_token'];
			}

			return false;
			}


			/**
			* Generate a unique token to be used in a form request
			*
			* @return string The request token
			*/
			public function get_request_token()
			{
			if (empty($_SESSION['request_token'])) {
			$plugin = $this->plugins->exec_hook('request_token', array(
			'value' => rcube_utils::random_bytes(32)));

			$_SESSION['request_token'] = $plugin['value'];
			}

			return $_SESSION['request_token'];
			}


			/**
			* Check if the current request contains a valid token.
			* Empty requests aren't checked until use_secure_urls is set.
			*
			* @param int Request method
			*
			* @return boolean True if request token is valid false if not
			*/
			public function check_request($mode = rcube_utils::INPUT_POST)
			{
			// check secure token in URL if enabled
			if ($token = $this->get_secure_url_token()) {
			foreach (explode('/', preg_replace('/[?#&].*$/', '', $_SERVER['REQUEST_URI'])) as $tok) {
			if ($tok == $token) {
			return true;
			}
			}

			$this->request_status = self::REQUEST_ERROR_URL;

			return false;
			}

			$sess_tok = $this->get_request_token();

			// ajax requests
			if (rcube_utils::request_header('X-Roundcube-Request') == $sess_tok) {
			return true;
			}

			// skip empty requests
			if (($mode == rcube_utils::INPUT_POST && empty($_POST))
			\|\| ($mode == rcube_utils::INPUT_GET && empty($_GET))
			) {
			return true;
			}

			// default method of securing requests
			$token = rcube_utils::get_input_value('_token', $mode);
			$sess_id = $_COOKIE[ini_get('session.name')];

			if (empty($sess_id) \|\| $token != $sess_tok) {
			$this->request_status = self::REQUEST_ERROR_TOKEN;
			return false;
			}

			return true;
			}


			@@ -1114,8 +1270,12 @@
			$line = var_export($line, true);
			}

			$date_format = self::$instance ? self::$instance->config->get('log_date_format') : null;
			$log_driver = self::$instance ? self::$instance->config->get('log_driver') : null;
			$date_format = $log_driver = $session_key = null;
			if (self::$instance) {
			$date_format = self::$instance->config->get('log_date_format');
			$log_driver = self::$instance->config->get('log_driver');
			$session_key = intval(self::$instance->config->get('log_session_id', 8));
			}

			if (empty($date_format)) {
			$date_format = 'd-M-Y H:i:s O';
			@@ -1134,8 +1294,8 @@
			}

			// add session ID to the log
			if ($sess = session_id()) {
			$line = '<' . substr($sess, 0, 8) . '> ' . $line;
			if ($session_key > 0 && ($sess = session_id())) {
			$line = '<' . substr($sess, 0, $session_key) . '> ' . $line;
			}

			if ($log_driver == 'syslog') {
			@@ -1237,6 +1397,9 @@
			}

			exit(1);
			}
			else if ($cli) {
			fwrite(STDERR, 'ERROR: ' . $arg['message']);
			}
			}

			@@ -1504,32 +1667,30 @@
			// send thru SMTP server using custom SMTP library
			if ($this->config->get('smtp_server')) {
			// generate list of recipients
			$a_recipients = array($mailto);
			$a_recipients = (array) $mailto;

			if (strlen($headers['Cc']))
			$a_recipients[] = $headers['Cc'];
			if (strlen($headers['Bcc']))
			$a_recipients[] = $headers['Bcc'];

			// clean Bcc from header for recipients
			$send_headers = $headers;
			unset($send_headers['Bcc']);
			// here too, it because txtHeaders() below use $message->_headers not only $send_headers
			unset($message->_headers['Bcc']);

			$smtp_headers = $message->txtHeaders($send_headers, true);
			// remove Bcc header and get the whole head of the message as string
			$smtp_headers = $this->message_head($message, array('Bcc'));

			if ($message->getParam('delay_file_io')) {
			// use common temp dir
			$temp_dir = $this->config->get('temp_dir');
			$body_file = tempnam($temp_dir, 'rcmMsg');
			if (PEAR::isError($mime_result = $message->saveMessageBody($body_file))) {
			$temp_dir = $this->config->get('temp_dir');
			$body_file = tempnam($temp_dir, 'rcmMsg');
			$mime_result = $message->saveMessageBody($body_file);

			if (is_a($mime_result, 'PEAR_Error')) {
			self::raise_error(array('code' => 650, 'type' => 'php',
			'file' => __FILE__, 'line' => __LINE__,
			'message' => "Could not create message: ".$mime_result->getMessage()),
			TRUE, FALSE);
			true, false);
			return false;
			}

			$msg_body = fopen($body_file, 'r');
			}
			else {
			@@ -1549,39 +1710,33 @@
			if (!$sent) {
			self::raise_error(array('code' => 800, 'type' => 'smtp',
			'line' => __LINE__, 'file' => __FILE__,
			'message' => "SMTP error: ".join("\n", $response)), TRUE, FALSE);
			'message' => join("\n", $response)), true, false);
			}
			}
			// send mail using PHP's mail() function
			else {
			// unset some headers because they will be added by the mail() function
			$headers_enc = $message->headers($headers);
			$headers_php = $message->_headers;
			unset($headers_php['To'], $headers_php['Subject']);

			// reset stored headers and overwrite
			$message->_headers = array();
			$header_str = $message->txtHeaders($headers_php);
			// unset To,Subject headers because they will be added by the mail() function
			$header_str = $this->message_head($message, array('To', 'Subject'));

			// #1485779
			if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
			if (preg_match_all('/<([^@]+@[^>]+)>/', $headers_enc['To'], $m)) {
			$headers_enc['To'] = implode(', ', $m[1]);
			if (preg_match_all('/<([^@]+@[^>]+)>/', $headers['To'], $m)) {
			$headers['To'] = implode(', ', $m[1]);
			}
			}

			$msg_body = $message->get();

			if (PEAR::isError($msg_body)) {
			if (is_a($msg_body, 'PEAR_Error')) {
			self::raise_error(array('code' => 650, 'type' => 'php',
			'file' => __FILE__, 'line' => __LINE__,
			'message' => "Could not create message: ".$msg_body->getMessage()),
			TRUE, FALSE);
			true, false);
			}
			else {
			$delim = $this->config->header_delimiter();
			$to = $headers_enc['To'];
			$subject = $headers_enc['Subject'];
			$to = $headers['To'];
			$subject = $headers['Subject'];
			$header_str = rtrim($header_str);

			if ($delim != "\r\n") {
			@@ -1604,19 +1759,24 @@
			// remove MDN headers after sending
			unset($headers['Return-Receipt-To'], $headers['Disposition-Notification-To']);

			// get all recipients
			if ($headers['Cc'])
			$mailto .= $headers['Cc'];
			if ($headers['Bcc'])
			$mailto .= $headers['Bcc'];
			if (preg_match_all('/<([^@]+@[^>]+)>/', $mailto, $m))
			$mailto = implode(', ', array_unique($m[1]));

			if ($this->config->get('smtp_log')) {
			// get all recipient addresses
			if (is_array($mailto)) {
			$mailto = implode(',', $mailto);
			}
			if ($headers['Cc']) {
			$mailto .= ',' . $headers['Cc'];
			}
			if ($headers['Bcc']) {
			$mailto .= ',' . $headers['Bcc'];
			}

			$mailto = rcube_mime::decode_address_list($mailto, null, false, null, true);

			self::write_log('sendmail', sprintf("User %s [%s]; Message for %s; %s",
			$this->user->get_username(),
			$_SERVER['REMOTE_ADDR'],
			$mailto,
			rcube_utils::remote_addr(),
			implode(', ', $mailto),
			!empty($response) ? join('; ', $response) : ''));
			}
			}
			@@ -1629,12 +1789,32 @@
			fclose($msg_body);
			}

			$message->_headers = array();
			$message->headers($headers);
			$message->headers($headers, true);

			return $sent;
			}

			/**
			* Return message headers as a string
			*/
			protected function message_head($message, $unset = array())
			{
			// Mail_mime >= 1.9.0
			if (method_exists($message, 'isMultipart')) {
			foreach ($unset as $header) {
			$headers[$header] = null;
			}
			}
			else {
			$headers = $message->headers();
			foreach ($unset as $header) {
			unset($headers[$header]);
			}
			$message->_headers = array();
			}

			return $message->txtHeaders($headers, true);
			}
			}