From ea7c46b4f37691702b8e78dea34c3e9a3afb232d Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Fri, 03 Mar 2006 11:34:35 -0500
Subject: [PATCH] Improved reading of POST and GET values

---
 index.php                                    |   22 +------
 program/include/rcube_shared.inc             |    7 +
 program/include/main.inc                     |   53 +++++++++++++++++
 program/steps/mail/compose.inc               |    6 +-
 program/steps/addressbook/save.inc           |   26 ++++----
 program/steps/settings/save_identity.inc     |    5 +
 program/steps/addressbook/ldapsearchform.inc |    2 
 program/steps/mail/sendmail.inc              |   24 ++++----
 program/steps/settings/manage_folders.inc    |   16 ++--
 .htaccess                                    |    2 
 program/steps/mail/addcontact.inc            |    4 
 11 files changed, 104 insertions(+), 63 deletions(-)

diff --git a/.htaccess b/.htaccess
index 0a3faf2..8130beb 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,4 +1,4 @@
-AddDefaultCharset	UTF-8
+# AddDefaultCharset	UTF-8
 php_flag	display_errors	On
 php_value	upload_max_filesize	2m
 
diff --git a/index.php b/index.php
index fd09c02..d3cfade 100644
--- a/index.php
+++ b/index.php
@@ -82,23 +82,6 @@
 // PEAR::setErrorHandling(PEAR_ERROR_TRIGGER, E_USER_NOTICE);
 
 
-// strip magic quotes from Superglobals...
-if ((bool)get_magic_quotes_gpc())  // by "php Pest"
-  {
-  // Really EGPCSR - Environment $_ENV, GET $_GET , POST $_POST, Cookie $_COOKIE, Server $_SERVER
-  // and their HTTP_*_VARS cousins (separate arrays, not references) and $_REQUEST
-  $fnStripMagicQuotes = create_function(
-        '&$mData, $fnSelf',
-        'if (is_array($mData)) { foreach ($mData as $mKey=>$mValue) $fnSelf($mData[$mKey], $fnSelf); return; } '.
-        '$mData = stripslashes($mData);'
-  );
-  
-  // do each set of EGPCSR as you find necessary
-  $fnStripMagicQuotes($_POST, $fnStripMagicQuotes);
-  $fnStripMagicQuotes($_GET, $fnStripMagicQuotes);
-  }
-
-
 // catch some url/post parameters
 $_auth = !empty($_POST['_auth']) ? $_POST['_auth'] : $_GET['_auth'];
 $_task = !empty($_POST['_task']) ? $_POST['_task'] : (!empty($_GET['_task']) ? $_GET['_task'] : 'mail');
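Review bot: Removing the recursive magic-quote strip means every place that still reads `$_GET`/`$_POST` directly now receives the backslash-escaped value when `magic_quotes_gpc` is on — including `$_task` on the last line of this hunk and `$_GET['_mboxes']` in the manage_folders.inc hunks of this same patch, none of which go through `get_input_value()`. Either keep a global strip or route those reads through the helper; for `$_task`, keeping its POST-over-GET precedence: `$_task = !empty($_POST['_task']) ? get_input_value('_task', RCUBE_INPUT_POST) : (!empty($_GET['_task']) ? get_input_value('_task', RCUBE_INPUT_GET) : 'mail');`. If `$_task` is later used to pick a directory under `program/steps/` (not visible here), it should additionally be checked against the known task names, not merely read cleanly.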
@@ -144,7 +127,10 @@
     {
     show_message("cookiesdisabled", 'warning');
     }
-  else if (isset($_POST['_user']) && isset($_POST['_pass']) && rcmail_login($_POST['_user'], $_POST['_pass'], $host))
+  else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
+           rcmail_login(get_input_value('_user', RCUBE_INPUT_POST),
+                        get_input_value('_pass', RCUBE_INPUT_POST),
+                        $host))
     {
     // send redirect
     header("Location: $COMM_PATH");
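Review bot: Routing `_pass` through `get_input_value()` with the default `$allow_html=FALSE` runs `strip_tags()` over the password, so any password containing `<` followed by a non-space character is silently truncated and the login fails with no indication why; the helper also charset-converts the value, which can change the bytes sent to the IMAP server for non-ASCII passwords. Pass the raw value, or at least disable tag stripping: `get_input_value('_pass', RCUBE_INPUT_POST, TRUE)`. The `isset()` checks on the raw `$_POST` entries are harmless but are now duplicated by the helper's own `isset()`. The surrounding if/else chain starts outside this hunk.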
diff --git a/program/include/main.inc b/program/include/main.inc
index 3a15bfd..515de03 100644
--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -24,6 +24,12 @@
 require_once('lib/utf8.class.php');
 
 
+// define constannts for input reading
+define('RCUBE_INPUT_GET', 0x0101);
+define('RCUBE_INPUT_POST', 0x0102);
+define('RCUBE_INPUT_GPC', 0x0103);
+
+
 // register session and connect to server
 function rcmail_startup($task='mail')
   {
@@ -376,6 +382,8 @@
     $imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE;
     $imap_port = isset($a_host['port']) ? $a_host['port'] : ($imap_ssl ? 993 : $CONFIG['default_port']);
     }
+  else
+    $imap_port = $CONFIG['default_port'];
 
   // query if user already registered
   $sql_result = $DB->query("SELECT user_id, username, language, preferences
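Review bot: The new `else` branch sets `$imap_port` but leaves `$imap_ssl` unset, while the `if` branch on the first context line sets both; unless `$imap_ssl` is initialised above this hunk, any later use of it on the no-host-info path reads an undefined variable (falsy, so plain IMAP, but with a notice). Initialising both together keeps the two paths symmetric: `else { $imap_port = $CONFIG['default_port']; $imap_ssl = FALSE; }`. The enclosing function starts outside this hunk.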
@@ -895,6 +903,49 @@
   // no encoding given -> return original string
   return $str;
   }
+
+
+/**
+ * Read input value and convert it for internal use
+ * Performs stripslashes() and charset conversion if necessary
+ * 
+ * @param  string   Field name to read
+ * @param  int      Source to get value from (GPC)
+ * @param  boolean  Allow HTML tags in field value
+ * @param  string   Charset to convert into
+ * @return string   Field value or NULL if not available
+ */
+function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
+  {
+  global $OUTPUT;
+  $value = NULL;
+  
+  if ($source==RCUBE_INPUT_GET && isset($_GET[$fname]))
+    $value = $_GET[$fname];
+  else if ($source==RCUBE_INPUT_POST && isset($_POST[$fname]))
+    $value = $_POST[$fname];
+  else if ($source==RCUBE_INPUT_GPC)
+    {
+    if (isset($_GET[$fname]))
+      $value = $_GET[$fname];
+    else if (isset($_POST[$fname]))
+      $value = $_POST[$fname];
+    else if (isset($_COOKIE[$fname]))
+      $value = $_COOKIE[$fname];
+    }
+  
+  // strip slashes if magic_quotes enabled
+  if ((bool)get_magic_quotes_gpc())
+    $value = stripslashes($value);
+
+  // remove HTML tags if not allowed    
+  if (!$allow_html)
+    $value = strip_tags($value);
+  
+  // convert to internal charset
+  return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset);
+  }
+
 
 
 
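Review bot: The docblock promises `NULL` when the field is absent, but an absent field falls through `stripslashes()`, `strip_tags()` and `rcube_charset_convert()` and comes back as an empty string; an array value (a `name[]` field) goes through the same string functions and is destroyed with a warning. An early return after the source selection fixes the first and makes the second explicit: `if ($value === NULL) return NULL;` plus a docblock line stating that array fields are not supported. `RCUBE_INPUT_GPC` also resolves GET before POST before COOKIE, so a query-string parameter silently overrides a POSTed field of the same name; that order belongs in the docblock so callers do not use GPC for fields they expect from the form body. Finally, `strip_tags()` here is input normalisation, not output escaping — returned values still need `rep_specialchars_output()` (or equivalent) when echoed into HTML or JS.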
@@ -1482,7 +1533,7 @@
   $input_action = new hiddenfield(array('name' => '_action', 'value' => 'login'));
     
   $fields = array();
-  $fields['user'] = $input_user->show($_POST['_user']);
+  $fields['user'] = $input_user->show(get_input_value('_user', RCUBE_INPUT_POST));
   $fields['pass'] = $input_pass->show();
   $fields['action'] = $input_action->show();
   
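Review bot: `$input_user->show(get_input_value('_user', RCUBE_INPUT_POST))` reflects the submitted username back into a form attribute, and the helper's `strip_tags()` does not escape quotes, so this is safe only if `show()` HTML-encodes attribute values — `show()` is outside this patch, so that is worth confirming rather than assuming. A short comment on the changed line would record the contract: `// value is tag-stripped only; show() must attribute-escape it`. The enclosing function starts outside this hunk.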
diff --git a/program/include/rcube_shared.inc b/program/include/rcube_shared.inc
index da56651..77753f5 100644
--- a/program/include/rcube_shared.inc
+++ b/program/include/rcube_shared.inc
@@ -108,7 +108,7 @@
   
     // set default page title
     if (!strlen($this->title))
-      $this->title = 'RoundCube|Mail';
+      $this->title = 'RoundCube Mail';
   
     // replace specialchars in content
     $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE);
@@ -117,7 +117,10 @@
     
     // include meta tag with charset
     if (!empty($this->charset))
-      $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";;
+      {
+      header('Content-Type: text/html; charset='.$this->charset);
+      $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";
+      }
   
   
     // definition of the code to be placed in the document header and footer
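Review bot: `header('Content-Type: ...')` on the added line has no `headers_sent()` guard and runs inside the method that builds the page rather than before any output; with `display_errors On` (the `.htaccess` in this patch) a single notice emitted earlier turns it into a "headers already sent" warning and the header is lost, leaving the browser to the meta tag or content sniffing — which matters more now that `AddDefaultCharset` was commented out in the same patch, since responses that do not pass through this method get no charset at all. `if (!headers_sent()) header('Content-Type: text/html; charset='.$this->charset);` keeps it best-effort. `$this->charset` is also concatenated into a raw header; if it can ever be set from request data (not visible here) it needs validating against a charset-name pattern first. The enclosing method starts outside this hunk.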
diff --git a/program/steps/addressbook/ldapsearchform.inc b/program/steps/addressbook/ldapsearchform.inc
index 5c04406..a4e08dc 100644
--- a/program/steps/addressbook/ldapsearchform.inc
+++ b/program/steps/addressbook/ldapsearchform.inc
@@ -255,7 +255,7 @@
     $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task']));
     $hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch'));
     
-    if ($_GET['_framed'] || $_POST['_framed'])
+    if ($_framed)
       $hiddenfields->add(array('name' => '_framed', 'value' => 1));
     
     $form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : '';
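Review bot: `$_framed` replaces the explicit `$_GET`/`$_POST` lookups, but nothing in this patch assigns it; presumably it is a global set in index.php next to `$_auth` and `$_task`, outside the visible hunks. If this code is ever reached from function scope the variable is undefined and the hidden field is silently dropped, so the form posts back unframed. A one-line comment naming the source, `// $_framed is set in index.php from _framed (GET or POST)`, would save the next reader the search. The enclosing function appears to start outside this hunk.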
diff --git a/program/steps/addressbook/save.inc b/program/steps/addressbook/save.inc
index 32a6243..5135e4b 100644
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@@ -23,7 +23,7 @@
 if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed']))
   {
   show_message('formincomplete', 'warning');
-  rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add');
+  rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
   return;
   }
 
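Review bot: The first context line still tests `empty($_GET['_framed'])` while the rest of this file is switched to `$_framed` (which, judging by the `$_GET['_framed'] || $_POST['_framed']` it replaces in ldapsearchform.inc, also covers POST), so a framed POST that fails validation takes the unframed error path. Changing it to `empty($_framed)` keeps the file consistent. `empty()` on `_name`/`_email` also rejects a literal `0`, which is fine for an email but not necessarily for a name.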
@@ -32,7 +32,7 @@
 $contacts_table = get_table_name('contacts');
 
 // update an existing contact
-if ($_POST['_cid'])
+if (!empty($_POST['_cid']))
   {
   $a_write_sql = array();
 
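Review bot: `_cid` is only tested for non-emptiness before the update branch; if it is interpolated into the UPDATE's WHERE clause further down (outside this hunk), it should be cast first, `$cid = (int)$_POST['_cid'];`, and the cast value used everywhere `_cid` appears in SQL. The `empty()` test also sends a contact id of `0` down the insert path, which is only harmless if ids start at 1.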
@@ -44,7 +44,7 @@
     
     $a_write_sql[] = sprintf("%s=%s",
                              $DB->quoteIdentifier($col),
-                             $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())));
+                             $DB->quote(get_input_value($fname, RCUBE_INPUT_POST)));
     }
 
   if (sizeof($a_write_sql))
@@ -65,7 +65,7 @@
     $_action = 'show';
     show_message('successfullysaved', 'confirmation');    
     
-    if ($_POST['_framed'])
+    if ($_framed)
       {
       // define list of cols to be displayed
       $a_show_cols = array('name', 'email');
@@ -115,20 +115,20 @@
   if (isset($_GET['_emails']) && isset($_GET['_names']))
     {
     $sql   .= "AND email IN (";
-    $emails = explode(',', $_GET['_emails']);
-    $names  = explode(',', $_GET['_names']);
+    $emails = explode(',', get_input_value('_emails', RCUBE_INPUT_GET));
+    $names  = explode(',', get_input_value('_names', RCUBE_INPUT_GET));
     $count  = count($emails);
     $n = 0;
     foreach ($emails as $email)
       {
       $end  = (++$n == $count) ? '' : ',';
-      $sql .= $DB->quote(strip_tags($email)) . $end;
+      $sql .= $DB->quote($email) . $end;
       }
     $sql .= ")";
     $ldap_form = true; 
     }
   else if (isset($_POST['_email'])) 
-    $sql  .= "AND email = " . $DB->quote(strip_tags($_POST['_email']));
+    $sql  .= "AND email = " . $DB->quote(get_input_value('_email', RCUBE_INPUT_POST));
 
   $sql_result = $DB->query($sql);
 
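Review bot: `$emails` and `$names` are exploded independently and nothing checks that the two lists have the same length; the insert loop in the hunk below indexes `$names[$n++]` by email position, so a shorter `_names` list yields undefined indexes and `NULL` names, and an empty `_emails` still produces `email IN ('')`. A length check before the loop is cheap: `if (count($emails) != count($names)) { show_message('formincomplete', 'warning'); return; }`. Each exploded element may also carry surrounding spaces and could be `trim()`ed before quoting.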
@@ -151,9 +151,9 @@
     foreach ($emails as $email) 
       {
       $DB->query("INSERT INTO $contacts_table 
-                 (user_id, name, email)
-                 VALUES ({$_SESSION['user_id']}," . $DB->quote(strip_tags($names[$n++])) . "," . 
-                                      $DB->quote(strip_tags($email)) . ")");
+                 (user_id, name, email
+                 VALUES ({$_SESSION['user_id']}," . $DB->quote($names[$n++]) . "," . 
+                                      $DB->quote($email) . ")");
       $insert_id[] = $DB->insert_id();
       }
     }
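Review bot: The rewritten column list on the first changed line dropped its closing parenthesis — `(user_id, name, email` — so this INSERT is now a syntax error on every database and the LDAP-import path can no longer insert any contact. It should read `(user_id, name, email)`. Separately, `$names[$n++]` is read without checking that `$names` has as many entries as `$emails`; an undefined index becomes `quote(NULL)` rather than a validation error.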
@@ -166,7 +166,7 @@
         continue;
     
       $a_insert_cols[] = $col;
-      $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()));
+      $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST));
       }
     
     if (sizeof($a_insert_cols))
@@ -187,7 +187,7 @@
       $_action = 'show';
       $_GET['_cid'] = $insert_id;
 
-      if ($_POST['_framed'])
+      if ($_framed)
         {
         // add contact row or jump to the page where it should appear
         $commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME);
diff --git a/program/steps/mail/addcontact.inc b/program/steps/mail/addcontact.inc
index b1129ec..722b0f2 100644
--- a/program/steps/mail/addcontact.inc
+++ b/program/steps/mail/addcontact.inc
@@ -21,9 +21,9 @@
 
 $REMOTE_REQUEST = TRUE;
 
-if ($_GET['_address'])
+if (!empty($_GET['_address']))
   {
-  $contact_arr = $IMAP->decode_address_list($_GET['_address']);
+  $contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_GET));
   if (sizeof($contact_arr))
     {
     $contact = $contact_arr[1];
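Review bot: `get_input_value('_address', RCUBE_INPUT_GET)` strips tags by default, and `strip_tags()` treats an RFC 2822 angle-bracket address such as `Name <user@example.com>` as a tag, returning just `Name ` — so the very addresses this step imports lose their email part before `decode_address_list()` sees them. The sendmail.inc hunks in this patch pass `TRUE` for the same reason; do so here too: `$contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_GET, TRUE));` and escape on output instead. `$contact_arr[1]` on the last context line assumes a 1-indexed result, which cannot be confirmed from this hunk.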
diff --git a/program/steps/mail/compose.inc b/program/steps/mail/compose.inc
index 2241e6b..5846506 100644
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@@ -142,7 +142,7 @@
 
     
   if ($fname && !empty($_POST[$fname]))
-    $fvalue = $_POST[$fname];
+    $fvalue = get_input_value($fname, RCUBE_INPUT_POST);
   else if ($header && is_object($REPLY_MESSAGE['headers']))
     {
     // get recipent address(es) out of the message headers
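Review bot: `get_input_value($fname, RCUBE_INPUT_POST)` strips tags by default, and this block appears to repopulate recipient fields (the `else` branch reads addresses out of the reply message headers); `strip_tags()` removes `<user@example.com>` from `Name <user@example.com>`, so a posted recipient list comes back with every bracketed address gone. Pass `TRUE` as sendmail.inc does for the same fields: `$fvalue = get_input_value($fname, RCUBE_INPUT_POST, TRUE);` and rely on output escaping when the value is written into the form. The enclosing function starts outside this hunk.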
@@ -309,7 +309,7 @@
   
   // use posted message body
   if (!empty($_POST['_message']))
-    $body = stripslashes($_POST['_message']);
+    $body = get_input_value('_message', RCUBE_INPUT_POST, TRUE);
     
   // compose reply-body
   else if (is_array($REPLY_MESSAGE['parts']))
@@ -433,7 +433,7 @@
 
   // use subject from post
   if (isset($_POST['_subject']))
-    $subject = stripslashes($_POST['_subject']);
+    $subject = get_input_value('_subject', RCUBE_INPUT_POST);
     
   // create a reply-subject
   else if (isset($REPLY_MESSAGE['subject']))
diff --git a/program/steps/mail/sendmail.inc b/program/steps/mail/sendmail.inc
index ec0f116..70baba0 100644
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@@ -83,7 +83,7 @@
 $mailto_replace = array(', ', ', ', '');
 
 // repalce new lines and strip ending ', '
-$mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to']));
+$mailto = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_to', RCUBE_INPUT_POST, TRUE, $message_charset));
 
 // decode address strings
 $to_address_arr = $IMAP->decode_address_list($mailto);
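Review bot: `$mailto` is already converted into `$message_charset` by the fourth argument on the changed line, but the unchanged `'To' => rcube_charset_convert($mailto, $input_charset, $message_charset)` at the top of the next hunk converts it again, treating the already-converted bytes as `$input_charset`; wherever the two charsets differ the To header ends up double-converted. The Cc/Bcc lines in the next hunk already assume the helper does the conversion, so the To line should simply become `'To' => $mailto`; alternatively drop the fourth argument here so the existing conversion is the only one.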
@@ -104,22 +104,22 @@
                  'To'   => rcube_charset_convert($mailto, $input_charset, $message_charset));
 
 // additional recipients
-if ($_POST['_cc'])
-  $headers['Cc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc'])), $input_charset, $message_charset);
+if (!empty($_POST['_cc']))
+  $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_cc', RCUBE_INPUT_POST, TRUE, $message_charset));
 
-if ($_POST['_bcc'])
-  $headers['Bcc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc'])), $input_charset, $message_charset);
+if (!empty($_POST['_bcc']))
+  $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_bcc', RCUBE_INPUT_POST, TRUE, $message_charset));
   
-if (strlen($identity_arr['bcc']))
+if (!empty($identity_arr['bcc']))
   $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc'];
 
 // add subject
-$headers['Subject'] = rcube_charset_convert(trim($_POST['_subject']), $input_charset, $message_charset);
+$headers['Subject'] = trim(get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset));
 
-if (strlen($identity_arr['organization']))
+if (!empty($identity_arr['organization']))
   $headers['Organization'] = $identity_arr['organization'];
 
-if (strlen($identity_arr['reply-to']))
+if (!empty($identity_arr['reply-to']))
   $headers['Reply-To'] = $identity_arr['reply-to'];
 
 if (!empty($_SESSION['compose']['reply_msgid']))
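Review bot: `_subject` on the changed Subject line gets `trim()` only, while `_to`/`_cc`/`_bcc` are passed through `$mailto_regexp`, which the comment above says replaces new lines; a CR/LF inside the subject therefore reaches `$headers['Subject']` unfiltered unless the mail library below this hunk folds or rejects it. Since the sender is the authenticated user the impact is limited to malformed or extra headers in their own mail, but it is still worth normalising: `$headers['Subject'] = trim(preg_replace('/[\r\n]+/', ' ', get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset)));`. The `$headers['Bcc'] ? ... : ''` on the identity-bcc line also reads an index that is only set when `_bcc` was posted; `!empty($headers['Bcc'])` avoids the notice.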
@@ -128,7 +128,7 @@
 if (!empty($_SESSION['compose']['references']))
   $headers['References'] = $_SESSION['compose']['references'];
 
-if ($_POST['_priority'])
+if (!empty($_POST['_priority']))
   {
   $priority = (int)$_POST['_priority'];
   $a_priorities = array(1=>'lowest', 2=>'low', 4=>'high', 5=>'highest');
@@ -141,11 +141,11 @@
 $headers['Message-ID'] = $message_id;
 $headers['X-Sender'] = $from;
 
-if ($CONFIG['useragent'])
+if (!empty($CONFIG['useragent']))
   $headers['User-Agent'] = $CONFIG['useragent'];
 
 // fetch message body
-$message_body = rcube_charset_convert($_POST['_message'], $input_charset, $message_charset);
+$message_body = get_input_value('_message', RCUBE_INPUT_POST, TRUE, $message_charset);
 
 // append generic footer to all messages
 if (!empty($CONFIG['generic_message_footer']))
diff --git a/program/steps/settings/manage_folders.inc b/program/steps/settings/manage_folders.inc
index 6f49018..86b9bb7 100644
--- a/program/steps/settings/manage_folders.inc
+++ b/program/steps/settings/manage_folders.inc
@@ -29,7 +29,7 @@
   if (strlen($_GET['_mboxes']))
     $IMAP->subscribe(array($_GET['_mboxes']));
 
-  if ($_GET['_remote'])
+  if ($REMOTE_REQUEST)
     rcube_remote_response('// subscribed');
   }
 
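Review bot: `$_GET['_mboxes']` on the two context lines is still handed to `$IMAP->subscribe()` raw: with the global magic-quote strip removed from index.php by this same patch, a folder name containing a quote or backslash now arrives with escaping backslashes when `magic_quotes_gpc` is on, and it gets no charset conversion although the create-folder path below now converts via `get_input_value()`, so a non-ASCII folder created through this page may not match on subscribe. Read it through the helper without tag stripping, since folder names may legitimately contain `<`: `$IMAP->subscribe(array(get_input_value('_mboxes', RCUBE_INPUT_GET, TRUE)));`. The same applies to the unsubscribe and delete branches below.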
@@ -39,22 +39,22 @@
   if (strlen($_GET['_mboxes']))
     $IMAP->unsubscribe(array($_GET['_mboxes']));
 
-  if ($_GET['_remote'])
+  if ($REMOTE_REQUEST)
     rcube_remote_response('// unsubscribed');
   }
 
 // create a new mailbox
 else if ($_action=='create-folder')
   {
-  if (strlen($_GET['_name']))
-    $create = $IMAP->create_mailbox(rcube_charset_convert(strip_tags(trim($_GET['_name'])), $OUTPUT->get_charset()), TRUE);
+  if (!empty($_GET['_name']))
+    $create = $IMAP->create_mailbox(trim(get_input_value('_name', RCUBE_INPUT_GET)), TRUE);
 
-  if ($create && $_GET['_remote'])
+  if ($create && $REMOTE_REQUEST)
     {
     $commands = sprintf("this.add_folder_row('%s')", rep_specialchars_output($create, 'js'));
     rcube_remote_response($commands);
     }
-  else if (!$create && $_GET['_remote'])
+  else if (!$create && $REMOTE_REQUEST)
     {
     $commands = show_message('errorsaving', 'error');
     rcube_remote_response($commands);
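Review bot: `trim(get_input_value('_name', RCUBE_INPUT_GET))` strips tags from the folder name, so a name like `a <b` is silently created as `a ` with no error to the user; pass `TRUE` and let the `rep_specialchars_output(..., 'js')` on the `add_folder_row` line handle output. `$create` is also only assigned when `_name` is non-empty, so the `!$create` branch reads an undefined variable for an empty name; `$create = FALSE;` before the `if` makes the error path explicit. Creating a folder on a GET request is unchanged by this commit but is the kind of state-changing GET a later CSRF pass should cover.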
@@ -69,9 +69,9 @@
   if (strlen($_GET['_mboxes']))
     $deleted = $IMAP->delete_mailbox(array($_GET['_mboxes']));
 
-  if ($_GET['_remote'] && $deleted)
+  if ($REMOTE_REQUEST && $deleted)
     rcube_remote_response(sprintf("this.remove_folder_row('%s')", rep_specialchars_output($_GET['_mboxes'], 'js')));
-  else if ($_GET['_remote'])
+  else if ($REMOTE_REQUEST)
     {
     $commands = show_message('errorsaving', 'error');
     rcube_remote_response($commands);
diff --git a/program/steps/settings/save_identity.inc b/program/steps/settings/save_identity.inc
index 1bfbf48..f5780de 100644
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@@ -20,6 +20,7 @@
 */
 
 $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature');
+$a_html_cols = array('signature');
 
 
 // check input
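Review bot: Adding `signature` to `$a_html_cols` means the stored signature is no longer tag-stripped, and the helper's `strip_tags()` was the only filter applied to it; whatever renders the signature (the identity form, the compose body) must now HTML-escape or sanitise it, otherwise a pasted `<script>` lands in the user's own pages or raw HTML goes into outgoing mail. That rendering is outside this patch, so a comment here should state the contract: `// signature is stored with HTML intact: escape or sanitise it wherever it is rendered`. `in_array($col, $a_html_cols)` on the changed lines would also read better with `TRUE` as the strict flag.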
@@ -44,7 +45,7 @@
 
     $a_write_sql[] = sprintf("%s=%s",
                              $DB->quoteIdentifier($col),
-                             $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())));
+                             $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols))));
     }
 
   if (sizeof($a_write_sql))
@@ -99,7 +100,7 @@
       continue;
     
     $a_insert_cols[] = $DB->quoteIdentifier($col);
-    $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()));
+    $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols)));
     }
     
   if (sizeof($a_insert_cols))

--
Gitblit v1.9.1