From f5d61d845f8cfce4c7b559a900df846947e45b00 Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Wed, 21 Oct 2009 04:47:40 -0400
Subject: [PATCH] Revert r3038 and allow to specify the port as value of force_https

---
 index.php |   38 +++++++++++++++++++++++++++++---------
 1 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/index.php b/index.php
index e8111b1..e0956b4 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
 /*
  +-------------------------------------------------------------------------+
  | RoundCube Webmail IMAP Client                                           |
- | Version 0.3-20090419                                                    |
+ | Version 0.3-20090814                                                    |
  |                                                                         |
  | Copyright (C) 2005-2009, RoundCube Dev. - Switzerland                   |
  |                                                                         |
@@ -63,12 +63,19 @@
   raise_error(array('code' => hexdec($_GET['_code'])), FALSE, TRUE);
 }
 
+// check if https is required (for login) and redirect if necessary
+if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
+  $https_port = is_bool($force_https) ? 443 : $force_https;
+  if (!(isset($_SERVER['HTTPS']) || $_SERVER['SERVER_PORT'] == $use_https || $RCMAIL->config->get('use_https'))) {
+    header('Location: https://' . $_SERVER['HTTP_HOST'] . ($https_port != 443 ? ':' . $https_port : '') . $_SERVER['REQUEST_URI']);
+    exit;
+  }
+}
 
 // trigger startup plugin hook
 $startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
 $RCMAIL->set_task($startup['task']);
 $RCMAIL->action = $startup['action'];
-
 
 // try to log in
 if ($RCMAIL->action=='login' && $RCMAIL->task=='mail') {
@@ -78,13 +85,15 @@
   $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
     'host' => $RCMAIL->autoselect_host(),
     'user' => trim(get_input_value('_user', RCUBE_INPUT_POST)),
+    'cookiecheck' => true,
   )) + array('pass' => get_input_value('_pass', RCUBE_INPUT_POST, true, 'ISO-8859-1'));
 
   // check if client supports cookies
-  if (empty($_COOKIE)) {
+  if ($auth['cookiecheck'] && empty($_COOKIE)) {
     $OUTPUT->show_message("cookiesdisabled", 'warning');
   }
-  else if ($_SESSION['temp'] && !empty($auth['user']) && !empty($auth['host']) && isset($auth['pass']) && 
+  else if ($_SESSION['temp'] && !$auth['abort'] && !empty($auth['host']) &&
+            !empty($auth['user']) && isset($auth['pass']) && 
             $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'])) {
     // create new session ID
     rcube_sess_unset('temp');
@@ -122,9 +131,11 @@
 
 // end session
 else if ($RCMAIL->task=='logout' && isset($_SESSION['user_id'])) {
+  $userdata = array('user' => $_SESSION['username'], 'host' => $_SESSION['imap_host'], 'lang' => $RCMAIL->user->language);
   $OUTPUT->show_message('loggedout');
   $RCMAIL->logout_actions();
   $RCMAIL->kill_session();
+  $RCMAIL->plugins->exec_hook('logout_after', $userdata);
 }
 
 // check session and auth cookie
@@ -135,22 +146,30 @@
   }
 }
 
+// don't check for valid request tokens in these actions
+$request_check_whitelist = array('login'=>1, 'spell'=>1);
 
 // check client X-header to verify request origin
 if ($OUTPUT->ajax_call) {
-  if (!$RCMAIL->config->get('devel_mode') && !rc_request_header('X-RoundCube-Referer')) {
+  if (!$RCMAIL->config->get('devel_mode') && rc_request_header('X-RoundCube-Request') != $RCMAIL->get_request_token() && !empty($RCMAIL->user->ID)) {
     header('HTTP/1.1 404 Not Found');
     die("Invalid Request");
   }
 }
-
+// check request token in POST form submissions
+else if (!empty($_POST) && !$request_check_whitelist[$RCMAIL->action] && !$RCMAIL->check_request()) {
+  $OUTPUT->show_message('invalidrequest', 'error');
+  $OUTPUT->send($RCMAIL->task);
+}
 
 // not logged in -> show login page
 if (empty($RCMAIL->user->ID)) {
-  
   if ($OUTPUT->ajax_call)
     $OUTPUT->redirect(array(), 2000);
   
+  if (!empty($_REQUEST['_framed']))
+    $OUTPUT->command('redirect', '?');
+
   // check if installer is still active
   if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
     $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
@@ -212,7 +231,8 @@
 );
 
 // include task specific functions
-include_once 'program/steps/'.$RCMAIL->task.'/func.inc';
+if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/func.inc'))
+  include_once($incfile);
 
 // allow 5 "redirects" to another action
 $redirects = 0; $incstep = null;
@@ -226,7 +246,7 @@
     break;
   }
   // try to include the step file
-  else if (is_file(($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile))) {
+  else if (is_file($incfile = 'program/steps/'.$RCMAIL->task.'/'.$stepfile)) {
     include($incfile);
     $redirects++;
   }

--
Gitblit v1.9.1