Improved reading of POST and GET values

19 years ago · ea7c46b4f3
parent 8eba300088
commit ea7c46b4f3
11 changed files with 104 additions and 63 deletions
--- a/.htaccess
+++ b/.htaccess
@ -1,4 +1,4 @@
-AddDefaultCharset	UTF-8
+# AddDefaultCharset	UTF-8
 php_flag	display_errors	On
 php_value	upload_max_filesize	2m

--- a/index.php
+++ b/index.php
@ -82,23 +82,6 @@ require_once('PEAR.php');
 // PEAR::setErrorHandling(PEAR_ERROR_TRIGGER, E_USER_NOTICE);


-// strip magic quotes from Superglobals...
-if ((bool)get_magic_quotes_gpc())  // by "php Pest"
-  {
-  // Really EGPCSR - Environment $_ENV, GET $_GET , POST $_POST, Cookie $_COOKIE, Server $_SERVER
-  // and their HTTP_*_VARS cousins (separate arrays, not references) and $_REQUEST
-  $fnStripMagicQuotes = create_function(
-        '&$mData, $fnSelf',
-        'if (is_array($mData)) { foreach ($mData as $mKey=>$mValue) $fnSelf($mData[$mKey], $fnSelf); return; } '.
-        '$mData = stripslashes($mData);'
-  );
-  
-  // do each set of EGPCSR as you find necessary
-  $fnStripMagicQuotes($_POST, $fnStripMagicQuotes);
-  $fnStripMagicQuotes($_GET, $fnStripMagicQuotes);
-  }
-
-
 // catch some url/post parameters
 $_auth = !empty($_POST['_auth']) ? $_POST['_auth'] : $_GET['_auth'];
 $_task = !empty($_POST['_task']) ? $_POST['_task'] : (!empty($_GET['_task']) ? $_GET['_task'] : 'mail');
@ -144,7 +127,10 @@ if ($_action=='login' && $_task=='mail')
    {
    show_message("cookiesdisabled", 'warning');
    }
-  else if (isset($_POST['_user']) && isset($_POST['_pass']) && rcmail_login($_POST['_user'], $_POST['_pass'], $host))
+  else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
+           rcmail_login(get_input_value('_user', RCUBE_INPUT_POST),
+                        get_input_value('_pass', RCUBE_INPUT_POST),
+                        $host))
    {
    // send redirect
    header("Location: $COMM_PATH");
--- a/program/include/main.inc
+++ b/program/include/main.inc
@ -24,6 +24,12 @@ require_once('lib/utf7.inc');
 require_once('lib/utf8.class.php');


+// define constannts for input reading
+define('RCUBE_INPUT_GET', 0x0101);
+define('RCUBE_INPUT_POST', 0x0102);
+define('RCUBE_INPUT_GPC', 0x0103);
+
+
 // register session and connect to server
 function rcmail_startup($task='mail')
  {
@ -376,6 +382,8 @@ function rcmail_login($user, $pass, $host=NULL)
    $imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE;
    $imap_port = isset($a_host['port']) ? $a_host['port'] : ($imap_ssl ? 993 : $CONFIG['default_port']);
    }
+  else
+    $imap_port = $CONFIG['default_port'];

  // query if user already registered
  $sql_result = $DB->query("SELECT user_id, username, language, preferences
@ -897,6 +905,49 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
  }


+/**
+ * Read input value and convert it for internal use
+ * Performs stripslashes() and charset conversion if necessary
+ * 
+ * @param  string   Field name to read
+ * @param  int      Source to get value from (GPC)
+ * @param  boolean  Allow HTML tags in field value
+ * @param  string   Charset to convert into
+ * @return string   Field value or NULL if not available
+ */
+function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
+  {
+  global $OUTPUT;
+  $value = NULL;
+  
+  if ($source==RCUBE_INPUT_GET && isset($_GET[$fname]))
+    $value = $_GET[$fname];
+  else if ($source==RCUBE_INPUT_POST && isset($_POST[$fname]))
+    $value = $_POST[$fname];
+  else if ($source==RCUBE_INPUT_GPC)
+    {
+    if (isset($_GET[$fname]))
+      $value = $_GET[$fname];
+    else if (isset($_POST[$fname]))
+      $value = $_POST[$fname];
+    else if (isset($_COOKIE[$fname]))
+      $value = $_COOKIE[$fname];
+    }
+  
+  // strip slashes if magic_quotes enabled
+  if ((bool)get_magic_quotes_gpc())
+    $value = stripslashes($value);
+
+  // remove HTML tags if not allowed    
+  if (!$allow_html)
+    $value = strip_tags($value);
+  
+  // convert to internal charset
+  return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset);
+  }
+
+
+

 // ************** template parsing and gui functions **************

@ -1482,7 +1533,7 @@ function rcmail_login_form($attrib)
  $input_action = new hiddenfield(array('name' => '_action', 'value' => 'login'));
    
  $fields = array();
-  $fields['user'] = $input_user->show($_POST['_user']);
+  $fields['user'] = $input_user->show(get_input_value('_user', RCUBE_INPUT_POST));
  $fields['pass'] = $input_pass->show();
  $fields['action'] = $input_action->show();
  
--- a/program/include/rcube_shared.inc
+++ b/program/include/rcube_shared.inc
@ -108,7 +108,7 @@ class rcube_html_page
  
    // set default page title
    if (!strlen($this->title))
-      $this->title = 'RoundCube|Mail';
+      $this->title = 'RoundCube Mail';
  
    // replace specialchars in content
    $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE);
@ -117,7 +117,10 @@ class rcube_html_page
    
    // include meta tag with charset
    if (!empty($this->charset))
-      $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";;
+      {
+      header('Content-Type: text/html; charset='.$this->charset);
+      $__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";
+      }
  
  
    // definition of the code to be placed in the document header and footer
--- a/program/steps/addressbook/ldapsearchform.inc
+++ b/program/steps/addressbook/ldapsearchform.inc
@ -255,7 +255,7 @@ function get_form_tags($attrib)
    $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task']));
    $hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch'));
    
-    if ($_GET['_framed'] || $_POST['_framed'])
+    if ($_framed)
      $hiddenfields->add(array('name' => '_framed', 'value' => 1));
    
    $form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : '';
--- a/program/steps/addressbook/save.inc
+++ b/program/steps/addressbook/save.inc
@ -23,7 +23,7 @@
 if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed']))
  {
  show_message('formincomplete', 'warning');
-  rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add');
+  rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
  return;
  }

@ -32,7 +32,7 @@ $a_save_cols = array('name', 'firstname', 'surname', 'email');
 $contacts_table = get_table_name('contacts');

 // update an existing contact
-if ($_POST['_cid'])
+if (!empty($_POST['_cid']))
  {
  $a_write_sql = array();

@ -44,7 +44,7 @@ if ($_POST['_cid'])
    
    $a_write_sql[] = sprintf("%s=%s",
                             $DB->quoteIdentifier($col),
-                             $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())));
+                             $DB->quote(get_input_value($fname, RCUBE_INPUT_POST)));
    }

  if (sizeof($a_write_sql))
@ -65,7 +65,7 @@ if ($_POST['_cid'])
    $_action = 'show';
    show_message('successfullysaved', 'confirmation');    
    
-    if ($_POST['_framed'])
+    if ($_framed)
      {
      // define list of cols to be displayed
      $a_show_cols = array('name', 'email');
@ -115,20 +115,20 @@ else
  if (isset($_GET['_emails']) && isset($_GET['_names']))
    {
    $sql   .= "AND email IN (";
-    $emails = explode(',', $_GET['_emails']);
-    $names  = explode(',', $_GET['_names']);
+    $emails = explode(',', get_input_value('_emails', RCUBE_INPUT_GET));
+    $names  = explode(',', get_input_value('_names', RCUBE_INPUT_GET));
    $count  = count($emails);
    $n = 0;
    foreach ($emails as $email)
      {
      $end  = (++$n == $count) ? '' : ',';
-      $sql .= $DB->quote(strip_tags($email)) . $end;
+      $sql .= $DB->quote($email) . $end;
      }
    $sql .= ")";
    $ldap_form = true; 
    }
  else if (isset($_POST['_email'])) 
-    $sql  .= "AND email = " . $DB->quote(strip_tags($_POST['_email']));
+    $sql  .= "AND email = " . $DB->quote(get_input_value('_email', RCUBE_INPUT_POST));

  $sql_result = $DB->query($sql);

@ -151,9 +151,9 @@ else
    foreach ($emails as $email) 
      {
      $DB->query("INSERT INTO $contacts_table 
-                 (user_id, name, email)
-                 VALUES ({$_SESSION['user_id']}," . $DB->quote(strip_tags($names[$n++])) . "," . 
-                                      $DB->quote(strip_tags($email)) . ")");
+                 (user_id, name, email
+                 VALUES ({$_SESSION['user_id']}," . $DB->quote($names[$n++]) . "," . 
+                                      $DB->quote($email) . ")");
      $insert_id[] = $DB->insert_id();
      }
    }
@ -166,7 +166,7 @@ else
        continue;
    
      $a_insert_cols[] = $col;
-      $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()));
+      $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST));
      }
    
    if (sizeof($a_insert_cols))
@ -187,7 +187,7 @@ else
      $_action = 'show';
      $_GET['_cid'] = $insert_id;

-      if ($_POST['_framed'])
+      if ($_framed)
        {
        // add contact row or jump to the page where it should appear
        $commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME);
--- a/program/steps/mail/addcontact.inc
+++ b/program/steps/mail/addcontact.inc
@ -21,9 +21,9 @@

 $REMOTE_REQUEST = TRUE;

-if ($_GET['_address'])
+if (!empty($_GET['_address']))
  {
-  $contact_arr = $IMAP->decode_address_list($_GET['_address']);
+  $contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_GET));
  if (sizeof($contact_arr))
    {
    $contact = $contact_arr[1];
--- a/program/steps/mail/compose.inc
+++ b/program/steps/mail/compose.inc
@ -142,7 +142,7 @@ function rcmail_compose_headers($attrib)

    
  if ($fname && !empty($_POST[$fname]))
-    $fvalue = $_POST[$fname];
+    $fvalue = get_input_value($fname, RCUBE_INPUT_POST);
  else if ($header && is_object($REPLY_MESSAGE['headers']))
    {
    // get recipent address(es) out of the message headers
@ -309,7 +309,7 @@ function rcmail_compose_body($attrib)
  
  // use posted message body
  if (!empty($_POST['_message']))
-    $body = stripslashes($_POST['_message']);
+    $body = get_input_value('_message', RCUBE_INPUT_POST, TRUE);
    
  // compose reply-body
  else if (is_array($REPLY_MESSAGE['parts']))
@ -433,7 +433,7 @@ function rcmail_compose_subject($attrib)

  // use subject from post
  if (isset($_POST['_subject']))
-    $subject = stripslashes($_POST['_subject']);
+    $subject = get_input_value('_subject', RCUBE_INPUT_POST);
    
  // create a reply-subject
  else if (isset($REPLY_MESSAGE['subject']))
--- a/program/steps/mail/sendmail.inc
+++ b/program/steps/mail/sendmail.inc
@ -83,7 +83,7 @@ $mailto_regexp = array('/[,;]\s*[\r\n]+/', '/[\r\n]+/', '/[,;]\s*$/m');
 $mailto_replace = array(', ', ', ', '');

 // repalce new lines and strip ending ', '
-$mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to']));
+$mailto = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_to', RCUBE_INPUT_POST, TRUE, $message_charset));

 // decode address strings
 $to_address_arr = $IMAP->decode_address_list($mailto);
@ -104,22 +104,22 @@ $headers = array('Date' => date('D, j M Y G:i:s O'),
                 'To'   => rcube_charset_convert($mailto, $input_charset, $message_charset));

 // additional recipients
-if ($_POST['_cc'])
-  $headers['Cc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc'])), $input_charset, $message_charset);
+if (!empty($_POST['_cc']))
+  $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_cc', RCUBE_INPUT_POST, TRUE, $message_charset));

-if ($_POST['_bcc'])
-  $headers['Bcc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc'])), $input_charset, $message_charset);
+if (!empty($_POST['_bcc']))
+  $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_bcc', RCUBE_INPUT_POST, TRUE, $message_charset));
  
-if (strlen($identity_arr['bcc']))
+if (!empty($identity_arr['bcc']))
  $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc'];

 // add subject
-$headers['Subject'] = rcube_charset_convert(trim($_POST['_subject']), $input_charset, $message_charset);
+$headers['Subject'] = trim(get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset));

-if (strlen($identity_arr['organization']))
+if (!empty($identity_arr['organization']))
  $headers['Organization'] = $identity_arr['organization'];

-if (strlen($identity_arr['reply-to']))
+if (!empty($identity_arr['reply-to']))
  $headers['Reply-To'] = $identity_arr['reply-to'];

 if (!empty($_SESSION['compose']['reply_msgid']))
@ -128,7 +128,7 @@ if (!empty($_SESSION['compose']['reply_msgid']))
 if (!empty($_SESSION['compose']['references']))
  $headers['References'] = $_SESSION['compose']['references'];

-if ($_POST['_priority'])
+if (!empty($_POST['_priority']))
  {
  $priority = (int)$_POST['_priority'];
  $a_priorities = array(1=>'lowest', 2=>'low', 4=>'high', 5=>'highest');
@ -141,11 +141,11 @@ if ($_POST['_priority'])
 $headers['Message-ID'] = $message_id;
 $headers['X-Sender'] = $from;

-if ($CONFIG['useragent'])
+if (!empty($CONFIG['useragent']))
  $headers['User-Agent'] = $CONFIG['useragent'];

 // fetch message body
-$message_body = rcube_charset_convert($_POST['_message'], $input_charset, $message_charset);
+$message_body = get_input_value('_message', RCUBE_INPUT_POST, TRUE, $message_charset);

 // append generic footer to all messages
 if (!empty($CONFIG['generic_message_footer']))
--- a/program/steps/settings/manage_folders.inc
+++ b/program/steps/settings/manage_folders.inc
@ -29,7 +29,7 @@ if ($_action=='subscribe')
  if (strlen($_GET['_mboxes']))
    $IMAP->subscribe(array($_GET['_mboxes']));

-  if ($_GET['_remote'])
+  if ($REMOTE_REQUEST)
    rcube_remote_response('// subscribed');
  }

@ -39,22 +39,22 @@ else if ($_action=='unsubscribe')
  if (strlen($_GET['_mboxes']))
    $IMAP->unsubscribe(array($_GET['_mboxes']));

-  if ($_GET['_remote'])
+  if ($REMOTE_REQUEST)
    rcube_remote_response('// unsubscribed');
  }

 // create a new mailbox
 else if ($_action=='create-folder')
  {
-  if (strlen($_GET['_name']))
-    $create = $IMAP->create_mailbox(rcube_charset_convert(strip_tags(trim($_GET['_name'])), $OUTPUT->get_charset()), TRUE);
+  if (!empty($_GET['_name']))
+    $create = $IMAP->create_mailbox(trim(get_input_value('_name', RCUBE_INPUT_GET)), TRUE);

-  if ($create && $_GET['_remote'])
+  if ($create && $REMOTE_REQUEST)
    {
    $commands = sprintf("this.add_folder_row('%s')", rep_specialchars_output($create, 'js'));
    rcube_remote_response($commands);
    }
-  else if (!$create && $_GET['_remote'])
+  else if (!$create && $REMOTE_REQUEST)
    {
    $commands = show_message('errorsaving', 'error');
    rcube_remote_response($commands);
@ -69,9 +69,9 @@ else if ($_action=='delete-folder')
  if (strlen($_GET['_mboxes']))
    $deleted = $IMAP->delete_mailbox(array($_GET['_mboxes']));

-  if ($_GET['_remote'] && $deleted)
+  if ($REMOTE_REQUEST && $deleted)
    rcube_remote_response(sprintf("this.remove_folder_row('%s')", rep_specialchars_output($_GET['_mboxes'], 'js')));
-  else if ($_GET['_remote'])
+  else if ($REMOTE_REQUEST)
    {
    $commands = show_message('errorsaving', 'error');
    rcube_remote_response($commands);
--- a/program/steps/settings/save_identity.inc
+++ b/program/steps/settings/save_identity.inc
@ -20,6 +20,7 @@
 */

 $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature');
+$a_html_cols = array('signature');


 // check input
@ -44,7 +45,7 @@ if ($_POST['_iid'])

    $a_write_sql[] = sprintf("%s=%s",
                             $DB->quoteIdentifier($col),
-                             $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())));
+                             $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols))));
    }

  if (sizeof($a_write_sql))
@ -99,7 +100,7 @@ else
      continue;
    
    $a_insert_cols[] = $DB->quoteIdentifier($col);
-    $a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()));
+    $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols)));
    }
    
  if (sizeof($a_insert_cols))