Improved reading of POST and GET values

release-0.6
thomascube 19 years ago
parent 8eba300088
commit ea7c46b4f3

@ -1,4 +1,4 @@
AddDefaultCharset UTF-8 # AddDefaultCharset UTF-8
php_flag display_errors On php_flag display_errors On
php_value upload_max_filesize 2m php_value upload_max_filesize 2m

@ -82,23 +82,6 @@ require_once('PEAR.php');
// PEAR::setErrorHandling(PEAR_ERROR_TRIGGER, E_USER_NOTICE); // PEAR::setErrorHandling(PEAR_ERROR_TRIGGER, E_USER_NOTICE);
// strip magic quotes from Superglobals...
if ((bool)get_magic_quotes_gpc()) // by "php Pest"
{
// Really EGPCSR - Environment $_ENV, GET $_GET , POST $_POST, Cookie $_COOKIE, Server $_SERVER
// and their HTTP_*_VARS cousins (separate arrays, not references) and $_REQUEST
$fnStripMagicQuotes = create_function(
'&$mData, $fnSelf',
'if (is_array($mData)) { foreach ($mData as $mKey=>$mValue) $fnSelf($mData[$mKey], $fnSelf); return; } '.
'$mData = stripslashes($mData);'
);
// do each set of EGPCSR as you find necessary
$fnStripMagicQuotes($_POST, $fnStripMagicQuotes);
$fnStripMagicQuotes($_GET, $fnStripMagicQuotes);
}
// catch some url/post parameters // catch some url/post parameters
$_auth = !empty($_POST['_auth']) ? $_POST['_auth'] : $_GET['_auth']; $_auth = !empty($_POST['_auth']) ? $_POST['_auth'] : $_GET['_auth'];
$_task = !empty($_POST['_task']) ? $_POST['_task'] : (!empty($_GET['_task']) ? $_GET['_task'] : 'mail'); $_task = !empty($_POST['_task']) ? $_POST['_task'] : (!empty($_GET['_task']) ? $_GET['_task'] : 'mail');
@ -144,7 +127,10 @@ if ($_action=='login' && $_task=='mail')
{ {
show_message("cookiesdisabled", 'warning'); show_message("cookiesdisabled", 'warning');
} }
else if (isset($_POST['_user']) && isset($_POST['_pass']) && rcmail_login($_POST['_user'], $_POST['_pass'], $host)) else if (isset($_POST['_user']) && isset($_POST['_pass']) &&
rcmail_login(get_input_value('_user', RCUBE_INPUT_POST),
get_input_value('_pass', RCUBE_INPUT_POST),
$host))
{ {
// send redirect // send redirect
header("Location: $COMM_PATH"); header("Location: $COMM_PATH");
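Review bot: The password in the new login condition goes through get_input_value() with the default allow_html=FALSE, so strip_tags() runs on it and a password containing `<` is silently truncated (for example `a<b` becomes `a`) before rcmail_login() ever sees it, producing a spurious login failure; the charset conversion at the end of get_input_value() can alter the bytes of a non-ASCII password as well. Pass `TRUE` for the third argument, `get_input_value('_pass', RCUBE_INPUT_POST, TRUE)`, or read the credential raw, since it is never rendered and must not be filtered. Two hunks up, `$_auth` and `$_task` are still read straight from $_POST/$_GET while the global magic-quotes stripping above them is removed by this commit, so with magic_quotes_gpc on they now keep their backslashes and `$_GET['_auth']` raises a notice when absent. The if/else chain around the login check starts and ends outside the hunk.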

@ -24,6 +24,12 @@ require_once('lib/utf7.inc');
require_once('lib/utf8.class.php'); require_once('lib/utf8.class.php');
// define constannts for input reading
define('RCUBE_INPUT_GET', 0x0101);
define('RCUBE_INPUT_POST', 0x0102);
define('RCUBE_INPUT_GPC', 0x0103);
// register session and connect to server // register session and connect to server
function rcmail_startup($task='mail') function rcmail_startup($task='mail')
{ {
@ -376,6 +382,8 @@ function rcmail_login($user, $pass, $host=NULL)
$imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE; $imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE;
$imap_port = isset($a_host['port']) ? $a_host['port'] : ($imap_ssl ? 993 : $CONFIG['default_port']); $imap_port = isset($a_host['port']) ? $a_host['port'] : ($imap_ssl ? 993 : $CONFIG['default_port']);
} }
else
$imap_port = $CONFIG['default_port'];
// query if user already registered // query if user already registered
$sql_result = $DB->query("SELECT user_id, username, language, preferences $sql_result = $DB->query("SELECT user_id, username, language, preferences
@ -897,6 +905,49 @@ function rep_specialchars_output($str, $enctype='', $mode='', $newlines=TRUE)
} }
/**
* Read input value and convert it for internal use
* Performs stripslashes() and charset conversion if necessary
*
* @param string Field name to read
* @param int Source to get value from (GPC)
* @param boolean Allow HTML tags in field value
* @param string Charset to convert into
* @return string Field value or NULL if not available
*/
function get_input_value($fname, $source, $allow_html=FALSE, $charset=NULL)
{
global $OUTPUT;
$value = NULL;
if ($source==RCUBE_INPUT_GET && isset($_GET[$fname]))
$value = $_GET[$fname];
else if ($source==RCUBE_INPUT_POST && isset($_POST[$fname]))
$value = $_POST[$fname];
else if ($source==RCUBE_INPUT_GPC)
{
if (isset($_GET[$fname]))
$value = $_GET[$fname];
else if (isset($_POST[$fname]))
$value = $_POST[$fname];
else if (isset($_COOKIE[$fname]))
$value = $_COOKIE[$fname];
}
// strip slashes if magic_quotes enabled
if ((bool)get_magic_quotes_gpc())
$value = stripslashes($value);
// remove HTML tags if not allowed
if (!$allow_html)
$value = strip_tags($value);
// convert to internal charset
return rcube_charset_convert($value, $OUTPUT->get_charset(), $charset);
}
// ************** template parsing and gui functions ************** // ************** template parsing and gui functions **************
@ -1482,7 +1533,7 @@ function rcmail_login_form($attrib)
$input_action = new hiddenfield(array('name' => '_action', 'value' => 'login')); $input_action = new hiddenfield(array('name' => '_action', 'value' => 'login'));
$fields = array(); $fields = array();
$fields['user'] = $input_user->show($_POST['_user']); $fields['user'] = $input_user->show(get_input_value('_user', RCUBE_INPUT_POST));
$fields['pass'] = $input_pass->show(); $fields['pass'] = $input_pass->show();
$fields['action'] = $input_action->show(); $fields['action'] = $input_action->show();
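Review bot: get_input_value() does not return the NULL its docblock promises when the field is absent: `$value` starts as NULL, but with magic_quotes_gpc on or allow_html=FALSE (the default) stripslashes()/strip_tags() turn it into '' before the return, so callers cannot tell missing from empty, and an array-valued field (`name[]`) reaches those calls as an array, which emits a warning and drops the data. Add an early exit after the lookup, `if ($value === NULL) return NULL;`, and either reject arrays or recurse into them. Note also that RCUBE_INPUT_GPC falls through to $_COOKIE, so a parameter a caller expects from the query string or form can be supplied by a cookie; callers that depend on the source should keep passing RCUBE_INPUT_GET or RCUBE_INPUT_POST. strip_tags() is an input filter, not an output escape, so values returned with allow_html=FALSE still need rep_specialchars_output() when written into HTML or JS, as rcmail_login_form() in the last hunk appears to rely on hiddenfield/show() to do.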

@ -108,7 +108,7 @@ class rcube_html_page
// set default page title // set default page title
if (!strlen($this->title)) if (!strlen($this->title))
$this->title = 'RoundCube|Mail'; $this->title = 'RoundCube Mail';
// replace specialchars in content // replace specialchars in content
$__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE); $__page_title = rep_specialchars_output($this->title, 'html', 'show', FALSE);
@ -117,7 +117,10 @@ class rcube_html_page
// include meta tag with charset // include meta tag with charset
if (!empty($this->charset)) if (!empty($this->charset))
$__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";; {
header('Content-Type: text/html; charset='.$this->charset);
$__page_header = '<meta http-equiv="content-type" content="text/html; charset='.$this->charset.'" />'."\n";
}
// definition of the code to be placed in the document header and footer // definition of the code to be placed in the document header and footer

@ -255,7 +255,7 @@ function get_form_tags($attrib)
$hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task'])); $hiddenfields = new hiddenfield(array('name' => '_task', 'value' => $GLOBALS['_task']));
$hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch')); $hiddenfields->add(array('name' => '_action', 'value' => 'ldappublicsearch'));
if ($_GET['_framed'] || $_POST['_framed']) if ($_framed)
$hiddenfields->add(array('name' => '_framed', 'value' => 1)); $hiddenfields->add(array('name' => '_framed', 'value' => 1));
$form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : ''; $form_start .= !strlen($attrib['form']) ? '<form name="form" action="./" method="post">' : '';
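Review bot: `$_framed` on the changed line is a plain local inside get_form_tags(), and this hunk shows no `global $_framed` declaration, so unless one exists above the hunk the condition is always false and the hidden `_framed` field is never emitted, unlike the old `$_GET['_framed'] || $_POST['_framed']` check. The line above reads the task through `$GLOBALS['_task']`; do the same here, `if (!empty($GLOBALS['_framed']))`, or add `global $_framed;` at the top of the function. The function's head and tail lie outside the hunk.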

@ -23,7 +23,7 @@
if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed'])) if ((empty($_POST['_name']) || empty($_POST['_email'])) && empty($_GET['_framed']))
{ {
show_message('formincomplete', 'warning'); show_message('formincomplete', 'warning');
rcmail_overwrite_action($_POST['_cid'] ? 'show' : 'add'); rcmail_overwrite_action(empty($_POST['_cid']) ? 'add' : 'show');
return; return;
} }
@ -32,7 +32,7 @@ $a_save_cols = array('name', 'firstname', 'surname', 'email');
$contacts_table = get_table_name('contacts'); $contacts_table = get_table_name('contacts');
// update an existing contact // update an existing contact
if ($_POST['_cid']) if (!empty($_POST['_cid']))
{ {
$a_write_sql = array(); $a_write_sql = array();
@ -44,7 +44,7 @@ if ($_POST['_cid'])
$a_write_sql[] = sprintf("%s=%s", $a_write_sql[] = sprintf("%s=%s",
$DB->quoteIdentifier($col), $DB->quoteIdentifier($col),
$DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()))); $DB->quote(get_input_value($fname, RCUBE_INPUT_POST)));
} }
if (sizeof($a_write_sql)) if (sizeof($a_write_sql))
@ -65,7 +65,7 @@ if ($_POST['_cid'])
$_action = 'show'; $_action = 'show';
show_message('successfullysaved', 'confirmation'); show_message('successfullysaved', 'confirmation');
if ($_POST['_framed']) if ($_framed)
{ {
// define list of cols to be displayed // define list of cols to be displayed
$a_show_cols = array('name', 'email'); $a_show_cols = array('name', 'email');
@ -115,20 +115,20 @@ else
if (isset($_GET['_emails']) && isset($_GET['_names'])) if (isset($_GET['_emails']) && isset($_GET['_names']))
{ {
$sql .= "AND email IN ("; $sql .= "AND email IN (";
$emails = explode(',', $_GET['_emails']); $emails = explode(',', get_input_value('_emails', RCUBE_INPUT_GET));
$names = explode(',', $_GET['_names']); $names = explode(',', get_input_value('_names', RCUBE_INPUT_GET));
$count = count($emails); $count = count($emails);
$n = 0; $n = 0;
foreach ($emails as $email) foreach ($emails as $email)
{ {
$end = (++$n == $count) ? '' : ','; $end = (++$n == $count) ? '' : ',';
$sql .= $DB->quote(strip_tags($email)) . $end; $sql .= $DB->quote($email) . $end;
} }
$sql .= ")"; $sql .= ")";
$ldap_form = true; $ldap_form = true;
} }
else if (isset($_POST['_email'])) else if (isset($_POST['_email']))
$sql .= "AND email = " . $DB->quote(strip_tags($_POST['_email'])); $sql .= "AND email = " . $DB->quote(get_input_value('_email', RCUBE_INPUT_POST));
$sql_result = $DB->query($sql); $sql_result = $DB->query($sql);
@ -151,9 +151,9 @@ else
foreach ($emails as $email) foreach ($emails as $email)
{ {
$DB->query("INSERT INTO $contacts_table $DB->query("INSERT INTO $contacts_table
(user_id, name, email) (user_id, name, email
VALUES ({$_SESSION['user_id']}," . $DB->quote(strip_tags($names[$n++])) . "," . VALUES ({$_SESSION['user_id']}," . $DB->quote($names[$n++]) . "," .
$DB->quote(strip_tags($email)) . ")"); $DB->quote($email) . ")");
$insert_id[] = $DB->insert_id(); $insert_id[] = $DB->insert_id();
} }
} }
@ -166,7 +166,7 @@ else
continue; continue;
$a_insert_cols[] = $col; $a_insert_cols[] = $col;
$a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())); $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST));
} }
if (sizeof($a_insert_cols)) if (sizeof($a_insert_cols))
@ -187,7 +187,7 @@ else
$_action = 'show'; $_action = 'show';
$_GET['_cid'] = $insert_id; $_GET['_cid'] = $insert_id;
if ($_POST['_framed']) if ($_framed)
{ {
// add contact row or jump to the page where it should appear // add contact row or jump to the page where it should appear
$commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME); $commands = sprintf("if(parent.%s)parent.", $JS_OBJECT_NAME);
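Review bot: As rendered here, the new side of the INSERT in the fourth hunk (`(user_id, name, email` directly followed by `VALUES`) has lost the closing parenthesis of the column list that the old side had, which would make every multi-address insert fail with a SQL syntax error; if that is not a rendering artefact the line should read `(user_id, name, email)`. The first hunk still tests `empty($_GET['_framed'])` while the later hunks in this file switch to `$_framed`, so the two framed checks can disagree for a POSTed form; use one source for both. In the same INSERT loop, `$names` comes from a separate explode() of `_names`, so when it has fewer elements than `$emails`, `$names[$n++]` reads an undefined offset and stores an empty name.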

@ -21,9 +21,9 @@
$REMOTE_REQUEST = TRUE; $REMOTE_REQUEST = TRUE;
if ($_GET['_address']) if (!empty($_GET['_address']))
{ {
$contact_arr = $IMAP->decode_address_list($_GET['_address']); $contact_arr = $IMAP->decode_address_list(get_input_value('_address', RCUBE_INPUT_GET));
if (sizeof($contact_arr)) if (sizeof($contact_arr))
{ {
$contact = $contact_arr[1]; $contact = $contact_arr[1];

@ -142,7 +142,7 @@ function rcmail_compose_headers($attrib)
if ($fname && !empty($_POST[$fname])) if ($fname && !empty($_POST[$fname]))
$fvalue = $_POST[$fname]; $fvalue = get_input_value($fname, RCUBE_INPUT_POST);
else if ($header && is_object($REPLY_MESSAGE['headers'])) else if ($header && is_object($REPLY_MESSAGE['headers']))
{ {
// get recipent address(es) out of the message headers // get recipent address(es) out of the message headers
@ -309,7 +309,7 @@ function rcmail_compose_body($attrib)
// use posted message body // use posted message body
if (!empty($_POST['_message'])) if (!empty($_POST['_message']))
$body = stripslashes($_POST['_message']); $body = get_input_value('_message', RCUBE_INPUT_POST, TRUE);
// compose reply-body // compose reply-body
else if (is_array($REPLY_MESSAGE['parts'])) else if (is_array($REPLY_MESSAGE['parts']))
@ -433,7 +433,7 @@ function rcmail_compose_subject($attrib)
// use subject from post // use subject from post
if (isset($_POST['_subject'])) if (isset($_POST['_subject']))
$subject = stripslashes($_POST['_subject']); $subject = get_input_value('_subject', RCUBE_INPUT_POST);
// create a reply-subject // create a reply-subject
else if (isset($REPLY_MESSAGE['subject'])) else if (isset($REPLY_MESSAGE['subject']))
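Review bot: `_message` is now read with allow_html=TRUE, so `$body` keeps any tags the user posted; the hunk does not show where `$body` is written into the compose form, so confirm it passes through rep_specialchars_output() (or an equivalent escape for the textarea) before output, since otherwise a re-posted body is reflected unescaped. The same applies to `$fvalue` in the first hunk, which is read with the default strip_tags() filtering that is not an HTML escape. rcmail_compose_headers(), rcmail_compose_body() and rcmail_compose_subject() all continue outside their hunks.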

@ -83,7 +83,7 @@ $mailto_regexp = array('/[,;]\s*[\r\n]+/', '/[\r\n]+/', '/[,;]\s*$/m');
$mailto_replace = array(', ', ', ', ''); $mailto_replace = array(', ', ', ', '');
// repalce new lines and strip ending ', ' // repalce new lines and strip ending ', '
$mailto = preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_to'])); $mailto = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_to', RCUBE_INPUT_POST, TRUE, $message_charset));
// decode address strings // decode address strings
$to_address_arr = $IMAP->decode_address_list($mailto); $to_address_arr = $IMAP->decode_address_list($mailto);
@ -104,22 +104,22 @@ $headers = array('Date' => date('D, j M Y G:i:s O'),
'To' => rcube_charset_convert($mailto, $input_charset, $message_charset)); 'To' => rcube_charset_convert($mailto, $input_charset, $message_charset));
// additional recipients // additional recipients
if ($_POST['_cc']) if (!empty($_POST['_cc']))
$headers['Cc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_cc'])), $input_charset, $message_charset); $headers['Cc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_cc', RCUBE_INPUT_POST, TRUE, $message_charset));
if ($_POST['_bcc']) if (!empty($_POST['_bcc']))
$headers['Bcc'] = rcube_charset_convert(preg_replace($mailto_regexp, $mailto_replace, stripslashes($_POST['_bcc'])), $input_charset, $message_charset); $headers['Bcc'] = preg_replace($mailto_regexp, $mailto_replace, get_input_value('_bcc', RCUBE_INPUT_POST, TRUE, $message_charset));
if (strlen($identity_arr['bcc'])) if (!empty($identity_arr['bcc']))
$headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc']; $headers['Bcc'] = ($headers['Bcc'] ? $headers['Bcc'].', ' : '') . $identity_arr['bcc'];
// add subject // add subject
$headers['Subject'] = rcube_charset_convert(trim($_POST['_subject']), $input_charset, $message_charset); $headers['Subject'] = trim(get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset));
if (strlen($identity_arr['organization'])) if (!empty($identity_arr['organization']))
$headers['Organization'] = $identity_arr['organization']; $headers['Organization'] = $identity_arr['organization'];
if (strlen($identity_arr['reply-to'])) if (!empty($identity_arr['reply-to']))
$headers['Reply-To'] = $identity_arr['reply-to']; $headers['Reply-To'] = $identity_arr['reply-to'];
if (!empty($_SESSION['compose']['reply_msgid'])) if (!empty($_SESSION['compose']['reply_msgid']))
@ -128,7 +128,7 @@ if (!empty($_SESSION['compose']['reply_msgid']))
if (!empty($_SESSION['compose']['references'])) if (!empty($_SESSION['compose']['references']))
$headers['References'] = $_SESSION['compose']['references']; $headers['References'] = $_SESSION['compose']['references'];
if ($_POST['_priority']) if (!empty($_POST['_priority']))
{ {
$priority = (int)$_POST['_priority']; $priority = (int)$_POST['_priority'];
$a_priorities = array(1=>'lowest', 2=>'low', 4=>'high', 5=>'highest'); $a_priorities = array(1=>'lowest', 2=>'low', 4=>'high', 5=>'highest');
@ -141,11 +141,11 @@ if ($_POST['_priority'])
$headers['Message-ID'] = $message_id; $headers['Message-ID'] = $message_id;
$headers['X-Sender'] = $from; $headers['X-Sender'] = $from;
if ($CONFIG['useragent']) if (!empty($CONFIG['useragent']))
$headers['User-Agent'] = $CONFIG['useragent']; $headers['User-Agent'] = $CONFIG['useragent'];
// fetch message body // fetch message body
$message_body = rcube_charset_convert($_POST['_message'], $input_charset, $message_charset); $message_body = get_input_value('_message', RCUBE_INPUT_POST, TRUE, $message_charset);
// append generic footer to all messages // append generic footer to all messages
if (!empty($CONFIG['generic_message_footer'])) if (!empty($CONFIG['generic_message_footer']))
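Review bot: The subject on the new side is only trim()med, and trim() does not remove embedded CR or LF, so a subject containing a line break is placed into `$headers['Subject']` intact; unless the MIME layer below encodes or rejects such values, that lets additional headers be appended from the form, whereas the `_to`/`_cc`/`_bcc` fields are already normalised by `$mailto_regexp`. Normalise it the same way, e.g. `$headers['Subject'] = trim(preg_replace('/[\r\n]+/', ' ', get_input_value('_subject', RCUBE_INPUT_POST, FALSE, $message_charset)));`. Note also that allow_html=FALSE runs strip_tags() on the subject, so a plain-text subject such as `a <b` is truncated to `a`; if the subject is escaped wherever it is later displayed, reading it with allow_html=TRUE avoids that data loss.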

@ -29,7 +29,7 @@ if ($_action=='subscribe')
if (strlen($_GET['_mboxes'])) if (strlen($_GET['_mboxes']))
$IMAP->subscribe(array($_GET['_mboxes'])); $IMAP->subscribe(array($_GET['_mboxes']));
if ($_GET['_remote']) if ($REMOTE_REQUEST)
rcube_remote_response('// subscribed'); rcube_remote_response('// subscribed');
} }
@ -39,22 +39,22 @@ else if ($_action=='unsubscribe')
if (strlen($_GET['_mboxes'])) if (strlen($_GET['_mboxes']))
$IMAP->unsubscribe(array($_GET['_mboxes'])); $IMAP->unsubscribe(array($_GET['_mboxes']));
if ($_GET['_remote']) if ($REMOTE_REQUEST)
rcube_remote_response('// unsubscribed'); rcube_remote_response('// unsubscribed');
} }
// create a new mailbox // create a new mailbox
else if ($_action=='create-folder') else if ($_action=='create-folder')
{ {
if (strlen($_GET['_name'])) if (!empty($_GET['_name']))
$create = $IMAP->create_mailbox(rcube_charset_convert(strip_tags(trim($_GET['_name'])), $OUTPUT->get_charset()), TRUE); $create = $IMAP->create_mailbox(trim(get_input_value('_name', RCUBE_INPUT_GET)), TRUE);
if ($create && $_GET['_remote']) if ($create && $REMOTE_REQUEST)
{ {
$commands = sprintf("this.add_folder_row('%s')", rep_specialchars_output($create, 'js')); $commands = sprintf("this.add_folder_row('%s')", rep_specialchars_output($create, 'js'));
rcube_remote_response($commands); rcube_remote_response($commands);
} }
else if (!$create && $_GET['_remote']) else if (!$create && $REMOTE_REQUEST)
{ {
$commands = show_message('errorsaving', 'error'); $commands = show_message('errorsaving', 'error');
rcube_remote_response($commands); rcube_remote_response($commands);
@ -69,9 +69,9 @@ else if ($_action=='delete-folder')
if (strlen($_GET['_mboxes'])) if (strlen($_GET['_mboxes']))
$deleted = $IMAP->delete_mailbox(array($_GET['_mboxes'])); $deleted = $IMAP->delete_mailbox(array($_GET['_mboxes']));
if ($_GET['_remote'] && $deleted) if ($REMOTE_REQUEST && $deleted)
rcube_remote_response(sprintf("this.remove_folder_row('%s')", rep_specialchars_output($_GET['_mboxes'], 'js'))); rcube_remote_response(sprintf("this.remove_folder_row('%s')", rep_specialchars_output($_GET['_mboxes'], 'js')));
else if ($_GET['_remote']) else if ($REMOTE_REQUEST)
{ {
$commands = show_message('errorsaving', 'error'); $commands = show_message('errorsaving', 'error');
rcube_remote_response($commands); rcube_remote_response($commands);
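Review bot: `$_GET['_mboxes']` is still read raw in the subscribe, unsubscribe and delete-folder hunks while the create-folder hunk moves to get_input_value(); since this commit removes the global magic-quotes stripping from index.php, a mailbox name containing a quote now reaches `$IMAP->subscribe()` with its backslash intact whenever magic_quotes_gpc is on, and `strlen($_GET['_mboxes'])` raises a notice when the parameter is absent. Read it once at the top of the step, `$mbox = get_input_value('_mboxes', RCUBE_INPUT_GET);`, and use that variable in the four places. The `rep_specialchars_output($_GET['_mboxes'], 'js')` call on the delete line should take the same variable so the name echoed to the client matches the one actually deleted.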

@ -20,6 +20,7 @@
*/ */
$a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature'); $a_save_cols = array('name', 'email', 'organization', 'reply-to', 'bcc', 'standard', 'signature');
$a_html_cols = array('signature');
// check input // check input
@ -44,7 +45,7 @@ if ($_POST['_iid'])
$a_write_sql[] = sprintf("%s=%s", $a_write_sql[] = sprintf("%s=%s",
$DB->quoteIdentifier($col), $DB->quoteIdentifier($col),
$DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset()))); $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols))));
} }
if (sizeof($a_write_sql)) if (sizeof($a_write_sql))
@ -99,7 +100,7 @@ else
continue; continue;
$a_insert_cols[] = $DB->quoteIdentifier($col); $a_insert_cols[] = $DB->quoteIdentifier($col);
$a_insert_values[] = $DB->quote(rcube_charset_convert(strip_tags($_POST[$fname]), $OUTPUT->get_charset())); $a_insert_values[] = $DB->quote(get_input_value($fname, RCUBE_INPUT_POST, in_array($col, $a_html_cols)));
} }
if (sizeof($a_insert_cols)) if (sizeof($a_insert_cols))
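Review bot: `signature` is now stored with its HTML tags intact (`in_array($col, $a_html_cols)` yields TRUE for it), which moves responsibility for XSS prevention to every place the signature is later rendered or inserted into a composed message; these hunks do not show those places, so confirm each one escapes or sanitises the value before output. The `in_array()` call should pass `TRUE` as its third argument so the column name is matched strictly. The INSERT branch in the second hunk has the same shape, so the same applies there.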
