SquirrelMail

Update of /cvsroot/squirrelmail/squirrelmail
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv28709

Modified Files:
	ChangeLog 
Log Message:
HttpOnly cookies


Index: ChangeLog
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/ChangeLog,v
retrieving revision 1.644
retrieving revision 1.645
diff -u -w -r1.644 -r1.645
--- ChangeLog	15 Oct 2005 11:12:53 -0000	1.644
+++ ChangeLog	15 Oct 2005 16:49:34 -0000	1.645
@@ -454,6 +454,8 @@
     Windows systems.
   - Sanitized names displayed in address book listing.
   - Added extra field controls to address book class.
+  - HttpOnly cookie support (cookies inaccessible by JS). This will protect 
+    IE6 browsers.
 
 Version 1.5.0 - 2 February 2004
 -------------------------------

Update of /cvsroot/squirrelmail/squirrelmail/src
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv27029/src

Modified Files:
	webmail.php redirect.php right_main.php search.php 
Log Message:
Support for HttpOnly cookies.
HttpOnly cookies prohibit access by Javascript. Currently only IE6 supports
it. See http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
In order to achieve that the cookie with the session_id also contains the
httponly cookie attribute I introduced a new function, sqsession_start which
overwrites the cookie set by php by our own cookie containing the session_id
and the httponly attribute.
All session_start calls are replaced by sqsession_start.



Index: webmail.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/webmail.php,v
retrieving revision 1.113
retrieving revision 1.114
diff -u -w -r1.113 -r1.114
--- webmail.php	18 Sep 2005 10:25:53 -0000	1.113
+++ webmail.php	15 Oct 2005 16:44:59 -0000	1.114
@@ -74,7 +74,7 @@
  */
 $my_language = getPref($data_dir, $username, 'language');
 if ($my_language != $squirrelmail_language) {
-    setcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri);
+    sqsetcookie('squirrelmail_language', $my_language, time()+2592000, $base_uri);
 }
 
 $err=set_up_language(getPref($data_dir, $username, 'language'));

Index: redirect.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/redirect.php,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -w -r1.91 -r1.92
--- redirect.php	18 Sep 2005 10:25:53 -0000	1.91
+++ redirect.php	15 Oct 2005 16:44:59 -0000	1.92
@@ -58,7 +58,7 @@
 
 set_up_language($squirrelmail_language, true);
 /* Refresh the language cookie. */
-setcookie('squirrelmail_language', $squirrelmail_language, time()+2592000,
+sqsetcookie('squirrelmail_language', $squirrelmail_language, time()+2592000,
           $base_uri);
 
 if (!isset($login_username)) {
@@ -93,7 +93,7 @@
 
     $username = $login_username;
     sqsession_register ($username, 'username');
-    setcookie('key', $key, 0, $base_uri);
+    sqsetcookie('key', $key, false, $base_uri);
     do_hook ('login_verified');
 
 }

Index: right_main.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/right_main.php,v
retrieving revision 1.141
retrieving revision 1.142
diff -u -w -r1.141 -r1.142
--- right_main.php	18 Sep 2005 10:25:53 -0000	1.141
+++ right_main.php	15 Oct 2005 16:44:59 -0000	1.142
@@ -277,7 +277,7 @@
         session_write_close();
         // restart the session. Do not use sqsession_is_active because the session_id
         // isn't empty after a session_write_close
-        session_start();
+        sqsession_start();
         if (!preg_match("/^[0-9]{3,4}$/", $compose_width)) {
             $compose_width = '640';
         }

Index: search.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/search.php,v
retrieving revision 1.154
retrieving revision 1.155
diff -u -w -r1.154 -r1.155
--- search.php	18 Sep 2005 10:25:53 -0000	1.154
+++ search.php	15 Oct 2005 16:44:59 -0000	1.155
@@ -1360,7 +1360,7 @@
         session_write_close();
         // restart the session. Do not use sqsession_is_active because the session_id
         // isn't empty after a session_write_close
-        session_start();
+        sqsession_start();
 
         if (!preg_match("/^[0-9]{3,4}$/", $compose_width)) {
             $compose_width = '640';

Update of /cvsroot/squirrelmail/squirrelmail/functions
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv27029/functions

Modified Files:
	global.php 
Log Message:
Support for HttpOnly cookies.
HttpOnly cookies prohibit access by Javascript. Currently only IE6 supports
it. See http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
In order to achieve that the cookie with the session_id also contains the
httponly cookie attribute I introduced a new function, sqsession_start which
overwrites the cookie set by php by our own cookie containing the session_id
and the httponly attribute.
All session_start calls are replaced by sqsession_start.



Index: global.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/global.php,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -w -r1.53 -r1.54
--- global.php	18 Sep 2005 10:25:47 -0000	1.53
+++ global.php	15 Oct 2005 16:44:59 -0000	1.54
@@ -257,9 +257,9 @@
 
     global $base_uri;
 
-    if (isset($_COOKIE[session_name()])) setcookie(session_name(), '', time() - 5, $base_uri);
-    if (isset($_COOKIE['username'])) setcookie('username','',time() - 5,$base_uri);
-    if (isset($_COOKIE['key'])) setcookie('key','',time() - 5,$base_uri);
+    if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri);
+    if (isset($_COOKIE['username'])) sqsetcookie('username','',0,$base_uri);
+    if (isset($_COOKIE['key'])) sqsetcookie('key','',0,$base_uri);
 
     $sessid = session_id();
     if (!empty( $sessid )) {
@@ -275,14 +275,67 @@
  * (even though autoglobal), is not created unless a session is
  * started, unlike $_POST, $_GET and such
  */
-
 function sqsession_is_active() {
-
     $sessid = session_id();
     if ( empty( $sessid ) ) {
+        sqsession_start();
+    }
+}
+
+/**
+ * Function to start the session and store the cookie with the session_id as
+ * HttpOnly cookie which means that the cookie isn't accessible by javascript
+ * (IE6 only)
+ */
+function sqsession_start() {
+    global $PHP_SELF;
+
+    $dirs = array('|src/.*|', '|plugins/.*|', '|functions/.*|');
+    $repl = array('', '', '');
+    $base_uri = preg_replace($dirs, $repl, $PHP_SELF);
+
         session_start();
+    $sessid = session_id();
+    // session_starts sets the sessionid cookie buth without the httponly var
+    // setting the cookie again sets the httponly cookie attribute
+    sqsetcookie(session_name(),$sessid,false,$base_uri);
     }
+
+
+/**
+ * Set a cookie
+ * @param string  $sName     The name of the cookie.
+ * @param string  $sValue    The value of the cookie.
+ * @param int     $iExpire   The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch.
+ * @param string  $sPath     The path on the server in which the cookie will be available on.
+ * @param string  $sDomain   The domain that the cookie is available.
+ * @param boolean $bSecure   Indicates that the cookie should only be transmitted over a secure HTTPS connection.
+ * @param boolean $bHttpOnly Disallow JS to access the cookie (IE6 only)
+ * @return void
+ */
+function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) {
+    $sHeader = "Set-Cookie: $sName=$sValue";
+    if ($sPath) {
+        $sHeader .= "; Path=\"$sPath\"";
+    }
+    if ($iExpire !==false) {
+        $sHeader .= "; Max-Age=$iExpire";
 }
+    if ($sPath) {
+        $sHeader .= "; Path=$sPath";
+    }
+    if ($sDomain) {
+        $sHeader .= "; Domain=$sDomain";
+    }
+    if ($bSecure) {
+        $sHeader .= "; Secure";
+    }
+    if ($bHttpOnly) {
+        $sHeader .= "; HttpOnly";
+    }
+    $sHeader .= "; Version=1";
 
+    header($sHeader);
+}
 // vim: et ts=4
 ?>
\ No newline at end of file

Update of /cvsroot/squirrelmail/squirrelmail/src
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv3126/src

Modified Files:
	addressbook.php 
Log Message:
sanitizing address book listing. extra field row is added for plugins
that want to add html tags to address book listing (like vcard_abook).


Index: addressbook.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/src/addressbook.php,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -w -r1.94 -r1.95
--- addressbook.php	18 Sep 2005 10:25:53 -0000	1.94
+++ addressbook.php	15 Oct 2005 11:12:53 -0000	1.95
@@ -247,6 +247,11 @@
     /* List addresses */
     if (count($alist) > 0) {
         echo addForm($form_url, 'post');
+        if ($abook->add_extra_field) {
+            $abook_fields = 6;
+        } else {
+            $abook_fields = 5;
+        }
         while(list($undef,$row) = each($alist)) {
 
             /* New table header for each backend */
@@ -257,10 +262,10 @@
                                 html_tag( 'td',
                                     addSubmit(_("Edit selected"), 'editaddr').
                                     addSubmit(_("Delete selected"), 'deladdr'),
-                                    'center', '', 'colspan="5"' )
+                                    'center', '', "colspan=\"$abook_fields\"" )
                                 ) .
                             html_tag( 'tr',
-                                html_tag( 'td', '&nbsp;<br />', 'center', '', 'colspan="5"' )
+                                html_tag( 'td', '&nbsp;<br />', 'center', '', "colspan=\"$abook_fields\"" )
                                 ),
                             'center' );
                     echo "\n<!-- start of address book table -->\n" .
@@ -278,20 +283,22 @@
                                     'left', '', 'width="1%"' ) . "\n" .
                                 html_tag( 'th', _("Info") .
                                     show_abook_sort_button($abook_sort_order, _("sort by info"), 6, 7),
-                                    'left', '', 'width="1%"' ) . "\n",
+                                    'left', '', 'width="1%"' ) .
+                                  ($abook->add_extra_field ? html_tag( 'th', '&nbsp;','left', '', 'width="1%"'): '') . 
+                                "\n",
                                 '', $color[9] ) . "\n";
                 }
 
                 // Separate different backends with <hr />
                 if($prevbackend > 0) {
                     echo  html_tag( 'tr',
-                            html_tag( 'td', "<hr />", 'center', '' ,'colspan="5"' )
+                            html_tag( 'td', "<hr />", 'center', '' ,"colspan=\"$abook_fields\"" )
                             );
                 }
 
                 // Print backend name
                 echo html_tag( 'tr',
-                        html_tag( 'td', "\n" . '<strong>' . $row['source'] . '</strong>' . "\n", 'center', $color[0] ,'colspan="5"' )
+                        html_tag( 'td', "\n" . '<strong>' . $row['source'] . '</strong>' . "\n", 'center', $color[0] ,"colspan=\"$abook_fields\"" )
                         );
 
                 $line = 0;
@@ -309,7 +316,6 @@
             } else {
                 $tr_bgcolor = $color[4];
             }
-            if ($squirrelmail_language == 'ja_JP') {
                 echo html_tag( 'tr', '', '', $tr_bgcolor);
                 if ($abook->backends[$row['backend']]->writeable) {
                     echo html_tag( 'td',
@@ -322,32 +328,42 @@
                             '&nbsp;' ,
                             'center', '', 'valign="top" width="1%"' );
                 }
-                echo html_tag( 'td', '&nbsp;' . $row['nickname'] . '&nbsp;', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) .
-                    html_tag( 'td', '&nbsp;' . $row['lastname'] . ' ' . $row['firstname'] . '&nbsp;', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) .
-                    html_tag( 'td', '', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . '&nbsp;';
-            } else {
-                echo html_tag( 'tr', '', '', $tr_bgcolor);
-                if ($abook->backends[$row['backend']]->writeable) {
                     echo html_tag( 'td',
-                            '<small>' .
-                            addCheckBox('sel[]', $selected, $row['backend'] . ':' . $row['nickname']).
-                            '</small>' ,
-                            'center', '', 'valign="top" width="1%"' );
+                           '&nbsp;' . htmlspecialchars($row['nickname']) . '&nbsp;', 
+                           'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' );
+
+            // different full name display formating for Japanese translation
+            if ($squirrelmail_language == 'ja_JP') {
+                /*
+                 * translation uses euc-jp character set internally.
+                 * htmlspecialchars() should not break any characters.
+                 */
+                echo html_tag( 'td', 
+                               '&nbsp;' . htmlspecialchars($row['lastname']) . ' ' . htmlspecialchars($row['firstname']) . '&nbsp;',
+                               'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' );
                 } else {
                     echo html_tag( 'td',
-                            '&nbsp;' ,
-                            'center', '', 'valign="top" width="1%"' );
-                }
-                echo html_tag( 'td', '&nbsp;' . $row['nickname'] . '&nbsp;', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) .
-                    html_tag( 'td', '&nbsp;' . $row['name'] . '&nbsp;', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) .
-                    html_tag( 'td', '', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . '&nbsp;';
+                               '&nbsp;' . htmlspecialchars($row['name']) . '&nbsp;',
+                               'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' );
             }
+
+            // email address column
+            echo html_tag( 'td', '', 'left', '', 'valign="top" width="1%" style="white-space: nowrap;"' ) . '&nbsp;';
             $email = $abook->full_address($row);
             echo makeComposeLink('src/compose.php?send_to='.rawurlencode($email),
                     htmlspecialchars($row['email'])).
-                '&nbsp;</td>'."\n".
-                html_tag( 'td', '&nbsp;' . htmlspecialchars($row['label']) . '&nbsp;', 'left', '', 'valign="top" width="1%"' ) .
-                "</tr>\n";
+                '&nbsp;</td>'."\n";
+
+            // info column
+            echo html_tag( 'td', '&nbsp;' . htmlspecialchars($row['label']) . '&nbsp;', 'left', '', 'valign="top" width="1%"' );
+
+            // add extra column if third party backend needs it
+            if ($abook->add_extra_field) {
+                echo html_tag( 'td', 
+                               '&nbsp;' . (isset($row['extra']) ? $row['extra'] : '') . '&nbsp;',
+                               'left', '', 'valign="top" width="1%"' );
+            }
+            echo "</tr>\n";
             $line++;
         }
         echo "</table>" .
@@ -360,7 +376,7 @@
                         html_tag( 'td',
                             addSubmit(_("Edit selected"), 'editaddr') .
                             addSubmit(_("Delete selected"), 'deladdr'),
-                            'center', '', 'colspan="5"' )
+                            'center', '', "colspan=\"$abook_fields\"" )
                         ),
                     'center' );
         }

Update of /cvsroot/squirrelmail/squirrelmail
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv3126

Modified Files:
	ChangeLog 
Log Message:
sanitizing address book listing. extra field row is added for plugins
that want to add html tags to address book listing (like vcard_abook).


Index: ChangeLog
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/ChangeLog,v
retrieving revision 1.643
retrieving revision 1.644
diff -u -w -r1.643 -r1.644
--- ChangeLog	15 Oct 2005 08:54:25 -0000	1.643
+++ ChangeLog	15 Oct 2005 11:12:53 -0000	1.644
@@ -452,6 +452,8 @@
     Reported by João Carlos Mendes Luís.
   - Added CR trimming to SquirrelSpell plugin in order to fix problems on
     Windows systems.
+  - Sanitized names displayed in address book listing.
+  - Added extra field controls to address book class.
 
 Version 1.5.0 - 2 February 2004
 -------------------------------

Update of /cvsroot/squirrelmail/squirrelmail/functions
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv3126/functions

Modified Files:
	addressbook.php 
Log Message:
sanitizing address book listing. extra field row is added for plugins
that want to add html tags to address book listing (like vcard_abook).


Index: addressbook.php
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/functions/addressbook.php,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -w -r1.80 -r1.81
--- addressbook.php	18 Sep 2005 10:25:47 -0000	1.80
+++ addressbook.php	15 Oct 2005 11:12:53 -0000	1.81
@@ -447,6 +447,20 @@
      * @var string
      */
     var $localbackendname = '';
+    /**
+     * Controls use of 'extra' field
+     * 
+     * Extra field can be used to add link to form, which allows 
+     * to modify all fields supported by backend. This is the only field 
+     * that is not sanitized with htmlspecialchars. Backends MUST make
+     * sure that field data is sanitized and displayed correctly inside
+     * table cell. Use of html formating in other address book fields is
+     * not allowed. Backends that don't return 'extra' row in address book 
+     * data should not modify this object property.
+     * @var boolean
+     * @since 1.5.1
+     */
+    var $add_extra_field = false;
 
     /**
      * Constructor function.

Update of /cvsroot/squirrelmail/squirrelmail/plugins/squirrelspell/modules
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv13057/plugins/squirrelspell/modules

Modified Files:
	check_me.mod 
Log Message:
Windows aspell returns \r\n line endings. if \r is not removed, it breaks 
javascript and list of suggestions is empty.


Index: check_me.mod
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/plugins/squirrelspell/modules/check_me.mod,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -w -r1.26 -r1.27
--- check_me.mod	18 Sep 2005 10:25:51 -0000	1.26
+++ check_me.mod	15 Oct 2005 08:54:25 -0000	1.27
@@ -121,7 +121,7 @@
     $sqspell_output = array();
     for($i=1; $i<=2; $i++) {
         while(!feof($pipes[$i])) {
-           array_push($sqspell_output, rtrim(fgetss($pipes[$i],999),"\n"));
+           array_push($sqspell_output, rtrim(fgetss($pipes[$i],999),"\r\n"));
         }
         fclose($pipes[$i]);
     }

Update of /cvsroot/squirrelmail/squirrelmail
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv13057

Modified Files:
	ChangeLog 
Log Message:
Windows aspell returns \r\n line endings. if \r is not removed, it breaks 
javascript and list of suggestions is empty.


Index: ChangeLog
===================================================================
RCS file: /cvsroot/squirrelmail/squirrelmail/ChangeLog,v
retrieving revision 1.642
retrieving revision 1.643
diff -u -w -r1.642 -r1.643
--- ChangeLog	9 Oct 2005 20:38:58 -0000	1.642
+++ ChangeLog	15 Oct 2005 08:54:25 -0000	1.643
@@ -450,6 +450,8 @@
     sqimap_mailbox_exists() check. Reported by Daniel Watts.
   - Fixed decoding of quoted-printable text in decodeBody function.
     Reported by João Carlos Mendes Luís.
+  - Added CR trimming to SquirrelSpell plugin in order to fix problems on
+    Windows systems.
 
 Version 1.5.0 - 2 February 2004
 -------------------------------