From: <pdo...@us...> - 2008-09-23 01:12:40
Revision: 13281 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13281&view=rev Author: pdontthink Date: 2008-09-23 01:12:29 +0000 (Tue, 23 Sep 2008) Log Message: ----------- Fix session autostart code - session_name() return value does not indicate session has started; Remove dead code (cookie cleanup) Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2008-09-19 23:58:19 UTC (rev 13280) +++ trunk/squirrelmail/include/init.php 2008-09-23 01:12:29 UTC (rev 13281) @@ -258,12 +258,12 @@ * When session.auto_start is On we want to destroy/close the session */ $sSessionAutostartName = session_name(); -$sCookiePath = null; -if (isset($sSessionAutostartName) && $sSessionAutostartName !== $session_name) { +$sSessionAutostartID = session_id(); +if (!empty($sSessionAutostartID) && $sSessionAutostartName !== $session_name) { $sCookiePath = ini_get('session.cookie_path'); $sCookieDomain = ini_get('session.cookie_domain'); // reset the cookie - setcookie($sSessionAutostartName,'',time() - 604800,$sCookiePath,$sCookieDomain); + sqsetcookie($sSessionAutostartName,'',1,$sCookiePath,$sCookieDomain); @session_destroy(); session_write_close(); } 
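Review bot: the `@` in front of `session_destroy()` silences any failure to discard the auto-started session, and the `session_write_close()` that follows a destroy has nothing left to write; drop the `@` (or check the return value) so a broken save handler cannot leave the foreign session alive without a trace. The switch to testing `session_id()` is correct, since `session_name()` returns a name whether or not a session has started, and `sqsetcookie(...,'',1,...)` expires the cookie at epoch second 1, which browsers treat as deletion; that deletion only works because path and domain are read from `session.cookie_path` and `session.cookie_domain`, the same values PHP used when it auto-started the session, so keep the two `ini_get()` calls paired with it.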
@@ -514,22 +514,6 @@ */ $icon_theme_path = (!$use_icons || $icon_theme=='none') ? NULL : ($icon_theme == 'template' ? SM_PATH . Template::calculate_template_images_directory($sTemplateID) : $icon_theme); - /** - * cleanup old cookies with a cookie path the same as the standard php.ini - * cookie path. All previous SquirrelMail version used the standard php.ini - * cookie path for storing the session name. That behaviour changed. - */ - if ($sCookiePath !== SM_BASE_URI) { - /** - * do not delete the standard sessions with session.name is i.e. PHPSESSID - * because they probably belong to other php apps - */ - if (ini_get('session.name') !== $sSessionAutostartName) { - // This does not work. Sometimes the cookie with SQSESSID=deleted and path / - // is picked up in webmail.php => login will fail - //sqsetcookie(ini_get('session.name'),'',0,$sCookiePath); - } - } break; default: require(SM_PATH . 'functions/display_messages.php' ); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
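Review bot: removing this block is consistent with the first hunk, which dropped the `$sCookiePath = null;` initialization that the removed `if ($sCookiePath !== SM_BASE_URI)` test depended on; after this there is no reference to `$sCookiePath` outside the autostart branch. The commented-out `sqsetcookie(...)` documents a real hazard (a `SQSESSID=deleted` cookie scoped to `/` shadows the real session cookie and breaks login), and that reasoning disappears with the dead code; a one-line comment near the autostart block stating that old cookies under the php.ini cookie path are deliberately left alone would preserve it.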
From: <pdo...@us...> - 2008-11-20 20:05:41
Revision: 13319 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13319&view=rev Author: pdontthink Date: 2008-11-20 20:05:35 +0000 (Thu, 20 Nov 2008) Log Message: ----------- Add global variable indicating server OS Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2008-10-31 02:41:38 UTC (rev 13318) +++ trunk/squirrelmail/include/init.php 2008-11-20 20:05:35 UTC (rev 13319) @@ -75,6 +75,14 @@ $null = NULL; /** + * The global $server_os variable will be "windows" if + * we are working in a Windows environment or "*nix" + * otherwise. + */ +global $server_os; +if (DIRECTORY_SEPARATOR == '\\') $server_os = 'windows'; else $server_os = '*nix'; + +/** * [#1518885] session.use_cookies = off breaks SquirrelMail * * When session cookies are not used, all http redirects, meta refreshes, This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
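Review bot: `global $server_os;` at the top level of init.php is a no-op, since file scope already is global scope, and it reads as if the variable were being imported into a function; either drop the keyword and let the doc comment carry the intent, or keep it only if init.php can be included from inside a function, in which case the comment should say so. `DIRECTORY_SEPARATOR == '\\'` is a serviceable Windows test, though `PHP_OS` states the intent more directly.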
From: <pdo...@us...> - 2008-11-20 22:32:36
Revision: 13322 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13322&view=rev Author: pdontthink Date: 2008-11-20 22:32:32 +0000 (Thu, 20 Nov 2008) Log Message: ----------- The random number seed generator was creating float values that, when fed to mt_srand(), which expects an integer, were seen as zero on some systems because it was such a large number. This fix takes a sub-string of the seed's MD5 before converting it to an integer in order to fix that problem. Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2008-11-20 21:46:12 UTC (rev 13321) +++ trunk/squirrelmail/include/init.php 2008-11-20 22:32:32 UTC (rev 13322) 
@@ -120,10 +120,21 @@ $seed .= uniqid(mt_rand(),TRUE); $seed .= implode( '', stat( __FILE__) ); -/** PHP 4.2 and up don't require seeding, but their used seed algorithm - * is of questionable quality, so we keep doing it ourselves. */ -mt_srand(hexdec(md5($seed))); +// mt_srand() uses an integer to seed, so we need to distill our +// very large seed to something useful (without taking a sub-string, +// the integer conversion of such a large number is always 0 on +// many systems, but strangely, 9 hex numbers - even if larger +// than a signed 32 bit integer - seem to be an acceptable "integer" +// seed (perhaps it is used as unsigned?)... +// we may want to revisit this and always force it to be less than +// 2,147,483,647 +// +$seed = hexdec(substr(md5($seed), 0, 9)); +// PHP 4.2 and up don't require seeding, but their used seed algorithm +// is of questionable quality, so we keep doing it ourselves. */ +mt_srand($seed); + /** * calculate SM_PATH and calculate the base_uri * assumptions made: init.php is only called from plugins or from the src dir. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
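Review bot: the comment concedes that nine hex digits (36 bits) can exceed a signed 32-bit integer, so `mt_srand($seed)` still relies on an out-of-range float-to-int conversion on 32-bit builds, which is exactly the undefined behaviour this change set out to remove; `hexdec(substr(md5($seed), 0, 7))` (28 bits) fits every platform's integer without guesswork. The trailing `*/` on the `// ... so we keep doing it ourselves. */` line is a leftover from the old block comment. Note also that no seed makes `mt_rand()` suitable for security-sensitive values such as session ids or tokens; the seeding only improves statistical quality, so nothing in the codebase should depend on it for unpredictability.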
From: <pdo...@us...> - 2010-01-27 23:05:42
Revision: 13895 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13895&view=rev Author: pdontthink Date: 2010-01-27 23:05:18 +0000 (Wed, 27 Jan 2010) Log Message: ----------- REQUEST_URI is used in php_self(), so make sure it's sanitized too Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2010-01-25 03:23:30 UTC (rev 13894) +++ trunk/squirrelmail/include/init.php 2010-01-27 23:05:18 UTC (rev 13895) @@ -276,6 +276,7 @@ * QUERY_STRING also needs the same treatment since it is * used in php_self(). */ +$_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']); $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']); $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
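Review bot: `$_SERVER['REQUEST_URI']` is read without an `isset()` guard (as are `PHP_SELF` and `QUERY_STRING` on the context lines), so SAPIs that do not populate it raise a notice; wrap each assignment in `if (isset(...))`. Separately, `htmlspecialchars()` is called with its default flags, which leave single quotes unescaped, so the value is only safe inside element content and double-quoted attributes; pass `ENT_QUOTES` if `php_self()` output can land in a single-quoted attribute. Rewriting `$_SERVER` in place also hands an HTML-encoded URI to any later code that needs the raw one (redirects, `Location` headers); escaping at the point of output avoids that.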
From: <pdo...@us...> - 2010-01-27 23:36:59
Revision: 13897 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13897&view=rev Author: pdontthink Date: 2010-01-27 23:36:52 +0000 (Wed, 27 Jan 2010) Log Message: ----------- Avoid notices in some environments Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2010-01-27 23:35:26 UTC (rev 13896) +++ trunk/squirrelmail/include/init.php 2010-01-27 23:36:52 UTC (rev 13897) @@ -276,9 +276,12 @@ * QUERY_STRING also needs the same treatment since it is * used in php_self(). */ -$_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']); -$_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']); -$_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']); +if (isset($_SERVER['REQUEST_URI'])) + $_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']); +if (isset($_SERVER['PHP_SELF'])) + $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']); +if (isset($_SERVER['QUERY_STRING'])) + $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']); $PHP_SELF = php_self(); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
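Review bot: the three near-identical guard-and-escape lines would be clearer as a loop over `array('REQUEST_URI', 'PHP_SELF', 'QUERY_STRING')`, which also makes it harder to add a fourth key later and forget its guard. The `isset()` checks are correct as written: a key that is absent cannot reach `php_self()`, so skipping it loses no protection.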
From: <pdo...@us...> - 2010-06-26 10:15:55
Revision: 13957 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13957&view=rev Author: pdontthink Date: 2010-06-26 10:15:49 +0000 (Sat, 26 Jun 2010) Log Message: ----------- Aggressive sanitizing of REQUEST_URI, PHP_SELF, and QUERY_STRING corrupted page URIs by encoding ampersands in the query string, so we have to un-sanitize ampersands. Will this cause any security/XSS issues? Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2010-06-25 21:31:10 UTC (rev 13956) +++ trunk/squirrelmail/include/init.php 2010-06-26 10:15:49 UTC (rev 13957) @@ -275,13 +275,17 @@ * htmlspecialchars() is the preferred method. * QUERY_STRING also needs the same treatment since it is * used in php_self(). + * Update again: the encoding of ampersands that occurs + * using htmlspecialchars() corrupts the query strings + * in normal URIs, so we have to let those through. +FIXME: will the de-sanitizing of ampersands create any security/XSS problems? */ if (isset($_SERVER['REQUEST_URI'])) - $_SERVER['REQUEST_URI'] = htmlspecialchars($_SERVER['REQUEST_URI']); + $_SERVER['REQUEST_URI'] = str_replace('&', '&', htmlspecialchars($_SERVER['REQUEST_URI'])); if (isset($_SERVER['PHP_SELF'])) - $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']); + $_SERVER['PHP_SELF'] = str_replace('&', '&', htmlspecialchars($_SERVER['PHP_SELF'])); if (isset($_SERVER['QUERY_STRING'])) - $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']); + $_SERVER['QUERY_STRING'] = str_replace('&', '&', htmlspecialchars($_SERVER['QUERY_STRING'])); $PHP_SELF = php_self(); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
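Review bot: as shown, `str_replace('&', '&', ...)` replaces an ampersand with itself and does nothing; the first argument has to be the five-character entity that `htmlspecialchars()` emits for `&`, which this listing has evidently rendered back to a bare `&`, so verify the committed file rather than this mail. On the FIXME: reverting only the ampersand entity keeps `<`, `>` and `"` encoded, so a raw `<` in the URI still cannot open a tag in HTML content or a double-quoted attribute; what changes is that an entity sequence already present in the raw URI now passes through untouched instead of being encoded, which only matters to consumers that decode entities or use the value outside an HTML context (headers, redirects, JavaScript). The sturdier fix is to leave `$_SERVER` raw and escape inside `php_self()` and at each output point.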
From: <pdo...@us...> - 2017-05-02 19:55:47
Revision: 14656 http://sourceforge.net/p/squirrelmail/code/14656 Author: pdontthink Date: 2017-05-02 19:55:46 +0000 (Tue, 02 May 2017) Log Message: ----------- Make server TZ available after it is changed Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2017-05-02 19:52:32 UTC (rev 14655) +++ trunk/squirrelmail/include/init.php 2017-05-02 19:55:46 UTC (rev 14656) @@ -693,6 +693,8 @@ $set_up_langage_after_template_setup = TRUE; $timeZone = getPref($data_dir, $username, 'timezone'); + global $server_timezone; + $server_timezone = date('T'); /* Check to see if we are allowed to set the TZ environment variable. * We are able to do this if ... This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
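Review bot: `date('T')` returns a timezone abbreviation, and the same abbreviation is used for several distinct offsets, so `$server_timezone` on its own cannot be turned back into an offset; record `date('O')` or `date('Z')` alongside it if anything needs to do time arithmetic. Capturing the value here, before the TZ environment variable is switched to the user's preference, is the right place. As with `$server_os`, `global` only has an effect if this code runs inside a function.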
From: <pdo...@us...> - 2017-11-10 02:39:27
Revision: 14724 http://sourceforge.net/p/squirrelmail/code/14724 Author: pdontthink Date: 2017-11-10 02:39:26 +0000 (Fri, 10 Nov 2017) Log Message: ----------- May as well grab offset info too Modified Paths: -------------- trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2017-11-10 02:35:13 UTC (rev 14723) +++ trunk/squirrelmail/include/init.php 2017-11-10 02:39:26 UTC (rev 14724) @@ -693,8 +693,9 @@ $set_up_langage_after_template_setup = TRUE; $timeZone = getPref($data_dir, $username, 'timezone'); - global $server_timezone; - $server_timezone = date('T'); + global $server_timezone, $server_timezone_offset, $server_timezone_offset_seconds; + list($server_timezone, $server_timezone_offset, $server_timezone_offset_seconds) + = explode('::', date('T::O::Z')); /* Check to see if we are allowed to set the TZ environment variable. * We are able to do this if ... This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
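Review bot: `explode()` yields strings, so `$server_timezone_offset_seconds` ends up as a string like `"3600"` rather than an integer; cast it with `(int)` (and `$server_timezone_offset` stays a string such as `+0100`, which is fine for display but not for arithmetic). Splitting on `::` is safe because `:` is not a `date()` format character, but a short comment saying so would spare the next reader a trip to the manual.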