robin.thoni
/
docker-roundcube-server
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 10 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23 Commits
2 Branches
Tree: 6486178dfa
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6486178dfa'
${ noResults }
docker-roundcube-server/roundcube/roundcubemail-1.3.6/index.php

index.php 12KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324 
  1. <?php

  2. /**

  3.  +-------------------------------------------------------------------------+

  4.  | Roundcube Webmail IMAP Client                                           |

  5.  | Version 1.3.6                                                           |

  6.  |                                                                         |

  7.  | Copyright (C) 2005-2017, The Roundcube Dev Team                         |

  8.  |                                                                         |

  9.  | This program is free software: you can redistribute it and/or modify    |

  10.  | it under the terms of the GNU General Public License (with exceptions   |

  11.  | for skins & plugins) as published by the Free Software Foundation,      |

  12.  | either version 3 of the License, or (at your option) any later version. |

  13.  |                                                                         |

  14.  | This file forms part of the Roundcube Webmail Software for which the    |

  15.  | following exception is added: Plugins and Skins which merely make       |

  16.  | function calls to the Roundcube Webmail Software, and for that purpose  |

  17.  | include it by reference shall not be considered modifications of        |

  18.  | the software.                                                           |

  19.  |                                                                         |

  20.  | If you wish to use this file in another project or create a modified    |

  21.  | version that will not be part of the Roundcube Webmail Software, you    |

  22.  | may remove the exception above and use this source code under the       |

  23.  | original version of the license.                                        |

  24.  |                                                                         |

  25.  | This program is distributed in the hope that it will be useful,         |

  26.  | but WITHOUT ANY WARRANTY; without even the implied warranty of          |

  27.  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the            |

  28.  | GNU General Public License for more details.                            |

  29.  |                                                                         |

  30.  | You should have received a copy of the GNU General Public License       |

  31.  | along with this program.  If not, see http://www.gnu.org/licenses/.     |

  32.  |                                                                         |

  33.  +-------------------------------------------------------------------------+

  34.  | Author: Thomas Bruederli <roundcube@gmail.com>                          |

  35.  | Author: Aleksander Machniak <alec@alec.pl>                              |

  36.  +-------------------------------------------------------------------------+

  37. */

  38. 

  39. // include environment

  40. require_once 'program/include/iniset.php';

  41. 

  42. // init application, start session, init output class, etc.

  43. $RCMAIL = rcmail::get_instance(0, $GLOBALS['env']);

  44. 

  45. // Make the whole PHP output non-cacheable (#1487797)

  46. $RCMAIL->output->nocacheing_headers();

  47. $RCMAIL->output->common_headers();

  48. 

  49. // turn on output buffering

  50. ob_start();

  51. 

  52. // check if config files had errors

  53. if ($err_str = $RCMAIL->config->get_error()) {

  54.     rcmail::raise_error(array(

  55.         'code' => 601,

  56.         'type' => 'php',

  57.         'message' => $err_str), false, true);

  58. }

  59. 

  60. // check DB connections and exit on failure

  61. if ($err_str = $RCMAIL->db->is_error()) {

  62.     rcmail::raise_error(array(

  63.         'code' => 603,

  64.         'type' => 'db',

  65.         'message' => $err_str), false, true);

  66. }

  67. 

  68. // error steps

  69. if ($RCMAIL->action == 'error' && !empty($_GET['_code'])) {

  70.     rcmail::raise_error(array('code' => hexdec($_GET['_code'])), false, true);

  71. }

  72. 

  73. // check if https is required (for login) and redirect if necessary

  74. if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {

  75.     // force_https can be true, <hostname>, <hostname>:<port>, <port>

  76.     if (!is_bool($force_https)) {

  77.         list($host, $port) = explode(':', $force_https);

  78. 

  79.         if (is_numeric($host) && empty($port)) {

  80.             $port = $host;

  81.             $host = '';

  82.         }

  83.     }

  84. 

  85.     if (!rcube_utils::https_check($port ?: 443)) {

  86.         if (empty($host)) {

  87.             $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);

  88.         }

  89.         if ($port && $port != 443) {

  90.             $host .= ':' . $port;

  91.         }

  92. 

  93.         header('Location: https://' . $host . $_SERVER['REQUEST_URI']);

  94.         exit;

  95.     }

  96. }

  97. 

  98. // trigger startup plugin hook

  99. $startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));

  100. $RCMAIL->set_task($startup['task']);

  101. $RCMAIL->action = $startup['action'];

  102. 

  103. // try to log in

  104. if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {

  105.     $request_valid = $_SESSION['temp'] && $RCMAIL->check_request();

  106.     $pass_charset  = $RCMAIL->config->get('password_charset', 'ISO-8859-1');

  107. 

  108.     // purge the session in case of new login when a session already exists

  109.     $RCMAIL->kill_session();

  110. 

  111.     $auth = $RCMAIL->plugins->exec_hook('authenticate', array(

  112.             'host'  => $RCMAIL->autoselect_host(),

  113.             'user'  => trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)),

  114.             'pass'  => rcube_utils::get_input_value('_pass', rcube_utils::INPUT_POST, true, $pass_charset),

  115.             'valid' => $request_valid,

  116.             'cookiecheck' => true,

  117.     ));

  118. 

  119.     // Login

  120.     if ($auth['valid'] && !$auth['abort']

  121.         && $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'], $auth['cookiecheck'])

  122.     ) {

  123.         // create new session ID, don't destroy the current session

  124.         // it was destroyed already by $RCMAIL->kill_session() above

  125.         $RCMAIL->session->remove('temp');

  126.         $RCMAIL->session->regenerate_id(false);

  127. 

  128.         // send auth cookie if necessary

  129.         $RCMAIL->session->set_auth_cookie();

  130. 

  131.         // log successful login

  132.         $RCMAIL->log_login();

  133. 

  134.         // restore original request parameters

  135.         $query = array();

  136.         if ($url = rcube_utils::get_input_value('_url', rcube_utils::INPUT_POST)) {

  137.             parse_str($url, $query);

  138. 

  139.             // prevent endless looping on login page

  140.             if ($query['_task'] == 'login') {

  141.                 unset($query['_task']);

  142.             }

  143. 

  144.             // prevent redirect to compose with specified ID (#1488226)

  145.             if ($query['_action'] == 'compose' && !empty($query['_id'])) {

  146.                 $query = array('_action' => 'compose');

  147.             }

  148.         }

  149. 

  150.         // allow plugins to control the redirect url after login success

  151.         $redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail'));

  152.         unset($redir['abort'], $redir['_err']);

  153. 

  154.         // send redirect

  155.         $OUTPUT->redirect($redir, 0, true);

  156.     }

  157.     else {

  158.         if (!$auth['valid']) {

  159.             $error_code = rcmail::ERROR_INVALID_REQUEST;

  160.         }

  161.         else {

  162.             $error_code = is_numeric($auth['error']) ? $auth['error'] : $RCMAIL->login_error();

  163.         }

  164. 

  165.         $error_labels = array(

  166.             rcmail::ERROR_STORAGE          => 'storageerror',

  167.             rcmail::ERROR_COOKIES_DISABLED => 'cookiesdisabled',

  168.             rcmail::ERROR_INVALID_REQUEST  => 'invalidrequest',

  169.             rcmail::ERROR_INVALID_HOST     => 'invalidhost',

  170.             rcmail::ERROR_RATE_LIMIT       => 'accountlocked',

  171.         );

  172. 

  173.         $error_message = !empty($auth['error']) && !is_numeric($auth['error']) ? $auth['error'] : ($error_labels[$error_code] ?: 'loginfailed');

  174. 

  175.         $OUTPUT->show_message($error_message, 'warning');

  176. 

  177.         // log failed login

  178.         $RCMAIL->log_login($auth['user'], true, $error_code);

  179. 

  180.         $RCMAIL->plugins->exec_hook('login_failed', array(

  181.             'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));

  182. 

  183.         $RCMAIL->kill_session();

  184.     }

  185. }

  186. 

  187. // end session

  188. else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {

  189.     $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);

  190. 

  191.     $userdata = array(

  192.         'user' => $_SESSION['username'],

  193.         'host' => $_SESSION['storage_host'],

  194.         'lang' => $RCMAIL->user->language,

  195.     );

  196. 

  197.     $OUTPUT->show_message('loggedout');

  198. 

  199.     $RCMAIL->logout_actions();

  200.     $RCMAIL->kill_session();

  201.     $RCMAIL->plugins->exec_hook('logout_after', $userdata);

  202. }

  203. 

  204. // check session and auth cookie

  205. else if ($RCMAIL->task != 'login' && $_SESSION['user_id']) {

  206.     if (!$RCMAIL->session->check_auth()) {

  207.         $RCMAIL->kill_session();

  208.         $session_error = true;

  209.     }

  210. }

  211. 

  212. // not logged in -> show login page

  213. if (empty($RCMAIL->user->ID)) {

  214.     // log session failures

  215.     $task = rcube_utils::get_input_value('_task', rcube_utils::INPUT_GPC);

  216. 

  217.     if ($task && !in_array($task, array('login','logout'))

  218.         && !$session_error && ($sess_id = $_COOKIE[ini_get('session.name')])

  219.     ) {

  220.         $RCMAIL->session->log("Aborted session $sess_id; no valid session data found");

  221.         $session_error = true;

  222.     }

  223. 

  224.     if ($session_error || $_REQUEST['_err'] == 'session') {

  225.         $OUTPUT->show_message('sessionerror', 'error', null, true, -1);

  226.     }

  227. 

  228.     if ($OUTPUT->ajax_call || $OUTPUT->get_env('framed')) {

  229.         $OUTPUT->command('session_error', $RCMAIL->url(array('_err' => 'session')));

  230.         $OUTPUT->send('iframe');

  231.     }

  232. 

  233.     // check if installer is still active

  234.     if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {

  235.         $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),

  236.             html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .

  237.             html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .

  238.             html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because

  239.                 these files may expose sensitive configuration data like server passwords and encryption keys

  240.                 to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")

  241.         ));

  242.     }

  243. 

  244.     $plugin = $RCMAIL->plugins->exec_hook('unauthenticated', array('task' => 'login', 'error' => $session_error));

  245. 

  246.     $RCMAIL->set_task($plugin['task']);

  247. 

  248.     $OUTPUT->send($plugin['task']);

  249. }

  250. else {

  251.     // CSRF prevention

  252.     $RCMAIL->request_security_check();

  253. 

  254.     // check access to disabled actions

  255.     $disabled_actions = (array) $RCMAIL->config->get('disabled_actions');

  256.     if (in_array($RCMAIL->task . '.' . ($RCMAIL->action ?: 'index'), $disabled_actions)) {

  257.         rcube::raise_error(array(

  258.             'code' => 404, 'type' => 'php',

  259.             'message' => "Action disabled"), true, true);

  260.     }

  261. }

  262. 

  263. // we're ready, user is authenticated and the request is safe

  264. $plugin = $RCMAIL->plugins->exec_hook('ready', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));

  265. $RCMAIL->set_task($plugin['task']);

  266. $RCMAIL->action = $plugin['action'];

  267. 

  268. // handle special actions

  269. if ($RCMAIL->action == 'keep-alive') {

  270.     $OUTPUT->reset();

  271.     $RCMAIL->plugins->exec_hook('keep_alive', array());

  272.     $OUTPUT->send();

  273. }

  274. else if ($RCMAIL->action == 'save-pref') {

  275.     include INSTALL_PATH . 'program/steps/utils/save_pref.inc';

  276. }

  277. 

  278. 

  279. // include task specific functions

  280. if (is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/func.inc')) {

  281.     include_once $incfile;

  282. }

  283. 

  284. // allow 5 "redirects" to another action

  285. $redirects = 0; $incstep = null;

  286. while ($redirects < 5) {

  287.     // execute a plugin action

  288.     if (preg_match('/^plugin\./', $RCMAIL->action)) {

  289.         $RCMAIL->plugins->exec_action($RCMAIL->action);

  290.         break;

  291.     }

  292.     // execute action registered to a plugin task

  293.     else if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {

  294.         if (!$RCMAIL->action) $RCMAIL->action = 'index';

  295.         $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);

  296.         break;

  297.     }

  298.     // try to include the step file

  299.     else if (($stepfile = $RCMAIL->get_action_file())

  300.         && is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/'.$stepfile)

  301.     ) {

  302.         // include action file only once (in case it don't exit)

  303.         include_once $incfile;

  304.         $redirects++;

  305.     }

  306.     else {

  307.         break;

  308.     }

  309. }

  310. 

  311. if ($RCMAIL->action == 'refresh') {

  312.     $RCMAIL->plugins->exec_hook('refresh', array('last' => intval(rcube_utils::get_input_value('_last', rcube_utils::INPUT_GPC))));

  313. }

  314. 

  315. // parse main template (default)

  316. $OUTPUT->send($RCMAIL->task);

  317. 

  318. // if we arrive here, something went wrong

  319. rcmail::raise_error(array(

  320.     'code' => 404,

  321.     'type' => 'php',

  322.     'line' => __LINE__,

  323.     'file' => __FILE__,

  324.     'message' => "Invalid request"), true, true);