robin.thoni
/
docker-roundcube-server
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 10 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22 Commits
2 Branches
Tree: 66eaa0da8a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '66eaa0da8a'
${ noResults }
docker-roundcube-server/roundcube/roundcubemail-1.2.2/index.php

index.php 12KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312 
  1. <?php

  2. /**

  3.  +-------------------------------------------------------------------------+

  4.  | Roundcube Webmail IMAP Client                                           |

  5.  | Version 1.2.2                                                           |

  6.  |                                                                         |

  7.  | Copyright (C) 2005-2016, The Roundcube Dev Team                         |

  8.  |                                                                         |

  9.  | This program is free software: you can redistribute it and/or modify    |

  10.  | it under the terms of the GNU General Public License (with exceptions   |

  11.  | for skins & plugins) as published by the Free Software Foundation,      |

  12.  | either version 3 of the License, or (at your option) any later version. |

  13.  |                                                                         |

  14.  | This file forms part of the Roundcube Webmail Software for which the    |

  15.  | following exception is added: Plugins and Skins which merely make       |

  16.  | function calls to the Roundcube Webmail Software, and for that purpose  |

  17.  | include it by reference shall not be considered modifications of        |

  18.  | the software.                                                           |

  19.  |                                                                         |

  20.  | If you wish to use this file in another project or create a modified    |

  21.  | version that will not be part of the Roundcube Webmail Software, you    |

  22.  | may remove the exception above and use this source code under the       |

  23.  | original version of the license.                                        |

  24.  |                                                                         |

  25.  | This program is distributed in the hope that it will be useful,         |

  26.  | but WITHOUT ANY WARRANTY; without even the implied warranty of          |

  27.  | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the            |

  28.  | GNU General Public License for more details.                            |

  29.  |                                                                         |

  30.  | You should have received a copy of the GNU General Public License       |

  31.  | along with this program.  If not, see http://www.gnu.org/licenses/.     |

  32.  |                                                                         |

  33.  +-------------------------------------------------------------------------+

  34.  | Author: Thomas Bruederli <roundcube@gmail.com>                          |

  35.  | Author: Aleksander Machniak <alec@alec.pl>                              |

  36.  +-------------------------------------------------------------------------+

  37. */

  38. 

  39. // include environment

  40. require_once 'program/include/iniset.php';

  41. 

  42. // init application, start session, init output class, etc.

  43. $RCMAIL = rcmail::get_instance(0, $GLOBALS['env']);

  44. 

  45. // Make the whole PHP output non-cacheable (#1487797)

  46. $RCMAIL->output->nocacheing_headers();

  47. $RCMAIL->output->common_headers();

  48. 

  49. // turn on output buffering

  50. ob_start();

  51. 

  52. // check if config files had errors

  53. if ($err_str = $RCMAIL->config->get_error()) {

  54.     rcmail::raise_error(array(

  55.         'code' => 601,

  56.         'type' => 'php',

  57.         'message' => $err_str), false, true);

  58. }

  59. 

  60. // check DB connections and exit on failure

  61. if ($err_str = $RCMAIL->db->is_error()) {

  62.     rcmail::raise_error(array(

  63.         'code' => 603,

  64.         'type' => 'db',

  65.         'message' => $err_str), false, true);

  66. }

  67. 

  68. // error steps

  69. if ($RCMAIL->action == 'error' && !empty($_GET['_code'])) {

  70.     rcmail::raise_error(array('code' => hexdec($_GET['_code'])), false, true);

  71. }

  72. 

  73. // check if https is required (for login) and redirect if necessary

  74. if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {

  75.     $https_port = is_bool($force_https) ? 443 : $force_https;

  76. 

  77.     if (!rcube_utils::https_check($https_port)) {

  78.         $host  = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);

  79.         $host .= ($https_port != 443 ? ':' . $https_port : '');

  80. 

  81.         header('Location: https://' . $host . $_SERVER['REQUEST_URI']);

  82.         exit;

  83.     }

  84. }

  85. 

  86. // trigger startup plugin hook

  87. $startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));

  88. $RCMAIL->set_task($startup['task']);

  89. $RCMAIL->action = $startup['action'];

  90. 

  91. // try to log in

  92. if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {

  93.     $request_valid = $_SESSION['temp'] && $RCMAIL->check_request();

  94. 

  95.     // purge the session in case of new login when a session already exists

  96.     $RCMAIL->kill_session();

  97. 

  98.     $auth = $RCMAIL->plugins->exec_hook('authenticate', array(

  99.         'host' => $RCMAIL->autoselect_host(),

  100.         'user' => trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)),

  101.         'pass' => rcube_utils::get_input_value('_pass', rcube_utils::INPUT_POST, true,

  102.             $RCMAIL->config->get('password_charset', 'ISO-8859-1')),

  103.         'cookiecheck' => true,

  104.         'valid'       => $request_valid,

  105.     ));

  106. 

  107.     // Login

  108.     if ($auth['valid'] && !$auth['abort']

  109.         && $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'], $auth['cookiecheck'])

  110.     ) {

  111.         // create new session ID, don't destroy the current session

  112.         // it was destroyed already by $RCMAIL->kill_session() above

  113.         $RCMAIL->session->remove('temp');

  114.         $RCMAIL->session->regenerate_id(false);

  115. 

  116.         // send auth cookie if necessary

  117.         $RCMAIL->session->set_auth_cookie();

  118. 

  119.         // log successful login

  120.         $RCMAIL->log_login();

  121. 

  122.         // restore original request parameters

  123.         $query = array();

  124.         if ($url = rcube_utils::get_input_value('_url', rcube_utils::INPUT_POST)) {

  125.             parse_str($url, $query);

  126. 

  127.             // prevent endless looping on login page

  128.             if ($query['_task'] == 'login') {

  129.                 unset($query['_task']);

  130.             }

  131. 

  132.             // prevent redirect to compose with specified ID (#1488226)

  133.             if ($query['_action'] == 'compose' && !empty($query['_id'])) {

  134.                 $query = array('_action' => 'compose');

  135.             }

  136.         }

  137. 

  138.         // allow plugins to control the redirect url after login success

  139.         $redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail'));

  140.         unset($redir['abort'], $redir['_err']);

  141. 

  142.         // send redirect

  143.         $OUTPUT->redirect($redir, 0, true);

  144.     }

  145.     else {

  146.         if (!$auth['valid']) {

  147.             $error_code = RCMAIL::ERROR_INVALID_REQUEST;

  148.         }

  149.         else {

  150.             $error_code = is_numeric($auth['error']) ? $auth['error'] : $RCMAIL->login_error();

  151.         }

  152. 

  153.         $error_labels = array(

  154.             RCMAIL::ERROR_STORAGE          => 'storageerror',

  155.             RCMAIL::ERROR_COOKIES_DISABLED => 'cookiesdisabled',

  156.             RCMAIL::ERROR_INVALID_REQUEST  => 'invalidrequest',

  157.             RCMAIL::ERROR_INVALID_HOST     => 'invalidhost',

  158.             RCMAIL::ERROR_RATE_LIMIT       => 'accountlocked',

  159.         );

  160. 

  161.         $error_message = !empty($auth['error']) && !is_numeric($auth['error']) ? $auth['error'] : ($error_labels[$error_code] ?: 'loginfailed');

  162. 

  163.         $OUTPUT->show_message($error_message, 'warning');

  164. 

  165.         // log failed login

  166.         $RCMAIL->log_login($auth['user'], true, $error_code);

  167. 

  168.         $RCMAIL->plugins->exec_hook('login_failed', array(

  169.             'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));

  170. 

  171.         $RCMAIL->kill_session();

  172.     }

  173. }

  174. 

  175. // end session

  176. else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {

  177.     $RCMAIL->request_security_check($mode = rcube_utils::INPUT_GET);

  178. 

  179.     $userdata = array(

  180.         'user' => $_SESSION['username'],

  181.         'host' => $_SESSION['storage_host'],

  182.         'lang' => $RCMAIL->user->language,

  183.     );

  184. 

  185.     $OUTPUT->show_message('loggedout');

  186. 

  187.     $RCMAIL->logout_actions();

  188.     $RCMAIL->kill_session();

  189.     $RCMAIL->plugins->exec_hook('logout_after', $userdata);

  190. }

  191. 

  192. // check session and auth cookie

  193. else if ($RCMAIL->task != 'login' && $_SESSION['user_id']) {

  194.     if (!$RCMAIL->session->check_auth()) {

  195.         $RCMAIL->kill_session();

  196.         $session_error = true;

  197.     }

  198. }

  199. 

  200. // not logged in -> show login page

  201. if (empty($RCMAIL->user->ID)) {

  202.     // log session failures

  203.     $task = rcube_utils::get_input_value('_task', rcube_utils::INPUT_GPC);

  204. 

  205.     if ($task && !in_array($task, array('login','logout'))

  206.         && !$session_error && ($sess_id = $_COOKIE[ini_get('session.name')])

  207.     ) {

  208.         $RCMAIL->session->log("Aborted session $sess_id; no valid session data found");

  209.         $session_error = true;

  210.     }

  211. 

  212.     if ($session_error || $_REQUEST['_err'] == 'session') {

  213.         $OUTPUT->show_message('sessionerror', 'error', null, true, -1);

  214.     }

  215. 

  216.     if ($OUTPUT->ajax_call || $OUTPUT->get_env('framed')) {

  217.         $OUTPUT->command('session_error', $RCMAIL->url(array('_err' => 'session')));

  218.         $OUTPUT->send('iframe');

  219.     }

  220. 

  221.     // check if installer is still active

  222.     if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {

  223.         $OUTPUT->add_footer(html::div(array('style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),

  224.             html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .

  225.             html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .

  226.             html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because .

  227.                 these files may expose sensitive configuration data like server passwords and encryption keys

  228.                 to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")

  229.         ));

  230.     }

  231. 

  232.     $plugin = $RCMAIL->plugins->exec_hook('unauthenticated', array('task' => 'login', 'error' => $session_error));

  233. 

  234.     $RCMAIL->set_task($plugin['task']);

  235. 

  236.     $OUTPUT->send($plugin['task']);

  237. }

  238. else {

  239.     // CSRF prevention

  240.     $RCMAIL->request_security_check();

  241. 

  242.     // check access to disabled actions

  243.     $disabled_actions = (array) $RCMAIL->config->get('disabled_actions');

  244.     if (in_array($RCMAIL->task . '.' . ($RCMAIL->action ?: 'index'), $disabled_actions)) {

  245.         rcube::raise_error(array(

  246.             'code' => 404, 'type' => 'php',

  247.             'message' => "Action disabled"), true, true);

  248.     }

  249. }

  250. 

  251. // we're ready, user is authenticated and the request is safe

  252. $plugin = $RCMAIL->plugins->exec_hook('ready', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));

  253. $RCMAIL->set_task($plugin['task']);

  254. $RCMAIL->action = $plugin['action'];

  255. 

  256. // handle special actions

  257. if ($RCMAIL->action == 'keep-alive') {

  258.     $OUTPUT->reset();

  259.     $RCMAIL->plugins->exec_hook('keep_alive', array());

  260.     $OUTPUT->send();

  261. }

  262. else if ($RCMAIL->action == 'save-pref') {

  263.     include INSTALL_PATH . 'program/steps/utils/save_pref.inc';

  264. }

  265. 

  266. 

  267. // include task specific functions

  268. if (is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/func.inc')) {

  269.     include_once $incfile;

  270. }

  271. 

  272. // allow 5 "redirects" to another action

  273. $redirects = 0; $incstep = null;

  274. while ($redirects < 5) {

  275.     // execute a plugin action

  276.     if (preg_match('/^plugin\./', $RCMAIL->action)) {

  277.         $RCMAIL->plugins->exec_action($RCMAIL->action);

  278.         break;

  279.     }

  280.     // execute action registered to a plugin task

  281.     else if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {

  282.         if (!$RCMAIL->action) $RCMAIL->action = 'index';

  283.         $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);

  284.         break;

  285.     }

  286.     // try to include the step file

  287.     else if (($stepfile = $RCMAIL->get_action_file())

  288.         && is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/'.$stepfile)

  289.     ) {

  290.         // include action file only once (in case it don't exit)

  291.         include_once $incfile;

  292.         $redirects++;

  293.     }

  294.     else {

  295.         break;

  296.     }

  297. }

  298. 

  299. if ($RCMAIL->action == 'refresh') {

  300.     $RCMAIL->plugins->exec_hook('refresh', array('last' => intval(rcube_utils::get_input_value('_last', rcube_utils::INPUT_GPC))));

  301. }

  302. 

  303. // parse main template (default)

  304. $OUTPUT->send($RCMAIL->task);

  305. 

  306. // if we arrive here, something went wrong

  307. rcmail::raise_error(array(

  308.     'code' => 404,

  309.     'type' => 'php',

  310.     'line' => __LINE__,

  311.     'file' => __FILE__,

  312.     'message' => "Invalid request"), true, true);