Mirror
/
RoundcubeMail
mirror of https://github.com/roundcube/roundcubemail.git
1
0
Fork 0
Code Issues Releases Wiki Activity
RoundCube Webmail
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12602 Commits
57 Branches
196 Tags
151 MiB
Tree: 993b888afe
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '993b888afe'
${ noResults }
RoundcubeMail/index.php

278 lines
11 KiB
Raw Normal View History

Initial revision
20 years ago
CS fixes
10 years ago
-fixed disclaimer
17 years ago
- s/RoundCube/Roundcube/
15 years ago
Prepare release 1.6.0
3 years ago
-fixed disclaimer
17 years ago
Remove year(s) from copyright headers + some cleanup
6 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
CS fixes
12 years ago
-fixed disclaimer
17 years ago
Initial revision
20 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
Optimized loading time; added periodic mail check; added EXPUNGE command
20 years ago
- Fix imap_init hook broken in r3258 (#1486493)
16 years ago
Fix a few PHP notices (#7791)
5 years ago
More code cleanup
17 years ago
- Make the whole PHP output non-cacheable (#1487797)
14 years ago
- Merge devel-framework branch, resolved conflicts
13 years ago
Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385) Added 'common_headers' hook
7 years ago
- Make the whole PHP output non-cacheable (#1487797)
14 years ago
- get rid of some hardcoded action names and move decission about output compression to the user
16 years ago
Little improvements for message parsing and encoding
19 years ago
Display a generic error page on initial DB/configuration errors (#8222)
4 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Improved error handling in DB connection failure
20 years ago
Initial revision
20 years ago
- Merge devel-framework branch, resolved conflicts
13 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
Initial revision
20 years ago
Revert r3038 and allow to specify the port as value of force_https
16 years ago
Support hostname and hostname:port in force_https option (#5511)
9 years ago
CS fixes
12 years ago
Support hostname and hostname:port in force_https option (#5511)
9 years ago
FIX PHP8 fatal error and some warnings (#7931)
4 years ago
Support hostname and hostname:port in force_https option (#5511)
9 years ago
FIX PHP8 fatal error and some warnings (#7931)
4 years ago
Support hostname and hostname:port in force_https option (#5511)
9 years ago
CS fixes
12 years ago
Revert r3038 and allow to specify the port as value of force_https
16 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Initial revision
20 years ago
- Fix setting task name according to auth state. So, any action before user is authenticated is assigned to 'login' task instead of 'mail'. Now binding plugins to 'login' task is possible and realy usefull. It's also possible to bind to all tasks excluding 'login'.
16 years ago
Fix various PHP8 warnings (#8392)
4 years ago
Changed 'password_charset' default to 'UTF-8' (#6522)
7 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
Fix CSRF bypass that could be used to log out an authenticated user (#7302)
5 years ago
Add option to log successful logins.
17 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
CS fixes
9 years ago
Fix fatal error/warning on invalid input to user parameter (#8152) Added a new utility method: rcube_utils::get_input_string()
4 years ago
CS fixes
9 years ago
CS fixes, potential PHP8 warning (#7781)
5 years ago
CS fixes
9 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
CS fixes
12 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Fix fatal error/warning on invalid input to user parameter (#8152) Added a new utility method: rcube_utils::get_input_string()
4 years ago
CS fixes
12 years ago
Fix PHP8 warning
4 years ago
CS fixes
12 years ago
PHP8: More warnings fixed
5 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
CS fixes
12 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
CS fixes
12 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Show explicit error message when provided hostname is invalid (#1488550)
13 years ago
CS fixes
12 years ago
CS fixes
9 years ago
CS fixes
12 years ago
Display custom error messages from plugins hooks (as documented in the API spec)
11 years ago
CS fixes
12 years ago
Show explicit error message when provided hostname is invalid (#1488550)
13 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
CS fixes
9 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Show explicit error message when provided hostname is invalid (#1488550)
13 years ago
CS fixes, potential PHP8 warning (#7781)
5 years ago
- Handle situation when $IMAP object isn't initialized on log in
15 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Log also failed logins to userlogins log
12 years ago
CS fixes
12 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
CS fixes, potential PHP8 warning (#7781)
5 years ago
CS fixes
12 years ago
Fix CSRF bypass that could be used to log out an authenticated user (#7302)
5 years ago
CS fixes
12 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Basic support for OAuth2 user login and IMAP/SMTP authentication - Add "Login with XXX" button to login screen if oauth is configured - Perform OAuth login procedure and get an access token - Implement XOAUTH2 authentication type for IAMP and SMTP Requires a patched and not yet released version of Net_SMTP.
6 years ago
Check if OAuth is enabled before including `oauth.inc` step file
5 years ago
Fix oauth action run
5 years ago
Basic support for OAuth2 user login and IMAP/SMTP authentication - Add "Login with XXX" button to login screen if oauth is configured - Perform OAuth login procedure and get an access token - Implement XOAUTH2 authentication type for IAMP and SMTP Requires a patched and not yet released version of Net_SMTP.
6 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
Fix CSRF bypass that could be used to log out an authenticated user (#7302)
5 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
CS fixes
12 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
CS fixes
12 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Fixed bugs #1364122, #1468895, ticket #1483811 and other minor bugs
19 years ago
Remove obsolete code that disables session check on 'send' action
11 years ago
CS fixes
12 years ago
Added cookie mismatch detection, display an error message informing the user to clear cookies
6 years ago
CS fixes
12 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Next step: introduce the application class 'rcmail' and get rid of some global vars
17 years ago
PHP8: More warnings fixed
5 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
PHP8: More warnings fixed
5 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Prevent from "Call to undefined method rcmail_output_json::add_footer()" error
12 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Prevent from "Call to undefined method rcmail_output_json::add_footer()" error
12 years ago
CS fixes
12 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
CS fixes
12 years ago
Fix typo
9 years ago
CS fixes
12 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Plugin API: Add possibility to specify HTTP return code via 'unauthenticated' hook
7 years ago
Fix so 401 error is returned only on failed logon requests (#7010)
6 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
CS fixes
12 years ago
Plugin API: Add 'unauthenticated' hook (#1488138)
13 years ago
Plugin API: Add possibility to specify HTTP return code via 'unauthenticated' hook
7 years ago
Return "401 Unauthorized" status when login fails (#5663)
8 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
Add option (disabled_actions) to disable UI elements/actions (#1489638)
11 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
Add option (disabled_actions) to disable UI elements/actions (#1489638)
11 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Initial revision
20 years ago
Steps -> Actions refactoring (#7688) * Move action handling code to rcmail class * Add rcmail_action class * Add action aliases * Get rid of $OUTPUT global * Move some methods from rcmail to rcmail_action * PHP8 compat. fixes * Add framework for testing actions * Fix obvious code mistakes
5 years ago
  1. <?php
  2. /**
  3. +-------------------------------------------------------------------------+
  4. | Roundcube Webmail IMAP Client |
  5. | Version 1.6.0 |
  6. | |
  7. | Copyright (C) The Roundcube Dev Team |
  8. | |
  9. | This program is free software: you can redistribute it and/or modify |
  10. | it under the terms of the GNU General Public License (with exceptions |
  11. | for skins & plugins) as published by the Free Software Foundation, |
  12. | either version 3 of the License, or (at your option) any later version. |
  13. | |
  14. | This file forms part of the Roundcube Webmail Software for which the |
  15. | following exception is added: Plugins and Skins which merely make |
  16. | function calls to the Roundcube Webmail Software, and for that purpose |
  17. | include it by reference shall not be considered modifications of |
  18. | the software. |
  19. | |
  20. | If you wish to use this file in another project or create a modified |
  21. | version that will not be part of the Roundcube Webmail Software, you |
  22. | may remove the exception above and use this source code under the |
  23. | original version of the license. |
  24. | |
  25. | This program is distributed in the hope that it will be useful, |
  26. | but WITHOUT ANY WARRANTY; without even the implied warranty of |
  27. | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
  28. | GNU General Public License for more details. |
  29. | |
  30. | You should have received a copy of the GNU General Public License |
  31. | along with this program. If not, see http://www.gnu.org/licenses/. |
  32. | |
  33. +-------------------------------------------------------------------------+
  34. | Author: Thomas Bruederli <roundcube@gmail.com> |
  35. | Author: Aleksander Machniak <alec@alec.pl> |
  36. +-------------------------------------------------------------------------+
  37. */
  39. // include environment
  40. require_once 'program/include/iniset.php';
  42. // init application, start session, init output class, etc.
  43. $RCMAIL = rcmail::get_instance(0, isset($GLOBALS['env']) ? $GLOBALS['env'] : null);
  45. // Make the whole PHP output non-cacheable (#1487797)
  46. $RCMAIL->output->nocacheing_headers();
  47. $RCMAIL->output->common_headers(!empty($_SESSION['user_id']));
  49. // turn on output buffering
  50. ob_start();
  52. // check the initial error state
  53. if ($RCMAIL->config->get_error() || $RCMAIL->db->is_error()) {
  54. rcmail_fatal_error();
  55. }
  57. // error steps
  58. if ($RCMAIL->action == 'error' && !empty($_GET['_code'])) {
  59. rcmail::raise_error(['code' => hexdec($_GET['_code'])], false, true);
  60. }
  62. // check if https is required (for login) and redirect if necessary
  63. if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
  64. // force_https can be true, <hostname>, <hostname>:<port>, <port>
  65. if (!is_bool($force_https)) {
  66. list($host, $port) = explode(':', $force_https);
  68. if (is_numeric($host) && empty($port)) {
  69. $port = $host;
  70. $host = '';
  71. }
  72. }
  74. if (empty($port)) {
  75. $port = 443;
  76. }
  78. if (!rcube_utils::https_check($port)) {
  79. if (empty($host)) {
  80. $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
  81. }
  82. if ($port != 443) {
  83. $host .= ':' . $port;
  84. }
  86. header('Location: https://' . $host . $_SERVER['REQUEST_URI']);
  87. exit;
  88. }
  89. }
  91. // trigger startup plugin hook
  92. $startup = $RCMAIL->plugins->exec_hook('startup', ['task' => $RCMAIL->task, 'action' => $RCMAIL->action]);
  93. $RCMAIL->set_task($startup['task']);
  94. $RCMAIL->action = $startup['action'];
  96. $session_error = null;
  98. // try to log in
  99. if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
  100. $request_valid = !empty($_SESSION['temp']) && $RCMAIL->check_request();
  101. $pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8');
  103. // purge the session in case of new login when a session already exists
  104. if ($request_valid) {
  105. $RCMAIL->kill_session();
  106. }
  108. $auth = $RCMAIL->plugins->exec_hook('authenticate', [
  109. 'host' => $RCMAIL->autoselect_host(),
  110. 'user' => trim(rcube_utils::get_input_string('_user', rcube_utils::INPUT_POST)),
  111. 'pass' => rcube_utils::get_input_string('_pass', rcube_utils::INPUT_POST, true, $pass_charset),
  112. 'valid' => $request_valid,
  113. 'error' => null,
  114. 'cookiecheck' => true,
  115. ]);
  117. // Login
  118. if ($auth['valid'] && !$auth['abort']
  119. && $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'], $auth['cookiecheck'])
  120. ) {
  121. // create new session ID, don't destroy the current session
  122. // it was destroyed already by $RCMAIL->kill_session() above
  123. $RCMAIL->session->remove('temp');
  124. $RCMAIL->session->regenerate_id(false);
  126. // send auth cookie if necessary
  127. $RCMAIL->session->set_auth_cookie();
  129. // log successful login
  130. $RCMAIL->log_login();
  132. // restore original request parameters
  133. $query = [];
  134. if ($url = rcube_utils::get_input_string('_url', rcube_utils::INPUT_POST)) {
  135. parse_str($url, $query);
  137. // prevent endless looping on login page
  138. if (!empty($query['_task']) && $query['_task'] == 'login') {
  139. unset($query['_task']);
  140. }
  142. // prevent redirect to compose with specified ID (#1488226)
  143. if (!empty($query['_action']) && $query['_action'] == 'compose' && !empty($query['_id'])) {
  144. $query = ['_action' => 'compose'];
  145. }
  146. }
  148. // allow plugins to control the redirect url after login success
  149. $redir = $RCMAIL->plugins->exec_hook('login_after', $query + ['_task' => 'mail']);
  150. unset($redir['abort'], $redir['_err']);
  152. // send redirect
  153. $RCMAIL->output->redirect($redir, 0, true);
  154. }
  155. else {
  156. if (!$auth['valid']) {
  157. $error_code = rcmail::ERROR_INVALID_REQUEST;
  158. }
  159. else {
  160. $error_code = is_numeric($auth['error']) ? $auth['error'] : $RCMAIL->login_error();
  161. }
  163. $error_labels = [
  164. rcmail::ERROR_STORAGE => 'storageerror',
  165. rcmail::ERROR_COOKIES_DISABLED => 'cookiesdisabled',
  166. rcmail::ERROR_INVALID_REQUEST => 'invalidrequest',
  167. rcmail::ERROR_INVALID_HOST => 'invalidhost',
  168. rcmail::ERROR_RATE_LIMIT => 'accountlocked',
  169. ];
  171. if (!empty($auth['error']) && !is_numeric($auth['error'])) {
  172. $error_message = $auth['error'];
  173. }
  174. else {
  175. $error_message = !empty($error_labels[$error_code]) ? $error_labels[$error_code] : 'loginfailed';
  176. }
  178. $RCMAIL->output->show_message($error_message, 'warning');
  180. // log failed login
  181. $RCMAIL->log_login($auth['user'], true, $error_code);
  183. $RCMAIL->plugins->exec_hook('login_failed', [
  184. 'code' => $error_code,
  185. 'host' => $auth['host'],
  186. 'user' => $auth['user'],
  187. ]);
  189. if (!isset($_SESSION['user_id'])) {
  190. $RCMAIL->kill_session();
  191. }
  192. }
  193. }
  195. // handle oauth login requests
  196. else if ($RCMAIL->task == 'login' && $RCMAIL->action == 'oauth' && $RCMAIL->oauth->is_enabled()) {
  197. $oauth_handler = new rcmail_action_login_oauth();
  198. $oauth_handler->run();
  199. }
  201. // end session
  202. else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
  203. $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
  205. $userdata = array(
  206. 'user' => $_SESSION['username'],
  207. 'host' => $_SESSION['storage_host'],
  208. 'lang' => $RCMAIL->user->language,
  209. );
  211. $RCMAIL->output->show_message('loggedout');
  213. $RCMAIL->logout_actions();
  214. $RCMAIL->kill_session();
  215. $RCMAIL->plugins->exec_hook('logout_after', $userdata);
  216. }
  218. // check session and auth cookie
  219. else if ($RCMAIL->task != 'login' && $_SESSION['user_id']) {
  220. if (!$RCMAIL->session->check_auth()) {
  221. $RCMAIL->kill_session();
  222. $session_error = 'sessionerror';
  223. }
  224. }
  226. // not logged in -> show login page
  227. if (empty($RCMAIL->user->ID)) {
  228. if (
  229. $session_error
  230. || (!empty($_REQUEST['_err']) && $_REQUEST['_err'] === 'session')
  231. || ($session_error = $RCMAIL->session_error())
  232. ) {
  233. $RCMAIL->output->show_message($session_error ?: 'sessionerror', 'error', null, true, -1);
  234. }
  236. if ($RCMAIL->output->ajax_call || $RCMAIL->output->get_env('framed')) {
  237. $RCMAIL->output->command('session_error', $RCMAIL->url(['_err' => 'session']));
  238. $RCMAIL->output->send('iframe');
  239. }
  241. // check if installer is still active
  242. if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
  243. $RCMAIL->output->add_footer(html::div(['id' => 'login-addon', 'style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"],
  244. html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
  245. html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
  246. html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because
  247. these files may expose sensitive configuration data like server passwords and encryption keys
  248. to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
  249. ));
  250. }
  252. $plugin = $RCMAIL->plugins->exec_hook('unauthenticated', [
  253. 'task' => 'login',
  254. 'error' => $session_error,
  255. // Return 401 only on failed logins (#7010)
  256. 'http_code' => empty($session_error) && !empty($error_message) ? 401 : 200
  257. ]);
  259. $RCMAIL->set_task($plugin['task']);
  261. if ($plugin['http_code'] == 401) {
  262. header('HTTP/1.0 401 Unauthorized');
  263. }
  265. $RCMAIL->output->send($plugin['task']);
  266. }
  267. else {
  268. // CSRF prevention
  269. $RCMAIL->request_security_check();
  271. // check access to disabled actions
  272. $disabled_actions = (array) $RCMAIL->config->get('disabled_actions');
  273. if (in_array($RCMAIL->task . '.' . ($RCMAIL->action ?: 'index'), $disabled_actions)) {
  274. rcube::raise_error(['code' => 404, 'message' => "Action disabled"], true, true);
  275. }
  276. }
  278. $RCMAIL->action_handler();