Mirror
/
RoundcubeMail
mirror of https://github.com/roundcube/roundcubemail.git
1
0
Fork 0
Code Issues Releases Wiki Activity
RoundCube Webmail
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12444 Commits
57 Branches
196 Tags
151 MiB
Tree: 1.4.16
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1.4.16'
${ noResults }
RoundcubeMail/index.php

327 lines
12 KiB
Raw Permalink Normal View History

Initial revision
20 years ago
CS fixes
10 years ago
-fixed disclaimer
17 years ago
- s/RoundCube/Roundcube/
15 years ago
Bring back 1.4-git as a version number
2 years ago
-fixed disclaimer
17 years ago
Remove year(s) from copyright headers + some cleanup
6 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
Changed license to GNU GPLv3+ with exceptions for skins and plugins
14 years ago
-fixed disclaimer
17 years ago
CS fixes
12 years ago
-fixed disclaimer
17 years ago
Initial revision
20 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
Optimized loading time; added periodic mail check; added EXPUNGE command
20 years ago
- Fix imap_init hook broken in r3258 (#1486493)
16 years ago
PHP7: Fixed some E_WARNING errors that previously were E_STRICT
10 years ago
More code cleanup
17 years ago
- Make the whole PHP output non-cacheable (#1487797)
14 years ago
- Merge devel-framework branch, resolved conflicts
13 years ago
Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385) Added 'common_headers' hook
7 years ago
- Make the whole PHP output non-cacheable (#1487797)
14 years ago
- get rid of some hardcoded action names and move decission about output compression to the user
16 years ago
Little improvements for message parsing and encoding
19 years ago
Show appropriate error message if config files are missing
17 years ago
CS fixes
12 years ago
Show appropriate error message if config files are missing
17 years ago
Improved error handling in DB connection failure
20 years ago
Merged devel-framework branch (r5746:5779) back into trunk
14 years ago
CS fixes
12 years ago
CS fixes
10 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Improved error handling in DB connection failure
20 years ago
Initial revision
20 years ago
- Merge devel-framework branch, resolved conflicts
13 years ago
CS fixes
10 years ago
Changed codebase to PHP5 with autoloader + added some new classes from the devel-vnext branch
18 years ago
Initial revision
20 years ago
Revert r3038 and allow to specify the port as value of force_https
16 years ago
Support hostname and hostname:port in force_https option (#5511)
9 years ago
CS fixes
12 years ago
Support hostname and hostname:port in force_https option (#5511)
9 years ago
CS fixes
12 years ago
Revert r3038 and allow to specify the port as value of force_https
16 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Initial revision
20 years ago
- Fix setting task name according to auth state. So, any action before user is authenticated is assigned to 'login' task instead of 'mail'. Now binding plugins to 'login' task is possible and realy usefull. It's also possible to bind to all tasks excluding 'login'.
16 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
Changed 'password_charset' default to 'UTF-8' (#6522)
7 years ago
Merged branch devel-api (from r2208 to r2387) back into trunk (omitting some sample plugins)
17 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
Fix CSRF bypass that could be used to log out an authenticated user (#7302)
5 years ago
Add option to log successful logins.
17 years ago
CS fixes
12 years ago
CS fixes
9 years ago
CS fixes
12 years ago
Fix error when using back button after sending an email (#1490009)
10 years ago
CS fixes
12 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
Show explicit error message when provided hostname is invalid (#1488550)
13 years ago
CS fixes
12 years ago
CS fixes
9 years ago
CS fixes
12 years ago
Display custom error messages from plugins hooks (as documented in the API spec)
11 years ago
CS fixes
12 years ago
Show explicit error message when provided hostname is invalid (#1488550)
13 years ago
CS fixes
12 years ago
CS fixes
9 years ago
CS fixes
12 years ago
Show explicit error message when provided hostname is invalid (#1488550)
13 years ago
Fix login error message display broken in b51de327
11 years ago
- Handle situation when $IMAP object isn't initialized on log in
15 years ago
CS fixes
12 years ago
Log also failed logins to userlogins log
12 years ago
CS fixes
12 years ago
Fix CSRF bypass that could be used to log out an authenticated user (#7302)
5 years ago
CS fixes
12 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
Fix CSRF bypass that could be used to log out an authenticated user (#7302)
5 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
CS fixes
12 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Fixed bugs #1364122, #1468895, ticket #1483811 and other minor bugs
19 years ago
Remove obsolete code that disables session check on 'send' action
11 years ago
CS fixes
12 years ago
Added cookie mismatch detection, display an error message informing the user to clear cookies
6 years ago
CS fixes
12 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Next step: introduce the application class 'rcmail' and get rid of some global vars
17 years ago
Added cookie mismatch detection, display an error message informing the user to clear cookies
6 years ago
Prevent from "Call to undefined method rcmail_output_json::add_footer()" error
12 years ago
Warn for unsent/unsaved message when closing compose window; remove localStorage copy if page was left intentionally but not on session errors (#1489818)
11 years ago
Prevent from "Call to undefined method rcmail_output_json::add_footer()" error
12 years ago
CS fixes
12 years ago
Add id attribute to the installer warning
8 years ago
CS fixes
12 years ago
Fix typo
9 years ago
CS fixes
12 years ago
Plugin API: Add possibility to specify HTTP return code via 'unauthenticated' hook
7 years ago
Fix so 401 error is returned only on failed logon requests (#7010)
6 years ago
Plugin API: Add possibility to specify HTTP return code via 'unauthenticated' hook
7 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
CS fixes
12 years ago
Plugin API: Add 'unauthenticated' hook (#1488138)
13 years ago
Plugin API: Add possibility to specify HTTP return code via 'unauthenticated' hook
7 years ago
Return "401 Unauthorized" status when login fails (#5663)
8 years ago
CS fixes
12 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Improve system security by using optional special URL with security token Allows to define separate server/path for image/js/css files Fix bugs where CSRF attacks were still possible on some requests
11 years ago
Add option (disabled_actions) to disable UI elements/actions (#1489638)
11 years ago
Fix so "Action disabled" error uses more appropriate 404 code (#5440)
9 years ago
Add option (disabled_actions) to disable UI elements/actions (#1489638)
11 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Initial revision
20 years ago
- Plugin API: added 'ready' hook (#1488073)
14 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Moved code block to a more appropriate position + codestyle
17 years ago
CS fixes
12 years ago
Moved code block to a more appropriate position + codestyle
17 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
CS fixes
12 years ago
- Fix "Server Error! (Not Found)" when using utils/save-pref action (#1487023)
15 years ago
Re-design of caching (new database table added\!); some bugfixes; Postgres support
20 years ago
Initial revision
20 years ago
Simplify step inclusion in controller (index.php)
17 years ago
CS fixes
12 years ago
Simplify step inclusion in controller (index.php)
17 years ago
Remove unused variable
8 years ago
Simplify step inclusion in controller (index.php)
17 years ago
CS fixes
12 years ago
Give precedence to plugin.* actions over custom tasks registered by plugins
11 years ago
CS fixes
12 years ago
Give precedence to plugin.* actions over custom tasks registered by plugins
11 years ago
CS fixes
12 years ago
Merged branch devel-addressbook from r443 back to trunk
19 years ago
Initial revision
20 years ago
Plugin API: Add 'refresh' hook
13 years ago
CS fixes
12 years ago
Plugin API: Add 'refresh' hook
13 years ago
Initial revision
20 years ago
Simplify step inclusion in controller (index.php)
17 years ago
Next step: introduce the application class 'rcmail' and get rid of some global vars
17 years ago
Fix for URL injection vulnerability (Bug #1307966)
20 years ago
- Framework refactoring (I hope it's the last one): rcube,rcmail,rcube_ui -> rcube,rcmail,rcube_utils renamed main.inc into rcube_bc.inc
13 years ago
CS fixes
12 years ago
  1. <?php
  2. /**
  3. +-------------------------------------------------------------------------+
  4. | Roundcube Webmail IMAP Client |
  5. | Version 1.4-git |
  6. | |
  7. | Copyright (C) The Roundcube Dev Team |
  8. | |
  9. | This program is free software: you can redistribute it and/or modify |
  10. | it under the terms of the GNU General Public License (with exceptions |
  11. | for skins & plugins) as published by the Free Software Foundation, |
  12. | either version 3 of the License, or (at your option) any later version. |
  13. | |
  14. | This file forms part of the Roundcube Webmail Software for which the |
  15. | following exception is added: Plugins and Skins which merely make |
  16. | function calls to the Roundcube Webmail Software, and for that purpose |
  17. | include it by reference shall not be considered modifications of |
  18. | the software. |
  19. | |
  20. | If you wish to use this file in another project or create a modified |
  21. | version that will not be part of the Roundcube Webmail Software, you |
  22. | may remove the exception above and use this source code under the |
  23. | original version of the license. |
  24. | |
  25. | This program is distributed in the hope that it will be useful, |
  26. | but WITHOUT ANY WARRANTY; without even the implied warranty of |
  27. | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
  28. | GNU General Public License for more details. |
  29. | |
  30. | You should have received a copy of the GNU General Public License |
  31. | along with this program. If not, see http://www.gnu.org/licenses/. |
  32. | |
  33. +-------------------------------------------------------------------------+
  34. | Author: Thomas Bruederli <roundcube@gmail.com> |
  35. | Author: Aleksander Machniak <alec@alec.pl> |
  36. +-------------------------------------------------------------------------+
  37. */
  39. // include environment
  40. require_once 'program/include/iniset.php';
  42. // init application, start session, init output class, etc.
  43. $RCMAIL = rcmail::get_instance(0, $GLOBALS['env']);
  45. // Make the whole PHP output non-cacheable (#1487797)
  46. $RCMAIL->output->nocacheing_headers();
  47. $RCMAIL->output->common_headers(!empty($_SESSION['user_id']));
  49. // turn on output buffering
  50. ob_start();
  52. // check if config files had errors
  53. if ($err_str = $RCMAIL->config->get_error()) {
  54. rcmail::raise_error(array(
  55. 'code' => 601,
  56. 'type' => 'php',
  57. 'message' => $err_str), false, true);
  58. }
  60. // check DB connections and exit on failure
  61. if ($err_str = $RCMAIL->db->is_error()) {
  62. rcmail::raise_error(array(
  63. 'code' => 603,
  64. 'type' => 'db',
  65. 'message' => $err_str), false, true);
  66. }
  68. // error steps
  69. if ($RCMAIL->action == 'error' && !empty($_GET['_code'])) {
  70. rcmail::raise_error(array('code' => hexdec($_GET['_code'])), false, true);
  71. }
  73. // check if https is required (for login) and redirect if necessary
  74. if (empty($_SESSION['user_id']) && ($force_https = $RCMAIL->config->get('force_https', false))) {
  75. // force_https can be true, <hostname>, <hostname>:<port>, <port>
  76. if (!is_bool($force_https)) {
  77. list($host, $port) = explode(':', $force_https);
  79. if (is_numeric($host) && empty($port)) {
  80. $port = $host;
  81. $host = '';
  82. }
  83. }
  85. if (!rcube_utils::https_check($port ?: 443)) {
  86. if (empty($host)) {
  87. $host = preg_replace('/:[0-9]+$/', '', $_SERVER['HTTP_HOST']);
  88. }
  89. if ($port && $port != 443) {
  90. $host .= ':' . $port;
  91. }
  93. header('Location: https://' . $host . $_SERVER['REQUEST_URI']);
  94. exit;
  95. }
  96. }
  98. // trigger startup plugin hook
  99. $startup = $RCMAIL->plugins->exec_hook('startup', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
  100. $RCMAIL->set_task($startup['task']);
  101. $RCMAIL->action = $startup['action'];
  103. // try to log in
  104. if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') {
  105. $request_valid = $_SESSION['temp'] && $RCMAIL->check_request();
  106. $pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8');
  108. // purge the session in case of new login when a session already exists
  109. if ($request_valid) {
  110. $RCMAIL->kill_session();
  111. }
  113. $auth = $RCMAIL->plugins->exec_hook('authenticate', array(
  114. 'host' => $RCMAIL->autoselect_host(),
  115. 'user' => trim(rcube_utils::get_input_value('_user', rcube_utils::INPUT_POST)),
  116. 'pass' => rcube_utils::get_input_value('_pass', rcube_utils::INPUT_POST, true, $pass_charset),
  117. 'valid' => $request_valid,
  118. 'cookiecheck' => true,
  119. ));
  121. // Login
  122. if ($auth['valid'] && !$auth['abort']
  123. && $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'], $auth['cookiecheck'])
  124. ) {
  125. // create new session ID, don't destroy the current session
  126. // it was destroyed already by $RCMAIL->kill_session() above
  127. $RCMAIL->session->remove('temp');
  128. $RCMAIL->session->regenerate_id(false);
  130. // send auth cookie if necessary
  131. $RCMAIL->session->set_auth_cookie();
  133. // log successful login
  134. $RCMAIL->log_login();
  136. // restore original request parameters
  137. $query = array();
  138. if ($url = rcube_utils::get_input_value('_url', rcube_utils::INPUT_POST)) {
  139. parse_str($url, $query);
  141. // prevent endless looping on login page
  142. if ($query['_task'] == 'login') {
  143. unset($query['_task']);
  144. }
  146. // prevent redirect to compose with specified ID (#1488226)
  147. if ($query['_action'] == 'compose' && !empty($query['_id'])) {
  148. $query = array('_action' => 'compose');
  149. }
  150. }
  152. // allow plugins to control the redirect url after login success
  153. $redir = $RCMAIL->plugins->exec_hook('login_after', $query + array('_task' => 'mail'));
  154. unset($redir['abort'], $redir['_err']);
  156. // send redirect
  157. $OUTPUT->redirect($redir, 0, true);
  158. }
  159. else {
  160. if (!$auth['valid']) {
  161. $error_code = rcmail::ERROR_INVALID_REQUEST;
  162. }
  163. else {
  164. $error_code = is_numeric($auth['error']) ? $auth['error'] : $RCMAIL->login_error();
  165. }
  167. $error_labels = array(
  168. rcmail::ERROR_STORAGE => 'storageerror',
  169. rcmail::ERROR_COOKIES_DISABLED => 'cookiesdisabled',
  170. rcmail::ERROR_INVALID_REQUEST => 'invalidrequest',
  171. rcmail::ERROR_INVALID_HOST => 'invalidhost',
  172. rcmail::ERROR_RATE_LIMIT => 'accountlocked',
  173. );
  175. $error_message = !empty($auth['error']) && !is_numeric($auth['error']) ? $auth['error'] : ($error_labels[$error_code] ?: 'loginfailed');
  177. $OUTPUT->show_message($error_message, 'warning');
  179. // log failed login
  180. $RCMAIL->log_login($auth['user'], true, $error_code);
  182. $RCMAIL->plugins->exec_hook('login_failed', array(
  183. 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user']));
  185. if (!isset($_SESSION['user_id'])) {
  186. $RCMAIL->kill_session();
  187. }
  188. }
  189. }
  191. // end session
  192. else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) {
  193. $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST);
  195. $userdata = array(
  196. 'user' => $_SESSION['username'],
  197. 'host' => $_SESSION['storage_host'],
  198. 'lang' => $RCMAIL->user->language,
  199. );
  201. $OUTPUT->show_message('loggedout');
  203. $RCMAIL->logout_actions();
  204. $RCMAIL->kill_session();
  205. $RCMAIL->plugins->exec_hook('logout_after', $userdata);
  206. }
  208. // check session and auth cookie
  209. else if ($RCMAIL->task != 'login' && $_SESSION['user_id']) {
  210. if (!$RCMAIL->session->check_auth()) {
  211. $RCMAIL->kill_session();
  212. $session_error = 'sessionerror';
  213. }
  214. }
  216. // not logged in -> show login page
  217. if (empty($RCMAIL->user->ID)) {
  218. if ($session_error || $_REQUEST['_err'] === 'session' || ($session_error = $RCMAIL->session_error())) {
  219. $OUTPUT->show_message($session_error ?: 'sessionerror', 'error', null, true, -1);
  220. }
  222. if ($OUTPUT->ajax_call || $OUTPUT->get_env('framed')) {
  223. $OUTPUT->command('session_error', $RCMAIL->url(array('_err' => 'session')));
  224. $OUTPUT->send('iframe');
  225. }
  227. // check if installer is still active
  228. if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) {
  229. $OUTPUT->add_footer(html::div(array('id' => 'login-addon', 'style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"),
  230. html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") .
  231. html::p(null, "The install script of your Roundcube installation is still stored in its default location!") .
  232. html::p(null, "Please <b>remove</b> the whole <tt>installer</tt> folder from the Roundcube directory because
  233. these files may expose sensitive configuration data like server passwords and encryption keys
  234. to the public. Make sure you cannot access the <a href=\"./installer/\">installer script</a> from your browser.")
  235. ));
  236. }
  238. $plugin = $RCMAIL->plugins->exec_hook('unauthenticated', array(
  239. 'task' => 'login',
  240. 'error' => $session_error,
  241. // Return 401 only on failed logins (#7010)
  242. 'http_code' => empty($session_error) && !empty($error_message) ? 401 : 200
  243. ));
  245. $RCMAIL->set_task($plugin['task']);
  247. if ($plugin['http_code'] == 401) {
  248. header('HTTP/1.0 401 Unauthorized');
  249. }
  251. $OUTPUT->send($plugin['task']);
  252. }
  253. else {
  254. // CSRF prevention
  255. $RCMAIL->request_security_check();
  257. // check access to disabled actions
  258. $disabled_actions = (array) $RCMAIL->config->get('disabled_actions');
  259. if (in_array($RCMAIL->task . '.' . ($RCMAIL->action ?: 'index'), $disabled_actions)) {
  260. rcube::raise_error(array(
  261. 'code' => 404, 'type' => 'php',
  262. 'message' => "Action disabled"), true, true);
  263. }
  264. }
  266. // we're ready, user is authenticated and the request is safe
  267. $plugin = $RCMAIL->plugins->exec_hook('ready', array('task' => $RCMAIL->task, 'action' => $RCMAIL->action));
  268. $RCMAIL->set_task($plugin['task']);
  269. $RCMAIL->action = $plugin['action'];
  271. // handle special actions
  272. if ($RCMAIL->action == 'keep-alive') {
  273. $OUTPUT->reset();
  274. $RCMAIL->plugins->exec_hook('keep_alive', array());
  275. $OUTPUT->send();
  276. }
  277. else if ($RCMAIL->action == 'save-pref') {
  278. include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
  279. }
  282. // include task specific functions
  283. if (is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/func.inc')) {
  284. include_once $incfile;
  285. }
  287. // allow 5 "redirects" to another action
  288. $redirects = 0;
  289. while ($redirects < 5) {
  290. // execute a plugin action
  291. if (preg_match('/^plugin\./', $RCMAIL->action)) {
  292. $RCMAIL->plugins->exec_action($RCMAIL->action);
  293. break;
  294. }
  295. // execute action registered to a plugin task
  296. else if ($RCMAIL->plugins->is_plugin_task($RCMAIL->task)) {
  297. if (!$RCMAIL->action) $RCMAIL->action = 'index';
  298. $RCMAIL->plugins->exec_action($RCMAIL->task.'.'.$RCMAIL->action);
  299. break;
  300. }
  301. // try to include the step file
  302. else if (($stepfile = $RCMAIL->get_action_file())
  303. && is_file($incfile = INSTALL_PATH . 'program/steps/'.$RCMAIL->task.'/'.$stepfile)
  304. ) {
  305. // include action file only once (in case it don't exit)
  306. include_once $incfile;
  307. $redirects++;
  308. }
  309. else {
  310. break;
  311. }
  312. }
  314. if ($RCMAIL->action == 'refresh') {
  315. $RCMAIL->plugins->exec_hook('refresh', array('last' => intval(rcube_utils::get_input_value('_last', rcube_utils::INPUT_GPC))));
  316. }
  318. // parse main template (default)
  319. $OUTPUT->send($RCMAIL->task);
  321. // if we arrive here, something went wrong
  322. rcmail::raise_error(array(
  323. 'code' => 404,
  324. 'type' => 'php',
  325. 'line' => __LINE__,
  326. 'file' => __FILE__,
  327. 'message' => "Invalid request"), true, true);