Source for file init.php
Documentation is available at init.php
* init.php -- initialisation file
* File should be loaded in every file in src/ or plugins that occupate an entire frame
* @copyright 2006-2020 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id: init.php 14845 2020-01-07 08:09:34Z pdontthink $
* This is a development version so in order to track programmer mistakes we
* set the error reporting to E_ALL
FIXME: disabling this for now, because we now have $sm_debug_mode, but the problem with that is that we don't know what it will be until we have loaded the config file, a good 175 lines below after several important files have been included, etc. For now, we'll trust that developers have turned on E_ALL in php.ini anyway, but this can be uncommented if not.
//error_reporting(E_ALL);
* Make sure we have a page name
* If register_globals are on, unregister globals.
* Second test covers boolean set as string (php_value register_globals off).
if ((bool)
ini_get('register_globals') &&
* Remove all globals that are not reserved by PHP
* 'value' and 'key' are used by foreach. Don't unset them inside foreach.
foreach ($GLOBALS as $key =>
$value) {
case 'HTTP_SESSION_VARS':
// Unset variables used in foreach
unset
($GLOBALS['value']);
* Used as a dummy value, e.g., for passing as an empty
* hook argument (where the value is passed by reference,
* and therefore NULL itself is not acceptable).
* The global $server_os variable will be "windows" if
* we are working in a Windows environment or "*nix"
if (DIRECTORY_SEPARATOR ==
'\\') $server_os =
'windows'; else $server_os =
'*nix';
* [#1518885] session.use_cookies = off breaks SquirrelMail
* When session cookies are not used, all http redirects, meta refreshes,
* src/download.php and javascript URLs are broken. Setting must be set
* before session is started.
if (!(bool)
ini_get('session.use_cookies') ||
ini_get('session.use_cookies') ==
'off') {
ini_set('session.use_cookies','1');
* Initialize seed of random number generator.
* We use a number of things to randomize input: current time in ms,
* info about the remote client, info about the current process, the
* randomness of uniqid and stat of the current file.
* We seed this here only once per init, not only to save cycles
* but also to make the result of mt_rand more random (it now also
* depends on the number of times mt_rand was called before in this
$seed =
microtime() .
$_SERVER['REMOTE_PORT'] .
$_SERVER['REMOTE_ADDR'] .
getmypid();
/* Avoid warnings with Win32 */
if(!empty($_SERVER['UNIQUE_ID'])) {
$seed .=
$_SERVER['UNIQUE_ID'];
// mt_srand() uses an integer to seed, so we need to distill our
// very large seed to something useful (without taking a sub-string,
// the integer conversion of such a large number is always 0 on
// many systems, but strangely, 9 hex numbers - even if larger
// than a signed 32 bit integer - seem to be an acceptable "integer"
// seed (perhaps it is used as unsigned?)...
// we may want to revisit this and always force it to be less than
// PHP 4.2 and up don't require seeding, but their used seed algorithm
// is of questionable quality, so we keep doing it ourselves. */
* calculate SM_PATH and calculate the base_uri
* assumptions made: init.php is only called from plugins or from the src dir.
* files in the plugin directory may not be part of a subdirectory called "src"
if (isset
($_SERVER['SCRIPT_NAME'])) {
$a =
explode('/', $_SERVER['SCRIPT_NAME']);
} elseif (isset
($HTTP_SERVER_VARS['SCRIPT_NAME'])) {
$a =
explode('/', $HTTP_SERVER_VARS['SCRIPT_NAME']);
$error =
'Unable to detect script environment. Please test your PHP '
.
'settings and send your PHP core configuration, $_SERVER and '
.
'$HTTP_SERVER_VARS contents to the SquirrelMail developers.';
for($i =
count($a) -
2; $i > -
1; --
$i) {
if ($a[$i] ===
'src' ||
$a[$i] ===
'plugins') {
define('SM_BASE_URI', $base_uri);
* global var $bInit is used to check if initialisation took place.
* At this moment it's a workarounf for the include of addrbook_search_html
* inside compose.php. If we found a better way then remove this. Do only use
* this var if you know for sure a page can be called stand alone and be included
* This theme as a failsafe if no themes were found, or if we error
* out before anything could be initialised.
$color[0] =
'#DCDCDC'; /* light gray TitleBar */
$color[1] =
'#800000'; /* red */
$color[2] =
'#CC0000'; /* light red Warning/Error Messages */
$color[3] =
'#A0B8C8'; /* green-blue Left Bar Background */
$color[4] =
'#FFFFFF'; /* white Normal Background */
$color[5] =
'#FFFFCC'; /* light yellow Table Headers */
$color[6] =
'#000000'; /* black Text on left bar */
$color[7] =
'#0000CC'; /* blue Links */
$color[8] =
'#000000'; /* black Normal text */
$color[9] =
'#ABABAB'; /* mid-gray Darker version of #0 */
$color[10] =
'#666666'; /* dark gray Darker version of #9 */
$color[11] =
'#770000'; /* dark red Special Folders color */
$color[13] =
'#800000'; /* (dark red) Color for quoted text -- > 1 quote */
$color[14] =
'#ff0000'; /* (red) Color for quoted text -- >> 2 or more */
$color[15] =
'#002266'; /* (dark blue) Unselectable folders */
$color[16] =
'#ff9933'; /* (orange) Highlight color */
require
(SM_PATH .
'include/constants.php');
require
(SM_PATH .
'functions/global.php');
require
(SM_PATH .
'functions/strings.php');
require
(SM_PATH .
'functions/arrays.php');
require
(SM_PATH .
'functions/files.php');
/* load default configuration */
require
(SM_PATH .
'config/config_default.php');
/* reset arrays in default configuration */
$aTemplateSet[0]['ID'] =
'default';
$aTemplateSet[0]['NAME'] =
'Default';
/* load site configuration */
require
(SM_PATH .
'config/config.php');
/* load local configuration overrides */
require
(SM_PATH .
'config/config_local.php');
* Set PHP error reporting level based on the SquirrelMail debug mode
$error_level =
($error_level |
E_ALL) & ~
2048 & ~
8192;
$error_level |=
2048 |
8192;
require
(SM_PATH .
'functions/plugin.php');
require
(SM_PATH .
'include/languages.php');
require
(SM_PATH .
'class/template/Template.class.php');
require
(SM_PATH .
'class/error.class.php');
* If magic_quotes_runtime is on, SquirrelMail breaks in new and creative ways.
* Force magic_quotes_runtime off.
* If there's a better place, please let me know.
ini_set('magic_quotes_runtime','0');
/* if running with magic_quotes_gpc then strip the slashes
from POST and GET global arrays */
* Strip any tags added to the url from PHP_SELF.
* This fixes hand crafted url XXS expoits for any
* page that uses PHP_SELF as the FORM action
* Update: strip_tags() won't catch something like
* src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="><script>window.open("http://example.com")</script>
* contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E
* because it doesn't bother with broken tags.
* sm_encode_html_special_chars() is the preferred method.
* QUERY_STRING also needs the same treatment since it is
* Update again: the encoding of ampersands that occurs
* using sm_encode_html_special_chars() corrupts the query strings
* in normal URIs, so we have to let those through.
FIXME: will the de-sanitizing of ampersands create any security/XSS problems?
if (isset
($_SERVER['REQUEST_URI']))
if (isset
($_SERVER['PHP_SELF']))
if (isset
($_SERVER['QUERY_STRING']))
/** set the name of the session cookie */
if (!isset
($session_name) ||
!$session_name) {
$session_name =
'SQMSESSID';
* When session.auto_start is On we want to destroy/close the session
if (!empty($sSessionAutostartID) &&
$sSessionAutostartName !==
$session_name) {
$sCookiePath =
ini_get('session.cookie_path');
$sCookieDomain =
ini_get('session.cookie_domain');
sqsetcookie($sSessionAutostartName,'',1,$sCookiePath,$sCookieDomain);
* includes from classes stored in the session
require
(SM_PATH .
'class/mime.class.php');
ini_set('session.name' , $session_name);
* When on login page, have to reset the user session, making
* sure to save session restore data first
if (!sqGetGlobalVar('session_expired_post', $sep, SQ_SESSION))
if (!sqGetGlobalVar('session_expired_location', $sel, SQ_SESSION))
* in some rare instances, the session seems to stick
* around even after destroying it (!!), so if it does,
* we'll manually flatten the $_SESSION data
* Allow administrators to define custom session handlers
* for SquirrelMail without needing to change anything in
* php.ini (application-level).
* In config_local.php, admin needs to put:
* $custom_session_handlers = array(
* session_module_name('user');
* session_set_save_handler(
* $custom_session_handlers[0],
* $custom_session_handlers[1],
* $custom_session_handlers[2],
* $custom_session_handlers[3],
* $custom_session_handlers[4],
* $custom_session_handlers[5]
* We need to replicate that code once here because PHP has
* long had a bug that resets the session handler mechanism
* when the session data is also destroyed. Because of this
* bug, even administrators who define custom session handlers
* via a PHP pre-load defined in php.ini (auto_prepend_file)
* will still need to define the $custom_session_handlers array
global $custom_session_handlers;
if (!empty($custom_session_handlers)) {
$open =
$custom_session_handlers[0];
$close =
$custom_session_handlers[1];
$read =
$custom_session_handlers[2];
$write =
$custom_session_handlers[3];
$destroy =
$custom_session_handlers[4];
$gc =
$custom_session_handlers[5];
// put session restore data back into session if necessary
* SquirrelMail internal version number -- DO NOT CHANGE
* $sm_internal_version = array (release, major, minor)
$SQM_INTERNAL_VERSION[2] =
intval($SQM_INTERNAL_VERSION[2]);
/* load prefs system; even when user not logged in, should be OK to do this here */
require
(SM_PATH .
'functions/prefs.php');
/* if plugins are disabled only for one user and
* the current user is NOT that user, turn them
if ($disable_plugins &&
!empty($disable_plugins_user)
&&
$username !=
$disable_plugins_user) {
$disable_plugins =
false;
/* remove all plugins if they are disabled */
* Include Compatibility plugin if available.
include_once(SM_PATH .
'plugins/compatibility/functions.php');
* MAIN PLUGIN LOADING CODE HERE
* On init, we no longer need to load all plugin setup files.
* Now, we load the statically generated hook registrations here
* and let the hook calls include only the plugins needed.
$squirrelmail_plugin_hooks =
array();
//FIXME: if we keep the plugin hooks array static like this, it seems like we should also keep the template files list in a static file too (when a new user session is started or the template set is changed, the code will dynamically iterate through the directory heirarchy of the template directory and catalog all the template files therein (and store the "catalog" in PHP session) -- instead, we could do that once at config-time and keep that static so SM can just include the file just like the line below)
require
(SM_PATH .
'config/plugin_hooks.php');
* Plugin authors note that the "config_override" hook used to be
* executed here, but please adapt your plugin to use this "prefs_backend"
* hook instead, making sure that it does NOT return anything, since
* doing so will interfere with proper prefs system functionality.
* Of course, otherwise, this hook may be used to do any configuration
* overrides as needed, as well as set up a custom preferences backend.
$prefs_backend =
do_hook('prefs_backend', $null);
if (isset
($prefs_backend) &&
!empty($prefs_backend) &&
file_exists(SM_PATH .
$prefs_backend)) {
require
(SM_PATH .
$prefs_backend);
} elseif (isset
($prefs_dsn) &&
!empty($prefs_dsn)) {
require
(SM_PATH .
'functions/db_prefs.php');
require
(SM_PATH .
'functions/file_prefs.php');
* Remove globalized session data in rg=on setups
* Code can be utilized when session is started, but data is not loaded.
* We have already loaded configuration and other important vars. Can't
* clean session globals here, beside, the cleanout of globals at the
* top of this file will have removed anything this code would find anyway.
if ((bool) @ini_get('register_globals') &&
strtolower(ini_get('register_globals'))!='off') {
foreach ($_SESSION as $key => $value) {
* Retrieve the language cookie
$squirrelmail_language =
'';
* In some cases, buffering all output allows more complex functionality,
* especially for plugins that want to add headers on hooks that are beyond
* the point of output having been sent to the browser otherwise.
* Note that we don't turn this on any earlier since we want to allow plugins
* to turn it on themselves via a configuration override on the prefs_backend
if ($buffer_output) ob_start(!empty($buffered_output_handler) ?
$buffered_output_handler :
NULL);
* Do something special for some pages. This is based on the PAGE_NAME constant
* set at the top of every page.
$set_up_langage_after_template_setup =
FALSE;
// need to get the right template set up
sqGetGlobalVar('templateid', $templateid, SQ_GET);
// sanitize just in case...
$templateid =
preg_replace('/(\.\.\/){1,}/', '', $templateid);
// make sure given template actually is available
$found_templateset =
false;
for ($i =
0; $i <
count($aTemplateSet); ++
$i) {
if ($aTemplateSet[$i]['ID'] ==
$templateid) {
$found_templateset =
true;
// FIXME: do we need/want to check here for actual (physical) presence of template sets?
// selected template not available, fall back to default template
if (!$found_templateset) {
$sTemplateID =
$templateid;
require
(SM_PATH .
'functions/auth.php');
require
(SM_PATH .
'functions/display_messages.php' );
require
(SM_PATH .
'functions/page_header.php');
require
(SM_PATH .
'functions/html.php');
// reset template file cache
* Make sure icon variables are setup for the login page.
$icon_theme =
$icon_themes[$icon_theme_def]['PATH'];
* NOTE: The $icon_theme_path var should contain the path to the icon
* theme to use. If the admin has disabled icons, or the user has
* set the icon theme to "None," no icons will be used.
require
(SM_PATH .
'functions/display_messages.php' );
require
(SM_PATH .
'functions/page_header.php');
require
(SM_PATH .
'functions/html.php');
* Check if we are logged in and does optional referrer check
require
(SM_PATH .
'functions/auth.php');
global $check_referrer, $domain;
if ($check_referrer ==
'###DOMAIN###') $check_referrer =
$domain;
if (!empty($check_referrer)) {
$ssl_check_referrer =
'https://' .
$check_referrer;
$check_referrer =
'http://' .
$check_referrer;
||
($check_referrer &&
!empty($referrer)
// use $message to indicate what logout text the user
// will see... if 0, typical "You must be logged in"
// if 1, information that the user session was saved
// and will be resumed after (re)login, if 2, there
// seems to have been a XSS or phishing attack (bad
// First we store some information in the new session to prevent
$session_expired_post =
$_POST;
if ($session_expired_location ==
'compose')
// was bad referrer the reason we were rejected?
&&
$check_referrer &&
!empty($referrer))
// signout page will deal with users who aren't logged
// in on its own; don't show error here
* Initialize the template object (logout_error uses it)
* $sTemplateID is not initialized when a user is not logged in, so we
* will use the config file defaults here. If the neccesary variables
* are not set, force a default value.
logout_error( _("Your session has expired, but will be resumed after logging in again.") );
logout_error( _("The current page request appears to have originated from an unrecognized source.") );
* Setting the prefs backend
$prefs_are_cached =
false;
$prefs_cache =
false; //array();
* initializing user settings
require
(SM_PATH .
'include/load_prefs.php');
* We'll need this to later have a noframes version
* Check if the user has a language preference, but no cookie.
* Send him a cookie with his language preference, if there is
$my_language =
getPref($data_dir, $username, 'language');
if ($my_language !=
$squirrelmail_language) {
sqsetcookie('squirrelmail_language', $my_language, time()+
2592000, $base_uri);
$set_up_langage_after_template_setup =
TRUE;
$timeZone =
getPref($data_dir, $username, 'timezone');
global $server_timezone, $server_timezone_offset, $server_timezone_offset_seconds;
list
($server_timezone, $server_timezone_offset, $server_timezone_offset_seconds)
/* Check to see if we are allowed to set the TZ environment variable.
* We are able to do this if ...
* safe_mode is disabled OR
* safe_mode_allowed_env_vars is empty (you are allowed to set any) OR
* safe_mode_allowed_env_vars contains TZ
$tzChangeAllowed =
(!ini_get('safe_mode')) ||
// get time zone key, if strict or custom strict timezones are used
if (isset
($time_zone_type) &&
($time_zone_type ==
1 ||
$time_zone_type ==
3)) {
/* load time zone functions */
require
(SM_PATH .
'include/timezones.php');
$realTimeZone =
$timeZone;
* php 5.1.0 added time zone functions. Set time zone with them in order
* to prevent E_STRICT notices and allow time zone modifications in safe_mode.
// interface runs on server's time zone. Remove php E_STRICT complains
* $sTemplateID is not initialized when a user is not logged in, so we
* will use the config file defaults here. If the neccesary variables
* are not set, force a default value.
* If the user is logged in, $sTemplateID will be set in load_prefs.php,
* so we shouldn't change it here.
if (!isset
($sTemplateID)) {
// template object may have already been constructed in load_prefs.php
// We want some variables to always be available to the template
$oTemplate->assign('javascript_on',
(sqGetGlobalVar('user_is_logged_in', $user_is_logged_in, SQ_SESSION)
$always_include =
array('sTemplateID', 'icon_theme_path');
foreach ($always_include as $var) {
$oTemplate->assign($var, (isset
($
$var) ? $
$var :
NULL));
// A few output elements are used often, so just get them once here
$nbsp =
$oTemplate->fetch('non_breaking_space.tpl');
$br =
$oTemplate->fetch('line_break.tpl');
* This code block corresponds to the *default* block of the switch
* statement above, but the language cannot be set up until after the
* template is instantiated, so we set $set_up_langage_after_template_setup
* above and do the linguistic stuff now.
if ($set_up_langage_after_template_setup) {
// Japanese translation used without mbstring support
$sError =
"<p>Your administrator needs to have PHP installed with the multibyte string extension enabled (using configure option --enable-mbstring).</p>\n"
.
"<p>This system has assumed that you accidently switched to Japanese and has reverted your language preference to English.</p>\n"
.
"<p>Please refresh this page in order to continue using your webmail.</p>\n";
* Initialize our custom error handler object
$oErrorHandler =
new ErrorHandler($oTemplate,'error_message.tpl');
* Activate custom error handling
$oldErrorHandler =
set_error_handler(array($oErrorHandler, 'SquirrelMailErrorhandler'));
// ============================================================================
// ================= End of Live Code, Beginning of Functions =================
// ============================================================================
* Javascript support detection function
* @param boolean $reset recheck javascript support if set to true.
* @return integer SMPREF_JS_ON or SMPREF_JS_OFF ({@see include/constants.php})
global $data_dir, $username, $javascript_on, $javascript_setting;
if ( !$reset &&
sqGetGlobalVar('javascript_on', $javascript_on, SQ_SESSION) )
//FIXME: this isn't used anywhere else in this function; can we remove it? why is it here?
$user_is_logged_in =
FALSE;
if ( $reset ||
!isset
($javascript_setting) )
if ( !sqGetGlobalVar('new_js_autodetect_results', $js_autodetect_results) &&
!sqGetGlobalVar('js_autodetect_results', $js_autodetect_results) )
$javascript_on =
$js_autodetect_results;
$javascript_on =
$javascript_setting;
Documentation generated on Mon, 13 Jan 2020 04:22:50 +0100 by phpDocumentor 1.4.3