Exemple #1
/**
 * Performs the password change: loads the configured backend file and fires
 * the 'change_password_dochange' hook with the username, the current password
 * and the new password.
 *
 * If the hook hands back any messages they are returned to the caller and
 * nothing else is changed. Otherwise the 'onetimepad' session entry and the
 * 'key' cookie are rebuilt from the new password, so the user doesn't have to
 * log out, and the browser is redirected back to the options screen.
 *
 * NOTE(review): no security-token check is visible inside this function even
 * though it acts on POSTed passwords; presumably the caller validates the
 * request before calling it -- confirm.
 *
 * @return mixed whatever do_hook() returned, when it holds at least one
 *               message; on success the function redirects and exits instead
 *               of returning
 */
function cpw_do_change()
{
    // Name of the password backend; it is spliced into an include path below.
    global $cpw_backend;
    // Current and new password are read from the POST body only.
    sqgetGlobalVar('cpw_curpass', $curpw, SQ_POST);
    sqgetGlobalVar('cpw_newpass', $newpw, SQ_POST);
    sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION);
    // $onetimepad and $key are overwritten further down before this function
    // itself reads them; the backend file included below shares this scope.
    sqgetGlobalVar('onetimepad', $onetimepad, SQ_SESSION);
    sqgetGlobalVar('key', $key, SQ_COOKIE);
    sqgetGlobalVar('username', $username, SQ_SESSION);
    // NOTE(review): $cpw_backend goes into the include path unchanged. It must
    // come from trusted configuration only, never from request data -- confirm
    // where it is assigned.
    require_once SM_PATH . 'plugins/change_password/backend/' . $cpw_backend . '.php';
    // The array entries are references, so hook handlers operate on this
    // function's own $username / $curpw / $newpw variables.
    $msgs = do_hook('change_password_dochange', $temp = array('username' => &$username, 'curpw' => &$curpw, 'newpw' => &$newpw));
    /* something bad happened: hand the hook's messages back to the caller */
    if (count($msgs) > 0) {
        return $msgs;
    }
    /* update our password stored in the session */
    // A new pad, as long as the new password, replaces the session's 'onetimepad'.
    $onetimepad = OneTimePadCreate(strlen($newpw));
    sqsession_register($onetimepad, 'onetimepad');
    $key = OneTimePadEncrypt($newpw, $onetimepad);
    // NOTE(review): this cookie carries password-derived material and
    // sqsetcookie() is not shown here; confirm it sets Secure and HttpOnly.
    sqsetcookie('key', $key, 0, $base_uri);
    /* make sure we write the session data before we redirect */
    session_write_close();
    // The security token is appended as a query parameter.
    // NOTE(review): query strings tend to be recorded in logs and browser
    // history; presumably the token is short-lived -- confirm.
    header('Location: ' . SM_PATH . 'src/options.php?optmode=submit&optpage=change_password&plugin_change_password=1&smtoken=' . sm_generate_security_token());
    exit;
}
Exemple #2
 /**
  * Stores a password for the current session.
  *
  * A fresh pad is registered in the session under 'onetimepad'; the password
  * run through OneTimePadEncrypt() with that pad is sent to the browser as the
  * 'key' cookie, scoped to the session's base_uri.
  *
  * NOTE(review): the pad is created with the password's length, so the cookie
  * value presumably reveals that length. sqsetcookie() is not shown here;
  * confirm it sets the Secure and HttpOnly attributes on this cookie.
  *
  * @param string $pass password to store
  *
  * @return mixed the value written to the 'key' cookie
  */
 function sqauth_save_password($pass)
 {
     // Cookie path comes from the session, not from the request.
     sqgetGlobalVar('base_uri', $cookie_path, SQ_SESSION);

     // The pad stays server-side (session) ...
     $pad = OneTimePadCreate(strlen($pass));
     sqsession_register($pad, 'onetimepad');

     // ... while the encrypted password travels in the cookie.
     $encrypted = OneTimePadEncrypt($pass, $pad);
     sqsetcookie('key', $encrypted, false, $cookie_path);

     return $encrypted;
 }
Exemple #3
/**
 * Starts the PHP session and re-sends the session cookie through
 * sqsetcookie() so that it carries the HttpOnly attribute, which keeps the
 * cookie away from javascript (honoured by IE6 only when this was written).
 *
 * sqsession_is_active() calls this function unconditionally, so
 * session_start() is invoked with the @ operator to silence the E_NOTICE it
 * raises in that situation.
 *
 * NOTE(review): the @ also hides genuine session_start() failures, and
 * session_set_cookie_params() receives only a lifetime and a path here.
 * sqsetcookie() is not shown; confirm that it is where the Secure attribute
 * gets applied.
 *
 * @return void
 *
 * @since 1.4.16
 */
function sqsession_start()
{
    global $base_uri;

    // Lifetime 0, path limited to the application's base URI.
    session_set_cookie_params(0, $base_uri);

    // Alternative noted by the author: sq_call_function_suppress_errors('session_start');
    @session_start();

    // Because sqsession_is_active() is a plain passthru to this function, we
    // can arrive here after output has begun; no cookie can be sent then.
    if (headers_sent()) {
        return;
    }

    // session_start() issued the session cookie without httponly; setting the
    // same cookie again through sqsetcookie() adds that attribute.
    sqsetcookie(session_name(), session_id(), false, $base_uri);
}
Exemple #4
    // Excerpt begins inside a block whose opening line is not shown.
    sqsession_register($onetimepad, 'onetimepad');
    /* remove redundant spaces */
    $login_username = trim($login_username);
    /* Verify that username and password are correct. */
    if ($force_username_lowercase) {
        $login_username = strtolower($login_username);
    }
    // $key is passed to sqimap_login() in the credential position and is also
    // what goes into the 'key' cookie below; how it was derived lies outside
    // this excerpt.
    // NOTE(review): everything after this call treats the user as
    // authenticated; presumably sqimap_login() does not return on a failed
    // login -- confirm.
    $imapConnection = sqimap_login($login_username, $key, $imapServerAddress, $imapPort, 0);
    // The connection is used only to read capabilities and the folder
    // delimiter, then closed again.
    $sqimap_capabilities = sqimap_capability($imapConnection);
    sqsession_register($sqimap_capabilities, 'sqimap_capabilities');
    $delimiter = sqimap_get_delimiter($imapConnection);
    sqimap_logout($imapConnection);
    sqsession_register($delimiter, 'delimiter');
    $username = $login_username;
    sqsession_register($username, 'username');
    // NOTE(review): sqsetcookie() is not shown here; confirm it sets Secure
    // and HttpOnly on this credential-bearing cookie.
    sqsetcookie('key', $key, 0, $base_uri);
    do_hook('login_verified');
}
/* Set the login variables. */
$user_is_logged_in = true;
$just_logged_in = true;
/* And register them with the session. */
sqsession_register($user_is_logged_in, 'user_is_logged_in');
sqsession_register($just_logged_in, 'just_logged_in');
/* parse the accepted content-types of the client */
// Both arrays are reset to empty before being stored in the session.
$attachment_common_types = array();
$attachment_common_types_parsed = array();
sqsession_register($attachment_common_types, 'attachment_common_types');
sqsession_register($attachment_common_types_parsed, 'attachment_common_types_parsed');
// HTTP_ACCEPT is a client-supplied request header and is handed to the parser
// as received. $attachment_common_types_parsed was set to an empty array just
// above, so the isset() test looks like it can never be true here --
// NOTE(review): confirm nothing in between fills it.
if (sqgetGlobalVar('HTTP_ACCEPT', $http_accept, SQ_SERVER) && !isset($attachment_common_types_parsed[$http_accept])) {
    attachment_common_parse($http_accept);
Exemple #5
 /**
  * Assigns a new id to the current session and, when cookie-based sessions
  * are enabled, sends the session cookie again with the new id.
  *
  * The function carries the name of PHP's built-in session_regenerate_id(),
  * so it is presumably defined only where the built-in is missing; the guard
  * is not part of this excerpt.
  *
  * NOTE(review): the id is an MD5 digest of the client address, the current
  * time and a php_combined_lcg() value. None of these is a cryptographically
  * secure random source, so ids produced here are easier to predict than ids
  * from a CSPRNG. Nothing in this function removes the data stored under the
  * previous id either.
  *
  * @return bool always TRUE
  */
 function session_regenerate_id()
 {
     global $base_uri;

     $now = gettimeofday();
     sqgetGlobalVar('REMOTE_ADDR', $client_addr, SQ_SERVER);

     // Seed layout: up to 15 chars of the client address, seconds,
     // microseconds, then php_combined_lcg() * 10 with 8 decimals.
     $seed = sprintf("%.15s%ld%ld%0.8f", $client_addr, $now['sec'], $now['usec'], php_combined_lcg() * 10);
     session_id(md5($seed));

     // Without cookie-based sessions there is no cookie to refresh.
     if (!ini_get('session.use_cookies')) {
         return TRUE;
     }

     sqsetcookie(session_name(), session_id(), 0, $base_uri);

     return TRUE;
 }
Exemple #6
     //array();
 }
 /**
  * Initialize the user's settings by loading the preference code.
  */
 require SM_PATH . 'include/load_prefs.php';
 /**
  * We'll need this to later have a noframes version
  *
  * Check if the user has a language preference, but no cookie.
  * Send them a cookie with their language preference if there is
  * such a discrepancy.
  */
 $my_language = getPref($data_dir, $username, 'language');
 // Loose (!=) comparison. The cookie lives for 2592000 seconds (30 days) and
 // its value is the stored preference.
 // NOTE(review): presumably the value is validated when the preference is
 // saved and again when the cookie is read back -- confirm.
 if ($my_language != $squirrelmail_language) {
     sqsetcookie('squirrelmail_language', $my_language, time() + 2592000, $base_uri);
 }
 $set_up_langage_after_template_setup = TRUE;
 $timeZone = getPref($data_dir, $username, 'timezone');
 /* Check to see if we are allowed to set the TZ environment variable.
  * We are able to do this if ...
  *   safe_mode is disabled OR
  *   safe_mode_allowed_env_vars is empty (you are allowed to set any) OR
  *   safe_mode_allowed_env_vars contains TZ
  *
  * The pattern requires "TZ" at the start of a comma-separated entry but
  * does not anchor its end, so an entry that merely begins with "TZ" also
  * matches. On PHP versions without safe_mode (removed in 5.4) the first
  * ini_get() is falsy, which makes the whole expression true.
  */
 $tzChangeAllowed = !ini_get('safe_mode') || !strcmp(ini_get('safe_mode_allowed_env_vars'), '') || preg_match('/^([\\w_]+,)*TZ/', ini_get('safe_mode_allowed_env_vars'));
 // Only act when a time zone preference is set (loose comparisons) and
 // changing TZ is permitted.
 if ($timeZone != SMPREF_NONE && $timeZone != "" && $tzChangeAllowed) {
     // get time zone key, if strict or custom strict timezones are used
     if (isset($time_zone_type) && ($time_zone_type == 1 || $time_zone_type == 3)) {
         /* load time zone functions */
         require SM_PATH . 'include/timezones.php';
Exemple #7
 *     exist, but there seems to be no reason to do so.
 */
// Make sure a session is running, then switch it to a new id if the runtime
// offers session_regenerate_id().
// NOTE(review): when that function is unavailable the existing session id is
// kept as is. If this code runs right after authentication (the surrounding
// lines suggest so), that leaves a session-fixation window -- confirm a
// fallback definition is always loaded.
sqsession_is_active();
if (function_exists('session_regenerate_id')) {
    session_regenerate_id();
}
/**
* The cookie part. session_start and session_regenerate_id normally set
* their own cookie. SquirrelMail sets another cookie which overwrites the
* php cookies. The sqsetcookie function sets the cookie by using the header
* function, which gives us full control over how the cookie is set. We do
* that to add the HttpOnly cookie attribute, which blocks javascript access
* on IE6 SP1.
*/
sqsetcookie(session_name(), session_id(), false, $base_uri);
// NOTE(review): 'key' is a credential-bearing cookie; sqsetcookie() is not
// shown here, so confirm it also applies the Secure attribute.
sqsetcookie('key', $key, false, $base_uri);
sqsession_register($onetimepad, 'onetimepad');
$sqimap_capabilities = sqimap_capability($imapConnection);
/* Server side sorting control */
// A capability the server advertises is dropped from the stored copy when the
// matching disable_* setting is on.
if (isset($sqimap_capabilities['SORT']) && $sqimap_capabilities['SORT'] == true && isset($disable_server_sort) && $disable_server_sort) {
    unset($sqimap_capabilities['SORT']);
}
/* Thread sort control */
if (isset($sqimap_capabilities['THREAD']) && $sqimap_capabilities['THREAD'] == true && isset($disable_thread_sort) && $disable_thread_sort) {
    unset($sqimap_capabilities['THREAD']);
}
sqsession_register($sqimap_capabilities, 'sqimap_capabilities');
$delimiter = sqimap_get_delimiter($imapConnection);
// The namespace is fetched and stored only when the server advertises it.
if (isset($sqimap_capabilities['NAMESPACE']) && $sqimap_capabilities['NAMESPACE'] == true) {
    $namespace = sqimap_get_namespace($imapConnection);
    sqsession_register($namespace, 'sqimap_namespace');