/**
 * Carries out the password change by firing the backend's
 * 'change_password_dochange' hook.
 *
 * If the hook hands back any messages, they are returned to the caller
 * unchanged. Otherwise the credentials kept for the running session are
 * refreshed with the new password (so the user does not have to log in
 * again) and the browser is redirected to the options screen; in that case
 * the script exits and this function never returns.
 *
 * Security notes:
 *  - The backend file name is built from the global $cpw_backend and is
 *    concatenated into a require_once path without validation here. This
 *    assumes the value comes only from trusted plugin configuration --
 *    TODO confirm it can never be influenced by request data.
 *  - The current and new password are read from POST and handed to the hook
 *    by reference. Nothing in this function validates them, so any checking
 *    is presumably done by the caller or the backend -- verify.
 *  - The new password ends up client-side in the 'key' cookie after
 *    OneTimePadEncrypt(); the matching pad is kept in the session.
 *  - The security token is appended to the redirect URL, so it can show up
 *    wherever URLs are recorded (server logs, browser history).
 *
 * @return array messages from the hook when it reports a problem
 */
function cpw_do_change()
{
    global $cpw_backend;

    sqgetGlobalVar('cpw_curpass', $current_password, SQ_POST);
    sqgetGlobalVar('cpw_newpass', $new_password, SQ_POST);
    sqgetGlobalVar('base_uri', $cookie_path, SQ_SESSION);
    // The pad and key fetched here are replaced further down once the
    // change has succeeded.
    sqgetGlobalVar('onetimepad', $pad, SQ_SESSION);
    sqgetGlobalVar('key', $encrypted_key, SQ_COOKIE);
    sqgetGlobalVar('username', $user, SQ_SESSION);

    // NOTE(review): include path depends on $cpw_backend -- see docblock.
    require_once SM_PATH . 'plugins/change_password/backend/' . $cpw_backend . '.php';

    // The array elements are references, so the backend sees (and may
    // modify) the caller-side values directly.
    $hook_messages = do_hook(
        'change_password_dochange',
        $hook_args = array(
            'username' => &$user,
            'curpw' => &$current_password,
            'newpw' => &$new_password
        )
    );

    /* the backend reported a problem: give its messages to the caller */
    if (count($hook_messages) > 0) {
        return $hook_messages;
    }

    /* replace the password material held for this session */
    $pad = OneTimePadCreate(strlen($new_password));
    sqsession_register($pad, 'onetimepad');

    $encrypted_key = OneTimePadEncrypt($new_password, $pad);
    sqsetcookie('key', $encrypted_key, 0, $cookie_path);

    /* the session data has to be on disk before the redirect goes out */
    session_write_close();

    $redirect_target = SM_PATH
        . 'src/options.php?optmode=submit&optpage=change_password&plugin_change_password=1&smtoken='
        . sm_generate_security_token();

    header('Location: ' . $redirect_target);
    exit;
}
/**
 * Stores the given password for the current login session.
 *
 * A pad as long as the password is created and registered in the session
 * under 'onetimepad'. The pad-encrypted password is then sent to the browser
 * as the 'key' cookie, using the session's 'base_uri' as the cookie path.
 *
 * NOTE(review): the secrecy of the cookie value rests on the quality of
 * OneTimePadCreate() and on the session store, neither of which is visible
 * here. Whether sqsetcookie() marks the cookie Secure is not shown either --
 * confirm, because cookie and pad together are equivalent to the password.
 *
 * @param string $pass the password to store
 *
 * @return string the encrypted value that was placed in the 'key' cookie
 */
function sqauth_save_password($pass)
{
    sqgetGlobalVar('base_uri', $cookie_path, SQ_SESSION);

    // Server side: the pad lives in the session only.
    $pad = OneTimePadCreate(strlen($pass));
    sqsession_register($pad, 'onetimepad');

    // Client side: only the encrypted form is sent to the browser.
    $encrypted = OneTimePadEncrypt($pass, $pad);
    sqsetcookie('key', $encrypted, false, $cookie_path);

    return $encrypted;
}
/**
 * Starts the PHP session and re-issues the session-id cookie through
 * sqsetcookie().
 *
 * session_start() sends the session-id cookie without the HttpOnly
 * attribute; sending it again via sqsetcookie() adds that attribute so the
 * cookie is not accessible from JavaScript (the original note says this
 * applies to IE6 only).
 *
 * sqsession_is_active() no longer discriminates as to when it calls this
 * function, so session_start() needs E_NOTICE suppression; that is why it
 * is prefixed with the @ operator.
 *
 * NOTE(review): @ also silences warnings from session_start(), so a start
 * that fails is not reported here. The cookie parameters set below are
 * lifetime 0 and path $base_uri only; whether the Secure flag is applied
 * (for example inside sqsetcookie()) is not visible here -- confirm.
 *
 * @return void
 *
 * @since 1.4.16
 */
function sqsession_start()
{
    global $base_uri;

    session_set_cookie_params(0, $base_uri);
    @session_start();
    // could be: sq_call_function_suppress_errors('session_start');

    $sid = session_id();

    // Because sqsession_is_active() is just a passthru to this function,
    // execution reaches this point on every call, including calls made after
    // the headers have already been sent. A cookie can no longer be set
    // then, so stop here.
    if (headers_sent()) {
        return;
    }

    // session_start() set the session-id cookie without HttpOnly; setting
    // the same cookie again through sqsetcookie() adds the attribute.
    sqsetcookie(session_name(), $sid, false, $base_uri);
}
sqsession_register($onetimepad, 'onetimepad'); /* remove redundant spaces */ $login_username = trim($login_username); /* Verify that username and password are correct. */ if ($force_username_lowercase) { $login_username = strtolower($login_username); } $imapConnection = sqimap_login($login_username, $key, $imapServerAddress, $imapPort, 0); $sqimap_capabilities = sqimap_capability($imapConnection); sqsession_register($sqimap_capabilities, 'sqimap_capabilities'); $delimiter = sqimap_get_delimiter($imapConnection); sqimap_logout($imapConnection); sqsession_register($delimiter, 'delimiter'); $username = $login_username; sqsession_register($username, 'username'); sqsetcookie('key', $key, 0, $base_uri); do_hook('login_verified'); } /* Set the login variables. */ $user_is_logged_in = true; $just_logged_in = true; /* And register with them with the session. */ sqsession_register($user_is_logged_in, 'user_is_logged_in'); sqsession_register($just_logged_in, 'just_logged_in'); /* parse the accepted content-types of the client */ $attachment_common_types = array(); $attachment_common_types_parsed = array(); sqsession_register($attachment_common_types, 'attachment_common_types'); sqsession_register($attachment_common_types_parsed, 'attachment_common_types_parsed'); if (sqgetGlobalVar('HTTP_ACCEPT', $http_accept, SQ_SERVER) && !isset($attachment_common_types_parsed[$http_accept])) { attachment_common_parse($http_accept);
/**
 * Userland version of session_regenerate_id(): gives the current session a
 * new id and, when cookie-based sessions are enabled, re-sends the session
 * cookie through sqsetcookie().
 *
 * NOTE(review): presumably this is only defined when PHP lacks the native
 * function; the guard is not visible here -- confirm.
 *
 * NOTE(review): the new id is the MD5 of the client address, the current
 * time (seconds and microseconds) and one php_combined_lcg() value. The
 * first two can be known or narrowed down by a remote party, and the third
 * is, judging by its name, a linear congruential generator rather than a
 * cryptographic random source. The resulting id is therefore easier to
 * predict than one drawn from a CSPRNG; the native session_regenerate_id()
 * should be preferred wherever it exists.
 *
 * @return bool always TRUE
 */
function session_regenerate_id()
{
    global $base_uri;

    $now = gettimeofday();
    sqgetGlobalVar('REMOTE_ADDR', $client_addr, SQ_SERVER);

    // Seed material: first 15 characters of the client address, the time of
    // day, and a value from php_combined_lcg() scaled by 10.
    $seed = sprintf(
        "%.15s%ld%ld%0.8f",
        $client_addr,
        $now['sec'],
        $now['usec'],
        php_combined_lcg() * 10
    );

    $new_id = md5($seed);
    session_id($new_id);

    // Only re-send the cookie when PHP is configured to carry the session
    // id in a cookie.
    if (ini_get('session.use_cookies')) {
        sqsetcookie(session_name(), session_id(), 0, $base_uri);
    }

    return true;
}
//array(); } /** * initializing user settings */ require SM_PATH . 'include/load_prefs.php'; /** * We'll need this to later have a noframes version * * Check if the user has a language preference, but no cookie. * Send him a cookie with his language preference, if there is * such discrepancy. */ $my_language = getPref($data_dir, $username, 'language'); if ($my_language != $squirrelmail_language) { sqsetcookie('squirrelmail_language', $my_language, time() + 2592000, $base_uri); } $set_up_langage_after_template_setup = TRUE; $timeZone = getPref($data_dir, $username, 'timezone'); /* Check to see if we are allowed to set the TZ environment variable. * We are able to do this if ... * safe_mode is disabled OR * safe_mode_allowed_env_vars is empty (you are allowed to set any) OR * safe_mode_allowed_env_vars contains TZ */ $tzChangeAllowed = !ini_get('safe_mode') || !strcmp(ini_get('safe_mode_allowed_env_vars'), '') || preg_match('/^([\\w_]+,)*TZ/', ini_get('safe_mode_allowed_env_vars')); if ($timeZone != SMPREF_NONE && $timeZone != "" && $tzChangeAllowed) { // get time zone key, if strict or custom strict timezones are used if (isset($time_zone_type) && ($time_zone_type == 1 || $time_zone_type == 3)) { /* load time zone functions */ require SM_PATH . 'include/timezones.php';
* exist, but there seems to be no reason to do so. */ sqsession_is_active(); if (function_exists('session_regenerate_id')) { session_regenerate_id(); } /** * The cookie part. session_start and session_regenerate_session normally set * their own cookie. SquirrelMail sets another cookie which overwites the * php cookies. The sqsetcookie function sets the cookie by using the header * function which gives us full control how the cookie is set. We do that * to add the HttpOnly cookie attribute which blocks javascript access on * IE6 SP1. */ sqsetcookie(session_name(), session_id(), false, $base_uri); sqsetcookie('key', $key, false, $base_uri); sqsession_register($onetimepad, 'onetimepad'); $sqimap_capabilities = sqimap_capability($imapConnection); /* Server side sorting control */ if (isset($sqimap_capabilities['SORT']) && $sqimap_capabilities['SORT'] == true && isset($disable_server_sort) && $disable_server_sort) { unset($sqimap_capabilities['SORT']); } /* Thread sort control */ if (isset($sqimap_capabilities['THREAD']) && $sqimap_capabilities['THREAD'] == true && isset($disable_thread_sort) && $disable_thread_sort) { unset($sqimap_capabilities['THREAD']); } sqsession_register($sqimap_capabilities, 'sqimap_capabilities'); $delimiter = sqimap_get_delimiter($imapConnection); if (isset($sqimap_capabilities['NAMESPACE']) && $sqimap_capabilities['NAMESPACE'] == true) { $namespace = sqimap_get_namespace($imapConnection); sqsession_register($namespace, 'sqimap_namespace');