/**
 * Picks up the HTTP Basic Auth credentials sent with the request and stores
 * them in the static request state (user, domain and password).
 *
 * The user name is handed to Utils::SplitDomainUser() so that a combined
 * user/domain login is stored as two separate values. If the
 * USE_FULLEMAIL_FOR_LOGIN constant is defined and false, the user name is
 * reduced via Utils::GetLocalPartFromEmail().
 *
 * The stored user name and password are taken from the client as-is; nothing
 * in this method validates or escapes them.
 *
 * @access public
 * @return boolean          true if both a user name and a password are available
 */
public static function AuthenticationInfo() {
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        // user and domain may have been received as a single value - take them apart
        $userAndDomain = Utils::SplitDomainUser($_SERVER['PHP_AUTH_USER']);
        list(self::$authUser, self::$authDomain) = $userAndDomain;

        // a missing password is stored as an empty string
        if (isset($_SERVER['PHP_AUTH_PW'])) {
            self::$authPassword = $_SERVER['PHP_AUTH_PW'];
        }
        else {
            self::$authPassword = "";
        }
    }

    $loginWithLocalPartOnly = defined('USE_FULLEMAIL_FOR_LOGIN') && !USE_FULLEMAIL_FOR_LOGIN;
    if ($loginWithLocalPartOnly) {
        self::$authUser = Utils::GetLocalPartFromEmail(self::$authUser);
    }

    // SECURITY: authUser & authPassword are unfiltered client input. Whoever
    // consumes them (authentication backend, log output, lookups) has to
    // treat them as untrusted and escape them for the context they are used in.
    if (self::$authUser == "") {
        return false;
    }
    return self::$authPassword != "";
}
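/**
 * Reads and processes the request headers
 *
 * Fills the static request state from the HTTP headers sent by the client:
 * user agent, ActiveSync protocol version, policy key, multipart acceptance,
 * the optional "X-Push-Plugin" version triple and, if enabled by
 * USE_X_FORWARDED_FOR_HEADER, the remote address taken from "X-Forwarded-For".
 * Finally the Basic Auth user and password are converted to UTF-8 if the
 * client sent them in another charset.
 *
 * All header values are client controlled. Values that are processed further
 * here are passed through self::filterEvilInput(); the user agent is stored
 * as received.
 *
 * @access public
 * @return void
 */
public static function ProcessHeaders() {
    // header names are case-insensitive - normalize the keys to lower case once
    self::$headers = array_change_key_case(apache_request_headers(), CASE_LOWER);

    // NOTE: the user agent is kept exactly as sent by the client (no filtering)
    self::$useragent = isset(self::$headers["user-agent"]) ? self::$headers["user-agent"] : self::UNKNOWN;

    // the protocol version may already be set at this point - only fall back
    // to the header (filtered) or the latest supported version if it is not
    if (!isset(self::$asProtocolVersion)) {
        self::$asProtocolVersion = isset(self::$headers["ms-asprotocolversion"]) ?
            self::filterEvilInput(self::$headers["ms-asprotocolversion"], self::NUMBERSDOT_ONLY) :
            ZPush::GetLatestSupportedASVersion();
    }

    //if policykey is not yet set, try to set it from the header
    //the policy key might be set in Request::Initialize from the base64 encoded query
    if (!isset(self::$policykey)) {
        if (isset(self::$headers["x-ms-policykey"])) {
            self::$policykey = (int) self::filterEvilInput(self::$headers["x-ms-policykey"], self::NUMBERS_ONLY);
        }
        else {
            self::$policykey = 0;
        }
    }

    // with a base64 encoded query string the values above are mirrored back
    // into the header array, so later header lookups see the same data
    if (!empty($_SERVER['QUERY_STRING']) && Utils::IsBase64String($_SERVER['QUERY_STRING'])) {
        ZLog::Write(LOGLEVEL_DEBUG, "Using data from base64 encoded query string");
        if (isset(self::$policykey)) {
            self::$headers["x-ms-policykey"] = self::$policykey;
        }
        if (isset(self::$asProtocolVersion)) {
            self::$headers["ms-asprotocolversion"] = self::$asProtocolVersion;
        }
    }

    if (!isset(self::$acceptMultipart) && isset(self::$headers["ms-asacceptmultipart"]) && strtoupper(self::$headers["ms-asacceptmultipart"]) == "T") {
        self::$acceptMultipart = true;
    }

    ZLog::Write(LOGLEVEL_DEBUG, sprintf("Request::ProcessHeaders() ASVersion: %s", self::$asProtocolVersion));

    if (isset(self::$headers["x-push-plugin"])) {
        // expected format is "version/build/builddate". The header is client
        // supplied and may carry fewer than three fields - pad the result so
        // that list() never reads a missing offset.
        list($version, $build, $buildDate) = array_pad(explode("/", self::$headers["x-push-plugin"]), 3, "");
        self::$koeVersion = self::filterEvilInput($version, self::NUMBERSDOT_ONLY);
        self::$koeBuild = self::filterEvilInput($build, self::HEX_ONLY);
        self::$koeBuildDate = strtotime(self::filterEvilInput($buildDate, self::ISO8601));
    }

    // SECURITY: "X-Forwarded-For" can be set by any client. Overriding the
    // remote address with it is only meaningful if a trusted reverse proxy
    // sets or overwrites this header before the request reaches Z-Push.
    if (defined('USE_X_FORWARDED_FOR_HEADER') && USE_X_FORWARDED_FOR_HEADER == true && isset(self::$headers["x-forwarded-for"])) {
        $forwardedIP = self::filterEvilInput(self::$headers["x-forwarded-for"], self::NUMBERSDOT_ONLY);
        if ($forwardedIP) {
            // The header may hold a comma separated list of addresses or an
            // IPv6 address. Presumably NUMBERSDOT_ONLY keeps digits and dots
            // only (filterEvilInput is defined outside this block), which
            // would turn such values into a string that is no address at all.
            // Only accept the result if it still is a well-formed IP address.
            if (filter_var($forwardedIP, FILTER_VALIDATE_IP) !== false) {
                ZLog::Write(LOGLEVEL_DEBUG, sprintf("'X-Forwarded-for' indicates remote IP: %s - connect is coming from IP: %s", $forwardedIP, self::$remoteAddr));
                self::$remoteAddr = $forwardedIP;
            }
            else {
                ZLog::Write(LOGLEVEL_WARN, sprintf("Request->ProcessHeaders(): ignoring 'X-Forwarded-For' value '%s' as it is not a valid IP address - keeping remote IP: %s", $forwardedIP, self::$remoteAddr));
            }
        }
    }

    // Mobile devices send Authorization header using UTF-8 charset. Outlook sends it using ISO-8859-1 encoding.
    // For the successful authentication the user and password must be UTF-8 encoded. Try to determine which
    // charset was sent by the client and convert it to UTF-8. See https://jira.z-hub.io/browse/ZP-864.
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        // NOTE(review): the charset is detected from the user name only and the
        // result is applied to the password as well - confirm this is intended
        // for a password containing non-ASCII characters with a plain ASCII user name.
        $encoding = mb_detect_encoding(self::$authUser, "UTF-8, ISO-8859-1");
        if (!$encoding) {
            // not one of the two expected charsets - retry with the list
            // returned by Utils::GetAvailableCharacterEncodings()
            $encoding = mb_detect_encoding(self::$authUser, Utils::GetAvailableCharacterEncodings());
            if ($encoding) {
                ZLog::Write(LOGLEVEL_WARN, sprintf("Request->ProcessHeaders(): mb_detect_encoding detected '%s' charset. This charset is not in the default detect list. Please report it to Z-Push developers.", $encoding));
            }
            else {
                ZLog::Write(LOGLEVEL_ERROR, "Request->ProcessHeaders(): mb_detect_encoding failed to detect the Authorization header charset. It's possible that user won't be able to login.");
            }
        }

        if ($encoding && strtolower($encoding) != "utf-8") {
            ZLog::Write(LOGLEVEL_DEBUG, sprintf("Request->ProcessHeaders(): mb_detect_encoding detected '%s' charset. Authorization header will be converted to UTF-8 from it.", $encoding));
            self::$authUser = mb_convert_encoding(self::$authUser, "UTF-8", $encoding);
            self::$authPassword = mb_convert_encoding(self::$authPassword, "UTF-8", $encoding);
        }
    }
}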