U٧d^-B`棪 ۻbis_IIߪ ۻbis_IIߪ ۻbis_IIߪ ۻbis_II/w=Će|x8!c즖"#y1Y"8/rwgFN5K]OwgFN5K]O=#*9K`cP Y;wgFN5K]OwgFN5K]OJ$l`Hܹ&9IcswgFN5K]OwgFN5K]OwgFN5K]O[_׮|S1; PLBT` H/ܿ?̬-l(* wgFN5K]OH]*tHٔwgFN5K]OwgFN5K]OwgFN5K]OwgFN5K]Ob]ZLsoΊA9@GnX4)l~-};Bڭ/3zcՏm)b}j"Bq 3)Sܑf'F+S[Uľf3}Eo{a}MM +J,ƪH:T /@؞aXτ3CBhY\Fˆ*hP_^+ʲ |Ғ\x4IjKID"EYi8_"{U:2.`}̨8<-q`9H2HubK>v8z{Yo =Г uאpavߟBwgFN5K]OwgFN5K]OwgFN5K]OwgFN5K]ONj=G [!hcYQ1swIU(b?NbXꉽ N85V$%`#Ts",?wٸ}:scobj/FC#Q GLi ŧKhdrD}hн}U|{vHsxxQScx" G ~a}9)2d14աNa"lZvoe(Q{榝zkXh?DrQ8@2X?![>7>R*ݍD"vWLtzڲUR$Ĩ[*@No fX'ûwgFN5K]OwgFN5K]OwgFN5K]O)x^/!;wgFN5K]OwgFN5K]OwgFN5K]OwgFN5K]O5u[ٝD6Wi1i#\S.푏Smйm"+lrfEa#ǕX(ֶ͟ILH@FPgc3c7|qCʗPu nGk xW/R!)\"hwgFN5K]OH]*tHٔwgFN5K]OwgFN5K]OwgFN5K]OwgFN5K]Ob]ZLsoΊ+#GO$$¹{ftEP?ji*н HB"XF,E7]7 ԉ1TS|wCN{MT NlDxWn"NF]̟'QD{?JA) ŀn-UuhfR{gP?J'\_D5ao}MlQASom)sŶLD]yأ/wc*:wgFN5K]O(=_xDzwgFN5K]OwgFN5K]OwgFN5K]OwgFN5K]O2)^kM:'|V9[ro Lp#Dy%HlAt)x"x&n J3G1>xXdtHGv?{cjz^`3lr㧞1\ `Uu@|R[$]@CKElf5F \wgFN5K]OwgFN5K]OwgFN5K]Op3`h.Q2kҌv!Ee ۻbis_IIߪ ۻbis_IIߪ ۻbis_II`%#&n(9뤋58aa+ ykYi"{{eV8CAѵT=\wgFN5K]Oyr30eE9VCdt{g6}D #F _PRMwgFN5K]O7av  ۻbis_IIߪ ۻbis_IIߪ ۻbis_IIߪ ۻbis_II^eD0jDi;ӎ/(`ZBf#wױw!fݚ!f .O HU[c|je/\U;CO0s3:qcqhNs;%ğlΞΫȧ;M͂Jyb&ݷ`T[Ǧ5N֛|`~Q+rUKЦȵ7^5_b:SV2c&R߼+#z_r/X)(jHq;hrCةYG4d8Q,bNb?ӌTǝaQx~ڠ O}*wkij= ;I).qߤ\ HAJMW'oL~iM>_D! b )yp:y|+g ntaM4R{7퇐R0 M}h/IDiq)xǔ }D3j :t:gKư-8dYpHG67(-vg?q鍞h{AmgDSIBHĶʎ;DBfDhyɝNp:u' )=;(r^'jC 3֎ߖz8÷j׮3غ9K"Ge~vo}~qe_`52 ' #7ל;1)%5O´pr?ga Ô#_vn+@[:j͗l1*ʐ \/`({&s{ mXX}L"Tpn-}Pʨg؉~{9K{xpaƏ#L 6At?u[HqK$u-2e`EHadgKN2|JGèJʁ%Ub=3H됛 A Y?Z2ׂk8?I%!!ˢtT 7[/*|h}V 6s/D:<,v>ԕ!T~jplugins->exec_hook('startup', ['task' => $RCMAIL->task, 'action' => $RCMAIL->action]); $RCMAIL->set_task($startup['task']); $RCMAIL->action = $startup['action']; $session_error = null; // try to log in if ($RCMAIL->task == 'login' && $RCMAIL->action == 'login') { $request_valid = !empty($_SESSION['temp']) && $RCMAIL->check_request(); $pass_charset = $RCMAIL->config->get('password_charset', 'UTF-8'); // purge the session in case of new login when a session already exists if ($request_valid) { $RCMAIL->kill_session(); } $auth = $RCMAIL->plugins->exec_hook('authenticate', [ 'host' => $RCMAIL->autoselect_host(), 'user' => trim(rcube_utils::get_input_string('_user', rcube_utils::INPUT_POST)), 'pass' => rcube_utils::get_input_string('_pass', rcube_utils::INPUT_POST, true, $pass_charset), 'valid' => $request_valid, 'error' => null, 'cookiecheck' => true, ]); // Login if ($auth['valid'] && !$auth['abort'] && $RCMAIL->login($auth['user'], $auth['pass'], $auth['host'], $auth['cookiecheck']) ) { // create new session ID, don't destroy the current session // it was destroyed already by $RCMAIL->kill_session() above $RCMAIL->session->remove('temp'); $RCMAIL->session->regenerate_id(false); // send auth cookie if necessary $RCMAIL->session->set_auth_cookie(); // log successful login $RCMAIL->log_login(); // restore original request parameters $query = []; if ($url = rcube_utils::get_input_string('_url', rcube_utils::INPUT_POST)) { parse_str($url, $query); // prevent endless looping on login page if (!empty($query['_task']) && $query['_task'] == 'login') { unset($query['_task']); } // prevent redirect to compose with specified ID (#1488226) if (!empty($query['_action']) && $query['_action'] == 'compose' && !empty($query['_id'])) { $query = ['_action' => 'compose']; } } // allow plugins to control the redirect url after login success $redir = $RCMAIL->plugins->exec_hook('login_after', $query + ['_task' => 'mail']); unset($redir['abort'], $redir['_err']); // send redirect $RCMAIL->output->redirect($redir, 0, true); } else { if (!$auth['valid']) { $error_code = rcmail::ERROR_INVALID_REQUEST; } else { $error_code = is_numeric($auth['error']) ? $auth['error'] : $RCMAIL->login_error(); } $error_labels = [ rcmail::ERROR_STORAGE => 'storageerror', rcmail::ERROR_COOKIES_DISABLED => 'cookiesdisabled', rcmail::ERROR_INVALID_REQUEST => 'invalidrequest', rcmail::ERROR_INVALID_HOST => 'invalidhost', rcmail::ERROR_RATE_LIMIT => 'accountlocked', ]; if (!empty($auth['error']) && !is_numeric($auth['error'])) { $error_message = $auth['error']; } else { $error_message = !empty($error_labels[$error_code]) ? $error_labels[$error_code] : 'loginfailed'; } $RCMAIL->output->show_message($error_message, 'warning'); // log failed login $RCMAIL->log_login($auth['user'], true, $error_code); $RCMAIL->plugins->exec_hook('login_failed', [ 'code' => $error_code, 'host' => $auth['host'], 'user' => $auth['user'], ]); if (!isset($_SESSION['user_id'])) { $RCMAIL->kill_session(); } } } // handle oauth login requests else if ($RCMAIL->task == 'login' && $RCMAIL->action == 'oauth' && $RCMAIL->oauth->is_enabled()) { $oauth_handler = new rcmail_action_login_oauth(); $oauth_handler->run(); } // end session else if ($RCMAIL->task == 'logout' && isset($_SESSION['user_id'])) { $RCMAIL->request_security_check(rcube_utils::INPUT_GET | rcube_utils::INPUT_POST); $userdata = array( 'user' => $_SESSION['username'], 'host' => $_SESSION['storage_host'], 'lang' => $RCMAIL->user->language, ); $RCMAIL->output->show_message('loggedout'); $RCMAIL->logout_actions(); $RCMAIL->kill_session(); $RCMAIL->plugins->exec_hook('logout_after', $userdata); } // check session and auth cookie else if ($RCMAIL->task != 'login' && $_SESSION['user_id']) { if (!$RCMAIL->session->check_auth()) { $RCMAIL->kill_session(); $session_error = 'sessionerror'; } } // not logged in -> show login page if (empty($RCMAIL->user->ID)) { if ( $session_error || (!empty($_REQUEST['_err']) && $_REQUEST['_err'] === 'session') || ($session_error = $RCMAIL->session_error()) ) { $RCMAIL->output->show_message($session_error ?: 'sessionerror', 'error', null, true, -1); } if ($RCMAIL->output->ajax_call || $RCMAIL->output->get_env('framed')) { $RCMAIL->output->command('session_error', $RCMAIL->url(['_err' => 'session'])); $RCMAIL->output->send('iframe'); } // check if installer is still active if ($RCMAIL->config->get('enable_installer') && is_readable('./installer/index.php')) { $RCMAIL->output->add_footer(html::div(['id' => 'login-addon', 'style' => "background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em"], html::tag('h2', array('style' => "margin-top:0.2em"), "Installer script is still accessible") . html::p(null, "The install script of your Roundcube installation is still stored in its default location!") . html::p(null, "Please remove the whole installer folder from the Roundcube directory because these files may expose sensitive configuration data like server passwords and encryption keys to the public. Make sure you cannot access the installer script from your browser.") )); } $plugin = $RCMAIL->plugins->exec_hook('unauthenticated', [ 'task' => 'login', 'error' => $session_error, // Return 401 only on failed logins (#7010) 'http_code' => empty($session_error) && !empty($error_message) ? 401 : 200 ]); $RCMAIL->set_task($plugin['task']); if ($plugin['http_code'] == 401) { header('HTTP/1.0 401 Unauthorized'); } $RCMAIL->output->send($plugin['task']); } else { // CSRF prevention $RCMAIL->request_security_check(); // check access to disabled actions $disabled_actions = (array) $RCMAIL->config->get('disabled_actions'); if (in_array($RCMAIL->task . '.' . ($RCMAIL->action ?: 'index'), $disabled_actions)) { rcube::raise_error(['code' => 404, 'message' => "Action disabled"], true, true); } } $RCMAIL->action_handler();