#!--PERL--
# -*- indent-tabs-mode: nil; -*-
# vim:ft=perl:et:sw=4
# $Id$

# Sympa - SYsteme de Multi-Postage Automatique
#
# Copyright (c) 1997, 1998, 1999 Institut Pasteur & Christophe Wolfhugel
# Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
# 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
# Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
# Copyright 2017, 2018, 2019 The Sympa Community. See the AUTHORS.md file at
# the top-level directory of this distribution and at
# <https://github.com/sympa-community/sympa.git>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

## Copyright 1999 Comité Réseaux des Universités
## web interface to Sympa mailing lists manager
## Sympa: http://www.sympa.org/
## Authors :
##           Serge Aumont <sa AT cru.fr>
##           Olivier Salaün <os AT cru.fr>

use strict;
##use warnings;
use lib split(/:/, $ENV{SYMPALIB} || ''), '--modulesdir--';

use Archive::Zip qw();
use CGI::Fast qw();
use DateTime;
use DateTime::Format::Mail;
use Digest::MD5;
use Encode qw();
use English qw(-no_match_vars);
use IO::File qw();
use MIME::EncWords;
use MIME::Lite::HTML;
use POSIX qw();
use Time::Local qw();
use URI;
use Data::Dumper;    # tentative
BEGIN { eval 'use Crypt::OpenSSL::X509'; }

use Sympa;
use Sympa::Archive;
use Conf;
use Sympa::ConfDef;
use Sympa::Constants;
use Sympa::Crash Hook => \&_crash_handler;    # Show traceback.
use Sympa::Database;
use Sympa::DatabaseManager;
use Sympa::Family;
use Sympa::HTMLSanitizer;
use Sympa::Language;
use Sympa::List;
use Sympa::List::Config;
use Sympa::List::Users;
use Sympa::Log;
use Sympa::Message;
use Sympa::Regexps;
use Sympa::Robot;
use Sympa::Scenario;
use Sympa::Spindle::ProcessRequest;
use Sympa::Spindle::ResendArchive;
use Sympa::Spool::Archive;
use Sympa::Spool::Auth;
use Sympa::Spool::Held;
use Sympa::Spool::Incoming;
use Sympa::Spool::Listmaster;
use Sympa::Spool::Moderation;
use Sympa::Spool::Outgoing;
use Sympa::Spool::Topic;
use Sympa::Task;
use Sympa::Template;
use Sympa::Ticket;
use Sympa::Tools::Data;
use Sympa::Tools::File;
use Sympa::Tools::Password;
use Sympa::Tools::Text;
use Sympa::Tracking;
use Sympa::User;
use Sympa::WWW::Auth;
use Sympa::WWW::Marc::Search;
use Sympa::WWW::Report;
use Sympa::WWW::Session;
use Sympa::WWW::SharedDocument;
use Sympa::WWW::Tools;

## WWSympa libraries
# File-level state.  Everything in this block is only declared, or given a
# constant / empty default; no request data is read here.
my %options;

# Path of the main configuration file, as provided by Sympa::Constants.
my $sympa_conf_file = Sympa::Constants::CONFIG();

# Package variables ("our"), so they can be reached from outside this
# file's lexical scope.  $param starts out as an empty hash reference.
our ($list, $robot_id, $session);
our $param = {};

# Lexicals private to this file; all start undefined.
my ($robot, $cookie_domain, $ip, $rss, $ajax);

#FIXME: the two variables below are to be removed in the future.
my $allow_absolute_path;
my @other_include_path;

## Load the Sympa configuration and refuse to start when that fails.
if (!Conf::load()) {
    # Report on STDERR which configuration file was used, then leave with
    # a non-zero status so the failure is visible to whatever started us.
    printf {*STDERR}
        "Unable to load sympa configuration, file %s or one of the vhost robot.conf files contain errors. Exiting.\n",
        Conf::get_sympa_conf();
    exit 1;
}

# Open the log.  The logger comes from Sympa::Log->instance; its level is
# taken from the 'log_level' setting.  The facility is 'log_facility', or
# 'syslog' when 'log_facility' is false; the socket type is passed through
# as configured.
my $log = Sympa::Log->instance();
$log->{level} = $Conf::Conf{log_level};
$log->openlog(
    ($Conf::Conf{log_facility} || $Conf::Conf{syslog}),
    $Conf::Conf{log_socket_type}
);

# Set the use_bulk flag on the listmaster spool instance.
Sympa::Spool::Listmaster->instance()->{use_bulk} = 1;

# hash of all the description files already loaded
# format :
#     $desc_files{pathfile}{'date'} : date of the last load
#     $desc_files{pathfile}{'desc_hash'} : hash which describes
#                         the description file

#%desc_files_map; NOT USED ANYMORE

## Shared directory and description file

#$shared = 'shared';
#$desc = '.desc';

## Action table: maps each action name to the name of the subroutine that
## handles it.  Every value is "do_" followed by its key.  Lines left as
## comments are entries that are currently switched off.
## NOTE(review): presumably the request dispatcher resolves the requested
## action through this table, which would make it the allow-list of
## handlers reachable from a request -- confirm against the dispatch code,
## which is outside this excerpt.
our %comm = (
    confirm_action => 'do_confirm_action',
    home => 'do_home',
    logout => 'do_logout',
    #loginrequest => 'do_loginrequest',
    login => 'do_login',
    sso_login => 'do_sso_login',
    sso_login_succeeded => 'do_sso_login_succeeded',
    subscribe => 'do_subscribe',
    #multiple_subscribe => 'do_multiple_subscribe',
    #subrequest => 'do_subrequest',
    subindex => 'do_subindex',
    suboptions => 'do_suboptions',
    signoff => 'do_signoff',
    auto_signoff => 'do_auto_signoff',
    family_signoff => 'do_family_signoff',
    family_signoff_request => 'do_family_signoff_request',
    #XXX multiple_signoff => 'do_multiple_signoff',
    #sigrequest => 'do_sigrequest',
    sigindex => 'do_sigindex',
    decl_add => 'do_decl_add',
    decl_del => 'do_decl_del',
    my => 'do_my',
    #which => 'do_which',
    lists => 'do_lists',
    lists_categories => 'do_lists_categories',
    latest_lists => 'do_latest_lists',
    active_lists => 'do_active_lists',
    including_lists => 'do_including_lists',
    info => 'do_info',
    subscriber_count => 'do_subscriber_count',
    review => 'do_review',
    search => 'do_search',
    pref => 'do_pref',
    setpref => 'do_setpref',
    setpasswd => 'do_setpasswd',
    renewpasswd => 'do_renewpasswd',
    firstpasswd => 'do_firstpasswd',
    requestpasswd => 'do_requestpasswd',
    choosepasswd => 'do_choosepasswd',
    set => 'do_set',
    admin => 'do_admin',
    import => 'do_import',
    add => 'do_add',
    auth_add => 'do_auth_add',
    del => 'do_del',
    auth_del => 'do_auth_del',
    mass_del => 'do_mass_del',
    modindex => 'do_modindex',
    docindex => 'do_docindex',
    reject => 'do_reject',
    #XXX reject_notify => 'do_reject_notify',
    distribute => 'do_distribute',
    add_frommod => 'do_add_frommod',
    viewmod => 'do_viewmod',
    d_reject_shared => 'do_d_reject_shared',
    #XXX reject_notify_shared => 'do_reject_notify_shared',
    d_install_shared => 'do_d_install_shared',
    editfile => 'do_editfile',
    savefile => 'do_savefile',
    arc => 'do_arc',
    latest_arc => 'do_latest_arc',
    latest_d_read => 'do_latest_d_read',
    arc_manage => 'do_arc_manage',
    remove_arc => 'do_remove_arc',
    send_me => 'do_send_me',
    view_source => 'do_view_source',
    tracking => 'do_tracking',
    arcsearch_form => 'do_arcsearch_form',
    arcsearch_id => 'do_arcsearch_id',
    arcsearch => 'do_arcsearch',
    rebuildarc => 'do_rebuildarc',
    rebuildallarc => 'do_rebuildallarc',
    arc_download => 'do_arc_download',
    arc_delete => 'do_arc_delete',
    serveradmin => 'do_serveradmin',
    set_loglevel => 'do_set_loglevel',
    set_dumpvars => 'do_set_dumpvars',
    show_sessions => 'do_show_sessions',
    unset_dumpvars => 'do_unset_dumpvars',
    set_session_email => 'do_set_session_email',
    restore_email => 'do_restore_email',
    skinsedit => 'do_skinsedit',
    #XXX css => 'do_css',
    help => 'do_help',
    edit_list_request => 'do_edit_list_request',
    edit_list => 'do_edit_list',
    create_list_request => 'do_create_list_request',
    create_list => 'do_create_list',
    get_pending_lists => 'do_get_pending_lists',
    get_closed_lists => 'do_get_closed_lists',
    get_latest_lists => 'do_get_latest_lists',
    get_inactive_lists => 'do_get_inactive_lists',
    get_biggest_lists => 'do_get_biggest_lists',
    set_pending_list_request => 'do_set_pending_list_request',
    install_pending_list => 'do_install_pending_list',
    edit_config => 'do_edit_config',
    #XXX submit_list => 'do_submit_list',
    editsubscriber => 'do_editsubscriber',
    edit => 'do_edit',
    viewbounce => 'do_viewbounce',
    redirect => 'do_redirect',
    rename_list_request => 'do_rename_list_request',
    move_list => 'do_move_list',
    copy_list => 'do_copy_list',
    reviewbouncing => 'do_reviewbouncing',
    resetbounce => 'do_resetbounce',
    scenario_test => 'do_scenario_test',
    search_list => 'do_search_list',
    search_list_request => 'do_search_list_request',
    show_cert => 'do_show_cert',
    close_list => 'do_close_list',
    open_list => 'do_open_list',
    purge_list => 'do_purge_list',
    upload_pictures => 'do_upload_pictures',
    delete_pictures => 'do_delete_pictures',
    d_read => 'do_d_read',
    d_create_child => 'do_d_create_child',
    d_unzip => 'do_d_unzip',
    d_editfile => 'do_d_editfile',
    d_properties => 'do_d_properties',
    d_update => 'do_d_update',
    d_describe => 'do_d_describe',
    d_delete => 'do_d_delete',
    d_rename => 'do_d_rename',
    d_control => 'do_d_control',
    d_change_access => 'do_d_change_access',
    d_set_owner => 'do_d_set_owner',
    d_admin => 'do_d_admin',
    dump_scenario => 'do_dump_scenario',
    export_member => 'do_export_member',
    remind => 'do_remind',
    move_user => 'do_move_user',
    load_cert => 'do_load_cert',
    compose_mail => 'do_compose_mail',
    send_mail => 'do_send_mail',
    request_topic => 'do_request_topic',
    tag_topic_by_sender => 'do_tag_topic_by_sender',
    search_user => 'do_search_user',
    set_lang => 'do_set_lang',
    attach => 'do_attach',
    stats => 'do_stats',
    viewlogs => 'do_viewlogs',
    wsdl => 'do_wsdl',
    sync_include => 'do_sync_include',
    review_family => 'do_review_family',
    ls_templates => 'do_ls_templates',
    remove_template => 'do_remove_template',
    copy_template => 'do_copy_template',
    view_template => 'do_view_template',
    edit_template => 'do_edit_template',
    #rss => 'do_rss', #FIXME: currently processed in a different way.
    rss_request => 'do_rss_request',
    maintenance => 'do_maintenance',
    blacklist => 'do_blacklist',
    edit_attributes => 'do_edit_attributes',
    ticket => 'do_ticket',
    manage_template => 'do_manage_template',
    rt_create => 'do_rt_create',
    rt_delete => 'do_rt_delete',
    rt_edit => 'do_rt_edit',
    rt_setdefault => 'do_rt_setdefault',
    rt_update => 'do_rt_update',
    #XXX send_newsletter => 'do_send_newsletter',
    suspend => 'do_suspend',
    suspend_request => 'do_suspend_request',
    suspend_request_action => 'do_suspend_request_action',
    show_exclude => 'do_show_exclude',
    # 'ca' is short for 'custom_action'; the short name was chosen so that
    # it stays unobtrusive in a URL.
    ca => 'do_ca',
    # 'lca' is short for 'list_custom_action', shortened for the same
    # reason.
    lca => 'do_lca',
    #XXX automatic_lists_management_request =>
    #XXX     'do_automatic_lists_management_request',
    #XXX automatic_lists_management => 'do_automatic_lists_management',
    create_automatic_list => 'do_create_automatic_list',
    create_automatic_list_request => 'do_create_automatic_list_request',
    auth => 'do_auth',
    delete_account => 'do_delete_account',
);

# Alternate action names.  Each key is an alias; its value is the action
# name it stands for, and every value listed here is a key of %comm.
my %comm_aliases = (
    add_fromsub => 'auth_add',
    add_request => 'import',
    automatic_lists => 'create_automatic_list',
    automatic_lists_request => 'create_automatic_list_request',
    change_email => 'move_user',
    change_email_request => 'move_user',
    del_fromsig => 'auth_del',
    dump => 'export_member',
    ignoresig => 'decl_del',
    ignoresub => 'decl_add',
    loginrequest => 'login',
    rename_list => 'move_list',
    restore_list => 'open_list',
    sigrequest => 'signoff',
    subrequest => 'subscribe',
);

# No longer used.
#my %auth_action;

# Arguments expected in PATH_INFO, listed per action in positional order.
# NOTE:
# * Email addresses should NOT be put into PATH_INFO: web servers cannot
#   handle the slashes (/) an address may contain.  The 'email' entries
#   below remain only for compatibility with earlier releases of Sympa;
#   use query parameters instead.
# * Names starting with '@' are written literally (nothing is interpolated
#   in qw()).  Presumably such a name collects the remaining path
#   components -- TODO confirm against the PATH_INFO parser.
# * NOTE(review): PATH_INFO comes from the client, so whatever is bound to
#   these names (list, file, dir, @path, ...) should be treated as
#   untrusted by the handlers; this table only names the slots.
our %action_args = (
    default => [qw(list)],
    editfile => [qw(list file previous_action)],
    requestpasswd => [qw(email)],
    choosepasswd => [qw(email passwd)],
    lists => [qw(topic subtopic)],
    latest_lists => [qw(topic subtopic)],
    active_lists => [qw(topic subtopic)],
    including_lists => [qw(list)],
    login => [qw(previous_action previous_list)],
    sso_login => [qw(auth_service_name subaction email ticket)],
    sso_login_succeeded => [qw(auth_service_name previous_action previous_list)],
    #loginrequest => [qw(previous_action previous_list)],
    logout => [qw(previous_action previous_list)],
    renewpasswd => [qw(previous_action previous_list)],
    firstpasswd => [qw(previous_action previous_list)],
    #XXX css => [qw(file)],
    pref => [qw(previous_action previous_list)],
    reject => [qw(list id)],
    distribute => [qw(list id)],
    add_frommod => [qw(list id)],
    dump_scenario => [qw(list scenario_function)],
    d_reject_shared => [qw(list id)],
    d_install_shared => [qw(list id)],
    modindex => [qw(list)],
    docindex => [qw(list)],
    viewmod => [qw(list id @file)],
    add => [qw(list email)],
    import => [qw(list)],
    del => [qw(list email)],
    #editsubscriber =>
    #    [qw(list email previous_action custom_attribute)],
    #editsubscriber => [qw(list email previous_action)],
    editsubscriber => [qw(list)],
    edit => [qw(list role)],
    #viewbounce => [qw(list email @file)],
    viewbounce => [qw(list dir @file)],
    #resetbounce => [qw(list email)],
    review => [qw(list page size sortby)],
    reviewbouncing => [qw(list page size)],
    arc => [qw(list month @arc_file)],
    latest_arc => [qw(list)],
    arc_manage => [qw(list)],
    arcsearch_form => [qw(list archive_name)],
    arcsearch_id => [qw(list archive_name @msgid)],
    rebuildarc => [qw(list month)],
    rebuildallarc => [],
    arc_download => [qw(list)],
    arc_delete => [qw(list zip)],
    home => [],
    help => [qw(help_topic)],
    show_cert => [],
    subscribe => [qw(list)],
    #subrequest => [qw(list email)],
    subindex => [qw(list)],
    decl_add => [qw(list)],
    signoff => [qw(list)],
    auto_signoff => [qw(list)],
    family_signoff => [qw(family email)],
    family_signoff_request => [qw(family email)],
    #sigrequest => [qw(list email)],
    sigindex => [qw(list)],
    decl_del => [qw(list)],
    set => [qw(list email reception gecos)],
    serveradmin => [qw(subaction)],
    set_session_email => [qw(email)],
    skinsedit => [],
    get_pending_lists => [],
    get_closed_lists => [],
    get_latest_lists => [],
    get_inactive_lists => [],
    get_biggest_lists => [],
    search_list => [qw(filter_list)],
    shared => [qw(list @path)],    #FIXME: no such function.
    d_read => [qw(list @path)],
    latest_d_read => [qw(list)],
    d_admin => [qw(list d_admin)],
    d_delete => [qw(list @path)],
    d_rename => [qw(list @path)],
    d_create_child => [qw(list @path)],
    d_update => [qw(list @path)],
    d_describe => [qw(list @path)],
    d_editfile => [qw(list @path)],
    d_properties => [qw(list @path)],
    d_control => [qw(list @path)],
    d_change_access => [qw(list @path)],
    d_set_owner => [qw(list @path)],
    export_member => [qw(list format)],
    search => [qw(list filter)],
    search_user => [qw(email)],
    set_lang => [qw(lang)],
    attach => [qw(list dir file)],
    stats => [qw(list)],
    edit_list_request => [qw(list group)],
    move_list => [qw(list new_listname new_robot)],
    copy_list => [qw(list new_listname new_robot)],
    redirect => [],
    viewlogs => [qw(list page size sortby)],
    wsdl => [],
    sync_include => [qw(list)],
    review_family => [qw(family_name)],
    ls_templates => [qw(list)],
    view_template => [],
    remove_template => [],
    copy_template => [qw(list)],
    edit_template => [qw(list)],
    rss_request => [qw(list)],
    request_topic => [qw(list authkey)],
    tag_topic_by_sender => [qw(list)],
    ticket => [qw(ticket)],
    move_user => [],
    manage_template => [qw(subaction list message_template)],
    rt_delete => [qw(list message_template)],
    rt_edit => [qw(list message_template)],
    send_newsletter => [],
    compose_mail => [qw(list subaction)],
    suspend => [qw(list)],
    suspend_request => [qw(subaction)],
    show_exclude => [qw(list)],
    ca => [qw(custom_action @cap)],
    lca => [qw(custom_action list @cap)],
    #XXX automatic_lists_management_request => [],
    #XXX automatic_lists_management => [],
    create_automatic_list => [qw(family)],
    create_automatic_list_request => [qw(family)],
    auth => [qw(id heldaction listname)],
    auth_add => [qw(list)],
    auth_del => [qw(list)],
);

## Define the required parameters for each action
492
493
## Parameter names refer to the %in structure of to $param if mentionned as
## 'param.x'
494
495
## This structure is used to determine if any parameter is missing
## The list of parameters is not ordered
496
497
498
## Some keywords are reserved: param.list and param.user.email
## Alternate parameters can be defined with the '|' character
## Limits of this structure: it does not define optional parameters (a or b)
499
500
501
## Limit: it does not allow to have a specific error message and redirect to a
## given page if the parameter is missing
our %required_args = (
Luc Didry's avatar
Luc Didry committed
502
503
504
505
506
507
508
509
510
511
512
513
    'active_lists'   => ['for|count'],
    'admin'          => ['param.list', 'param.user.email'],
    'add'            => ['param.list', 'param.user.email'],
    'import'         => ['param.list', 'param.user.email'],
    'arc'            => ['param.list'],
    'arc_delete'     => ['param.user.email', 'param.list'],
    'arc_download'   => ['param.user.email', 'param.list'],
    'arc_manage'     => ['param.list'],
    'arcsearch'      => ['param.list'],
    'arcsearch_form' => ['param.list'],
    'arcsearch_id'   => ['param.list'],
    'auth'           => ['id', 'heldaction', 'email'],
514
515
    'auth_add'       => ['param.list', 'param.user.email', 'id'],
    'auth_del'       => ['param.list', 'param.user.email', 'id'],
Luc Didry's avatar
Luc Didry committed
516
517
518
519
520
521
522
523
    'auto_signoff'   => ['param.list', 'email'],
    'attach'         => ['param.list'],
    'blacklist'      => ['param.list'],
    'move_user' =>
        ['param.user.email', 'current_email|old_email', 'email|new_email'],
    'close_list'    => ['param.user.email', 'param.list'],
    'compose_mail'  => ['param.user.email', 'param.list'],
    'copy_template' => ['webormail'],
524
    ## other required parameters are checked in the subroutine
525
526
    'create_automatic_list'         => ['param.user.email', 'family'],
    'create_automatic_list_request' => ['param.user.email', 'family'],
527
    'create_list'                   => ['param.user.email', 'info'],
528
    'create_list_request'           => ['param.user.email'],
529
    #XXX'css' => [],
530
531
532
533
534
    'd_admin'         => ['param.list', 'param.user.email'],
    'd_change_access' => ['param.list', 'param.user.email'],
    'd_control'       => ['param.list', 'param.user.email'],
    'd_create_child' =>
        ['param.list', 'param.user.email', 'new_name|uploaded_file'],
535
536
537
538
539
540
541
542
    'd_delete'         => ['param.list', 'param.user.email'],
    'd_describe'       => ['param.list', 'param.user.email', 'content'],
    'd_editfile'       => ['param.list', 'param.user.email'],
    'd_install_shared' => ['param.list', 'param.user.email', 'id'],
    'd_properties'     => ['param.list', 'param.user.email'],
    'd_read'          => ['param.list'],
    'd_reject_shared' => ['param.list', 'param.user.email', 'id'],
    'd_rename'        => ['param.list', 'param.user.email', 'new_name'],
543
    'd_update' =>
544
        ['param.list', 'param.user.email', 'content|url|uploaded_file'],
545
    'd_set_owner'     => ['param.list', 'param.user.email'],
sikeda's avatar
sikeda committed
546
    'd_unzip'         => ['param.list', 'param.user.email', 'uploaded_file'],
547
548
549
550
    'del'             => ['param.list', 'param.user.email', 'email'],
    'delete_pictures' => ['param.list', 'param.user.email'],
    'distribute'      => ['param.list', 'param.user.email', 'id|idspam'],
    'add_frommod'     => ['param.list', 'param.user.email', 'id'],
551
    'dump_scenario'   => ['param.list', 'scenario_function|pname'],
552
    'edit'            => ['param.list', 'param.user.email', 'role', 'email'],
Luc Didry's avatar
Luc Didry committed
553
554
555
556
557
558
559
560
561
562
563
    'edit_list'         => ['param.user.email', 'param.list'],
    'edit_list_request' => ['param.user.email', 'param.list'],
    'edit_template'     => ['webormail'],
    'editfile'          => ['param.user.email'],
    'editsubscriber'    => ['param.list',       'param.user.email', 'email'],
    'export_member'        => ['param.list'],
    'get_closed_lists'     => ['param.user.email'],
    'get_inactive_lists'   => ['param.user.email'],
    'get_latest_lists'     => ['param.user.email'],
    'get_biggest_lists'    => ['param.user.email'],
    'get_pending_lists'    => ['param.user.email'],
564
565
    'decl_del'             => ['param.list', 'param.user.email', 'id'],
    'decl_add'             => ['param.list', 'param.user.email', 'id'],
566
    'delete_account'       => ['passwd', 'i_understand_the_consequences'],
567
    'including_lists'      => ['param.list', 'param.user.email'],
568
569
570
571
    'info'                 => ['param.list'],
    'install_pending_list' => ['param.user.email'],
    'edit_config'          => ['param.user.email'],
    'latest_arc'           => ['param.list', 'for|count'],
Luc Didry's avatar
Luc Didry committed
572
573
574
575
576
577
    'latest_d_read'        => ['param.list', 'for', 'count'],
    'latest_lists'         => ['for|count'],
    'load_cert'            => ['param.list'],
    'logout'               => ['param.user.email'],
    'manage_template'      => ['param.list', 'param.user.email'],
    'my'                   => ['param.user.email'],
578
    'rt_create' => ['param.list', 'param.user.email', 'new_template_name'],
Luc Didry's avatar
Luc Didry committed
579
580
    'rt_delete' => ['param.list', 'param.user.email', 'message_template'],
    'rt_edit'   => ['param.list', 'param.user.email', 'message_template'],
581
582
583
    'rt_setdefault' => ['param.list', 'param.user.email', 'new_default'],
    'rt_update' =>
        ['param.list', 'param.user.email', 'message_template', 'content'],
Luc Didry's avatar
Luc Didry committed
584
585
586
587
588
589
590
591
    'modindex'      => ['param.list',       'param.user.email'],
    'docindex'      => ['param.list',       'param.user.email'],
    'pref'          => ['param.user.email'],
    'purge_list'    => ['param.user.email', 'selected_lists'],
    'rebuildallarc' => ['param.user.email'],
    'rebuildarc'    => ['param.user.email', 'param.list'],
    'reject'        => ['param.list',       'param.user.email', 'id|idspam'],
    'remind'        => ['param.list',       'param.user.email'],
592
593
    'remove_arc'      => ['param.list'],
    'remove_template' => ['webormail'],
594
    'move_list' =>
595
596
597
        ['param.user.email', 'param.list', 'new_listname', 'new_robot'],
    'copy_list' =>
        ['param.user.email', 'param.list', 'new_listname', 'new_robot'],
598
    'open_list'           => ['param.user.email', 'param.list'],
599
600
    'rename_list_request' => ['param.user.email', 'param.list'],
    'request_topic'       => ['param.list',       'authkey'],
Luc Didry's avatar
Luc Didry committed
601
    'resetbounce'     => ['param.list', 'param.user.email', 'email'],
602
603
604
605
606
    'review'          => ['param.list'],
    'review_family'   => ['param.user.email', 'family_name'],
    'reviewbouncing'  => ['param.list'],
    'rss_request'     => [],
    'savefile'        => ['param.user.email', 'file'],
607
    'search'          => ['param.list'],
608
609
610
611
612
613
614
615
    'search_user'     => ['param.user.email', 'email'],
    'send_mail'       => ['param.user.email'],
    'send_newsletter' => ['param.list', 'param.user.email', 'url'],
    'send_me'         => ['param.list'],
    'view_source'     => ['param.list'],
    'tracking'        => ['param.list'],
    'requestpasswd'   => ['email'],
    'serveradmin'     => ['param.user.email'],
616
    'set'      => ['param.user.email', 'param.list', 'reception|visibility'],
617
618
    'set_lang' => [],
    'set_pending_list_request' => ['param.user.email'],
Luc Didry's avatar
Luc Didry committed
619
620
621
622
623
624
625
626
627
628
629
630
631
    'setpasswd'        => ['param.user.email', 'newpasswd1', 'newpasswd2'],
    'setpref'          => ['param.user.email'],
    'sigindex'         => ['param.list', 'param.user.email'],
    'signoff'          => ['param.list'],
    'skinsedit'        => ['param.user.email'],
    'sso_login'        => ['auth_service_name'],
    'stats'            => ['param.list'],
    'subindex'         => ['param.list', 'param.user.email'],
    'suboptions'       => ['param.list', 'param.user.email'],
    'subscribe'        => ['param.list'],
    'subscriber_count' => ['param.list'],
    'suspend'          => ['param.list', 'param.user.email'],
    'suspend_request'  => [],
632
633
    'suspend_request_action' => [],
    'show_exclude'           => ['param.list'],
Luc Didry's avatar
Luc Didry committed
634
    'sync_include'           => ['param.list', 'param.user.email'],
635
636
637
    'tag_topic_by_sender'    => ['param.list'],
    'upload_pictures'        => ['param.user.email', 'param.list'],
    'view_template'          => ['webormail'],
Luc Didry's avatar
Luc Didry committed
638
    'viewbounce'             => ['param.list', 'email|file'],
639
640
641
    'viewlogs'               => ['param.list'],
    'viewmod' => ['param.list', 'param.user.email', 'id|idspam'],
    'wsdl'    => [],
    #'which' => ['param.user.email'],
);

## Defines the required privileges to access privileged actions
## You can define a set of equivalent privileges in the ARRAYREF
# Privilege table: each key is an action name, each value an array reference
# of role names. The comment preceding this table describes the roles in one
# array as equivalent. The roles that occur are owner, editor,
# privileged_owner and listmaster.
# NOTE(review): the code that consults this table is not part of this
# listing; how an action without an entry is treated should be confirmed
# there before relying on the table as the only gate.
our %required_privileges = (
    admin                    => [qw(owner editor)],
    arc_delete               => [qw(owner)],
    arc_download             => [qw(owner)],
    arc_manage               => [qw(owner)],
    auth_add                 => [qw(owner editor)],
    auth_del                 => [qw(owner editor)],
    blacklist                => [qw(owner editor)],
    close_list               => [qw(privileged_owner)],
    copy_template            => [qw(listmaster)],
    d_install_shared         => [qw(editor owner)],
    d_reject_shared          => [qw(editor owner)],
    distribute               => [qw(editor owner listmaster)],
    add_frommod              => [qw(editor owner)],
    dump_scenario            => [qw(listmaster)],
    edit                     => [qw(editor owner listmaster)],
    edit_list                => [qw(owner)],
    edit_list_request        => [qw(owner)],
    edit_template            => [qw(listmaster)],
    editfile                 => [qw(owner listmaster)],
    editsubscriber           => [qw(owner editor)],
    get_closed_lists         => [qw(listmaster)],
    get_inactive_lists       => [qw(listmaster)],
    get_latest_lists         => [qw(listmaster)],
    get_biggest_lists        => [qw(listmaster)],
    get_pending_lists        => [qw(listmaster)],
    decl_del                 => [qw(owner editor)],
    decl_add                 => [qw(owner editor)],
    including_lists          => [qw(owner listmaster)],
    install_pending_list     => [qw(listmaster)],
    edit_config              => [qw(listmaster)],
    ls_templates             => [qw(listmaster)],
    manage_template          => [qw(owner)],
    mass_del                 => [qw(listmaster)],
    rt_create                => [qw(owner)],
    rt_delete                => [qw(owner)],
    rt_edit                  => [qw(owner)],
    rt_setdefault            => [qw(owner)],
    rt_update                => [qw(owner)],
    modindex                 => [qw(editor owner listmaster)],
    docindex                 => [qw(editor owner listmaster)],
    purge_list               => [qw(privileged_owner listmaster)],
    rebuildallarc            => [qw(listmaster)],
    rebuildarc               => [qw(listmaster)],
    reject                   => [qw(editor owner listmaster)],
    remove_template          => [qw(listmaster)],
    move_list                => [qw(privileged_owner)],
    copy_list                => [qw(owner listmaster)],
    open_list                => [qw(listmaster)],
    rename_list_request      => [qw(privileged_owner)],
    resetbounce              => [qw(owner editor)],
    review_family            => [qw(listmaster)],
    reviewbouncing           => [qw(owner editor)],
    savefile                 => [qw(owner listmaster)],
    search_user              => [qw(listmaster)],
    serveradmin              => [qw(listmaster)],
    set_dumpvars             => [qw(listmaster)],
    set_loglevel             => [qw(listmaster)],
    set_pending_list_request => [qw(listmaster)],
    set_session_email        => [qw(listmaster)],
    show_sessions            => [qw(listmaster)],
    sigindex                 => [qw(owner editor)],
    stats                    => [qw(owner)],
    subindex                 => [qw(owner editor)],
    sync_include             => [qw(owner editor)],
    skinsedit                => [qw(listmaster)],
    view_template            => [qw(listmaster)],
    viewbounce               => [qw(owner editor)],
    viewlogs                 => [qw(owner editor)],
    viewmod                  => [qw(editor owner listmaster)],

    # Disabled entries, kept as the original author left them:
    #XXX'automatic_lists_management_request' => ['listmaster'],
    #XXX'automatic_lists_management'         => ['listmaster'],
);

# An action is a candidate for this list if it modifies an object or setting.
#
# Why not just protect all actions? Many of them are used in GET requests
# without any forms, making it more difficult to supply a CSRF token.
# This list intentionally starts out small in the name of breaking as little
# as possible.

# Set of action names for which a CSRF token is required; every member maps
# to 1.
# NOTE(review): other state-changing actions named in this file (for example
# purge_list and close_list in %required_privileges) have no entry here.
# Whether a different mechanism covers them cannot be seen from this table --
# confirm when auditing, and add an action here when it starts modifying an
# object or setting.
our %require_csrftoken = map { $_ => 1 } qw(
    add
    del
    move_user
    savefile
    setpasswd
    setpref
);

# this definition is used to choose the left side menu type (admin ->
# listowner admin menu | serveradmin -> server_admin menu | none list or
# your_list menu)
# Menu selector: maps an action name to 'admin' or 'serveradmin'.
# NOTE(review): this table only picks a menu. Some actions listed here
# (review, remind, export_member, ...) have no entry in %required_privileges,
# so their access control is presumably decided elsewhere -- confirm.
my %action_type = (
    review => 'admin',
    search => 'admin',
    admin  => 'admin',
    import => 'admin',
    add    => 'admin',
    del    => 'admin',

    # Disabled entry:
    # 'modindex' =>'admin',
    reject            => 'admin',
    reject_notify     => 'admin',
    distribute        => 'admin',
    add_frommod       => 'admin',
    viewmod           => 'admin',
    savefile          => 'admin',
    rebuildallarc     => 'admin',    #FIXME: serveradmin?
    reviewbouncing    => 'admin',
    edit              => 'admin',
    edit_list_request => 'admin',
    edit_list         => 'admin',
    editsubscriber    => 'admin',
    viewbounce        => 'admin',
    resetbounce       => 'admin',
    scenario_test     => 'admin',
    close_list        => 'admin',
    d_admin           => 'admin',
    d_reject_shared   => 'admin',
    d_install_shared  => 'admin',
    dump_scenario     => 'admin',
    export_member     => 'admin',
    open_list         => 'admin',
    remind            => 'admin',

    # Disabled entry:
    #'subindex' => 'admin',
    stats               => 'admin',
    decl_del            => 'admin',
    decl_add            => 'admin',
    move_list           => 'admin',
    copy_list           => 'admin',
    rename_list_request => 'admin',
    arc_manage          => 'admin',
    sync_include        => 'admin',
    view_template       => 'admin',
    remove_template     => 'admin',
    copy_template       => 'admin',
    edit_template       => 'admin',
    blacklist           => 'admin',
    viewlogs            => 'admin',
    serveradmin         => 'serveradmin',
    get_pending_lists   => 'serveradmin',
    get_closed_lists    => 'serveradmin',
    get_inactive_lists  => 'serveradmin',
    get_latest_lists    => 'serveradmin',
    get_biggest_lists   => 'serveradmin',
    ls_templates        => 'serveradmin',
    skinsedit           => 'serveradmin',
    review_family       => 'serveradmin',
    search_user         => 'serveradmin',
    show_sessions       => 'serveradmin',
    show_exclude        => 'admin',
    rebuildarc          => 'serveradmin',
    set_session_email   => 'serveradmin',
    set_loglevel        => 'serveradmin',
    editfile            => 'serveradmin',    #FIXME: admin?
    unset_dumpvars      => 'serveradmin',
    set_dumpvars        => 'serveradmin',

    # Disabled entries:
    #XXX'automatic_lists_management_request' => 'serveradmin',
    #XXX'automatic_lists_management'         => 'serveradmin',
);

# Actions that are never used as the return target after login.
# Set of action names; every member maps to 1.
my %temporary_actions = (
    confirm_action      => 1,
    logout              => 1,
    loginrequest        => 1,
    login               => 1,
    sso_login           => 1,
    sso_login_succeeded => 1,
    ticket              => 1,

    # Disabled entry:
    #XXX'css' => 1,
    rss      => 1,    # FIXME:currently not used.
    ajax     => 1,
    wsdl     => 1,
    redirect => 1,
);

## Regexp applied on incoming parameters (%in)
## The aim is not a strict definition of parameter format
## but rather a security check
# Input filter table for request parameters: each key is a parameter name and
# each value a pattern source (a plain string, or whatever the Sympa::Regexps
# helper returns). '*' is the fallback pattern.
# NOTE(review): the code that applies these patterns is outside this table.
# Apart from 'csrftoken', no entry carries its own anchors, so full-string
# matching presumably comes from the caller; entries with a top-level '|'
# ('page', 'month', 'scope', 'role', 'email') are only safe if that caller
# groups the pattern before anchoring it -- confirm.
# NOTE(review): '.*' / '.+' entries accept any value, so for those
# parameters escaping and validation have to happen where the value is used.
our %in_regexp = (
    # Fallback pattern
    '*' => '[\w\-\.]+',

    # List configuration parameters
    single_param   => '.+',
    multiple_param => '.+',
    deleted_param  => '.+',

    # Textarea contents
    template_content     => '.+',
    content              => '.+',
    body                 => '.+',
    info                 => '.+',
    new_scenario_content => '.+',
    blacklist            => '.*',

    # Integers
    page => '\d+|owner|editor',
    size => '\d+',

    # Free-form data
    subject          => '.*',
    gecos            => '[^<>\\\*\$\n]+',
    fromname         => '[^<>\\\*\$\n]+',
    additional_field => '[^<>\\\*\$\n]+',
    dump             => '[^<>\\\*\$]+',     # contents email + gecos

    # Search
    filter      => '.*',                    # search subscriber
    filter_list => '.*',                    # search list
    key_word    => '.*',
    format      => '[^<>\\\$\n]+',          # dump format/filter string

    # File names
    # NOTE(review): except for 'new_name', which rejects '/', these character
    # classes do not exclude '/' or '.', so they do not by themselves keep a
    # value inside a given directory; presumably the path-handling code
    # enforces that -- verify. 'file' and 'uploaded_file' also accept a
    # backslash, unlike 'arc_file', 'path' and 'dir'.
    file          => '[^<>\*\$\n]+',
    template_path => '[\w\-\.\/_]+',
    arc_file      => '[^<>\\\*\$\n]+',
    path          => '[^<>\\\*\$\n]+',
    uploaded_file =>
        '(.*[\/\\\\])?[^<>\*\$\n]+',    # could be made more precise (use of "'")
    dir               => '[^<>\\\*\$\n]+',
    new_name          => '[^<>\\\*\$\[\]\/\n]+',
    shortname         => '[^<>\\\*\$\n]+',
    id                => '[^<>\\\*\$\n]+',
    template_name     => Sympa::Regexps::template_name(),
    new_template_name => Sympa::Regexps::template_name(),
    message_template  => Sympa::Regexps::template_name(),
    new_default       => Sympa::Regexps::template_name(),

    # Archives: yyyy-mm for 'arc', mm for 'send_me'
    month => '\d{2}|\d{4}\-\d{2}',

    # URLs
    referer         => '[^\\\$\*\"\'\`\^\|\<\>\n]+',
    failure_referer => '[^\\\$\*\"\'\`\^\|\<\>\n]+',
    url             => '[^\\\$\*\"\'\`\^\|\<\>\n]+',

    # Message IDs
    msgid       => '[^\\\*\"\'\`\^\|\n]+',
    in_reply_to => '[^\\\*\"\'\`\^\|\n]+',
    message_id  => '[^\\\*\"\'\`\^\|\n]+',

    # Passwords
    passwd       => '.+',
    password     => '.+',
    newpasswd1   => '.+',
    newpasswd2   => '.+',
    new_password => '.+',

    # Topics
    topic    => '\@?[\-\w\/]+',
    topics   => '[\-\w\/]+',
    subtopic => '[\-\w\/]+',

    # List names
    list => '[\w\-\.\+]*',    # Sympa::Regexps::listname() + uppercase
    previous_list  => '[\w\-\.\+]*',
    listname       => '[\w\-\.\+]*',
    new_listname   => '[\w\-\.\+]*',
    selected_lists => '[\w\-\.\+]*',

    # Family names
    family_name => Sympa::Regexps::family_name(),
    family      => Sympa::Regexps::family_name(),

    # Email addresses
    current_email => Sympa::Regexps::email(),
    email         => Sympa::Regexps::email() . '|' . Sympa::Regexps::uid(),
    init_email    => Sympa::Regexps::email(),
    old_email     => Sympa::Regexps::email(),
    new_email     => Sympa::Regexps::email(),
    sender        => Sympa::Regexps::email(),
    fromaddr      => Sympa::Regexps::email(),
    del_emails    => '.*',

    # NOTE(review): repetition wrapped around '.*' -- worth checking the
    # worst-case matching time of this pattern on long input.
    to => '(([\w\-\_\.\/\+\=\']+|\".*\")\s[\w\-]+(\.[\w\-]+)+(,?))*',
    'automatic_list_part_*' => '[\w\-\.\+]*',

    # Hosts
    new_robot   => Sympa::Regexps::host(),
    remote_host => Sympa::Regexps::host(),
    remote_addr => Sympa::Regexps::host(),

    # Scenario names
    scenario    => Sympa::Regexps::scenario_name(),
    read_access => Sympa::Regexps::scenario_name(),
    edit_access => Sympa::Regexps::scenario_name(),

    # RSS URL or blank
    active_lists  => '.*',
    latest_lists  => '.*',
    latest_arc    => '.*',
    latest_d_read => '.*',

    # Logs
    target_type => '[\w\-\.\:]*',
    target      => Sympa::Regexps::email(),
    date_from   => '[\d\/\-]+',
    date_to     => '[\d\/\-]+',
    ip          => Sympa::Regexps::host(),

    # Colors
    subaction_test    => '.*',
    subaction_reset   => '.*',
    subaction_install => '.*',
    color_0           => '\#[0-9a-fA-F]+',
    color_1           => '\#[0-9a-fA-F]+',
    color_2           => '\#[0-9a-fA-F]+',
    color_3           => '\#[0-9a-fA-F]+',
    color_4           => '\#[0-9a-fA-F]+',
    color_5           => '\#[0-9a-fA-F]+',
    color_6           => '\#[0-9a-fA-F]+',
    color_7           => '\#[0-9a-fA-F]+',
    color_8           => '\#[0-9a-fA-F]+',
    color_9           => '\#[0-9a-fA-F]+',
    color_10          => '\#[0-9a-fA-F]+',
    color_11          => '\#[0-9a-fA-F]+',
    color_12          => '\#[0-9a-fA-F]+',
    color_13          => '\#[0-9a-fA-F]+',
    color_14          => '\#[0-9a-fA-F]+',
    color_15          => '\#[0-9a-fA-F]+',

    # Custom attribute
    custom_attribute => '.*',

    # Templates
    scope => 'distrib|robot|family|list|site',

    # Custom inputs from create_list_request.tt2
    custom_input => '.*',

    # Configuration parameters
    conf_new_value => '.*',

    # Custom actions
    cap  => '.*',
    lcap => '.*',

    plugin => '.*',

    # Envelope ID
    envid => '\w+',

    # Authentication/moderation key
    authkey => '\w+',

    # Role
    role => 'member|editor|owner',

    # The CSRF token is a lower-case MD5 hash (32 hex digits).
    # NOTE(review): '$' also accepts one trailing newline; '\z' would be
    # stricter if the caller does not already reject it -- confirm.
    csrftoken => '^[0-9a-f]{32}$',
);

## Regexp applied on incoming parameters (%in)