wwsympa.fcgi.in

#!--PERL--
# -*- indent-tabs-mode: nil; -*-
# vim:ft=perl:et:sw=4
# $Id$

# Sympa - SYsteme de Multi-Postage Automatique
#
# Copyright (c) 1997, 1998, 1999 Institut Pasteur & Christophe Wolfhugel
# Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
# 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
# Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
# Copyright 2017, 2018, 2019, 2020, 2021 The Sympa Community. See the
# AUTHORS.md file at the top-level directory of this distribution and at
# <https://github.com/sympa-community/sympa.git>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

use strict;
##use warnings;
use lib split(/:/, $ENV{SYMPALIB} || ''), '--modulesdir--';

use DateTime;
use DateTime::Format::Mail;
use Digest::MD5;
use Encode qw();
use English qw(-no_match_vars);
use IO::File qw();
use MIME::EncWords;
use MIME::Lite::HTML;
use POSIX qw();
use Time::Local qw();
use URI;
use Data::Dumper;    # tentative

BEGIN {
    # For some environments not providing Archive::Zip::Simple*, Archive::Zip
    # may be used.  The latter is discouraged because it is memory-consuming.
    eval 'use Archive::Zip::SimpleUnzip qw()';
    eval 'use Archive::Zip::SimpleZip qw()';
    require Archive::Zip
        unless $Archive::Zip::SimpleUnzip::VERSION
        and $Archive::Zip::SimpleZip::VERSION;
}

use Sympa;
use Sympa::Archive;
use Conf;
use Sympa::ConfDef;
use Sympa::Constants;
use Sympa::Crash Hook => \&_crash_handler;    # Show traceback.
use Sympa::Database;
use Sympa::DatabaseManager;
use Sympa::Family;
use Sympa::HTMLSanitizer;
use Sympa::Language;
use Sympa::List;
use Sympa::List::Config;
use Sympa::List::Users;
use Sympa::Log;
use Sympa::Message;
use Sympa::Regexps;
use Sympa::Robot;
use Sympa::Scenario;
use Sympa::Spindle::ProcessRequest;
use Sympa::Spindle::ResendArchive;
use Sympa::Spool::Archive;
use Sympa::Spool::Auth;
use Sympa::Spool::Held;
use Sympa::Spool::Incoming;
use Sympa::Spool::Listmaster;
use Sympa::Spool::Moderation;
use Sympa::Spool::Outgoing;
use Sympa::Spool::Topic;
use Sympa::Task;
use Sympa::Template;
use Sympa::Ticket;
use Sympa::Tools::Data;
use Sympa::Tools::File;
use Sympa::Tools::Password;
use Sympa::Tools::SMIME;
use Sympa::Tools::Text;
use Sympa::Tracking;
use Sympa::User;
use Sympa::WWW::Auth;
use Sympa::WWW::FastCGI;
use Sympa::WWW::Marc::Search;
use Sympa::WWW::Session;
use Sympa::WWW::SharedDocument;
use Sympa::WWW::Tools;

## WWSympa librairies
my %options;

my $sympa_conf_file = Sympa::Constants::CONFIG;

our $list;
our $param = {};
our $robot_id;
our $session;

my $robot;
my $cookie_domain;
my $ip;
my $rss;
my $ajax;
my $auth_services;

my $allow_absolute_path;    #FIXME: to be removed in the future.
my @other_include_path;     #FIXME: ditto.

my @stash;

## Load sympa config
unless (Conf::load()) {
    printf STDERR
        "Unable to load sympa configuration, file %s or one of the vhost robot.conf files contain errors. Exiting.\n",
        Conf::get_sympa_conf();
    exit 1;
}

# Open log
my $log = Sympa::Log->instance;
$log->{level} = $Conf::Conf{'log_level'};
$log->openlog($Conf::Conf{'log_facility'} || $Conf::Conf{'syslog'},
    $Conf::Conf{'log_socket_type'});

Sympa::Spool::Listmaster->instance->{use_bulk} = 1;

# hash of all the description files already loaded
# format :
#     $desc_files{pathfile}{'date'} : date of the last load
#     $desc_files{pathfile}{'desc_hash'} : hash which describes
#                         the description file

#%desc_files_map; NOT USED ANYMORE

## Shared directory and description file

#$shared = 'shared';
#$desc = '.desc';

## subroutines
our %comm = (
    'confirm_action' => 'do_confirm_action',
    'home'           => 'do_home',
    'logout'         => 'do_logout',
    #'loginrequest'           => 'do_loginrequest',
    'login'               => 'do_login',
    'sso_login'           => 'do_sso_login',
    'sso_login_succeeded' => 'do_sso_login_succeeded',
    'subscribe'           => 'do_subscribe',
    #'multiple_subscribe'     => 'do_multiple_subscribe',
    #'subrequest'             => 'do_subrequest',
    'subindex'       => 'do_subindex',
    'suboptions'     => 'do_suboptions',
    'signoff'        => 'do_signoff',
    'auto_signoff'   => 'do_auto_signoff',
    'family_signoff' => 'do_family_signoff',
    #'family_signoff_request' => 'do_family_signoff_request',
    #XXX'multiple_signoff'    => 'do_multiple_signoff',
    #'sigrequest' => 'do_sigrequest',
    'sigindex' => 'do_sigindex',
    'decl_add' => 'do_decl_add',
    'decl_del' => 'do_decl_del',
    'my'       => 'do_my',
    #'which' => 'do_which',
    'lists'            => 'do_lists',
    'lists_categories' => 'do_lists_categories',
    'latest_lists'     => 'do_latest_lists',
    'active_lists'     => 'do_active_lists',
    'including_lists'  => 'do_including_lists',
    'info'             => 'do_info',
    'subscriber_count' => 'do_subscriber_count',
    'review'           => 'do_review',
    'search'           => 'do_search',
    'pref',            => 'do_pref',
    'setpref'          => 'do_setpref',
    'setpasswd'        => 'do_setpasswd',
    'renewpasswd'      => 'do_renewpasswd',
    'firstpasswd'      => 'do_firstpasswd',
    'requestpasswd'    => 'do_requestpasswd',
    'choosepasswd'     => 'do_choosepasswd',
    'set'              => 'do_set',
    'admin'            => 'do_admin',
    'import'           => 'do_import',
    'add'              => 'do_add',
    'auth_add'         => 'do_auth_add',
    'del'              => 'do_del',
    'auth_del'         => 'do_auth_del',
    'mass_del'         => 'do_mass_del',
    'modindex'         => 'do_modindex',
    'docindex'         => 'do_docindex',
    'reject'           => 'do_reject',
    #XXX'reject_notify' => 'do_reject_notify',
    'distribute'      => 'do_distribute',
    'add_frommod'     => 'do_add_frommod',
    'viewmod'         => 'do_viewmod',
    'd_reject_shared' => 'do_d_reject_shared',
    #XXX'reject_notify_shared' => 'do_reject_notify_shared',
    'd_install_shared'  => 'do_d_install_shared',
    'editfile'          => 'do_editfile',
    'savefile'          => 'do_savefile',
    'arc'               => 'do_arc',
    'latest_arc'        => 'do_latest_arc',
    'latest_d_read'     => 'do_latest_d_read',
    'arc_manage'        => 'do_arc_manage',
    'remove_arc'        => 'do_remove_arc',
    'send_me'           => 'do_send_me',
    'view_source'       => 'do_view_source',
    'tracking'          => 'do_tracking',
    'arcsearch_form'    => 'do_arcsearch_form',
    'arcsearch_id'      => 'do_arcsearch_id',
    'arcsearch'         => 'do_arcsearch',
    'rebuildarc'        => 'do_rebuildarc',
    'rebuildallarc'     => 'do_rebuildallarc',
    'arc_download'      => 'do_arc_download',
    'arc_delete'        => 'do_arc_delete',
    'serveradmin'       => 'do_serveradmin',
    'set_loglevel'      => 'do_set_loglevel',
    'set_dumpvars'      => 'do_set_dumpvars',
    'show_sessions'     => 'do_show_sessions',
    'unset_dumpvars'    => 'do_unset_dumpvars',
    'set_session_email' => 'do_set_session_email',
    'restore_email'     => 'do_restore_email',
    'skinsedit'         => 'do_skinsedit',
    #XXX'css' => 'do_css',
    'help'                     => 'do_help',
    'edit_list_request'        => 'do_edit_list_request',
    'edit_list'                => 'do_edit_list',
    'create_list_request'      => 'do_create_list_request',
    'create_list'              => 'do_create_list',
    'get_pending_lists'        => 'do_get_pending_lists',
    'get_closed_lists'         => 'do_get_closed_lists',
    'get_latest_lists'         => 'do_get_latest_lists',
    'get_inactive_lists'       => 'do_get_inactive_lists',
    'get_biggest_lists'        => 'do_get_biggest_lists',
    'set_pending_list_request' => 'do_set_pending_list_request',
    'install_pending_list'     => 'do_install_pending_list',
    'edit_config'              => 'do_edit_config',
    #XXX'submit_list' => 'do_submit_list',
    'editsubscriber'      => 'do_editsubscriber',
    'edit'                => 'do_edit',
    'viewbounce'          => 'do_viewbounce',
    'redirect'            => 'do_redirect',
    'rename_list_request' => 'do_rename_list_request',
    'move_list'           => 'do_move_list',
    'copy_list'           => 'do_copy_list',
    'reviewbouncing'      => 'do_reviewbouncing',
    'resetbounce'         => 'do_resetbounce',
    'scenario_test'       => 'do_scenario_test',
    'search_list'         => 'do_search_list',
    'search_list_request' => 'do_search_list_request',
    'show_cert'           => 'do_show_cert',
    'close_list'          => 'do_close_list',
    'open_list'           => 'do_open_list',
    'purge_list'          => 'do_purge_list',
    'upload_pictures'     => 'do_upload_pictures',
    'delete_pictures'     => 'do_delete_pictures',
    'd_read'              => 'do_d_read',
    'd_create_child'      => 'do_d_create_child',
    'd_unzip'             => 'do_d_unzip',
    'd_editfile'          => 'do_d_editfile',
    'd_properties'        => 'do_d_properties',
    'd_update'            => 'do_d_update',
    'd_describe'          => 'do_d_describe',
    'd_delete'            => 'do_d_delete',
    'd_rename'            => 'do_d_rename',
    'd_control'           => 'do_d_control',
    'd_change_access'     => 'do_d_change_access',
    'd_set_owner'         => 'do_d_set_owner',
    'd_admin'             => 'do_d_admin',
    'dump_scenario'       => 'do_dump_scenario',
    'export_member'       => 'do_export_member',
    'remind'              => 'do_remind',
    'move_user'           => 'do_move_user',
    'load_cert'           => 'do_load_cert',
    'compose_mail'        => 'do_compose_mail',
    'send_mail'           => 'do_send_mail',
    'request_topic'       => 'do_request_topic',
    'tag_topic_by_sender' => 'do_tag_topic_by_sender',
    'search_user'         => 'do_search_user',
    'set_lang'            => 'do_set_lang',
    'attach'              => 'do_attach',
    'stats'               => 'do_stats',
    'viewlogs'            => 'do_viewlogs',
    'wsdl'                => 'do_wsdl',
    'sync_include'        => 'do_sync_include',
    'review_family'       => 'do_review_family',
    'ls_templates'        => 'do_ls_templates',
    'remove_template'     => 'do_remove_template',
    'copy_template'       => 'do_copy_template',
    'view_template'       => 'do_view_template',
    'edit_template'       => 'do_edit_template',
    #'rss' => 'do_rss', #FIXME:Currently processed in differenct way.
    'rss_request'     => 'do_rss_request',
    'maintenance'     => 'do_maintenance',
    'blocklist'       => 'do_blocklist',
    'edit_attributes' => 'do_edit_attributes',
    'ticket'          => 'do_ticket',
    'manage_template' => 'do_manage_template',
    'rt_create'       => 'do_rt_create',
    'rt_delete'       => 'do_rt_delete',
    'rt_edit'         => 'do_rt_edit',
    'rt_setdefault'   => 'do_rt_setdefault',
    'rt_update'       => 'do_rt_update',
    #XXX'send_newsletter' => 'do_send_newsletter',
    'suspend'                => 'do_suspend',
    'suspend_request'        => 'do_suspend_request',
    'suspend_request_action' => 'do_suspend_request_action',
    'show_exclude'           => 'do_show_exclude',
    # 'ca' stands for 'custom_action'. I used a short name to make it discrete
    # in a URL.
    'ca' => 'do_ca',
    # 'lca' stands for 'list_custom_action'. I used a short name to make it
    # discrete in a URL.
    'lca' => 'do_lca',
    #XXX'automatic_lists_management_request' =>
    #XXX    'do_automatic_lists_management_request',
    #XXX'automatic_lists_management'    => 'do_automatic_lists_management',
    'create_automatic_list'         => 'do_create_automatic_list',
    'create_automatic_list_request' => 'do_create_automatic_list_request',
    'auth'                          => 'do_auth',
    'delete_account'                => 'do_delete_account',
);

my %comm_aliases = (
    'add_fromsub'             => 'auth_add',
    'add_request'             => 'import',
    'automatic_lists'         => 'create_automatic_list',
    'automatic_lists_request' => 'create_automatic_list_request',
    'blacklist'               => 'blocklist',
    'change_email'            => 'move_user',
    'change_email_request'    => 'move_user',
    'del_fromsig'             => 'auth_del',
    'dump'                    => 'export_member',
    'family_signoff_request'  => 'family_signoff',
    'ignoresig'               => 'decl_del',
    'ignoresub'               => 'decl_add',
    'loginrequest'            => 'login',
    'rename_list'             => 'move_list',
    'restore_list'            => 'open_list',
    'sigrequest'              => 'signoff',
    'subrequest'              => 'subscribe',
);

# No longer used.
#my %auth_action;

# Arguments awaited in the PATH_INFO, depending on the action.
# NOTE:
# * The email addresses should NOT be embedded in PATH_INFO, because included
#   slashes (/) cannot be handled correctly by web servers. They are kept just
#   for compatibility to earlier releases of Sympa.  Use query parameters
#   instead.
our %action_args = (
    'default'         => ['list'],
    'editfile'        => ['list', 'file', 'previous_action'],
    'requestpasswd'   => ['email'],
    'choosepasswd'    => ['email', 'passwd'],
    'lists'           => ['topic', 'subtopic'],
    'latest_lists'    => ['topic', 'subtopic'],
    'active_lists'    => ['topic', 'subtopic'],
    'including_lists' => ['list'],
    'login'           => ['previous_action', 'previous_list'],
    'sso_login' => ['auth_service_name', 'subaction', 'email', 'ticket'],
    'sso_login_succeeded' =>
        ['auth_service_name', 'previous_action', 'previous_list'],
    #'loginrequest' => ['previous_action', 'previous_list'],
    'logout'      => ['previous_action', 'previous_list'],
    'renewpasswd' => ['previous_action', 'previous_list'],
    'firstpasswd' => ['previous_action', 'previous_list'],
    #XXX'css' => ['file'],
    'pref'             => ['previous_action', 'previous_list'],
    'reject'           => ['list',            'id'],
    'distribute'       => ['list',            'id'],
    'add_frommod'      => ['list',            'id'],
    'dump_scenario'    => ['list',            'scenario_function'],
    'd_reject_shared'  => ['list',            'id'],
    'd_install_shared' => ['list',            'id'],
    'modindex'         => ['list'],
    'docindex'         => ['list'],
    'viewmod'          => ['list',            'id', '@file'],
    'add'              => ['list',            'email'],
    'import' => ['list'],
    'del'    => ['list', 'email'],
    #'editsubscriber' =>
    #    ['list', 'email', 'previous_action', 'custom_attribute'],
    #'editsubscriber' => ['list', 'email', 'previous_action'],
    'editsubscriber' => ['list'],
    'edit'           => ['list', 'role'],
    #'viewbounce' => ['list', 'email', '@file'],
    'viewbounce' => ['list', 'dir', '@file'],
    #'resetbounce'    => ['list', 'email'],
    'review'         => ['list', 'page',  'size', 'sortby'],
    'reviewbouncing' => ['list', 'page',  'size'],
    'arc'            => ['list', 'month', '@arc_file'],
    'latest_arc'     => ['list'],
    'arc_manage'     => ['list'],
    'arcsearch_form' => ['list', 'archive_name'],
    'arcsearch_id'   => ['list', 'archive_name', '@msgid'],
    'rebuildarc'     => ['list', 'month'],
    'rebuildallarc' => [],
    'arc_download'  => ['list'],
    'arc_delete'    => ['list', 'zip'],
    'home'          => [],
    'help'          => ['help_topic'],
    'show_cert'     => [],
    'subscribe'     => ['list'],
    #'subrequest' => ['list','email'],
    'subindex'       => ['list'],
    'decl_add'       => ['list'],
    'signoff'        => ['list'],
    'auto_signoff'   => ['list'],
    'family_signoff' => ['family'],
    #'family_signoff_request' => ['family', 'email'],
    #'sigrequest'             => ['list',   'email'],
    'sigindex'           => ['list'],
    'decl_del'           => ['list'],
    'set'                => ['list', 'email', 'reception', 'gecos'],
    'serveradmin'        => ['subaction'],
    'set_session_email'  => ['email'],
    'skinsedit'          => [],
    'get_pending_lists'  => [],
    'get_closed_lists'   => [],
    'get_latest_lists'   => [],
    'get_inactive_lists' => [],
    'get_biggest_lists'  => [],
    'search_list'        => ['filter_list'],
    'shared'            => ['list', '@path'],        #FIXME: no such function.
    'd_read'            => ['list', '@path'],
    'latest_d_read'     => ['list'],
    'd_admin'           => ['list', 'd_admin'],
    'd_delete'          => ['list', '@path'],
    'd_rename'          => ['list', '@path'],
    'd_create_child'    => ['list', '@path'],
    'd_update'          => ['list', '@path'],
    'd_describe'        => ['list', '@path'],
    'd_editfile'        => ['list', '@path'],
    'd_properties'      => ['list', '@path'],
    'd_control'         => ['list', '@path'],
    'd_change_access'   => ['list', '@path'],
    'd_set_owner'       => ['list', '@path'],
    'export_member'     => ['list', 'format'],
    'search'            => ['list', 'filter'],
    'search_user'       => ['email'],
    'set_lang'          => ['lang'],
    'attach'            => ['list', 'dir', 'file'],
    'stats'             => ['list'],
    'edit_list_request' => ['list', 'group'],
    'move_list'           => ['list', 'new_listname', 'new_robot'],
    'copy_list'           => ['list', 'new_listname', 'new_robot'],
    'redirect'            => [],
    'viewlogs'            => ['list', 'page', 'size', 'sortby'],
    'wsdl'                => [],
    'sync_include'        => ['list'],
    'review_family'       => ['family_name'],
    'ls_templates'        => ['list'],
    'view_template'       => [],
    'remove_template'     => [],
    'copy_template'       => ['list'],
    'edit_template'       => ['list'],
    'rss_request'         => ['list'],
    'request_topic'       => ['list', 'authkey'],
    'tag_topic_by_sender' => ['list'],
    'ticket'              => ['ticket'],
    'move_user'           => [],
    'manage_template'     => ['subaction', 'list', 'message_template'],
    'rt_delete'           => ['list', 'message_template'],
    'rt_edit'             => ['list', 'message_template'],
    'send_newsletter'     => [],
    'compose_mail'        => ['list', 'subaction'],
    'suspend'             => ['list'],
    'suspend_request'     => ['subaction'],
    'show_exclude'        => ['list'],
    'ca'                  => ['custom_action', '@cap'],
    'lca'                 => ['custom_action', 'list', '@cap'],
    #XXX'automatic_lists_management_request' => [],
    #XXX'automatic_lists_management'         => [],
    'create_automatic_list'         => ['family'],
    'create_automatic_list_request' => ['family'],
    'auth'                          => ['id', 'heldaction', 'listname'],
    'auth_add'                      => ['list'],
    'auth_del'                      => ['list'],
);

## Define the required parameters for each action
## Parameter names refer to the %in structure of to $param if mentionned as
## 'param.x'
## This structure is used to determine if any parameter is missing
## The list of parameters is not ordered
## Some keywords are reserved: param.list and param.user.email
## Alternate parameters can be defined with the '|' character
## Limits of this structure: it does not define optional parameters (a or b)
## Limit: it does not allow to have a specific error message and redirect to a
## given page if the parameter is missing
our %required_args = (
    'active_lists'   => ['for|count'],
    'admin'          => ['param.list', 'param.user.email'],
    'add'            => ['param.list', 'param.user.email'],
    'import'         => ['param.list', 'param.user.email'],
    'arc'            => ['param.list'],
    'arc_delete'     => ['param.user.email', 'param.list'],
    'arc_download'   => ['param.user.email', 'param.list'],
    'arc_manage'     => ['param.list'],
    'arcsearch'      => ['param.list'],
    'arcsearch_form' => ['param.list'],
    'arcsearch_id'   => ['param.list'],
    'auth'           => ['id', 'heldaction', 'email'],
    'auth_add'       => ['param.list', 'param.user.email', 'id'],
    'auth_del'       => ['param.list', 'param.user.email', 'id'],
    'auto_signoff'   => ['param.list', 'email'],
    'attach'         => ['param.list'],
    'blocklist'      => ['param.list'],
    'move_user' =>
        ['param.user.email', 'current_email|old_email', 'email|new_email'],
    'close_list'    => ['param.user.email', 'param.list'],
    'compose_mail'  => ['param.user.email', 'param.list'],
    'copy_template' => ['webormail'],
    ## other required parameters are checked in the subroutine
    'create_automatic_list'         => ['param.user.email', 'family'],
    'create_automatic_list_request' => ['param.user.email', 'family'],
    'create_list'                   => ['param.user.email', 'info'],
    'create_list_request'           => ['param.user.email'],
    #XXX'css' => [],
    'd_admin'         => ['param.list', 'param.user.email'],
    'd_change_access' => ['param.list', 'param.user.email'],
    'd_control'       => ['param.list', 'param.user.email'],
    'd_create_child' =>
        ['param.list', 'param.user.email', 'new_name|uploaded_file'],
    'd_delete'         => ['param.list', 'param.user.email'],
    'd_describe'       => ['param.list', 'param.user.email', 'content'],
    'd_editfile'       => ['param.list', 'param.user.email'],
    'd_install_shared' => ['param.list', 'param.user.email', 'id'],
    'd_properties'     => ['param.list', 'param.user.email'],
    'd_read'          => ['param.list'],
    'd_reject_shared' => ['param.list', 'param.user.email', 'id'],
    'd_rename'        => ['param.list', 'param.user.email', 'new_name'],
    'd_update' =>
        ['param.list', 'param.user.email', 'content|url|uploaded_file'],
    'd_set_owner'     => ['param.list', 'param.user.email'],
    'd_unzip'         => ['param.list', 'param.user.email', 'uploaded_file'],
    'del'             => ['param.list', 'param.user.email', 'email'],
    'delete_pictures' => ['param.list', 'param.user.email'],
    'distribute'      => ['param.list', 'param.user.email', 'id|idspam'],
    'add_frommod'     => ['param.list', 'param.user.email', 'id'],
    'dump_scenario'   => ['param.list', 'scenario_function|pname'],
    'edit'            => ['param.list', 'param.user.email', 'role', 'email'],
    'edit_list'         => ['param.user.email', 'param.list'],
    'edit_list_request' => ['param.user.email', 'param.list'],
    'edit_template'     => ['webormail'],
    'editfile'          => ['param.user.email'],
    'editsubscriber'    => ['param.list',       'param.user.email', 'email'],
    'export_member'        => ['param.list'],
    'family_signoff'       => ['family', 'email'],
    'get_closed_lists'     => ['param.user.email'],
    'get_inactive_lists'   => ['param.user.email'],
    'get_latest_lists'     => ['param.user.email'],
    'get_biggest_lists'    => ['param.user.email'],
    'get_pending_lists'    => ['param.user.email'],
    'decl_del'             => ['param.list', 'param.user.email', 'id'],
    'decl_add'             => ['param.list', 'param.user.email', 'id'],
    'delete_account'       => ['passwd', 'i_understand_the_consequences'],
    'including_lists'      => ['param.list', 'param.user.email'],
    'info'                 => ['param.list'],
    'install_pending_list' => ['param.user.email'],
    'edit_config'          => ['param.user.email'],
    'latest_arc'           => ['param.list', 'for|count'],
    'latest_d_read'        => ['param.list', 'for', 'count'],
    'latest_lists'         => ['for|count'],
    'load_cert'            => ['param.list'],
    'logout'               => ['param.user.email'],
    'manage_template'      => ['param.list', 'param.user.email'],
    'my'                   => ['param.user.email'],
    'rt_create' => ['param.list', 'param.user.email', 'new_template_name'],
    'rt_delete' => ['param.list', 'param.user.email', 'message_template'],
    'rt_edit'   => ['param.list', 'param.user.email', 'message_template'],
    'rt_setdefault' => ['param.list', 'param.user.email', 'new_default'],
    'rt_update' =>
        ['param.list', 'param.user.email', 'message_template', 'content'],
    'modindex'      => ['param.list',       'param.user.email'],
    'docindex'      => ['param.list',       'param.user.email'],
    'pref'          => ['param.user.email'],
    'purge_list'    => ['param.user.email', 'selected_lists'],
    'rebuildallarc' => ['param.user.email'],
    'rebuildarc'    => ['param.user.email', 'param.list'],
    'reject'        => ['param.list',       'param.user.email', 'id|idspam'],
    'remind'        => ['param.list',       'param.user.email'],
    'remove_arc'      => ['param.list'],
    'remove_template' => ['webormail'],
    'move_list' =>
        ['param.user.email', 'param.list', 'new_listname', 'new_robot'],
    'copy_list' =>
        ['param.user.email', 'param.list', 'new_listname', 'new_robot'],
    'open_list'           => ['param.user.email', 'param.list'],
    'rename_list_request' => ['param.user.email', 'param.list'],
    'request_topic'       => ['param.list',       'authkey'],
    'resetbounce'     => ['param.list', 'param.user.email', 'email'],
    'review'          => ['param.list'],
    'review_family'   => ['param.user.email', 'family_name'],
    'reviewbouncing'  => ['param.list'],
    'rss_request'     => [],
    'savefile'        => ['param.user.email', 'file'],
    'search'          => ['param.list'],
    'search_user'     => ['param.user.email', 'email'],
    'send_mail'       => ['param.user.email'],
    'send_newsletter' => ['param.list', 'param.user.email', 'url'],
    'send_me'         => ['param.list'],
    'view_source'     => ['param.list'],
    'tracking'        => ['param.list'],
    'requestpasswd'   => ['email'],
    'serveradmin'     => ['param.user.email'],
    'set'      => ['param.user.email', 'param.list', 'reception|visibility'],
    'set_lang' => [],
    'set_pending_list_request' => ['param.user.email'],
    'setpasswd'        => ['param.user.email', 'newpasswd1', 'newpasswd2'],
    'setpref'          => ['param.user.email'],
    'sigindex'         => ['param.list', 'param.user.email'],
    'signoff'          => ['param.list'],
    'skinsedit'        => ['param.user.email'],
    'sso_login'        => ['auth_service_name'],
    'stats'            => ['param.list'],
    'subindex'         => ['param.list', 'param.user.email'],
    'suboptions'       => ['param.list', 'param.user.email'],
    'subscribe'        => ['param.list'],
    'subscriber_count' => ['param.list'],
    'suspend'          => ['param.list', 'param.user.email'],
    'suspend_request'  => [],
    'suspend_request_action' => [],
    'show_exclude'           => ['param.list'],
    'sync_include'           => ['param.list', 'param.user.email'],
    'tag_topic_by_sender'    => ['param.list'],
    'upload_pictures'        => ['param.user.email', 'param.list'],
    'view_template'          => ['webormail'],
    'viewbounce'             => ['param.list', 'email|file'],
    'viewlogs'               => ['param.list'],
    'viewmod' => ['param.list', 'param.user.email', 'id|idspam'],
    'wsdl'    => [],
    #'which' => ['param.user.email'],
);

## Defines the required privileges to access privileged actions
## You can define a set ofequiivalent privileges in the ARRAYREF
our %required_privileges = (
    'admin'                    => ['owner', 'editor'],
    'arc_delete'               => ['owner'],
    'arc_download'             => ['owner'],
    'arc_manage'               => ['owner'],
    'auth_add'                 => ['owner', 'editor'],
    'auth_del'                 => ['owner', 'editor'],
    'blocklist'                => ['owner', 'editor'],
    'close_list'               => ['privileged_owner'],
    'copy_template'            => ['listmaster'],
    'd_install_shared'         => ['editor', 'owner'],
    'd_reject_shared'          => ['editor', 'owner'],
    'distribute'               => ['editor', 'owner', 'listmaster'],
    'add_frommod'              => ['editor', 'owner'],
    'dump_scenario'            => ['listmaster'],
    'edit'                     => ['editor', 'owner', 'listmaster'],
    'edit_list'                => ['owner'],
    'edit_list_request'        => ['owner'],
    'edit_template'            => ['listmaster'],
    'editfile'                 => ['owner', 'listmaster'],
    'editsubscriber'           => ['owner', 'editor'],
    'get_closed_lists'         => ['listmaster'],
    'get_inactive_lists'       => ['listmaster'],
    'get_latest_lists'         => ['listmaster'],
    'get_biggest_lists'        => ['listmaster'],
    'get_pending_lists'        => ['listmaster'],
    'decl_del'                 => ['owner', 'editor'],
    'decl_add'                 => ['owner', 'editor'],
    'including_lists'          => ['owner', 'listmaster'],
    'install_pending_list'     => ['listmaster'],
    'edit_config'              => ['listmaster'],
    'ls_templates'             => ['listmaster'],
    'manage_template'          => ['owner'],
    'mass_del'                 => ['listmaster'],
    'rt_create'                => ['owner'],
    'rt_delete'                => ['owner'],
    'rt_edit'                  => ['owner'],
    'rt_setdefault'            => ['owner'],
    'rt_update'                => ['owner'],
    'modindex'                 => ['editor', 'owner', 'listmaster'],
    'docindex'                 => ['editor', 'owner', 'listmaster'],
    'purge_list'               => ['privileged_owner', 'listmaster'],
    'rebuildallarc'            => ['listmaster'],
    'rebuildarc'               => ['listmaster'],
    'reject'                   => ['editor', 'owner', 'listmaster'],
    'remove_template'          => ['listmaster'],
    'move_list'                => ['privileged_owner'],
    'copy_list'                => ['owner', 'listmaster'],
    'open_list'                => ['listmaster'],
    'rename_list_request'      => ['privileged_owner'],
    'resetbounce'              => ['owner', 'editor'],
    'review_family'            => ['listmaster'],
    'reviewbouncing'           => ['owner', 'editor'],
    'savefile'                 => ['owner', 'listmaster'],
    'search_user'              => ['listmaster'],
    'serveradmin'              => ['listmaster'],
    'set_dumpvars'             => ['listmaster'],
    'set_loglevel'             => ['listmaster'],
    'set_pending_list_request' => ['listmaster'],
    'set_session_email'        => ['listmaster'],
    'show_sessions'            => ['listmaster'],
    'sigindex'                 => ['owner', 'editor'],
    'stats'                    => ['owner'],
    'subindex'                 => ['owner', 'editor'],
    'sync_include'             => ['owner', 'editor'],
    'skinsedit'                => ['listmaster'],
    'view_template'            => ['listmaster'],
    'viewbounce'               => ['owner', 'editor'],
    'viewlogs'                 => ['owner', 'editor'],
    'viewmod'                  => ['editor', 'owner', 'listmaster'],
    #XXX'automatic_lists_management_request' => ['listmaster'],
    #XXX'automatic_lists_management'         => ['listmaster'],
);

# An action is a candidate for this list if it modifies an object or setting.
#
# Why not just protect all actions? Many of them are used in GET requests
# without any forms, making it more difficult to supply a CSRF token.
# This list intentionally starts out small in the name of breaking as little
# as possible.

our %require_csrftoken = (
    'add'       => 1,
    'del'       => 1,
    'move_user' => 1,
    'savefile'  => 1,
    'setpasswd' => 1,
    'setpref'   => 1,
);

# this definition is used to choose the left side menu type (admin ->
# listowner admin menu | serveradmin -> server_admin menu | none list or
# your_list menu)
my %action_type = (
    'review' => 'admin',
    'search' => 'admin',
    'admin'  => 'admin',
    'import' => 'admin',
    'add'    => 'admin',
    'del'    => 'admin',
    # 'modindex' =>'admin',
    'reject'            => 'admin',
    'reject_notify'     => 'admin',
    'distribute'        => 'admin',
    'add_frommod'       => 'admin',
    'viewmod'           => 'admin',
    'savefile'          => 'admin',
    'rebuildallarc'     => 'admin',    #FIXME: serveradmin?
    'reviewbouncing'    => 'admin',
    'edit'              => 'admin',
    'edit_list_request' => 'admin',
    'edit_list'         => 'admin',
    'editsubscriber'    => 'admin',
    'viewbounce'        => 'admin',
    'resetbounce'       => 'admin',
    'scenario_test'     => 'admin',
    'close_list'        => 'admin',
    'd_admin'           => 'admin',
    'd_reject_shared'   => 'admin',
    'd_install_shared'  => 'admin',
    'dump_scenario'     => 'admin',
    'export_member'     => 'admin',
    'open_list'         => 'admin',
    'remind'            => 'admin',
    #'subindex' => 'admin',
    'stats'               => 'admin',
    'decl_del'            => 'admin',
    'decl_add'            => 'admin',
    'move_list'           => 'admin',
    'copy_list'           => 'admin',
    'rename_list_request' => 'admin',
    'arc_manage'          => 'admin',
    'sync_include'        => 'admin',
    'view_template'       => 'admin',
    'remove_template'     => 'admin',
    'copy_template'       => 'admin',
    'edit_template'       => 'admin',
    'blocklist'           => 'admin',
    'viewlogs'            => 'admin',
    'serveradmin'         => 'serveradmin',
    'get_pending_lists'   => 'serveradmin',
    'get_closed_lists'    => 'serveradmin',
    'get_inactive_lists'  => 'serveradmin',
    'get_latest_lists'    => 'serveradmin',
    'get_biggest_lists'   => 'serveradmin',
    'ls_templates'        => 'serveradmin',
    'skinsedit'           => 'serveradmin',
    'review_family'       => 'serveradmin',
    'search_user'         => 'serveradmin',
    'show_sessions'       => 'serveradmin',
    'show_exclude'        => 'admin',
    'rebuildarc'          => 'serveradmin',
    'set_session_email'   => 'serveradmin',
    'set_loglevel'        => 'serveradmin',
    'editfile'            => 'serveradmin',    #FIXME: admin?
    'unset_dumpvars'      => 'serveradmin',
    'set_dumpvars'        => 'serveradmin',
    #XXX'automatic_lists_management_request' => 'serveradmin',
    #XXX'automatic_lists_management'         => 'serveradmin',
);

# Actions that are not used in return of login,
my %temporary_actions = (
    'confirm_action'      => 1,
    'logout'              => 1,
    'loginrequest'        => 1,
    'login'               => 1,
    'sso_login'           => 1,
    'sso_login_succeeded' => 1,
    'ticket'              => 1,
    #XXX'css' => 1,
    'rss'      => 1,    # FIXME:currently not used.
    'ajax'     => 1,
    'wsdl'     => 1,
    'redirect' => 1,
);

## Regexp applied on incoming parameters (%in)
## The aim is not a strict definition of parameter format
## but rather a security check
our %in_regexp = (
    ## Default regexp
    '*' => '[\w\-\.]+',

    ## List config parameters
    'single_param'   => '.+',
    'multiple_param' => '.+',
    'deleted_param'  => '.+',

    ## Textarea content
    'template_content'     => '.+',
    'content'              => '.+',
    'body'                 => '.+',
    'info'                 => '.+',
    'new_scenario_content' => '.+',
    'blacklist'            => '.*',    # Compat.<=6.2.60
    'blocklist'            => '.*',

    ## Integer
    'page' => '\d+|owner|editor',
    'size' => '\d+',

    ## Free data
    'subject'          => '.*',
    'gecos'            => '[^<>\\\*\$\n]+',
    'fromname'         => '[^<>\\\*\$\n]+',
    'additional_field' => '[^<>\\\*\$\n]+',
    'dump'             => '[^<>\\\*\$]+',     # contents email + gecos

    ## Search
    'filter'      => '.*',                    # search subscriber
    'filter_list' => '.*',                    # search list
    'key_word'    => '.*',
    'format'      => '[^<>\\\$\n]+',          # dump format/filter string

    ## File names
    'file'          => '[^<>\*\$\n]+',
    'template_path' => '[\w\-\.\/_]+',
    'arc_file'      => '[^<>\\\*\$\n]+',
    'path'          => '[^<>\\\*\$\n]+',
    'uploaded_file' =>
        '(.*[\/\\\\])?[^<>\*\$\n]+',          # Could be precised (use of "'")
    'dir'               => '[^<>\\\*\$\n]+',
    'new_name'          => '[^<>\\\*\$\[\]\/\n]+',
    'shortname'         => '[^<>\\\*\$\n]+',
    'id'                => '[^<>\\\*\$\n]+',
    'template_name'     => Sympa::Regexps::template_name(),
    'new_template_name' => Sympa::Regexps::template_name(),
    'message_template'  => Sympa::Regexps::template_name(),
    'new_default'       => Sympa::Regexps::template_name(),

    ## Archives
    ## format is yyyy-mm for 'arc' and mm for 'send_me'
    'month' => '\d{2}|\d{4}\-\d{2}',

    ## URL
    'referer'         => '[^\\\$\*\"\'\`\^\|\<\>\n]+',
    'failure_referer' => '[^\\\$\*\"\'\`\^\|\<\>\n]+',
    'url'             => '[^\\\$\*\"\'\`\^\|\<\>\n]+',

    ## Msg ID
    'msgid'       => '[^\\\*\"\'\`\^\|\n]+',
    'in_reply_to' => '[^\\\*\"\'\`\^\|\n]+',
    'message_id'  => '[^\\\*\"\'\`\^\|\n]+',
    'msg_subject' => '.*',

    ## Password
    'passwd'       => '.+',
    'password'     => '.+',
    'newpasswd1'   => '.+',
    'newpasswd2'   => '.+',
    'new_password' => '.+',

    ## Topics
    'topic'    => '\@?[\-\w\/]+',
    'topics'   => '[\-\w\/]+',
    'subtopic' => '[\-\w\/]+',

    ## List names
    'list' => '[\w\-\.\+]*',    ## Sympa::Regexps::listname() + uppercase
    'previous_list'  => '[\w\-\.\+]*',
    'listname'       => '[\w\-\.\+]*',
    'new_listname'   => '[\w\-\.\+]*',
    'selected_lists' => '[\w\-\.\+]*',

    ## Family names
    'family_name' => Sympa::Regexps::family_name(),
    'family'      => Sympa::Regexps::family_name(),

    # Email addresses
    'current_email' => Sympa::Regexps::email(),
    'email'         => Sympa::Regexps::email() . '|' . Sympa::Regexps::uid(),
    'init_email'    => Sympa::Regexps::email(),
    'old_email'     => Sympa::Regexps::email(),
    'new_email'     => Sympa::Regexps::email(),
    'sender'        => Sympa::Regexps::email(),
    'fromaddr'      => Sympa::Regexps::email(),
    'del_emails'    => '.*',
    'to' => '(([\w\-\_\.\/\+\=\']+|\".*\")\s[\w\-]+(\.[\w\-]+)+(,?))*',
    'automatic_list_part_*' => '[\w\-\.\+]*',

    ## Host
    'new_robot'   => Sympa::Regexps::host(),
    'remote_host' => Sympa::Regexps::host(),
    'remote_addr' => Sympa::Regexps::host(),

    ## Scenario name
    'scenario'    => Sympa::Regexps::scenario_name(),
    'read_access' => Sympa::Regexps::scenario_name(),
    'edit_access' => Sympa::Regexps::scenario_name(),
    ## RSS URL or blank
    'active_lists'  => '.*',
    'latest_lists'  => '.*',
    'latest_arc'    => '.*',
    'latest_d_read' => '.*',

    ##Logs
    'target_type' => '[\w\-\.\:]*',
    'target'      => Sympa::Regexps::email(),
    'date_from'   => '[\d\/\-]+',
    'date_to'     => '[\d\/\-]+',
    'ip'          => Sympa::Regexps::host(),

    ## colors
    'subaction_test'    => '.*',
    'subaction_reset'   => '.*',
    'subaction_install' => '.*',
    'color_0'           => '\#[0-9a-fA-F]+',
    'color_1'           => '\#[0-9a-fA-F]+',
    'color_2'           => '\#[0-9a-fA-F]+',
    'color_3'           => '\#[0-9a-fA-F]+',
    'color_4'           => '\#[0-9a-fA-F]+',
    'color_5'           => '\#[0-9a-fA-F]+',
    'color_6'           => '\#[0-9a-fA-F]+',
    'color_7'           => '\#[0-9a-fA-F]+',
    'color_8'           => '\#[0-9a-fA-F]+',
    'color_9'           => '\#[0-9a-fA-F]+',
    'color_10'          => '\#[0-9a-fA-F]+',
    'color_11'          => '\#[0-9a-fA-F]+',
    'color_12'          => '\#[0-9a-fA-F]+',
    'color_13'          => '\#[0-9a-fA-F]+',
    'color_14'          => '\#[0-9a-fA-F]+',
    'color_15'          => '\#[0-9a-fA-F]+',

    ## Custom attribute
    'custom_attribute' => '.*',

    ## Templates
    'scope' => 'distrib|robot|family|list|site',

    ## Custom Inputs from create_list_request.tt2
    'custom_input' => '.*',

    ## conf parameters
    'conf_new_value' => '.*',

    ## custom actions
    'cap'  => '.*',
    'lcap' => '.*',

    'plugin' => '.*',

    ## Envelope ID
    'envid' => '\w+',

    ## Authentication/moderation key
    'authkey' => '\w+',