#!--PERL--
# -*- indent-tabs-mode: nil; -*-
# vim:ft=perl:et:sw=4
# $Id$

# Sympa - SYsteme de Multi-Postage Automatique
#
# Copyright (c) 1997, 1998, 1999 Institut Pasteur & Christophe Wolfhugel
# Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
# 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
# Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
# Copyright 2017, 2018, 2019, 2020, 2021 The Sympa Community. See the
# AUTHORS.md file at the top-level directory of this distribution and at
# <https://github.com/sympa-community/sympa.git>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

## Copyright 1999 Comité Réseaux des Universités
## web interface to Sympa mailing lists manager
## Sympa: http://www.sympa.org/
## Authors :
##           Serge Aumont <sa AT cru.fr>
##           Olivier Salaün <os AT cru.fr>

use strict;
##use warnings;
use lib split(/:/, $ENV{SYMPALIB} || ''), '--modulesdir--';

use Archive::Zip qw();
use DateTime;
use DateTime::Format::Mail;
use Digest::MD5;
use Encode qw();
use English qw(-no_match_vars);
use IO::File qw();
use MIME::EncWords;
use MIME::Lite::HTML;
use POSIX qw();
use Time::Local qw();
use URI;
use Data::Dumper;    # tentative
BEGIN { eval 'use Crypt::OpenSSL::X509'; }

use Sympa;
use Sympa::Archive;
use Conf;
use Sympa::ConfDef;
use Sympa::Constants;
use Sympa::Crash Hook => \&_crash_handler;    # Show traceback.
use Sympa::Database;
use Sympa::DatabaseManager;
use Sympa::Family;
use Sympa::HTMLSanitizer;
use Sympa::Language;
use Sympa::List;
use Sympa::List::Config;
use Sympa::List::Users;
use Sympa::Log;
use Sympa::Message;
use Sympa::Regexps;
use Sympa::Robot;
use Sympa::Scenario;
use Sympa::Spindle::ProcessRequest;
use Sympa::Spindle::ResendArchive;
use Sympa::Spool::Archive;
use Sympa::Spool::Auth;
use Sympa::Spool::Held;
use Sympa::Spool::Incoming;
use Sympa::Spool::Listmaster;
use Sympa::Spool::Moderation;
use Sympa::Spool::Outgoing;
use Sympa::Spool::Topic;
use Sympa::Task;
use Sympa::Template;
use Sympa::Ticket;
use Sympa::Tools::Data;
use Sympa::Tools::File;
use Sympa::Tools::Password;
use Sympa::Tools::Text;
use Sympa::Tracking;
use Sympa::User;
use Sympa::WWW::Auth;
use Sympa::WWW::FastCGI;
use Sympa::WWW::Marc::Search;
use Sympa::WWW::Report;
use Sympa::WWW::Session;
use Sympa::WWW::SharedDocument;
use Sympa::WWW::Tools;

## WWSympa libraries
my %options;

# Path of the main sympa.conf, taken from the build-time constant.
my $sympa_conf_file = Sympa::Constants::CONFIG;

# Package globals (our): reachable from outside this file's lexical scope.
# $param is the hash that the 'param.x' names in %required_args (below)
# refer into; the other three hold the current list, robot and session.
our $list;
our $param = {};
our $robot_id;
our $session;

# File-scoped lexicals (my): private to this file.
my $robot;
my $cookie_domain;
my $ip;
my $rss;
my $ajax;

my $allow_absolute_path;    #FIXME: to be removed in the future.
my @other_include_path;     #FIXME: ditto.

## Load sympa config
if (not Conf::load()) {
    # Without a loadable sympa.conf (or vhost robot.conf) there is nothing to
    # serve: name the file returned by Conf::get_sympa_conf() on STDERR and
    # exit non-zero.
    print STDERR sprintf(
        "Unable to load sympa configuration, file %s or one of the vhost robot.conf files contain errors. Exiting.\n",
        Conf::get_sympa_conf()
    );
    exit 1;
}

# Open log
my $log = Sympa::Log->instance;
$log->{level} = $Conf::Conf{'log_level'};
{
    # 'log_facility' is used when set; otherwise the 'syslog' setting.
    my $facility = $Conf::Conf{'log_facility'} || $Conf::Conf{'syslog'};
    $log->openlog($facility, $Conf::Conf{'log_socket_type'});
}

# Listmaster notifications go through the bulk spool.
Sympa::Spool::Listmaster->instance->{use_bulk} = 1;

# hash of all the description files already loaded
# format :
#     $desc_files{pathfile}{'date'} : date of the last load
#     $desc_files{pathfile}{'desc_hash'} : hash which describes
#                         the description file

#%desc_files_map; NOT USED ANYMORE

## Shared directory and description file

#$shared = 'shared';
#$desc = '.desc';

## subroutines
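# Dispatch table: web action name => name of the subroutine handling it.
# Only names listed here are dispatchable through this table; commented-out
# entries are disabled actions kept for reference.  (The stray comma that
# used to follow the 'pref' key is gone; Perl tolerated it, but it read as
# an extra list element.)
our %comm = (
    'confirm_action' => 'do_confirm_action',
    'home'           => 'do_home',
    'logout'         => 'do_logout',
    #'loginrequest'           => 'do_loginrequest',
    'login'               => 'do_login',
    'sso_login'           => 'do_sso_login',
    'sso_login_succeeded' => 'do_sso_login_succeeded',
    'subscribe'           => 'do_subscribe',
    #'multiple_subscribe'     => 'do_multiple_subscribe',
    #'subrequest'             => 'do_subrequest',
    'subindex'       => 'do_subindex',
    'suboptions'     => 'do_suboptions',
    'signoff'        => 'do_signoff',
    'auto_signoff'   => 'do_auto_signoff',
    'family_signoff' => 'do_family_signoff',
    #'family_signoff_request' => 'do_family_signoff_request',
    #XXX'multiple_signoff'    => 'do_multiple_signoff',
    #'sigrequest' => 'do_sigrequest',
    'sigindex' => 'do_sigindex',
    'decl_add' => 'do_decl_add',
    'decl_del' => 'do_decl_del',
    'my'       => 'do_my',
    #'which' => 'do_which',
    'lists'            => 'do_lists',
    'lists_categories' => 'do_lists_categories',
    'latest_lists'     => 'do_latest_lists',
    'active_lists'     => 'do_active_lists',
    'including_lists'  => 'do_including_lists',
    'info'             => 'do_info',
    'subscriber_count' => 'do_subscriber_count',
    'review'           => 'do_review',
    'search'           => 'do_search',
    'pref'             => 'do_pref',
    'setpref'          => 'do_setpref',
    'setpasswd'        => 'do_setpasswd',
    'renewpasswd'      => 'do_renewpasswd',
    'firstpasswd'      => 'do_firstpasswd',
    'requestpasswd'    => 'do_requestpasswd',
    'choosepasswd'     => 'do_choosepasswd',
    'set'              => 'do_set',
    'admin'            => 'do_admin',
    'import'           => 'do_import',
    'add'              => 'do_add',
    'auth_add'         => 'do_auth_add',
    'del'              => 'do_del',
    'auth_del'         => 'do_auth_del',
    'mass_del'         => 'do_mass_del',
    'modindex'         => 'do_modindex',
    'docindex'         => 'do_docindex',
    'reject'           => 'do_reject',
    #XXX'reject_notify' => 'do_reject_notify',
    'distribute'      => 'do_distribute',
    'add_frommod'     => 'do_add_frommod',
    'viewmod'         => 'do_viewmod',
    'd_reject_shared' => 'do_d_reject_shared',
    #XXX'reject_notify_shared' => 'do_reject_notify_shared',
    'd_install_shared'  => 'do_d_install_shared',
    'editfile'          => 'do_editfile',
    'savefile'          => 'do_savefile',
    'arc'               => 'do_arc',
    'latest_arc'        => 'do_latest_arc',
    'latest_d_read'     => 'do_latest_d_read',
    'arc_manage'        => 'do_arc_manage',
    'remove_arc'        => 'do_remove_arc',
    'send_me'           => 'do_send_me',
    'view_source'       => 'do_view_source',
    'tracking'          => 'do_tracking',
    'arcsearch_form'    => 'do_arcsearch_form',
    'arcsearch_id'      => 'do_arcsearch_id',
    'arcsearch'         => 'do_arcsearch',
    'rebuildarc'        => 'do_rebuildarc',
    'rebuildallarc'     => 'do_rebuildallarc',
    'arc_download'      => 'do_arc_download',
    'arc_delete'        => 'do_arc_delete',
    'serveradmin'       => 'do_serveradmin',
    'set_loglevel'      => 'do_set_loglevel',
    'set_dumpvars'      => 'do_set_dumpvars',
    'show_sessions'     => 'do_show_sessions',
    'unset_dumpvars'    => 'do_unset_dumpvars',
    'set_session_email' => 'do_set_session_email',
    'restore_email'     => 'do_restore_email',
    'skinsedit'         => 'do_skinsedit',
    #XXX'css' => 'do_css',
    'help'                     => 'do_help',
    'edit_list_request'        => 'do_edit_list_request',
    'edit_list'                => 'do_edit_list',
    'create_list_request'      => 'do_create_list_request',
    'create_list'              => 'do_create_list',
    'get_pending_lists'        => 'do_get_pending_lists',
    'get_closed_lists'         => 'do_get_closed_lists',
    'get_latest_lists'         => 'do_get_latest_lists',
    'get_inactive_lists'       => 'do_get_inactive_lists',
    'get_biggest_lists'        => 'do_get_biggest_lists',
    'set_pending_list_request' => 'do_set_pending_list_request',
    'install_pending_list'     => 'do_install_pending_list',
    'edit_config'              => 'do_edit_config',
    #XXX'submit_list' => 'do_submit_list',
    'editsubscriber'      => 'do_editsubscriber',
    'edit'                => 'do_edit',
    'viewbounce'          => 'do_viewbounce',
    'redirect'            => 'do_redirect',
    'rename_list_request' => 'do_rename_list_request',
    'move_list'           => 'do_move_list',
    'copy_list'           => 'do_copy_list',
    'reviewbouncing'      => 'do_reviewbouncing',
    'resetbounce'         => 'do_resetbounce',
    'scenario_test'       => 'do_scenario_test',
    'search_list'         => 'do_search_list',
    'search_list_request' => 'do_search_list_request',
    'show_cert'           => 'do_show_cert',
    'close_list'          => 'do_close_list',
    'open_list'           => 'do_open_list',
    'purge_list'          => 'do_purge_list',
    'upload_pictures'     => 'do_upload_pictures',
    'delete_pictures'     => 'do_delete_pictures',
    'd_read'              => 'do_d_read',
    'd_create_child'      => 'do_d_create_child',
    'd_unzip'             => 'do_d_unzip',
    'd_editfile'          => 'do_d_editfile',
    'd_properties'        => 'do_d_properties',
    'd_update'            => 'do_d_update',
    'd_describe'          => 'do_d_describe',
    'd_delete'            => 'do_d_delete',
    'd_rename'            => 'do_d_rename',
    'd_control'           => 'do_d_control',
    'd_change_access'     => 'do_d_change_access',
    'd_set_owner'         => 'do_d_set_owner',
    'd_admin'             => 'do_d_admin',
    'dump_scenario'       => 'do_dump_scenario',
    'export_member'       => 'do_export_member',
    'remind'              => 'do_remind',
    'move_user'           => 'do_move_user',
    'load_cert'           => 'do_load_cert',
    'compose_mail'        => 'do_compose_mail',
    'send_mail'           => 'do_send_mail',
    'request_topic'       => 'do_request_topic',
    'tag_topic_by_sender' => 'do_tag_topic_by_sender',
    'search_user'         => 'do_search_user',
    'set_lang'            => 'do_set_lang',
    'attach'              => 'do_attach',
    'stats'               => 'do_stats',
    'viewlogs'            => 'do_viewlogs',
    'wsdl'                => 'do_wsdl',
    'sync_include'        => 'do_sync_include',
    'review_family'       => 'do_review_family',
    'ls_templates'        => 'do_ls_templates',
    'remove_template'     => 'do_remove_template',
    'copy_template'       => 'do_copy_template',
    'view_template'       => 'do_view_template',
    'edit_template'       => 'do_edit_template',
    #'rss' => 'do_rss', #FIXME:Currently processed in a different way.
    'rss_request'     => 'do_rss_request',
    'maintenance'     => 'do_maintenance',
    'blocklist'       => 'do_blocklist',
    'edit_attributes' => 'do_edit_attributes',
    'ticket'          => 'do_ticket',
    'manage_template' => 'do_manage_template',
    'rt_create'       => 'do_rt_create',
    'rt_delete'       => 'do_rt_delete',
    'rt_edit'         => 'do_rt_edit',
    'rt_setdefault'   => 'do_rt_setdefault',
    'rt_update'       => 'do_rt_update',
    #XXX'send_newsletter' => 'do_send_newsletter',
    'suspend'                => 'do_suspend',
    'suspend_request'        => 'do_suspend_request',
    'suspend_request_action' => 'do_suspend_request_action',
    'show_exclude'           => 'do_show_exclude',
    # 'ca' stands for 'custom_action'. A short name keeps it discreet
    # in a URL.
    'ca' => 'do_ca',
    # 'lca' stands for 'list_custom_action'. A short name keeps it
    # discreet in a URL.
    'lca' => 'do_lca',
    #XXX'automatic_lists_management_request' =>
    #XXX    'do_automatic_lists_management_request',
    #XXX'automatic_lists_management'    => 'do_automatic_lists_management',
    'create_automatic_list'         => 'do_create_automatic_list',
    'create_automatic_list_request' => 'do_create_automatic_list_request',
    'auth'                          => 'do_auth',
    'delete_account'                => 'do_delete_account',
);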

my %comm_aliases = (
    # Legacy action names accepted for compatibility.  Each value is a key
    # of %comm above, i.e. the current action the alias resolves to.
    'add_fromsub'             => 'auth_add',
    'add_request'             => 'import',
    'automatic_lists'         => 'create_automatic_list',
    'automatic_lists_request' => 'create_automatic_list_request',
    'blacklist'               => 'blocklist',
    'change_email'            => 'move_user',
    'change_email_request'    => 'move_user',
    'del_fromsig'             => 'auth_del',
    'dump'                    => 'export_member',
    'family_signoff_request'  => 'family_signoff',
    'ignoresig'               => 'decl_del',
    'ignoresub'               => 'decl_add',
    'loginrequest'            => 'login',
    'rename_list'             => 'move_list',
    'restore_list'            => 'open_list',
    'sigrequest'              => 'signoff',
    'subrequest'              => 'subscribe',
);

# No longer used.
#my %auth_action;

# Arguments awaited in the PATH_INFO, depending on the action.
# NOTE:
# * The email addresses should NOT be embedded in PATH_INFO, because included
#   slashes (/) cannot be handled correctly by web servers. They are kept just
#   for compatibility to earlier releases of Sympa.  Use query parameters
#   instead.
our %action_args = (
    # Action name => ordered list of the names given to the PATH_INFO
    # segments that follow the action.  A name starting with '@' (e.g.
    # '@path', '@file') presumably collects all remaining segments —
    # confirm against the PATH_INFO parser.  'default' applies to actions
    # without an entry of their own.
    'default'         => ['list'],
    'editfile'        => ['list', 'file', 'previous_action'],
    'requestpasswd'   => ['email'],
    # 'passwd' is read from the URL path here; see the NOTE above about
    # PATH_INFO and confirm what the handler expects in it.
    'choosepasswd'    => ['email', 'passwd'],
    'lists'           => ['topic', 'subtopic'],
    'latest_lists'    => ['topic', 'subtopic'],
    'active_lists'    => ['topic', 'subtopic'],
    'including_lists' => ['list'],
    'login'           => ['previous_action', 'previous_list'],
    'sso_login' => ['auth_service_name', 'subaction', 'email', 'ticket'],
    'sso_login_succeeded' =>
        ['auth_service_name', 'previous_action', 'previous_list'],
    #'loginrequest' => ['previous_action', 'previous_list'],
    'logout'      => ['previous_action', 'previous_list'],
    'renewpasswd' => ['previous_action', 'previous_list'],
    'firstpasswd' => ['previous_action', 'previous_list'],
    #XXX'css' => ['file'],
    'pref'             => ['previous_action', 'previous_list'],
    'reject'           => ['list',            'id'],
    'distribute'       => ['list',            'id'],
    'add_frommod'      => ['list',            'id'],
    'dump_scenario'    => ['list',            'scenario_function'],
    'd_reject_shared'  => ['list',            'id'],
    'd_install_shared' => ['list',            'id'],
    'modindex'         => ['list'],
    'docindex'         => ['list'],
    'viewmod'          => ['list',            'id', '@file'],
    'add'              => ['list',            'email'],
    'import' => ['list'],
    'del'    => ['list', 'email'],
    #'editsubscriber' =>
    #    ['list', 'email', 'previous_action', 'custom_attribute'],
    #'editsubscriber' => ['list', 'email', 'previous_action'],
    'editsubscriber' => ['list'],
    'edit'           => ['list', 'role'],
    #'viewbounce' => ['list', 'email', '@file'],
    'viewbounce' => ['list', 'dir', '@file'],
    #'resetbounce'    => ['list', 'email'],
    'review'         => ['list', 'page',  'size', 'sortby'],
    'reviewbouncing' => ['list', 'page',  'size'],
    'arc'            => ['list', 'month', '@arc_file'],
    'latest_arc'     => ['list'],
    'arc_manage'     => ['list'],
    'arcsearch_form' => ['list', 'archive_name'],
    'arcsearch_id'   => ['list', 'archive_name', '@msgid'],
    'rebuildarc'     => ['list', 'month'],
    'rebuildallarc' => [],
    'arc_download'  => ['list'],
    'arc_delete'    => ['list', 'zip'],
    'home'          => [],
    'help'          => ['help_topic'],
    'show_cert'     => [],
    'subscribe'     => ['list'],
    #'subrequest' => ['list','email'],
    'subindex'       => ['list'],
    'decl_add'       => ['list'],
    'signoff'        => ['list'],
    'auto_signoff'   => ['list'],
    'family_signoff' => ['family'],
    #'family_signoff_request' => ['family', 'email'],
    #'sigrequest'             => ['list',   'email'],
    'sigindex'           => ['list'],
    'decl_del'           => ['list'],
    'set'                => ['list', 'email', 'reception', 'gecos'],
    'serveradmin'        => ['subaction'],
    'set_session_email'  => ['email'],
    'skinsedit'          => [],
    'get_pending_lists'  => [],
    'get_closed_lists'   => [],
    'get_latest_lists'   => [],
    'get_inactive_lists' => [],
    'get_biggest_lists'  => [],
    'search_list'        => ['filter_list'],
    # 'shared' has no handler in %comm; kept for compatibility only.
    'shared'            => ['list', '@path'],        #FIXME: no such function.
    'd_read'            => ['list', '@path'],
    'latest_d_read'     => ['list'],
    'd_admin'           => ['list', 'd_admin'],
    'd_delete'          => ['list', '@path'],
    'd_rename'          => ['list', '@path'],
    'd_create_child'    => ['list', '@path'],
    'd_update'          => ['list', '@path'],
    'd_describe'        => ['list', '@path'],
    'd_editfile'        => ['list', '@path'],
    'd_properties'      => ['list', '@path'],
    'd_control'         => ['list', '@path'],
    'd_change_access'   => ['list', '@path'],
    'd_set_owner'       => ['list', '@path'],
    'export_member'     => ['list', 'format'],
    'search'            => ['list', 'filter'],
    'search_user'       => ['email'],
    'set_lang'          => ['lang'],
    'attach'            => ['list', 'dir', 'file'],
    'stats'             => ['list'],
    'edit_list_request' => ['list', 'group'],
    'move_list'           => ['list', 'new_listname', 'new_robot'],
    'copy_list'           => ['list', 'new_listname', 'new_robot'],
    'redirect'            => [],
    'viewlogs'            => ['list', 'page', 'size', 'sortby'],
    'wsdl'                => [],
    'sync_include'        => ['list'],
    'review_family'       => ['family_name'],
    'ls_templates'        => ['list'],
    'view_template'       => [],
    'remove_template'     => [],
    'copy_template'       => ['list'],
    'edit_template'       => ['list'],
    'rss_request'         => ['list'],
    'request_topic'       => ['list', 'authkey'],
    'tag_topic_by_sender' => ['list'],
    'ticket'              => ['ticket'],
    'move_user'           => [],
    'manage_template'     => ['subaction', 'list', 'message_template'],
    'rt_delete'           => ['list', 'message_template'],
    'rt_edit'             => ['list', 'message_template'],
    # 'send_newsletter' is commented out in %comm above, so this entry is
    # unused until that handler is re-enabled.
    'send_newsletter'     => [],
    'compose_mail'        => ['list', 'subaction'],
    'suspend'             => ['list'],
    'suspend_request'     => ['subaction'],
    'show_exclude'        => ['list'],
    'ca'                  => ['custom_action', '@cap'],
    'lca'                 => ['custom_action', 'list', '@cap'],
    #XXX'automatic_lists_management_request' => [],
    #XXX'automatic_lists_management'         => [],
    'create_automatic_list'         => ['family'],
    'create_automatic_list_request' => ['family'],
    'auth'                          => ['id', 'heldaction', 'listname'],
    'auth_add'                      => ['list'],
    'auth_del'                      => ['list'],
);

## Define the required parameters for each action
## Parameter names refer to the %in structure, or to $param if mentioned as
## 'param.x'
## This structure is used to determine if any parameter is missing
## The list of parameters is not ordered
## Some keywords are reserved: param.list and param.user.email
## Alternate parameters can be defined with the '|' character
## Limits of this structure: it does not define optional parameters (a or b)
## Limit: it does not allow to have a specific error message and redirect to a
## given page if the parameter is missing
our %required_args = (
Luc Didry's avatar
Luc Didry committed
504
505
506
507
508
509
510
511
512
513
514
515
    'active_lists'   => ['for|count'],
    'admin'          => ['param.list', 'param.user.email'],
    'add'            => ['param.list', 'param.user.email'],
    'import'         => ['param.list', 'param.user.email'],
    'arc'            => ['param.list'],
    'arc_delete'     => ['param.user.email', 'param.list'],
    'arc_download'   => ['param.user.email', 'param.list'],
    'arc_manage'     => ['param.list'],
    'arcsearch'      => ['param.list'],
    'arcsearch_form' => ['param.list'],
    'arcsearch_id'   => ['param.list'],
    'auth'           => ['id', 'heldaction', 'email'],
516
517
    'auth_add'       => ['param.list', 'param.user.email', 'id'],
    'auth_del'       => ['param.list', 'param.user.email', 'id'],
Luc Didry's avatar
Luc Didry committed
518
519
    'auto_signoff'   => ['param.list', 'email'],
    'attach'         => ['param.list'],
520
    'blocklist'      => ['param.list'],
Luc Didry's avatar
Luc Didry committed
521
522
523
524
525
    'move_user' =>
        ['param.user.email', 'current_email|old_email', 'email|new_email'],
    'close_list'    => ['param.user.email', 'param.list'],
    'compose_mail'  => ['param.user.email', 'param.list'],
    'copy_template' => ['webormail'],
526
    ## other required parameters are checked in the subroutine
527
528
    'create_automatic_list'         => ['param.user.email', 'family'],
    'create_automatic_list_request' => ['param.user.email', 'family'],
529
    'create_list'                   => ['param.user.email', 'info'],
530
    'create_list_request'           => ['param.user.email'],
531
    #XXX'css' => [],
532
533
534
535
536
    'd_admin'         => ['param.list', 'param.user.email'],
    'd_change_access' => ['param.list', 'param.user.email'],
    'd_control'       => ['param.list', 'param.user.email'],
    'd_create_child' =>
        ['param.list', 'param.user.email', 'new_name|uploaded_file'],
537
538
539
540
541
542
543
544
    'd_delete'         => ['param.list', 'param.user.email'],
    'd_describe'       => ['param.list', 'param.user.email', 'content'],
    'd_editfile'       => ['param.list', 'param.user.email'],
    'd_install_shared' => ['param.list', 'param.user.email', 'id'],
    'd_properties'     => ['param.list', 'param.user.email'],
    'd_read'          => ['param.list'],
    'd_reject_shared' => ['param.list', 'param.user.email', 'id'],
    'd_rename'        => ['param.list', 'param.user.email', 'new_name'],
545
    'd_update' =>
546
        ['param.list', 'param.user.email', 'content|url|uploaded_file'],
547
    'd_set_owner'     => ['param.list', 'param.user.email'],
sikeda's avatar
sikeda committed
548
    'd_unzip'         => ['param.list', 'param.user.email', 'uploaded_file'],
549
550
551
552
    'del'             => ['param.list', 'param.user.email', 'email'],
    'delete_pictures' => ['param.list', 'param.user.email'],
    'distribute'      => ['param.list', 'param.user.email', 'id|idspam'],
    'add_frommod'     => ['param.list', 'param.user.email', 'id'],
553
    'dump_scenario'   => ['param.list', 'scenario_function|pname'],
554
    'edit'            => ['param.list', 'param.user.email', 'role', 'email'],
Luc Didry's avatar
Luc Didry committed
555
556
557
558
559
560
    'edit_list'         => ['param.user.email', 'param.list'],
    'edit_list_request' => ['param.user.email', 'param.list'],
    'edit_template'     => ['webormail'],
    'editfile'          => ['param.user.email'],
    'editsubscriber'    => ['param.list',       'param.user.email', 'email'],
    'export_member'        => ['param.list'],
561
    'family_signoff'       => ['family', 'email'],
Luc Didry's avatar
Luc Didry committed
562
563
564
565
566
    'get_closed_lists'     => ['param.user.email'],
    'get_inactive_lists'   => ['param.user.email'],
    'get_latest_lists'     => ['param.user.email'],
    'get_biggest_lists'    => ['param.user.email'],
    'get_pending_lists'    => ['param.user.email'],
567
568
    'decl_del'             => ['param.list', 'param.user.email', 'id'],
    'decl_add'             => ['param.list', 'param.user.email', 'id'],
569
    'delete_account'       => ['passwd', 'i_understand_the_consequences'],
570
    'including_lists'      => ['param.list', 'param.user.email'],
571
572
573
574
    'info'                 => ['param.list'],
    'install_pending_list' => ['param.user.email'],
    'edit_config'          => ['param.user.email'],
    'latest_arc'           => ['param.list', 'for|count'],
Luc Didry's avatar
Luc Didry committed
575
576
577
578
579
580
    'latest_d_read'        => ['param.list', 'for', 'count'],
    'latest_lists'         => ['for|count'],
    'load_cert'            => ['param.list'],
    'logout'               => ['param.user.email'],
    'manage_template'      => ['param.list', 'param.user.email'],
    'my'                   => ['param.user.email'],
581
    'rt_create' => ['param.list', 'param.user.email', 'new_template_name'],
Luc Didry's avatar
Luc Didry committed
582
583
    'rt_delete' => ['param.list', 'param.user.email', 'message_template'],
    'rt_edit'   => ['param.list', 'param.user.email', 'message_template'],
584
585
586
    'rt_setdefault' => ['param.list', 'param.user.email', 'new_default'],
    'rt_update' =>
        ['param.list', 'param.user.email', 'message_template', 'content'],
Luc Didry's avatar
Luc Didry committed
587
588
589
590
591
592
593
594
    'modindex'      => ['param.list',       'param.user.email'],
    'docindex'      => ['param.list',       'param.user.email'],
    'pref'          => ['param.user.email'],
    'purge_list'    => ['param.user.email', 'selected_lists'],
    'rebuildallarc' => ['param.user.email'],
    'rebuildarc'    => ['param.user.email', 'param.list'],
    'reject'        => ['param.list',       'param.user.email', 'id|idspam'],
    'remind'        => ['param.list',       'param.user.email'],
595
596
    'remove_arc'      => ['param.list'],
    'remove_template' => ['webormail'],
597
    'move_list' =>
598
599
600
        ['param.user.email', 'param.list', 'new_listname', 'new_robot'],
    'copy_list' =>
        ['param.user.email', 'param.list', 'new_listname', 'new_robot'],
601
    'open_list'           => ['param.user.email', 'param.list'],
602
603
    'rename_list_request' => ['param.user.email', 'param.list'],
    'request_topic'       => ['param.list',       'authkey'],
Luc Didry's avatar
Luc Didry committed
604
    'resetbounce'     => ['param.list', 'param.user.email', 'email'],
605
606
607
608
609
    'review'          => ['param.list'],
    'review_family'   => ['param.user.email', 'family_name'],
    'reviewbouncing'  => ['param.list'],
    'rss_request'     => [],
    'savefile'        => ['param.user.email', 'file'],
610
    'search'          => ['param.list'],
611
612
613
614
615
616
617
618
    'search_user'     => ['param.user.email', 'email'],
    'send_mail'       => ['param.user.email'],
    'send_newsletter' => ['param.list', 'param.user.email', 'url'],
    'send_me'         => ['param.list'],
    'view_source'     => ['param.list'],
    'tracking'        => ['param.list'],
    'requestpasswd'   => ['email'],
    'serveradmin'     => ['param.user.email'],
619
    'set'      => ['param.user.email', 'param.list', 'reception|visibility'],
620
621
    'set_lang' => [],
    'set_pending_list_request' => ['param.user.email'],
Luc Didry's avatar
Luc Didry committed
622
623
624
625
626
627
628
629
630
631
632
633
634
    'setpasswd'        => ['param.user.email', 'newpasswd1', 'newpasswd2'],
    'setpref'          => ['param.user.email'],
    'sigindex'         => ['param.list', 'param.user.email'],
    'signoff'          => ['param.list'],
    'skinsedit'        => ['param.user.email'],
    'sso_login'        => ['auth_service_name'],
    'stats'            => ['param.list'],
    'subindex'         => ['param.list', 'param.user.email'],
    'suboptions'       => ['param.list', 'param.user.email'],
    'subscribe'        => ['param.list'],
    'subscriber_count' => ['param.list'],
    'suspend'          => ['param.list', 'param.user.email'],
    'suspend_request'  => [],
635
636
    'suspend_request_action' => [],
    'show_exclude'           => ['param.list'],
Luc Didry's avatar
Luc Didry committed
637
    'sync_include'           => ['param.list', 'param.user.email'],
638
639
640
    'tag_topic_by_sender'    => ['param.list'],
    'upload_pictures'        => ['param.user.email', 'param.list'],
    'view_template'          => ['webormail'],
    'viewbounce'             => ['param.list', 'email|file'],
    'viewlogs'               => ['param.list'],
    'viewmod' => ['param.list', 'param.user.email', 'id|idspam'],
    'wsdl'    => [],
    #'which' => ['param.user.email'],
);

## Defines the privileges required to reach a privileged action.
## Each value is an ARRAYREF of privileges treated as equivalent: holding
## any one of them is enough. Actions that do not appear here carry no
## requirement in this table (their authorization, if any, is decided
## elsewhere). Entries are grouped by privilege set; the mapping of each
## action is unchanged, including the order inside every ARRAYREF.
our %required_privileges = (
    # List owner or editor.
    (   map { ($_ => ['owner', 'editor']) }
            qw(admin auth_add auth_del blocklist editsubscriber decl_del
            decl_add resetbounce reviewbouncing sigindex subindex
            sync_include viewbounce viewlogs)
    ),

    # List owner only.
    (   map { ($_ => ['owner']) }
            qw(arc_delete arc_download arc_manage edit_list
            edit_list_request manage_template rt_create rt_delete rt_edit
            rt_setdefault rt_update stats)
    ),

    # Privileged owner only.
    (   map { ($_ => ['privileged_owner']) }
            qw(close_list move_list rename_list_request)
    ),

    # Listmaster only.
    (   map { ($_ => ['listmaster']) }
            qw(copy_template dump_scenario edit_template get_closed_lists
            get_inactive_lists get_latest_lists get_biggest_lists
            get_pending_lists install_pending_list edit_config ls_templates
            mass_del rebuildallarc rebuildarc remove_template open_list
            review_family search_user serveradmin set_dumpvars set_loglevel
            set_pending_list_request set_session_email show_sessions
            skinsedit view_template)
    ),

    # Editor or owner (shared-document moderation and the like).
    (   map { ($_ => ['editor', 'owner']) }
            qw(d_install_shared d_reject_shared add_frommod)
    ),

    # Editor, owner or listmaster.
    (   map { ($_ => ['editor', 'owner', 'listmaster']) }
            qw(distribute edit modindex docindex reject viewmod)
    ),

    # Owner or listmaster.
    (   map { ($_ => ['owner', 'listmaster']) }
            qw(editfile including_lists savefile copy_list)
    ),

    # Privileged owner or listmaster.
    'purge_list' => ['privileged_owner', 'listmaster'],

    #XXX'automatic_lists_management_request' => ['listmaster'],
    #XXX'automatic_lists_management'         => ['listmaster'],
);

# Actions whose request must carry a valid CSRF token.
#
# An action is a candidate for this table if it modifies an object or a
# setting. The table is deliberately short: many actions are reached
# through plain GET links with no form to carry a token, so listing them
# here would break those links.
#
# NOTE(review): judging by their names, several actions listed in
# %required_privileges also change state (edit_list, close_list,
# remove_template, set_session_email, ...) yet are absent here, so this
# table gives them no token check. Whether another mechanism covers them
# is decided elsewhere -- confirm before relying on it.
our %require_csrftoken = map { ($_ => 1) } qw(
    add
    del
    move_user
    savefile
    setpasswd
    setpref
);

# Chooses the left-side menu shown for an action:
#   'admin'       -> list owner admin menu
#   'serveradmin' -> server admin menu
# Actions not listed here get the "none list" or "your_list" menu.
# FIXME (carried over): 'rebuildallarc' may belong under 'serveradmin'
# and 'editfile' under 'admin'.
my %action_type = (
    # List administration menu.
    (   map { ($_ => 'admin') }
            qw(
            review search admin import add del
            reject reject_notify distribute add_frommod viewmod savefile
            rebuildallarc reviewbouncing edit edit_list_request edit_list
            editsubscriber viewbounce resetbounce scenario_test close_list
            d_admin d_reject_shared d_install_shared dump_scenario
            export_member open_list remind stats decl_del decl_add
            move_list copy_list rename_list_request arc_manage sync_include
            view_template remove_template copy_template edit_template
            blocklist viewlogs show_exclude
            )
    ),

    # Server administration menu.
    (   map { ($_ => 'serveradmin') }
            qw(
            serveradmin get_pending_lists get_closed_lists
            get_inactive_lists get_latest_lists get_biggest_lists
            ls_templates skinsedit review_family search_user show_sessions
            rebuildarc set_session_email set_loglevel editfile
            unset_dumpvars set_dumpvars
            )
    ),

    # Kept disabled, as in the original table:
    # 'modindex' => 'admin',
    # 'subindex' => 'admin',
    #XXX'automatic_lists_management_request' => 'serveradmin',
    #XXX'automatic_lists_management'         => 'serveradmin',
);

# Actions that are not used as the page to return to after login.
# FIXME (carried over): 'rss' is currently not used.
my %temporary_actions = map { ($_ => 1) } qw(
    confirm_action
    logout
    loginrequest
    login
    sso_login
    sso_login_succeeded
    ticket
    rss
    ajax
    wsdl
    redirect
);
#XXX 'css' => 1,   -- left disabled, as in the original table

## Regexp applied on incoming parameters (%in).
## The aim is not a strict definition of parameter format but rather a
## security check (presumably a value that does not match is rejected).
##
## NOTE(review): these are plain pattern strings, not qr// objects. The
## consumer (the parameter filter later in this file, outside this excerpt)
## decides how they are anchored and which flags apply. Several entries
## contain a top-level '|' alternation ('page', 'month', 'email', 'scope',
## 'role'); such a pattern only behaves as a whole-value match if the
## consumer wraps it in a group before anchoring -- confirm there.
## Parameters without a specific entry fall back to '*'.
our %in_regexp = (
    ## Default regexp: word characters, '-' and '.' only.
    '*' => '[\w\-\.]+',

    ## List config parameters (any non-empty single-line value).
    'single_param'   => '.+',
    'multiple_param' => '.+',
    'deleted_param'  => '.+',

    ## Textarea content
    'template_content'     => '.+',
    'content'              => '.+',
    'body'                 => '.+',
    'info'                 => '.+',
    'new_scenario_content' => '.+',
    'blacklist'            => '.*',    # Compat.<=6.2.60
    'blocklist'            => '.*',

    ## Integer ('page' also accepts the role words used by paged views)
    'page' => '\d+|owner|editor',
    'size' => '\d+',

    ## Free data: excludes '<', '>', '\', '*', '$' and newline.
    'subject'          => '.*',
    'gecos'            => '[^<>\\\*\$\n]+',
    'fromname'         => '[^<>\\\*\$\n]+',
    'additional_field' => '[^<>\\\*\$\n]+',
    'dump'             => '[^<>\\\*\$]+',     # contents email + gecos

    ## Search
    'filter'      => '.*',                    # search subscriber
    'filter_list' => '.*',                    # search list
    'key_word'    => '.*',
    'format'      => '[^<>\\\$\n]+',          # dump format/filter string

    ## File names
    ## NOTE(review): these classes admit '/' and '..', so by themselves
    ## they do not prevent directory traversal; %in_negative_regexp below
    ## only rejects a leading "arctxt" or "." for 'arc_file'. Handlers
    ## that build filesystem paths from these values must canonicalise
    ## and confine them -- confirm. Unlike 'arc_file', 'path' and 'dir',
    ## the 'file' class does not exclude the backslash.
    'file'          => '[^<>\*\$\n]+',
    'template_path' => '[\w\-\.\/_]+',
    'arc_file'      => '[^<>\\\*\$\n]+',
    'path'          => '[^<>\\\*\$\n]+',
    'uploaded_file' =>
        '(.*[\/\\\\])?[^<>\*\$\n]+',          # Could be made stricter (e.g. about "'")
    'dir'               => '[^<>\\\*\$\n]+',
    'new_name'          => '[^<>\\\*\$\[\]\/\n]+',
    'shortname'         => '[^<>\\\*\$\n]+',
    'id'                => '[^<>\\\*\$\n]+',
    'template_name'     => Sympa::Regexps::template_name(),
    'new_template_name' => Sympa::Regexps::template_name(),
    'message_template'  => Sympa::Regexps::template_name(),
    'new_default'       => Sympa::Regexps::template_name(),

    ## Archives
    ## format is yyyy-mm for 'arc' and mm for 'send_me'
    'month' => '\d{2}|\d{4}\-\d{2}',

    ## URL
    ## NOTE(review): only shell/HTML metacharacters are excluded; any
    ## scheme and host pass. A consumer that uses these as redirect
    ## targets must check them against the robot's own URL -- confirm.
    'referer'         => '[^\\\$\*\"\'\`\^\|\<\>\n]+',
    'failure_referer' => '[^\\\$\*\"\'\`\^\|\<\>\n]+',
    'url'             => '[^\\\$\*\"\'\`\^\|\<\>\n]+',

    ## Msg ID (same exclusions as URL, but '<' and '>' are allowed)
    'msgid'       => '[^\\\*\"\'\`\^\|\n]+',
    'in_reply_to' => '[^\\\*\"\'\`\^\|\n]+',
    'message_id'  => '[^\\\*\"\'\`\^\|\n]+',
    'msg_subject' => '.*',

    ## Password: any non-empty value; no charset or length rule here.
    'passwd'       => '.+',
    'password'     => '.+',
    'newpasswd1'   => '.+',
    'newpasswd2'   => '.+',
    'new_password' => '.+',

    ## Topics
    'topic'    => '\@?[\-\w\/]+',
    'topics'   => '[\-\w\/]+',
    'subtopic' => '[\-\w\/]+',

    ## List names (may be empty)
    'list' => '[\w\-\.\+]*',    ## Sympa::Regexps::listname() + uppercase
    'previous_list'  => '[\w\-\.\+]*',
    'listname'       => '[\w\-\.\+]*',
    'new_listname'   => '[\w\-\.\+]*',
    'selected_lists' => '[\w\-\.\+]*',

    ## Family names
    'family_name' => Sympa::Regexps::family_name(),
    'family'      => Sympa::Regexps::family_name(),

    # Email addresses
    'current_email' => Sympa::Regexps::email(),
    # 'email' also accepts a bare uid; see the alternation note above.
    'email'         => Sympa::Regexps::email() . '|' . Sympa::Regexps::uid(),
    'init_email'    => Sympa::Regexps::email(),
    'old_email'     => Sympa::Regexps::email(),
    'new_email'     => Sympa::Regexps::email(),
    'sender'        => Sympa::Regexps::email(),
    'fromaddr'      => Sympa::Regexps::email(),
    'del_emails'    => '.*',
    # Recipient list: "name" or token, a space, a dotted host, optional ','.
    # The quoted form (".*") places no restriction on what is inside.
    'to' => '(([\w\-\_\.\/\+\=\']+|\".*\")\s[\w\-]+(\.[\w\-]+)+(,?))*',
    'automatic_list_part_*' => '[\w\-\.\+]*',

    ## Host
    'new_robot'   => Sympa::Regexps::host(),
    'remote_host' => Sympa::Regexps::host(),
    'remote_addr' => Sympa::Regexps::host(),

    ## Scenario name
    'scenario'    => Sympa::Regexps::scenario_name(),
    'read_access' => Sympa::Regexps::scenario_name(),
    'edit_access' => Sympa::Regexps::scenario_name(),

    ## RSS URL or blank
    'active_lists'  => '.*',
    'latest_lists'  => '.*',
    'latest_arc'    => '.*',
    'latest_d_read' => '.*',

    ## Logs
    'target_type' => '[\w\-\.\:]*',
    'target'      => Sympa::Regexps::email(),
    'date_from'   => '[\d\/\-]+',
    'date_to'     => '[\d\/\-]+',
    'ip'          => Sympa::Regexps::host(),

    ## Colors (skins editor sub-actions and '#'-prefixed hex values)
    'subaction_test'    => '.*',
    'subaction_reset'   => '.*',
    'subaction_install' => '.*',
    'color_0'           => '\#[0-9a-fA-F]+',
    'color_1'           => '\#[0-9a-fA-F]+',
    'color_2'           => '\#[0-9a-fA-F]+',
    'color_3'           => '\#[0-9a-fA-F]+',
    'color_4'           => '\#[0-9a-fA-F]+',
    'color_5'           => '\#[0-9a-fA-F]+',
    'color_6'           => '\#[0-9a-fA-F]+',
    'color_7'           => '\#[0-9a-fA-F]+',
    'color_8'           => '\#[0-9a-fA-F]+',
    'color_9'           => '\#[0-9a-fA-F]+',
    'color_10'          => '\#[0-9a-fA-F]+',
    'color_11'          => '\#[0-9a-fA-F]+',
    'color_12'          => '\#[0-9a-fA-F]+',
    'color_13'          => '\#[0-9a-fA-F]+',
    'color_14'          => '\#[0-9a-fA-F]+',
    'color_15'          => '\#[0-9a-fA-F]+',

    ## Custom attribute
    'custom_attribute' => '.*',

    ## Templates
    'scope' => 'distrib|robot|family|list|site',

    ## Custom Inputs from create_list_request.tt2
    'custom_input' => '.*',

    ## conf parameters (unrestricted here)
    'conf_new_value' => '.*',

    ## custom actions
    'cap'  => '.*',
    'lcap' => '.*',

    'plugin' => '.*',

    ## Envelope ID
    'envid' => '\w+',

    ## Authentication/moderation key
    'authkey' => '\w+',

    # Role
    'role' => 'member|editor|owner',
);

## Per-parameter forbidden patterns, the complement of %in_regexp: a value
## matching the entry for its parameter is treated as forbidden.
## ^ and $ may be used to match the beginning and end of the value.
##
## The only entry rejects 'arc_file' values that start with "arctxt" or
## with a dot. NOTE(review): it is anchored at the start only, and the
## positive pattern for 'arc_file' in %in_regexp admits '/', so an
## embedded "/../" segment is not caught here; the archive code must
## canonicalise the resulting path -- confirm.
our %in_negative_regexp = (
    arc_file => '^(arctxt|\.)',
);

# No longer used as of 6.2.19b.
#my %filtering;

## Set locale configuration from the site-wide 'lang' setting; 'en' is
## passed as the second choice (presumably the fallback).
my $language = Sympa::Language->instance;
$language->set_lang($Conf::Conf{lang}, 'en');

# Important to leave this there because it defined defaults for
# user_data_source. The instance is created for its side effects only;
# the return value is discarded (the per-request check below re-creates it).
#FIXME: Is it really required?
Sympa::DatabaseManager->instance;

## Check that the data structure is up to date. If it is not, the web
## interface runs in maintenance mode until an upgrade has been applied;
## the flag is re-evaluated at the top of every request in the main loop.
my $maintenance_mode;
if (not Conf::data_structure_uptodate()) {
    $maintenance_mode = 1;
    $log->syslog('err',
        'WWSympa set to maintenance mode; you should run sympa.pl --upgrade');
}

# Request parameters of the current request (filled from $query->Vars in
# the main loop); package global so other code in the file can read it.
our %in;
# The current FastCGI request object, reassigned on every loop iteration.
my $query;

# Modification time of this script at startup (stat field 9 is mtime).
my $birthday = (stat $PROGRAM_NAME)[9];

# Outgoing spool used to queue messages for distribution.
my $bulk = Sympa::Spool::Outgoing->new;

$log->syslog('info', 'WWSympa started, process %d', $PID);

# Internal encoding is the same as input/output, so no encoding layer is
# set on STDIN/STDOUT (the former binmode ":utf8" calls were dropped).

# Request counter and start time for the main loop that follows.
my ($loop_count, $start_time) = (0, time);
while ($query = Sympa::WWW::FastCGI->new) {
    $loop_count++;

    undef $param;
    undef $list;
    undef $robot;
    undef $cookie_domain;
    undef $ip;
    undef $rss;
    undef $ajax;
    undef $session;

    $log->{level} = $Conf::Conf{'log_level'};
    $language->set_lang(Sympa::best_language('*'));

    # Process grouped notifications.
    Sympa::Spool::Listmaster->instance->flush;

    ## Check effective ID
    unless ($EUID eq (getpwnam(Sympa::Constants::USER))[2]) {
        $maintenance_mode = 1;
        Sympa::WWW::Report::reject_report_web('intern_quiet',
            'incorrect_server_config', {}, '', '');
        wwslog(
            'err',
            'Config error: WWSympa should run with UID %s (instead of %s). *** Switching to maintenance mode. ***',
            (getpwnam(Sympa::Constants::USER))[2],
            $EUID
        );
    }

    ## We set the real UID with the effective UID value
    ## It is useful to allow execution of scripts like alias_manager
    ## that otherwise might loose the benefit of SetUID
    $UID = $EUID;    ## UID
    $GID = $EGID;    ## GID

    unless (Sympa::DatabaseManager->instance) {
        Sympa::WWW::Report::reject_report_web('system_quiet', 'no_database',
            {}, '', '');
        $log->syslog('info', 'WWSympa requires a RDBMS to run');
    }

    ## If in maintenance mode, check if the data structure is now uptodate
    if (    $maintenance_mode
        and Conf::data_structure_uptodate()
        and ($EUID eq (getpwnam(Sympa::Constants::USER))[2])) {
        $maintenance_mode = undef;
        $log->syslog('notice',
            "Data structure seem updated, setting OFF maintenance mode");
    }

    ## Generate traceback if crashed.
    ## Though I don't know why, __DIE__ handler is cleared after INIT.
    Sympa::Crash::register_handler();

    foreach my $envvar (
        qw(ORIG_PATH_INFO ORIG_SCRIPT_NAME
        PATH_INFO QUERY_STRING REMOTE_ADDR REMOTE_HOST REQUEST_METHOD
        SCRIPT_NAME SERVER_NAME SERVER_PORT
        SYMPA_DOMAIN)
    ) {
        $log->syslog('debug', '%s=%s', $envvar, $ENV{$envvar});
    }

    ## Get params in a hash
    %in = $query->Vars;

    # Determin robot.
    $robot = $ENV{SYMPA_DOMAIN};
    unless ($robot) {
        # No robot providing web service found.
        print "Status: 421 Misdirected Request\n";
        print "\n\n";
        next;
    }

    # Default robot.
    $param->{'default_robot'} = 1
        if $robot eq $Conf::Conf{'domain'};

    $ip = $ENV{'REMOTE_HOST'} || $ENV{'REMOTE_ADDR'} || 'undef';

    $cookie_domain = Sympa::WWW::Tools::get_cookie_domain($robot);

    $log->{level} = Conf::get_robot_conf($robot, 'log_level');

    ## Sympa parameters in $param->{'conf'}
    $param->{'conf'} = {};
    foreach my $p (
        'email',
        'soap_url',
        'wwsympa_url',
        'listmaster_email',
        'logo_html_definition',
        'favicon_url',
        'main_menu_custom_button_1_url',
        'main_menu_custom_button_1_title',
        'main_menu_custom_button_1_target',
        'main_menu_custom_button_2_url',
        'main_menu_custom_button_2_title',
        'main_menu_custom_button_2_target',
        'main_menu_custom_button_3_url',
        'main_menu_custom_button_3_title',
        'main_menu_custom_button_3_target',
        'static_content_url',
        'use_blocklist',
        'antispam_feature',
        'custom_robot_parameter',
        'reporting_spam_script_path',
        'automatic_list_families',
        'spam_protection',
        'pictures_max_size',
        'show_report_abuse',
        'quiet_subscription',
        'allow_account_deletion',
    ) {

        $param->{'conf'}{$p} = Conf::get_robot_conf($robot, $p);
        $param->{$p} = Conf::get_robot_conf($robot, $p)
            if $p =~ /_url\z/;
    }
    # Compat.: deprecated attributes of Robot.
    $param->{'conf'}{'sympa'} = Sympa::get_address($robot);
    $param->{'conf'}{'request'} = Sympa::get_address($robot, 'owner');
    # Compat <= 6.2.16: CSS related.
    $param->{'css_path'} = sprintf '%s/%s', $Conf::Conf{'css_path'}, $robot;
    $param->{'css_url'}  = sprintf '%s/%s', $Conf::Conf{'css_url'},  $robot;
    # Compat. < 6.2.32: "host" parameter was deprecated.
    $param->{'conf'}{'host'} = Conf::get_robot_conf($robot, 'domain');
    # Compat. < 6.2.62: Renamed parameters.
    $param->{'conf'}{'use_blacklist'} =
        Conf::get_robot_conf($robot, 'use_blocklist');

    foreach my $auth (keys %{$Conf::Conf{'cas_id'}{$robot}}) {
        $log->syslog('debug2', 'CAS authentication service %s', $auth);
        $param->{'sso'}{$auth} =
            $Conf::Conf{'cas_id'}{$robot}{$auth}
            {'auth_service_friendly_name'};
    }

    foreach my $auth (keys %{$Conf::Conf{'generic_sso_id'}{$robot}}) {
        $log->syslog('debug', 'Generic SSO authentication service %s', $auth);
        $param->{'sso'}{$auth} =
            $Conf::Conf{'auth_services'}{$robot}
            [$Conf::Conf{'generic_sso_id'}{$robot}{$auth}]{'service_name'};
    }

    $param->{'sso_number'} =
        $Conf::Conf{'cas_number'}{$robot} +
        $Conf::Conf{'generic_sso_number'}{$robot};
    $param->{'use_passwd'} = $Conf::Conf{'use_passwd'}{$robot};
    $param->{'use_sso'} = 1 if ($param->{'sso_number'});
    $param->{'authentication_info_url'} =
        $Conf::Conf{'authentication_info_url'}{$robot};
    $param->{'wwsconf'} = Conf::_load_wwsconf;    #FXIME: no longer used?

    $param->{'version'} = Sympa::Constants::VERSION;
    $param->{'date'} =
        $language->gettext_strftime("%d %b %Y at %H:%M:%S", localtime time);
    $param->{'time'} =
        $language->gettext_strftime("%H:%M:%S", localtime time);

    ## Hash defining the parameters where no control is performed (because
    ## they are supposed to contain html and/or javascript).
    $param->{'htmlAllowedParam'} = {
        #'hidden_head'          => 1,
        #'hidden_end'           => 1,
        #'hidden_at'            => 1,
        'selected'             => 1,
        'logo_html_definition' => 1,
        'html_dumpvars'        => 1,
        'html_editor_init'     => 1,
        'html_content'         => 1,
    };
    ## Hash defining the parameters where HTML must be filtered.
    $param->{'htmlToFilter'} = {
        'homepage_content' => 1,
        'info_content'     => 1,
    };

    ## Change to list root
    unless (chdir $Conf::Conf{'home'}) {
        Sympa::WWW::Report::reject_report_web('intern', 'chdir_error', {},
            '', '', '', $robot);
        wwslog('info', 'Unable to change directory');
        exit -1;