#!--PERL--
# -*- indent-tabs-mode: nil; -*-
# vim:ft=perl:et:sw=4
# $Id$

# Sympa - SYsteme de Multi-Postage Automatique
#
# Copyright (c) 1997, 1998, 1999 Institut Pasteur & Christophe Wolfhugel
# Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
# 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
# Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
# Copyright 2017, 2018, 2019, 2020 The Sympa Community. See the AUTHORS.md
# file at the top-level directory of this distribution and at
# <https://github.com/sympa-community/sympa.git>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

## Copyright 1999 Comité Réseaux des Universités
## web interface to Sympa mailing lists manager
## Sympa: http://www.sympa.org/
## Authors :
##           Serge Aumont <sa AT cru.fr>
##           Olivier Salaün <os AT cru.fr>

use strict;
##use warnings;
use lib split(/:/, $ENV{SYMPALIB} || ''), '--modulesdir--';

use Archive::Zip qw();
use DateTime;
use DateTime::Format::Mail;
use Digest::MD5;
use Encode qw();
use English qw(-no_match_vars);
use IO::File qw();
use MIME::EncWords;
use MIME::Lite::HTML;
use POSIX qw();
use Time::Local qw();
use URI;
use Data::Dumper;    # tentative
# Optional dependency: a load failure is deliberately swallowed so the rest
# of the interface keeps working without it (presumably it backs the
# show_cert / load_cert actions -- confirm).  A block eval with require
# avoids the string eval while keeping the same "ignore if absent" effect.
BEGIN {
    eval {
        require Crypt::OpenSSL::X509;
        Crypt::OpenSSL::X509->import;
        1;
    };
}

use Sympa;
use Sympa::Archive;
use Conf;
use Sympa::ConfDef;
use Sympa::Constants;
use Sympa::Crash Hook => \&_crash_handler;    # Show traceback.
use Sympa::Database;
use Sympa::DatabaseManager;
use Sympa::Family;
use Sympa::HTMLSanitizer;
use Sympa::Language;
use Sympa::List;
use Sympa::List::Config;
use Sympa::List::Users;
use Sympa::Log;
use Sympa::Message;
use Sympa::Regexps;
use Sympa::Robot;
use Sympa::Scenario;
use Sympa::Spindle::ProcessRequest;
use Sympa::Spindle::ResendArchive;
use Sympa::Spool::Archive;
use Sympa::Spool::Auth;
use Sympa::Spool::Held;
use Sympa::Spool::Incoming;
use Sympa::Spool::Listmaster;
use Sympa::Spool::Moderation;
use Sympa::Spool::Outgoing;
use Sympa::Spool::Topic;
use Sympa::Task;
use Sympa::Template;
use Sympa::Ticket;
use Sympa::Tools::Data;
use Sympa::Tools::File;
use Sympa::Tools::Password;
use Sympa::Tools::Text;
use Sympa::Tracking;
use Sympa::User;
use Sympa::WWW::Auth;
use Sympa::WWW::FastCGI;
use Sympa::WWW::Marc::Search;
use Sympa::WWW::Report;
use Sympa::WWW::Session;
use Sympa::WWW::SharedDocument;
use Sympa::WWW::Tools;

## Script-wide state (the libraries themselves are loaded above).
my %options;

# Location of the main Sympa configuration file, taken from Sympa::Constants.
my $sympa_conf_file = Sympa::Constants::CONFIG;

# Package globals (declared with `our`), hence reachable as $main::list etc.
# from outside this file.
our $list;
# Hashref of per-request parameters; entries of %required_args written as
# 'param.x' refer to keys of this hash.
our $param = {};
our $robot_id;
our $session;

# Per-request lexicals, reset for each request handled by this script.
my $robot;
my $cookie_domain;
my $ip;
my $rss;
my $ajax;

my $allow_absolute_path;    #FIXME: to be removed in the future.
my @other_include_path;     #FIXME: ditto.

## Load sympa config
# The logger is only opened further down, so a configuration that fails to
# load can only be reported on STDERR before exiting.
Conf::load()
    or do {
    printf STDERR
        "Unable to load sympa configuration, file %s or one of the vhost robot.conf files contain errors. Exiting.\n",
        Conf::get_sympa_conf();
    exit 1;
    };

# Open log
# Logger settings come from the main configuration; the 'syslog' setting is
# used as facility whenever 'log_facility' is unset or empty.
my $log = Sympa::Log->instance;
$log->{level} = $Conf::Conf{'log_level'};
my $log_facility = $Conf::Conf{'log_facility'} || $Conf::Conf{'syslog'};
$log->openlog($log_facility, $Conf::Conf{'log_socket_type'});

# use_bulk presumably routes listmaster notifications through the bulk
# spool -- confirm in Sympa::Spool::Listmaster.
my $listmaster_spool = Sympa::Spool::Listmaster->instance;
$listmaster_spool->{use_bulk} = 1;

# hash of all the description files already loaded
# format :
#     $desc_files{pathfile}{'date'} : date of the last load
#     $desc_files{pathfile}{'desc_hash'} : hash which describes
#                         the description file

#%desc_files_map; NOT USED ANYMORE

## Shared directory and description file

#$shared = 'shared';
#$desc = '.desc';

## subroutines
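# Dispatch table: action name => handler subroutine name.  Every value is a
# do_* sub (presumably defined further down this file).  An action that is
# not a key here cannot be dispatched through this table, so the commented
# out entries are unreachable.  %comm_aliases (below) maps alternative
# action names onto keys of this table.
our %comm = (
    'confirm_action' => 'do_confirm_action',
    'home'           => 'do_home',
    'logout'         => 'do_logout',
    #'loginrequest'           => 'do_loginrequest',
    'login'               => 'do_login',
    'sso_login'           => 'do_sso_login',
    'sso_login_succeeded' => 'do_sso_login_succeeded',
    'subscribe'           => 'do_subscribe',
    #'multiple_subscribe'     => 'do_multiple_subscribe',
    #'subrequest'             => 'do_subrequest',
    'subindex'       => 'do_subindex',
    'suboptions'     => 'do_suboptions',
    'signoff'        => 'do_signoff',
    'auto_signoff'   => 'do_auto_signoff',
    'family_signoff' => 'do_family_signoff',
    #'family_signoff_request' => 'do_family_signoff_request',
    #XXX'multiple_signoff'    => 'do_multiple_signoff',
    #'sigrequest' => 'do_sigrequest',
    'sigindex' => 'do_sigindex',
    'decl_add' => 'do_decl_add',
    'decl_del' => 'do_decl_del',
    'my'       => 'do_my',
    #'which' => 'do_which',
    'lists'            => 'do_lists',
    'lists_categories' => 'do_lists_categories',
    'latest_lists'     => 'do_latest_lists',
    'active_lists'     => 'do_active_lists',
    'including_lists'  => 'do_including_lists',
    'info'             => 'do_info',
    'subscriber_count' => 'do_subscriber_count',
    'review'           => 'do_review',
    'search'           => 'do_search',
    'pref'             => 'do_pref',
    'setpref'          => 'do_setpref',
    'setpasswd'        => 'do_setpasswd',
    'renewpasswd'      => 'do_renewpasswd',
    'firstpasswd'      => 'do_firstpasswd',
    'requestpasswd'    => 'do_requestpasswd',
    'choosepasswd'     => 'do_choosepasswd',
    'set'              => 'do_set',
    'admin'            => 'do_admin',
    'import'           => 'do_import',
    'add'              => 'do_add',
    'auth_add'         => 'do_auth_add',
    'del'              => 'do_del',
    'auth_del'         => 'do_auth_del',
    'mass_del'         => 'do_mass_del',
    'modindex'         => 'do_modindex',
    'docindex'         => 'do_docindex',
    'reject'           => 'do_reject',
    #XXX'reject_notify' => 'do_reject_notify',
    'distribute'      => 'do_distribute',
    'add_frommod'     => 'do_add_frommod',
    'viewmod'         => 'do_viewmod',
    'd_reject_shared' => 'do_d_reject_shared',
    #XXX'reject_notify_shared' => 'do_reject_notify_shared',
    'd_install_shared'  => 'do_d_install_shared',
    'editfile'          => 'do_editfile',
    'savefile'          => 'do_savefile',
    'arc'               => 'do_arc',
    'latest_arc'        => 'do_latest_arc',
    'latest_d_read'     => 'do_latest_d_read',
    'arc_manage'        => 'do_arc_manage',
    'remove_arc'        => 'do_remove_arc',
    'send_me'           => 'do_send_me',
    'view_source'       => 'do_view_source',
    'tracking'          => 'do_tracking',
    'arcsearch_form'    => 'do_arcsearch_form',
    'arcsearch_id'      => 'do_arcsearch_id',
    'arcsearch'         => 'do_arcsearch',
    'rebuildarc'        => 'do_rebuildarc',
    'rebuildallarc'     => 'do_rebuildallarc',
    'arc_download'      => 'do_arc_download',
    'arc_delete'        => 'do_arc_delete',
    'serveradmin'       => 'do_serveradmin',
    'set_loglevel'      => 'do_set_loglevel',
    'set_dumpvars'      => 'do_set_dumpvars',
    'show_sessions'     => 'do_show_sessions',
    'unset_dumpvars'    => 'do_unset_dumpvars',
    'set_session_email' => 'do_set_session_email',
    'restore_email'     => 'do_restore_email',
    'skinsedit'         => 'do_skinsedit',
    #XXX'css' => 'do_css',
    'help'                     => 'do_help',
    'edit_list_request'        => 'do_edit_list_request',
    'edit_list'                => 'do_edit_list',
    'create_list_request'      => 'do_create_list_request',
    'create_list'              => 'do_create_list',
    'get_pending_lists'        => 'do_get_pending_lists',
    'get_closed_lists'         => 'do_get_closed_lists',
    'get_latest_lists'         => 'do_get_latest_lists',
    'get_inactive_lists'       => 'do_get_inactive_lists',
    'get_biggest_lists'        => 'do_get_biggest_lists',
    'set_pending_list_request' => 'do_set_pending_list_request',
    'install_pending_list'     => 'do_install_pending_list',
    'edit_config'              => 'do_edit_config',
    #XXX'submit_list' => 'do_submit_list',
    'editsubscriber'      => 'do_editsubscriber',
    'edit'                => 'do_edit',
    'viewbounce'          => 'do_viewbounce',
    'redirect'            => 'do_redirect',
    'rename_list_request' => 'do_rename_list_request',
    'move_list'           => 'do_move_list',
    'copy_list'           => 'do_copy_list',
    'reviewbouncing'      => 'do_reviewbouncing',
    'resetbounce'         => 'do_resetbounce',
    'scenario_test'       => 'do_scenario_test',
    'search_list'         => 'do_search_list',
    'search_list_request' => 'do_search_list_request',
    'show_cert'           => 'do_show_cert',
    'close_list'          => 'do_close_list',
    'open_list'           => 'do_open_list',
    'purge_list'          => 'do_purge_list',
    'upload_pictures'     => 'do_upload_pictures',
    'delete_pictures'     => 'do_delete_pictures',
    'd_read'              => 'do_d_read',
    'd_create_child'      => 'do_d_create_child',
    'd_unzip'             => 'do_d_unzip',
    'd_editfile'          => 'do_d_editfile',
    'd_properties'        => 'do_d_properties',
    'd_update'            => 'do_d_update',
    'd_describe'          => 'do_d_describe',
    'd_delete'            => 'do_d_delete',
    'd_rename'            => 'do_d_rename',
    'd_control'           => 'do_d_control',
    'd_change_access'     => 'do_d_change_access',
    'd_set_owner'         => 'do_d_set_owner',
    'd_admin'             => 'do_d_admin',
    'dump_scenario'       => 'do_dump_scenario',
    'export_member'       => 'do_export_member',
    'remind'              => 'do_remind',
    'move_user'           => 'do_move_user',
    'load_cert'           => 'do_load_cert',
    'compose_mail'        => 'do_compose_mail',
    'send_mail'           => 'do_send_mail',
    'request_topic'       => 'do_request_topic',
    'tag_topic_by_sender' => 'do_tag_topic_by_sender',
    'search_user'         => 'do_search_user',
    'set_lang'            => 'do_set_lang',
    'attach'              => 'do_attach',
    'stats'               => 'do_stats',
    'viewlogs'            => 'do_viewlogs',
    'wsdl'                => 'do_wsdl',
    'sync_include'        => 'do_sync_include',
    'review_family'       => 'do_review_family',
    'ls_templates'        => 'do_ls_templates',
    'remove_template'     => 'do_remove_template',
    'copy_template'       => 'do_copy_template',
    'view_template'       => 'do_view_template',
    'edit_template'       => 'do_edit_template',
    #'rss' => 'do_rss', #FIXME:Currently processed in differenct way.
    'rss_request'     => 'do_rss_request',
    'maintenance'     => 'do_maintenance',
    'blacklist'       => 'do_blacklist',
    'edit_attributes' => 'do_edit_attributes',
    'ticket'          => 'do_ticket',
    'manage_template' => 'do_manage_template',
    'rt_create'       => 'do_rt_create',
    'rt_delete'       => 'do_rt_delete',
    'rt_edit'         => 'do_rt_edit',
    'rt_setdefault'   => 'do_rt_setdefault',
    'rt_update'       => 'do_rt_update',
    #XXX'send_newsletter' => 'do_send_newsletter',
    'suspend'                => 'do_suspend',
    'suspend_request'        => 'do_suspend_request',
    'suspend_request_action' => 'do_suspend_request_action',
    'show_exclude'           => 'do_show_exclude',
    # 'ca' stands for 'custom_action'. I used a short name to make it discrete
    # in a URL.
    'ca' => 'do_ca',
    # 'lca' stands for 'list_custom_action'. I used a short name to make it
    # discrete in a URL.
    'lca' => 'do_lca',
    #XXX'automatic_lists_management_request' =>
    #XXX    'do_automatic_lists_management_request',
    #XXX'automatic_lists_management'    => 'do_automatic_lists_management',
    'create_automatic_list'         => 'do_create_automatic_list',
    'create_automatic_list_request' => 'do_create_automatic_list_request',
    'auth'                          => 'do_auth',
    'delete_account'                => 'do_delete_account',
);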

# Alternative action names => canonical %comm key.  Every value here is a
# key of %comm; the aliases are presumably older action names kept so that
# existing links keep working -- confirm before removing any.
my %comm_aliases = (
    add_fromsub             => 'auth_add',
    add_request             => 'import',
    automatic_lists         => 'create_automatic_list',
    automatic_lists_request => 'create_automatic_list_request',
    change_email            => 'move_user',
    change_email_request    => 'move_user',
    del_fromsig             => 'auth_del',
    dump                    => 'export_member',
    family_signoff_request  => 'family_signoff',
    ignoresig               => 'decl_del',
    ignoresub               => 'decl_add',
    loginrequest            => 'login',
    rename_list             => 'move_list',
    restore_list            => 'open_list',
    sigrequest              => 'signoff',
    subrequest              => 'subscribe',
);

# No longer used.
#my %auth_action;

# Arguments awaited in the PATH_INFO, depending on the action.
# NOTE:
# * The email addresses should NOT be embedded in PATH_INFO, because included
#   slashes (/) cannot be handled correctly by web servers. They are kept just
#   for compatibility to earlier releases of Sympa.  Use query parameters
#   instead.
# Per-action names of the arguments taken from PATH_INFO (presumably
# positional, in the order listed).  A name starting with '@' is always the
# last one and presumably collects all remaining path segments -- confirm
# against the PATH_INFO parser.  Slots such as '@path', '@file', 'dir' and
# 'file' are attacker-controlled URL fragments; this table only names them,
# so the handlers are where canonicalisation and confinement must happen.
our %action_args = (
    default         => ['list'],
    editfile        => ['list', 'file', 'previous_action'],
    requestpasswd   => ['email'],
    choosepasswd    => ['email', 'passwd'],
    lists           => ['topic', 'subtopic'],
    latest_lists    => ['topic', 'subtopic'],
    active_lists    => ['topic', 'subtopic'],
    including_lists => ['list'],
    login           => ['previous_action', 'previous_list'],
    sso_login => ['auth_service_name', 'subaction', 'email', 'ticket'],
    sso_login_succeeded =>
        ['auth_service_name', 'previous_action', 'previous_list'],
    #'loginrequest' => ['previous_action', 'previous_list'],
    logout      => ['previous_action', 'previous_list'],
    renewpasswd => ['previous_action', 'previous_list'],
    firstpasswd => ['previous_action', 'previous_list'],
    #XXX'css' => ['file'],
    pref             => ['previous_action', 'previous_list'],
    reject           => ['list', 'id'],
    distribute       => ['list', 'id'],
    add_frommod      => ['list', 'id'],
    dump_scenario    => ['list', 'scenario_function'],
    d_reject_shared  => ['list', 'id'],
    d_install_shared => ['list', 'id'],
    modindex         => ['list'],
    docindex         => ['list'],
    viewmod          => ['list', 'id', '@file'],
    add              => ['list', 'email'],
    import           => ['list'],
    del              => ['list', 'email'],
    #'editsubscriber' =>
    #    ['list', 'email', 'previous_action', 'custom_attribute'],
    #'editsubscriber' => ['list', 'email', 'previous_action'],
    editsubscriber => ['list'],
    edit           => ['list', 'role'],
    #'viewbounce' => ['list', 'email', '@file'],
    viewbounce => ['list', 'dir', '@file'],
    #'resetbounce'    => ['list', 'email'],
    review         => ['list', 'page', 'size', 'sortby'],
    reviewbouncing => ['list', 'page', 'size'],
    arc            => ['list', 'month', '@arc_file'],
    latest_arc     => ['list'],
    arc_manage     => ['list'],
    arcsearch_form => ['list', 'archive_name'],
    arcsearch_id   => ['list', 'archive_name', '@msgid'],
    rebuildarc     => ['list', 'month'],
    rebuildallarc  => [],
    arc_download   => ['list'],
    arc_delete     => ['list', 'zip'],
    home           => [],
    help           => ['help_topic'],
    show_cert      => [],
    subscribe      => ['list'],
    #'subrequest' => ['list','email'],
    subindex       => ['list'],
    decl_add       => ['list'],
    signoff        => ['list'],
    auto_signoff   => ['list'],
    family_signoff => ['family'],
    #'family_signoff_request' => ['family', 'email'],
    #'sigrequest'             => ['list',   'email'],
    sigindex           => ['list'],
    decl_del           => ['list'],
    set                => ['list', 'email', 'reception', 'gecos'],
    serveradmin        => ['subaction'],
    set_session_email  => ['email'],
    skinsedit          => [],
    get_pending_lists  => [],
    get_closed_lists   => [],
    get_latest_lists   => [],
    get_inactive_lists => [],
    get_biggest_lists  => [],
    search_list        => ['filter_list'],
    shared            => ['list', '@path'],    #FIXME: no such function.
    d_read            => ['list', '@path'],
    latest_d_read     => ['list'],
    d_admin           => ['list', 'd_admin'],
    d_delete          => ['list', '@path'],
    d_rename          => ['list', '@path'],
    d_create_child    => ['list', '@path'],
    d_update          => ['list', '@path'],
    d_describe        => ['list', '@path'],
    d_editfile        => ['list', '@path'],
    d_properties      => ['list', '@path'],
    d_control         => ['list', '@path'],
    d_change_access   => ['list', '@path'],
    d_set_owner       => ['list', '@path'],
    export_member     => ['list', 'format'],
    search            => ['list', 'filter'],
    search_user       => ['email'],
    set_lang          => ['lang'],
    attach            => ['list', 'dir', 'file'],
    stats             => ['list'],
    edit_list_request => ['list', 'group'],
    move_list           => ['list', 'new_listname', 'new_robot'],
    copy_list           => ['list', 'new_listname', 'new_robot'],
    redirect            => [],
    viewlogs            => ['list', 'page', 'size', 'sortby'],
    wsdl                => [],
    sync_include        => ['list'],
    review_family       => ['family_name'],
    ls_templates        => ['list'],
    view_template       => [],
    remove_template     => [],
    copy_template       => ['list'],
    edit_template       => ['list'],
    rss_request         => ['list'],
    request_topic       => ['list', 'authkey'],
    tag_topic_by_sender => ['list'],
    ticket              => ['ticket'],
    move_user           => [],
    manage_template     => ['subaction', 'list', 'message_template'],
    rt_delete           => ['list', 'message_template'],
    rt_edit             => ['list', 'message_template'],
    send_newsletter     => [],
    compose_mail        => ['list', 'subaction'],
    suspend             => ['list'],
    suspend_request     => ['subaction'],
    show_exclude        => ['list'],
    ca                  => ['custom_action', '@cap'],
    lca                 => ['custom_action', 'list', '@cap'],
    #XXX'automatic_lists_management_request' => [],
    #XXX'automatic_lists_management'         => [],
    create_automatic_list         => ['family'],
    create_automatic_list_request => ['family'],
    auth                          => ['id', 'heldaction', 'listname'],
    auth_add                      => ['list'],
    auth_del                      => ['list'],
);

## Define the required parameters for each action
## Parameter names refer to the %in structure, or to $param if mentioned as
## 'param.x'
## This structure is used to determine if any parameter is missing
## The list of parameters is not ordered
## Some keywords are reserved: param.list and param.user.email
## Alternate parameters can be defined with the '|' character
## Limits of this structure: it does not define optional parameters (a or b)
## Limit: it does not allow a specific error message, nor a redirect to a
## given page, when a parameter is missing
our %required_args = (
Luc Didry's avatar
Luc Didry committed
503
504
505
506
507
508
509
510
511
512
513
514
    'active_lists'   => ['for|count'],
    'admin'          => ['param.list', 'param.user.email'],
    'add'            => ['param.list', 'param.user.email'],
    'import'         => ['param.list', 'param.user.email'],
    'arc'            => ['param.list'],
    'arc_delete'     => ['param.user.email', 'param.list'],
    'arc_download'   => ['param.user.email', 'param.list'],
    'arc_manage'     => ['param.list'],
    'arcsearch'      => ['param.list'],
    'arcsearch_form' => ['param.list'],
    'arcsearch_id'   => ['param.list'],
    'auth'           => ['id', 'heldaction', 'email'],
515
516
    'auth_add'       => ['param.list', 'param.user.email', 'id'],
    'auth_del'       => ['param.list', 'param.user.email', 'id'],
Luc Didry's avatar
Luc Didry committed
517
518
519
520
521
522
523
524
    'auto_signoff'   => ['param.list', 'email'],
    'attach'         => ['param.list'],
    'blacklist'      => ['param.list'],
    'move_user' =>
        ['param.user.email', 'current_email|old_email', 'email|new_email'],
    'close_list'    => ['param.user.email', 'param.list'],
    'compose_mail'  => ['param.user.email', 'param.list'],
    'copy_template' => ['webormail'],
525
    ## other required parameters are checked in the subroutine
526
527
    'create_automatic_list'         => ['param.user.email', 'family'],
    'create_automatic_list_request' => ['param.user.email', 'family'],
528
    'create_list'                   => ['param.user.email', 'info'],
529
    'create_list_request'           => ['param.user.email'],
530
    #XXX'css' => [],
531
532
533
534
535
    'd_admin'         => ['param.list', 'param.user.email'],
    'd_change_access' => ['param.list', 'param.user.email'],
    'd_control'       => ['param.list', 'param.user.email'],
    'd_create_child' =>
        ['param.list', 'param.user.email', 'new_name|uploaded_file'],
536
537
538
539
540
541
542
543
    'd_delete'         => ['param.list', 'param.user.email'],
    'd_describe'       => ['param.list', 'param.user.email', 'content'],
    'd_editfile'       => ['param.list', 'param.user.email'],
    'd_install_shared' => ['param.list', 'param.user.email', 'id'],
    'd_properties'     => ['param.list', 'param.user.email'],
    'd_read'          => ['param.list'],
    'd_reject_shared' => ['param.list', 'param.user.email', 'id'],
    'd_rename'        => ['param.list', 'param.user.email', 'new_name'],
544
    'd_update' =>
545
        ['param.list', 'param.user.email', 'content|url|uploaded_file'],
546
    'd_set_owner'     => ['param.list', 'param.user.email'],
sikeda's avatar
sikeda committed
547
    'd_unzip'         => ['param.list', 'param.user.email', 'uploaded_file'],
548
549
550
551
    'del'             => ['param.list', 'param.user.email', 'email'],
    'delete_pictures' => ['param.list', 'param.user.email'],
    'distribute'      => ['param.list', 'param.user.email', 'id|idspam'],
    'add_frommod'     => ['param.list', 'param.user.email', 'id'],
552
    'dump_scenario'   => ['param.list', 'scenario_function|pname'],
553
    'edit'            => ['param.list', 'param.user.email', 'role', 'email'],
Luc Didry's avatar
Luc Didry committed
554
555
556
557
558
559
    'edit_list'         => ['param.user.email', 'param.list'],
    'edit_list_request' => ['param.user.email', 'param.list'],
    'edit_template'     => ['webormail'],
    'editfile'          => ['param.user.email'],
    'editsubscriber'    => ['param.list',       'param.user.email', 'email'],
    'export_member'        => ['param.list'],
560
    'family_signoff'       => ['family', 'email'],
Luc Didry's avatar
Luc Didry committed
561
562
563
564
565
    'get_closed_lists'     => ['param.user.email'],
    'get_inactive_lists'   => ['param.user.email'],
    'get_latest_lists'     => ['param.user.email'],
    'get_biggest_lists'    => ['param.user.email'],
    'get_pending_lists'    => ['param.user.email'],
566
567
    'decl_del'             => ['param.list', 'param.user.email', 'id'],
    'decl_add'             => ['param.list', 'param.user.email', 'id'],
568
    'delete_account'       => ['passwd', 'i_understand_the_consequences'],
569
    'including_lists'      => ['param.list', 'param.user.email'],
570
571
572
573
    'info'                 => ['param.list'],
    'install_pending_list' => ['param.user.email'],
    'edit_config'          => ['param.user.email'],
    'latest_arc'           => ['param.list', 'for|count'],
Luc Didry's avatar
Luc Didry committed
574
575
576
577
578
579
    'latest_d_read'        => ['param.list', 'for', 'count'],
    'latest_lists'         => ['for|count'],
    'load_cert'            => ['param.list'],
    'logout'               => ['param.user.email'],
    'manage_template'      => ['param.list', 'param.user.email'],
    'my'                   => ['param.user.email'],
580
    'rt_create' => ['param.list', 'param.user.email', 'new_template_name'],
Luc Didry's avatar
Luc Didry committed
581
582
    'rt_delete' => ['param.list', 'param.user.email', 'message_template'],
    'rt_edit'   => ['param.list', 'param.user.email', 'message_template'],
583
584
585
    'rt_setdefault' => ['param.list', 'param.user.email', 'new_default'],
    'rt_update' =>
        ['param.list', 'param.user.email', 'message_template', 'content'],
Luc Didry's avatar
Luc Didry committed
586
587
588
589
590
591
592
593
    'modindex'      => ['param.list',       'param.user.email'],
    'docindex'      => ['param.list',       'param.user.email'],
    'pref'          => ['param.user.email'],
    'purge_list'    => ['param.user.email', 'selected_lists'],
    'rebuildallarc' => ['param.user.email'],
    'rebuildarc'    => ['param.user.email', 'param.list'],
    'reject'        => ['param.list',       'param.user.email', 'id|idspam'],
    'remind'        => ['param.list',       'param.user.email'],
594
595
    'remove_arc'      => ['param.list'],
    'remove_template' => ['webormail'],
596
    'move_list' =>
597
598
599
        ['param.user.email', 'param.list', 'new_listname', 'new_robot'],
    'copy_list' =>
        ['param.user.email', 'param.list', 'new_listname', 'new_robot'],
600
    'open_list'           => ['param.user.email', 'param.list'],
601
602
    'rename_list_request' => ['param.user.email', 'param.list'],
    'request_topic'       => ['param.list',       'authkey'],
Luc Didry's avatar
Luc Didry committed
603
    'resetbounce'     => ['param.list', 'param.user.email', 'email'],
604
605
606
607
608
    'review'          => ['param.list'],
    'review_family'   => ['param.user.email', 'family_name'],
    'reviewbouncing'  => ['param.list'],
    'rss_request'     => [],
    'savefile'        => ['param.user.email', 'file'],
609
    'search'          => ['param.list'],
610
611
612
613
614
615
616
617
    'search_user'     => ['param.user.email', 'email'],
    'send_mail'       => ['param.user.email'],
    'send_newsletter' => ['param.list', 'param.user.email', 'url'],
    'send_me'         => ['param.list'],
    'view_source'     => ['param.list'],
    'tracking'        => ['param.list'],
    'requestpasswd'   => ['email'],
    'serveradmin'     => ['param.user.email'],
618
    'set'      => ['param.user.email', 'param.list', 'reception|visibility'],
619
620
    'set_lang' => [],
    'set_pending_list_request' => ['param.user.email'],
Luc Didry's avatar
Luc Didry committed
621
622
623
624
625
626
627
628
629
630
631
632
633
    'setpasswd'        => ['param.user.email', 'newpasswd1', 'newpasswd2'],
    'setpref'          => ['param.user.email'],
    'sigindex'         => ['param.list', 'param.user.email'],
    'signoff'          => ['param.list'],
    'skinsedit'        => ['param.user.email'],
    'sso_login'        => ['auth_service_name'],
    'stats'            => ['param.list'],
    'subindex'         => ['param.list', 'param.user.email'],
    'suboptions'       => ['param.list', 'param.user.email'],
    'subscribe'        => ['param.list'],
    'subscriber_count' => ['param.list'],
    'suspend'          => ['param.list', 'param.user.email'],
    'suspend_request'  => [],
634
635
    'suspend_request_action' => [],
    'show_exclude'           => ['param.list'],
Luc Didry's avatar
Luc Didry committed
636
    'sync_include'           => ['param.list', 'param.user.email'],
637
638
639
    'tag_topic_by_sender'    => ['param.list'],
    'upload_pictures'        => ['param.user.email', 'param.list'],
    'view_template'          => ['webormail'],
    'viewbounce'             => ['param.list', 'email|file'],
    'viewlogs'               => ['param.list'],
    'viewmod' => ['param.list', 'param.user.email', 'id|idspam'],
    'wsdl'    => [],
    #'which' => ['param.user.email'],
);

## Privileges required to run privileged actions.
##
## Each value is an ARRAYREF of roles that are treated as equivalent for the
## action: holding any one of them is enough.  Roles used here are
## 'listmaster', 'privileged_owner', 'owner' and 'editor'.
##
## NOTE(review): this table only covers the actions that are keys in it.  An
## action that is not listed gets no role check from this table, so every new
## privileged action must be added here (and, for menu rendering, mirrored in
## %action_type).  Keep the two tables in sync: 'unset_dumpvars', for
## instance, has a menu type in %action_type but no entry here — confirm that
## it is gated elsewhere.
our %required_privileges = (
    # Site-wide administration: listmaster only.
    'copy_template'            => ['listmaster'],
    'dump_scenario'            => ['listmaster'],
    'edit_config'              => ['listmaster'],
    'edit_template'            => ['listmaster'],
    'get_biggest_lists'        => ['listmaster'],
    'get_closed_lists'         => ['listmaster'],
    'get_inactive_lists'       => ['listmaster'],
    'get_latest_lists'         => ['listmaster'],
    'get_pending_lists'        => ['listmaster'],
    'install_pending_list'     => ['listmaster'],
    'ls_templates'             => ['listmaster'],
    'mass_del'                 => ['listmaster'],
    'open_list'                => ['listmaster'],
    'rebuildallarc'            => ['listmaster'],
    'rebuildarc'               => ['listmaster'],
    'remove_template'          => ['listmaster'],
    'review_family'            => ['listmaster'],
    'search_user'              => ['listmaster'],
    'serveradmin'              => ['listmaster'],
    'set_dumpvars'             => ['listmaster'],
    'set_loglevel'             => ['listmaster'],
    'set_pending_list_request' => ['listmaster'],
    'set_session_email'        => ['listmaster'],
    'show_sessions'            => ['listmaster'],
    'skinsedit'                => ['listmaster'],
    'view_template'            => ['listmaster'],

    # Destructive list-level operations: privileged owner (plus listmaster
    # where stated).
    'close_list'               => ['privileged_owner'],
    'move_list'                => ['privileged_owner'],
    'purge_list'               => ['privileged_owner', 'listmaster'],
    'rename_list_request'      => ['privileged_owner'],

    # List owner only.
    'arc_delete'               => ['owner'],
    'arc_download'             => ['owner'],
    'arc_manage'               => ['owner'],
    'edit_list'                => ['owner'],
    'edit_list_request'        => ['owner'],
    'manage_template'          => ['owner'],
    'rt_create'                => ['owner'],
    'rt_delete'                => ['owner'],
    'rt_edit'                  => ['owner'],
    'rt_setdefault'            => ['owner'],
    'rt_update'                => ['owner'],
    'stats'                    => ['owner'],

    # Owner or listmaster.
    'copy_list'                => ['owner', 'listmaster'],
    'editfile'                 => ['owner', 'listmaster'],
    'including_lists'          => ['owner', 'listmaster'],
    'savefile'                 => ['owner', 'listmaster'],

    # Owner or editor (subscriber and bounce management).
    'admin'                    => ['owner', 'editor'],
    'auth_add'                 => ['owner', 'editor'],
    'auth_del'                 => ['owner', 'editor'],
    'blacklist'                => ['owner', 'editor'],
    'decl_add'                 => ['owner', 'editor'],
    'decl_del'                 => ['owner', 'editor'],
    'editsubscriber'           => ['owner', 'editor'],
    'resetbounce'              => ['owner', 'editor'],
    'reviewbouncing'           => ['owner', 'editor'],
    'sigindex'                 => ['owner', 'editor'],
    'subindex'                 => ['owner', 'editor'],
    'sync_include'             => ['owner', 'editor'],
    'viewbounce'               => ['owner', 'editor'],
    'viewlogs'                 => ['owner', 'editor'],

    # Moderation and shared-document handling (editor listed first, as in the
    # historical ordering; the order inside the ARRAYREF is kept verbatim).
    'add_frommod'              => ['editor', 'owner'],
    'd_install_shared'         => ['editor', 'owner'],
    'd_reject_shared'          => ['editor', 'owner'],
    'distribute'               => ['editor', 'owner', 'listmaster'],
    'docindex'                 => ['editor', 'owner', 'listmaster'],
    'edit'                     => ['editor', 'owner', 'listmaster'],
    'modindex'                 => ['editor', 'owner', 'listmaster'],
    'reject'                   => ['editor', 'owner', 'listmaster'],
    'viewmod'                  => ['editor', 'owner', 'listmaster'],

    #XXX'automatic_lists_management_request' => ['listmaster'],
    #XXX'automatic_lists_management'         => ['listmaster'],
);

# Actions that must carry a valid CSRF token to be executed.
#
# An action is a candidate for this list if it modifies an object or setting.
#
# Why not just protect all actions? Many of them are used in GET requests
# without any forms, making it more difficult to supply a CSRF token.
# This list intentionally starts out small in the name of breaking as little
# as possible.
#
# NOTE(review): this is an allow-list — only the actions named here are
# checked by the CSRF-token mechanism, and a state-changing action that is
# missing gets no token check from it at all.  Any new form-driven action
# that changes state should be added here.
our %require_csrftoken = map { ($_ => 1) } qw(
    add
    del
    move_user
    savefile
    setpasswd
    setpref
);

# Left-side menu type for each action: 'admin' selects the list-owner admin
# menu, 'serveradmin' the server admin menu; an action absent from this table
# gets the "none list" or "your_list" menu.
#
# NOTE(review): this table only drives menu rendering.  Being listed here
# grants nothing; the role check is %required_privileges, which is maintained
# separately.  Some actions have a menu type but no %required_privileges
# entry (e.g. 'unset_dumpvars', 'export_member', 'scenario_test') — confirm
# that they are authorized elsewhere.
my %action_type;

# Actions shown with the list-owner admin menu.
$action_type{$_} = 'admin' for qw(
    review search admin import add del
    reject reject_notify distribute add_frommod viewmod savefile
    rebuildallarc
    reviewbouncing edit edit_list_request edit_list editsubscriber
    viewbounce resetbounce scenario_test close_list
    d_admin d_reject_shared d_install_shared dump_scenario export_member
    open_list remind
    stats decl_del decl_add move_list copy_list rename_list_request
    arc_manage sync_include view_template remove_template copy_template
    edit_template blacklist viewlogs show_exclude
);
#FIXME: 'rebuildallarc' — serveradmin? (it is listmaster-only in
#       %required_privileges)
# 'modindex' and 'subindex' are commented out and therefore not in this set.

# Actions shown with the server admin menu.
$action_type{$_} = 'serveradmin' for qw(
    serveradmin get_pending_lists get_closed_lists get_inactive_lists
    get_latest_lists get_biggest_lists ls_templates skinsedit review_family
    search_user show_sessions rebuildarc set_session_email set_loglevel
    editfile unset_dumpvars set_dumpvars
);
#FIXME: 'editfile' — admin?

#XXX'automatic_lists_management_request' => 'serveradmin',
#XXX'automatic_lists_management'         => 'serveradmin',

# Actions that are not used as the "return to" target after a login
# (steps of the login flow itself and non-page endpoints).
my %temporary_actions = map { ($_ => 1) } qw(
    confirm_action
    logout
    loginrequest
    login
    sso_login
    sso_login_succeeded
    ticket
    rss
    ajax
    wsdl
    redirect
);
#XXX 'css' used to be listed here.
# FIXME: 'rss' is currently not used.

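## Regexp applied on incoming parameters (%in)
## The aim is not a strict definition of parameter format
## but rather a security check.
##
## Maintainer notes (security):
## - The patterns are stored unanchored; anchoring is done by the consumer.
##   Patterns with a top-level alternation ('page', 'month', 'email',
##   'scope', 'role') are wrapped in (?:...) so that anchors placed around
##   the interpolated pattern bind to the whole alternation rather than to
##   its first or last branch only.  This is a no-op when the consumer
##   already groups the pattern itself.
## - The '*' entry is the default for parameters without their own entry.
## - The "file name" patterns ('file', 'arc_file', 'path', 'dir',
##   'template_path', 'uploaded_file') allow '/' and '.', and therefore
##   '..' components as well: they do not prevent directory traversal by
##   themselves.  Code that maps such a value to a filesystem path must
##   canonicalize it and confine it to the intended directory.
## - 'referer', 'failure_referer' and 'url' only exclude shell/HTML
##   metacharacters; they restrict neither scheme nor host, so a redirect
##   target built from them needs its own allow-list check.
## - Entries whose pattern is '.*' or '.+' are effectively unfiltered here.
our %in_regexp = (
    ## Default regexp
    '*' => '[\w\-\.]+',

    ## List config parameters
    'single_param'   => '.+',
    'multiple_param' => '.+',
    'deleted_param'  => '.+',

    ## Textarea content
    'template_content'     => '.+',
    'content'              => '.+',
    'body'                 => '.+',
    'info'                 => '.+',
    'new_scenario_content' => '.+',
    'blacklist'            => '.*',

    ## Integer (or the literal 'owner'/'editor' for 'page')
    'page' => '(?:\d+|owner|editor)',
    'size' => '\d+',

    ## Free data
    'subject'          => '.*',
    'gecos'            => '[^<>\\\*\$\n]+',
    'fromname'         => '[^<>\\\*\$\n]+',
    'additional_field' => '[^<>\\\*\$\n]+',
    'dump'             => '[^<>\\\*\$]+',     # contents email + gecos

    ## Search
    'filter'      => '.*',                    # search subscriber
    'filter_list' => '.*',                    # search list
    'key_word'    => '.*',
    'format'      => '[^<>\\\$\n]+',          # dump format/filter string

    ## File names
    # NOTE(review): unlike 'arc_file'/'path'/'dir' below, 'file' does not
    # exclude a backslash; confirm whether that is intended.
    'file'          => '[^<>\*\$\n]+',
    'template_path' => '[\w\-\.\/_]+',
    'arc_file'      => '[^<>\\\*\$\n]+',
    'path'          => '[^<>\\\*\$\n]+',
    'uploaded_file' =>
        '(.*[\/\\\\])?[^<>\*\$\n]+',          # Could be precised (use of "'")
    'dir'               => '[^<>\\\*\$\n]+',
    'new_name'          => '[^<>\\\*\$\[\]\/\n]+',
    'shortname'         => '[^<>\\\*\$\n]+',
    'id'                => '[^<>\\\*\$\n]+',
    'template_name'     => Sympa::Regexps::template_name(),
    'new_template_name' => Sympa::Regexps::template_name(),
    'message_template'  => Sympa::Regexps::template_name(),
    'new_default'       => Sympa::Regexps::template_name(),

    ## Archives
    ## format is yyyy-mm for 'arc' and mm for 'send_me'
    'month' => '(?:\d{2}|\d{4}\-\d{2})',

    ## URL
    'referer'         => '[^\\\$\*\"\'\`\^\|\<\>\n]+',
    'failure_referer' => '[^\\\$\*\"\'\`\^\|\<\>\n]+',
    'url'             => '[^\\\$\*\"\'\`\^\|\<\>\n]+',

    ## Msg ID
    'msgid'       => '[^\\\*\"\'\`\^\|\n]+',
    'in_reply_to' => '[^\\\*\"\'\`\^\|\n]+',
    'message_id'  => '[^\\\*\"\'\`\^\|\n]+',

    ## Password
    'passwd'       => '.+',
    'password'     => '.+',
    'newpasswd1'   => '.+',
    'newpasswd2'   => '.+',
    'new_password' => '.+',

    ## Topics
    'topic'    => '\@?[\-\w\/]+',
    'topics'   => '[\-\w\/]+',
    'subtopic' => '[\-\w\/]+',

    ## List names
    'list' => '[\w\-\.\+]*',    ## Sympa::Regexps::listname() + uppercase
    'previous_list'  => '[\w\-\.\+]*',
    'listname'       => '[\w\-\.\+]*',
    'new_listname'   => '[\w\-\.\+]*',
    'selected_lists' => '[\w\-\.\+]*',

    ## Family names
    'family_name' => Sympa::Regexps::family_name(),
    'family'      => Sympa::Regexps::family_name(),

    # Email addresses
    'current_email' => Sympa::Regexps::email(),
    # An email address or a bare uid; grouped because it is an alternation.
    'email' => '(?:'
        . Sympa::Regexps::email() . '|'
        . Sympa::Regexps::uid() . ')',
    'init_email' => Sympa::Regexps::email(),
    'old_email'  => Sympa::Regexps::email(),
    'new_email'  => Sympa::Regexps::email(),
    'sender'     => Sympa::Regexps::email(),
    'fromaddr'   => Sympa::Regexps::email(),
    'del_emails' => '.*',
    'to' => '(([\w\-\_\.\/\+\=\']+|\".*\")\s[\w\-]+(\.[\w\-]+)+(,?))*',
    'automatic_list_part_*' => '[\w\-\.\+]*',

    ## Host
    'new_robot'   => Sympa::Regexps::host(),
    'remote_host' => Sympa::Regexps::host(),
    'remote_addr' => Sympa::Regexps::host(),

    ## Scenario name
    'scenario'    => Sympa::Regexps::scenario_name(),
    'read_access' => Sympa::Regexps::scenario_name(),
    'edit_access' => Sympa::Regexps::scenario_name(),

    ## RSS URL or blank
    'active_lists'  => '.*',
    'latest_lists'  => '.*',
    'latest_arc'    => '.*',
    'latest_d_read' => '.*',

    ##Logs
    'target_type' => '[\w\-\.\:]*',
    'target'      => Sympa::Regexps::email(),
    'date_from'   => '[\d\/\-]+',
    'date_to'     => '[\d\/\-]+',
    'ip'          => Sympa::Regexps::host(),

    ## colors (skin editor sub-actions and the 16 color slots)
    'subaction_test'    => '.*',
    'subaction_reset'   => '.*',
    'subaction_install' => '.*',
    (map { ("color_$_" => '\#[0-9a-fA-F]+') } 0 .. 15),

    ## Custom attribute
    'custom_attribute' => '.*',

    ## Templates
    'scope' => '(?:distrib|robot|family|list|site)',

    ## Custom Inputs from create_list_request.tt2
    'custom_input' => '.*',

    ## conf parameters
    'conf_new_value' => '.*',

    ## custom actions
    'cap'  => '.*',
    'lcap' => '.*',

    'plugin' => '.*',

    ## Envelope ID
    'envid' => '\w+',

    ## Authentication/moderation key
    'authkey' => '\w+',

    # Role
    'role' => '(?:member|editor|owner)',
);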

## Negative regexps applied on incoming parameters (%in)
## This defines forbidden expressions: a value that matches the pattern for
## its parameter is rejected.
## Note that you can use the ^ and $ expressions to match beginning and ending
## of expressions (the patterns are not anchored for you).
##
## NOTE(review): only 'arc_file' has a negative rule, and it rejects only a
## value *starting* with "arctxt" or ".".  It does not reject ".." appearing
## after a "/" (e.g. "2020-01/../.."), so confinement to the archive
## directory must still be enforced where 'arc_file' is turned into a path.
our %in_negative_regexp = ('arc_file' => '^(arctxt|\.)');

# No longer used as of 6.2.19b.
#my %filtering;

## Set locale configuration
my $language = Sympa::Language->instance;
$language->set_lang($Conf::Conf{'lang'}, 'en');

# Important to leave this here because it defines defaults for
# user_data_source
#FIXME: Is it really required?
Sympa::DatabaseManager->instance;

## Check that the data structure is up to date and that the sympa.conf
## cookie parameter has not changed; otherwise put the web interface in
## maintenance mode.  The condition is re-checked for every request in the
## main loop below, so the mode is lifted without a restart once the data
## structure has been upgraded.
my $maintenance_mode;
my $maintenance_reason =
      !Conf::data_structure_uptodate() ? 'you should run sympa.pl --upgrade'
    : Conf::cookie_changed() ? 'sympa.conf/cookie parameter has changed.'
    :                          undef;
if (defined $maintenance_reason) {
    $maintenance_mode = 1;
    $log->syslog('err', 'WWSympa set to maintenance mode; %s',
        $maintenance_reason);
}

# Request parameters, filled from $query->Vars for each request; declared
# with "our" so it is a package global rather than a file lexical.
our %in;
my $query;

# mtime of this script at startup (presumably used to detect that the
# script was replaced while this FastCGI process keeps running — confirm in
# the main loop).
my $birthday = (stat $PROGRAM_NAME)[9];

my $bulk = Sympa::Spool::Outgoing->new;

$log->syslog('info', 'WWSympa started, process %d', $PID);

# Internal encoding is now the same as the input/output encoding, so no
# :utf8 layer is pushed on STDIN/STDOUT any more (the former binmode calls
# were removed).

# Main loop bookkeeping.
my $loop_count = 0;
my $start_time = time;
while ($query = Sympa::WWW::FastCGI->new) {
    $loop_count++;

    undef $param;
    undef $list;
    undef $robot;
    undef $cookie_domain;
    undef $ip;
    undef $rss;
    undef $ajax;
    undef $session;

    $log->{level} = $Conf::Conf{'log_level'};
    $language->set_lang(Sympa::best_language('*'));

    # Process grouped notifications.
    Sympa::Spool::Listmaster->instance->flush;

    ## Check effective ID
    unless ($EUID eq (getpwnam(Sympa::Constants::USER))[2]) {
        $maintenance_mode = 1;
        Sympa::WWW::Report::reject_report_web('intern_quiet',
            'incorrect_server_config', {}, '', '');
        wwslog(
            'err',
            'Config error: WWSympa should run with UID %s (instead of %s). *** Switching to maintenance mode. ***',
            (getpwnam(Sympa::Constants::USER))[2],
            $EUID
        );
    }

    ## We set the real UID with the effective UID value
    ## It is useful to allow execution of scripts like alias_manager
    ## that otherwise might loose the benefit of SetUID
    $UID = $EUID;    ## UID
    $GID = $EGID;    ## GID

    unless (Sympa::DatabaseManager->instance) {
        Sympa::WWW::Report::reject_report_web('system_quiet', 'no_database',
            {}, '', '');
        $log->syslog('info', 'WWSympa requires a RDBMS to run');
    }

    ## If in maintenance mode, check if the data structure is now uptodate
    if (    $maintenance_mode
        and Conf::data_structure_uptodate()
        and not Conf::cookie_changed()
        and ($EUID eq (getpwnam(Sympa::Constants::USER))[2])) {
        $maintenance_mode = undef;
        $log->syslog('notice',
            "Data structure seem updated, setting OFF maintenance mode");
    }

    ## Generate traceback if crashed.
    ## Though I don't know why, __DIE__ handler is cleared after INIT.
    Sympa::Crash::register_handler();

    foreach my $envvar (
        qw(ORIG_PATH_INFO ORIG_SCRIPT_NAME
        PATH_INFO QUERY_STRING REMOTE_ADDR REMOTE_HOST REQUEST_METHOD
        SCRIPT_NAME SERVER_NAME SERVER_PORT
        SYMPA_DOMAIN)
    ) {
        $log->syslog('debug', '%s=%s', $envvar, $ENV{$envvar});
    }

    ## Get params in a hash
    %in = $query->Vars;

    # Determin robot.
    $robot = $ENV{SYMPA_DOMAIN};
    unless ($robot) {
        # No robot providing web service found.
        print "Status: 421 Misdirected Request\n";
        print "\n\n";
        next;
    }

    # Default robot.
    $param->{'default_robot'} = 1
        if $robot eq $Conf::Conf{'domain'};

    $ip = $ENV{'REMOTE_HOST'} || $ENV{'REMOTE_ADDR'} || 'undef';

    $cookie_domain = Sympa::WWW::Tools::get_cookie_domain($robot);

    $log->{level} = Conf::get_robot_conf($robot, 'log_level');

    ## Sympa parameters in $param->{'conf'}
    $param->{'conf'} = {};
    foreach my $p (
        'email',
        'soap_url',
        'wwsympa_url',
        'listmaster_email',
        'logo_html_definition',
        'favicon_url',
        'main_menu_custom_button_1_url',
        'main_menu_custom_button_1_title',
        'main_menu_custom_button_1_target',
        'main_menu_custom_button_2_url',
        'main_menu_custom_button_2_title',
        'main_menu_custom_button_2_target',
        'main_menu_custom_button_3_url',
        'main_menu_custom_button_3_title',
        'main_menu_custom_button_3_target',
        'static_content_url',
        'use_blacklist',
        'antispam_feature',
        'custom_robot_parameter',
        'reporting_spam_script_path',
        'automatic_list_families',
        'spam_protection',
        'pictures_max_size',
        'show_report_abuse',
        'quiet_subscription',
        'allow_account_deletion',
    ) {

        $param->{'conf'}{$p} = Conf::get_robot_conf($robot, $p);
        $param->{$p} = Conf::get_robot_conf($robot, $p)
            if $p =~ /_url\z/;
    }
    # Compat.: deprecated attributes of Robot.
    $param->{'conf'}{'sympa'} = Sympa::get_address($robot);
    $param->{'conf'}{'request'} = Sympa::get_address($robot, 'owner');
    # Compat <= 6.2.16: CSS related.
    $param->{'css_path'} = sprintf '%s/%s', $Conf::Conf{'css_path'}, $robot;
    $param->{'css_url'}  = sprintf '%s/%s', $Conf::Conf{'css_url'},  $robot;
    # Compat. < 6.2.32: "host" parameter was deprecated.
    $param->{'conf'}{'host'} = Conf::get_robot_conf($robot, 'domain');

    foreach my $auth (keys %{$Conf::Conf{'cas_id'}{$robot}}) {
        $log->syslog('debug2', 'CAS authentication service %s', $auth);
        $param->{'sso'}{$auth} =
            $Conf::Conf{'cas_id'}{$robot}{$auth}
            {'auth_service_friendly_name'};
    }

    foreach my $auth (keys %{$Conf::Conf{'generic_sso_id'}{$robot}}) {
        $log->syslog('debug', 'Generic SSO authentication service %s', $auth);
        $param->{'sso'}{$auth} =
            $Conf::Conf{'auth_services'}{$robot}
            [$Conf::Conf{'generic_sso_id'}{$robot}{$auth}]{'service_name'};
    }

    $param->{'sso_number'} =
        $Conf::Conf{'cas_number'}{$robot} +
        $Conf::Conf{'generic_sso_number'}{$robot};
    $param->{'use_passwd'} = $Conf::Conf{'use_passwd'}{$robot};
    $param->{'use_sso'} = 1 if ($param->{'sso_number'});
    $param->{'authentication_info_url'} =
        $Conf::Conf{'authentication_info_url'}{$robot};
    $param->{'wwsconf'} = Conf::_load_wwsconf;    #FXIME: no longer used?

    $param->{'version'} = Sympa::Constants::VERSION;
    $param->{'date'} =
        $language->gettext_strftime("%d %b %Y at %H:%M:%S", localtime time);
    $param->{'time'} =
        $language->gettext_strftime("%H:%M:%S", localtime time);

    ## Hash defining the parameters where no control is performed (because
    ## they are supposed to contain html and/or javascript).
    $param->{'htmlAllowedParam'} = {
        #'hidden_head'          => 1,
        #'hidden_end'           => 1,
        #'hidden_at'            => 1,
        'selected'             => 1,
        'logo_html_definition' => 1,
        'html_dumpvars'        => 1,
        'html_editor_init'     => 1,
        'html_content'         => 1,
    };
    ## Hash defining the parameters where HTML must be filtered.
    $param->{'htmlToFilter'} = {
        'homepage_content' => 1,
        'info_content'     => 1,
    };

    ## Change to list root
    unless (chdir $Conf::Conf{'home'}) {
        Sympa::WWW::Report::reject_report_web('intern', 'chdir_error', {},
            '', '', '', $robot);
        wwslog('info', 'Unable to change directory');
        exit -1;
    }

    ## Sets the UMASK
    umask(oct($Conf::Conf{'umask'}));

    ## Authentication
    ## use https client certificate information if define.

    ## Default auth method (for scenarios)
    $param->{'auth_method'} = 'md5';

    Sympa::WWW::Report::init_report_web();

    ## Get PATH_INFO parameters
    get_parameters($robot);

    # Propagate plugins parameters
    $param->{'plugin'} = $in{'plugin'};

    $session = Sympa::WWW::Session->new(
        $robot,