patch by Walter Huijbers (#1833123).
- Fix for IMAP servers that were having problems saving sent messages
- Added multiple select folder list option widgets (SMOPT_TYPE_FLDRLIST_MULTI).
+ - Added "Secured Configuration" mode.
Version 1.5.1 (branched on 2006-02-12)
$use_iframe = 'false' if ( !$use_iframe );
$lossy_encoding = 'false' if ( !$lossy_encoding );
$allow_remote_configtest = 'false' if ( !$allow_remote_configtest );
+$secured_config = 'true' if ( !$secured_config );
$sm_debug_mode = 'SM_DEBUG_MODE_MODERATE' if ( !$sm_debug_mode );
#FIXME: When this is STABLE software, remove the line above and uncomment the one below:
print $WHT. "Configuration tweaks\n" . $NRM;
print "6. Allow remote configtest : $WHT$allow_remote_configtest$NRM\n";
print "7. Debug mode : $WHT$sm_debug_mode$NRM\n";
+ print "8. Secured configuration mode : $WHT$secured_config$NRM\n";
print "\n";
print "R Return to Main Menu\n";
}
elsif ( $command == 5 ) { $use_php_iconv = commandB5(); }
elsif ( $command == 6 ) { $allow_remote_configtest = commandB6(); }
elsif ( $command == 7 ) { $sm_debug_mode = commandB8(); }
+ elsif ( $command == 8 ) { $secured_config = commandB9(); }
}
}
}
return $sm_debug_mode;
}
+# Secured configuration mode (since 1.5.2)
+sub commandB9 {
+ print "This option allows you to enable \"Secured Configuration\" mode,\n";
+ print "which will guarantee that certain settings made herein will be\n";
+ print "made immutable and will not be subject to override by either friendly\n";
+ print "or unfriendly code/plugins. Only a small number of settings herein\n";
+ print "will be used in this manner - just those that are deemed to be a\n";
+ print "potential security threat when rouge plugin or other code may be\n";
+ print "executed inside SquirrelMail.\n";
+ print "\n";
+
+ if ( lc($secured_config) eq 'true' ) {
+ $default_value = "y";
+ } else {
+ $default_value = "n";
+ }
+ print "Enable secured configuration mode? (y/n) [$WHT$default_value$NRM]: $WHT";
+ $secured_config = <STDIN>;
+ if ( ( $secured_config =~ /^y\n/i ) || ( ( $secured_config =~ /^\n/ ) && ( $default_value eq "y" ) ) ) {
+ $secured_config = 'true';
+ } else {
+ $secured_config = 'false';
+ }
+ return $secured_config;
+}
+
sub save_data {
$tab = " ";
if ( open( CF, ">config.php" ) ) {
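Review bot: The answer check in commandB9 accepts only a bare `y` or an empty line, so `yes`, a `y` followed by a space, or any typo falls into the else branch and silently stores `false`, switching the protection off. For a security switch I would loosen the match, e.g. `if ( $secured_config =~ /^\s*y(es)?\s*$/i || ( $secured_config =~ /^\s*$/ && $default_value eq "y" ) ) {`, and keep the current value (or ask again) when the input is neither yes nor no. The help text also prints "rouge plugin" where "rogue plugin" is meant. The save_data lines at the end of this hunk are only context and continue beyond it.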
print CF "\n";
# boolean
print CF "\$allow_remote_configtest = $allow_remote_configtest;\n";
+ print CF "\$secured_config = $secured_config;\n";
# (binary) integer or constant - convert integer
# values to constants before output
$sm_debug_mode = convert_debug_binary_integer_to_constants($sm_debug_mode);
return $result;
}
+/**
+ * Get an immutable copy of a configuration variable if SquirrelMail
+ * is in "secured configuration" mode. This guarantees the caller
+ * gets a copy of the requested value as it is set in the main
+ * application configuration (including config_local overrides), and
+ * not what it might be after possibly having been modified by some
+ * other code (usually a plugin overriding configuration values for
+ * one reason or another).
+ *
+ * WARNING: Please use this function as little as possible, because
+ * every time it is called, it forcibly reloads the main configuration
+ * file(s).
+ *
+ * Caller beware that this function will do nothing if SquirrelMail
+ * is not in "secured configuration" mode per the $secured_config
+ * setting.
+ *
+ * @param string $var_name The name of the desired variable
+ *
+ * @return mixed The desired value
+ *
+ * @since 1.5.2
+ *
+ */
+function get_secured_config_value($var_name) {
+
+ static $return_values = array();
+
+ // if we can avoid it, return values that have
+ // already been retrieved (so we don't have to
+ // include the config file yet again)
+ //
+ if (isset($return_values[$var_name])) {
+ return $return_values[$var_name];
+ }
+
+
+ // load site configuration
+ //
+ require(SM_PATH . 'config/config.php');
+
+ // load local configuration overrides
+ //
+ if (file_exists(SM_PATH . 'config/config_local.php')) {
+ require(SM_PATH . 'config/config_local.php');
+ }
+
+ // if SM isn't in "secured configuration" mode,
+ // just return the desired value from the global scope
+ //
+ if (!$secured_config) {
+ global $$var_name;
+ $return_values[$var_name] = $$var_name;
+ return $$var_name;
+ }
+
+ // else we return what we got from the config file
+ //
+ $return_values[$var_name] = $$var_name;
+ return $$var_name;
+
+}
+
/**
* Deletes an existing session, more advanced than the standard PHP
* session_destroy(), it explicitly deletes the cookies and global vars.
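Review bot: In secured mode the final `return $$var_name;` reads whatever the two `require` calls left in the function's local scope, so a name that neither config.php nor config_local.php assigns comes back as an undefined variable (NULL plus a notice), and a caller checking a security setting cannot tell "unset" from "disabled". I would guard it with `$return_values[$var_name] = isset($$var_name) ? $$var_name : NULL;` and test the cache with `array_key_exists($var_name, $return_values)`, because `isset()` misses a cached NULL and forces a reload on every call. The docblock's "will do nothing" also does not match the code outside secured mode: both config files are still loaded and the global's value is frozen in the static cache on first call, so later changes to the global are not seen; the comment should say so. In secured mode a requested name equal to one of the function's own locals (`var_name`, `return_values`, `secured_config`) resolves to that local rather than to a config setting, which is worth rejecting or documenting.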