From: ebullient <ebullient@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Mon, 28 Nov 2005 17:12:57 +0000 (+0000)
Subject: require the hide_squirrelmail_header value to be defined as a constant
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=e930c9fe267bffaaaf578042671739ce4a49145e;p=squirrelmail.git

require the hide_squirrelmail_header value to be defined as a constant
to avoid manipulation via GET/POST


git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10417 7612ce4b-ef26-0410-bec9-ea0150e637f0
---

diff --git a/class/deliver/Deliver.class.php b/class/deliver/Deliver.class.php
index a7747106..6d9427de 100644
--- a/class/deliver/Deliver.class.php
+++ b/class/deliver/Deliver.class.php
@@ -379,7 +379,7 @@ class Deliver {
      */
     function prepareRFC822_Header($rfc822_header, $reply_rfc822_header, &$raw_length) {
         global $domain, $version, $username, $encode_header_key, 
-               $edit_identity, $hide_auth_header, $hide_squirrelmail_header;
+               $edit_identity, $hide_auth_header;
 
         /* if server var SERVER_NAME not available, use $domain */
         if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) {
@@ -430,9 +430,11 @@ class Deliver {
          *
          * Add $hide_squirrelmail_header as a candidate for config_local.php
          * to allow completely hiding SquirrelMail participation in message
-         * processing.
+         * processing; This is dangerous, especially if users can modify their 
+         * account information, as it makes mapping a sent message back to the
+         * original sender almost impossible.
          */
-        $show_sm_header = ( isset($hide_squirrelmail_header) ? ! $hide_squirrelmail_header : 1 );
+        $show_sm_header = ( defined('hide_squirrelmail_header') ? ! hide_squirrelmail_header : 1 );
 
         if ( $show_sm_header ) {
           if (isset($encode_header_key) &&