From 38c5802facc2ab80b03eef5496f7c6ba9152764a Mon Sep 17 00:00:00 2001 From: kink Date: Tue, 3 Aug 2004 11:06:18 +0000 Subject: [PATCH] If we have PHP 4.3.0, we can make SquirrelSpell work with safe_mode. This also removes the need for the 'cat' program when using older PHP, easing the use of this plugin under Windows. The patch is provided by Ray Ferguson, #752314. As I have only PHP 4.1.2, this is not thoroughly tested code; please test it all so it will be verified to work in many different environments. git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@7819 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- ChangeLog | 4 +- plugins/squirrelspell/INSTALL | 16 ++++-- plugins/squirrelspell/modules/check_me.mod | 62 ++++++++++++---------- 3 files changed, 48 insertions(+), 34 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6d3d806a..ee7291b1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -80,6 +80,8 @@ Version 1.5.1 -- CVS - Added size limit to signatures saved in file backend. Created error_option_save function, that allows sending error message to options page. Thanks to Martynas Bieliauskas for spotting big signature "option". + - Make SquirrelSpell work with safe_mode enabled, if using PHP >=4.3.0. + Patch by Ray Ferguson. Version 1.5.0 -------------------- @@ -284,7 +286,7 @@ Version 1.4.0 RC 2a - Correctly fold encoded header lines. - Fix prefs caching not working correctly in PHP 4.3 caused by a stupid version checking mechanism. - - Fix XXS hole that allowed JavaScript execution by sending someone + - Fix XSS hole that allowed JavaScript execution by sending someone an email with specially crafted headers. Thanks Jason Munro, and Masato Higashiyama. diff --git a/plugins/squirrelspell/INSTALL b/plugins/squirrelspell/INSTALL index 808dec0c..478380b0 100644 --- a/plugins/squirrelspell/INSTALL +++ b/plugins/squirrelspell/INSTALL 
@@ -1,11 +1,11 @@ -SquirrelSpell-v0.3.1 ---------------------- +SquirrelSpell plugin +-------------------- Untar SquirrelSpell into your squirrelmail/plugins directory. Modify the sqspell_config.php file making sure you have ispell or aspell available on your system and located in PHP's path. The squirrelspell doesn't check for that and if it is not available, you're just going to -get a "No errors found" message every time. :) Quite pleasing, but not +get a "No errors found" message every time. :) Quite pleasing, but not very useful. Read files in "doc" directory -- they explain some features. @@ -13,6 +13,14 @@ Read files in "doc" directory -- they explain some features. Enable the plugin either by hand or by running the configure script from your squirrelmail install directory. +NOTE: If you are using php >= 4.3.0 squirrelspell should work in safe mode. +Otherwise, you may have to disable safe mode for the squirrelspell directory. + APACHE CONF EXAMPLE: + + php_admin_value safe_mode 0 + + + Enjoy and report bugs. ;) This is an options commented sqspell_config.php @@ -113,4 +121,4 @@ This is an options commented sqspell_config.php Adding until resolved. **/ $SQSPELL_SOUP_NAZI = 'Mozilla/3, Mozilla/2, Opera 4, Opera/4, Macintosh'; -?> \ No newline at end of file +?> diff --git a/plugins/squirrelspell/modules/check_me.mod b/plugins/squirrelspell/modules/check_me.mod index ebc1dc1f..a6cb6e8a 100644 --- a/plugins/squirrelspell/modules/check_me.mod +++ b/plugins/squirrelspell/modules/check_me.mod @@ -4,7 +4,7 @@ * ------------- * Squirrelspell module. * - * Copyright (c) 1999-2003 The SquirrelMail development team + * Copyright (c) 1999-2004 The SquirrelMail development team * Licensed under the GNU GPL. For full terms see the file COPYING. * * This module is the main workhorse of SquirrelSpell. It submits 
@@ -80,34 +80,38 @@ $sqspell_new_text=implode("\n", $sqspell_new_lines);
 */
 $sqspell_command=$SQSPELL_APP[$sqspell_use_app];
 /**
- * For the simplicity's sake we'll put all text into a file in
- * attachment_dir directory, then cat it and pipe it to
- * sqspell_command. There are other ways to do it, including popen(),
- * but it's unidirectional and no fun at all.
- *
- * The name of the file is an md5 hash of the message itself plus
- * microtime. This prevents symlink attacks. The loop is here to
- * further enhance this feature, and make sure we don't overwrite
- * someone else's data, although the possibility of this happening is
- * QUITE remote.
- */
-do {
- $floc = "$attachment_dir/" . md5($sqspell_new_text . microtime());
-} while (file_exists($floc));
-/**
- * Write the contents to the file.
- */
-$fp=fopen($floc, 'w');
-fwrite($fp, $sqspell_new_text);
-fclose($fp);
-/**
- * Execute ispell/aspell and catch the output.
+ * If you have php >= 4.3.0, we can use proc_open and safe mode
+ * and not mess w/ temp files. Otherwise we will do it the old
+ * way, (minus the uneeded call to cat that messes up Wintel
+ * boxen.)
+ * Thanks Ray Ferguson for providing this patch.
 */
-exec("cat $floc | $sqspell_command 2>&1", $sqspell_output, $sqspell_exitcode);
-/**
- * Remove the temp file.
- */
-unlink($floc);
+if( check_php_version ( 4, 3 ) ) {
+ $descriptorspec = array(
+ 0 => array('pipe', 'r'), // stdin is a pipe that the child will read from
+ 1 => array('pipe', 'w'), // stdout is a pipe that the child will write to
+ 2 => array('pipe', 'w'), // stderr is a pipe that the child will write to
+ );
+ $spell_proc=proc_open($sqspell_command, $descriptorspec, $pipes);
+ fwrite($pipes[0], $sqspell_new_text);
+ fclose($pipes[0]);
+ $sqspell_output = array();
+ for($i=1; $i<=2; $i++){
+ while(!feof($pipes[$i]))
+ array_push($sqspell_output, rtrim(fgetss($pipes[$i],999),"\n"));
+ fclose($pipes[$i]);
+ }
+ $sqspell_exitcode=proc_close($spell_proc);
+} else {
+ do {
+ $floc = "$attachment_dir/" . md5($sqspell_new_text . microtime());
+ } while (file_exists($floc));
+ $fp=fopen($floc, 'w');
+ fwrite($fp, $sqspell_new_text);
+ fclose($fp);
+ exec("$sqspell_command < $floc 2>&1", $sqspell_output, $sqspell_exitcode);
+ unlink($floc);
+}
 /**
 * Check if the execution was successful. Bail out if it wasn't.
@@ -442,6 +446,6 @@ if ($errors){
 * Local variables:
 * mode: php
 * End:
- * vim: syntax=php
+ * vim: syntax=php et ts=4
 */
 ?>
-- 
2.25.1
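Review bot: The result of `proc_open()` is never checked in the PHP >= 4.3 branch. If the spell checker cannot be started, `$pipes` is not populated and `feof()` on a non-stream never returns true, so the `while(!feof($pipes[$i]))` loop can spin instead of reaching the exit-code check that follows the hunk. Guard the pipe I/O with `is_resource($spell_proc)` and set a non-zero `$sqspell_exitcode` on failure; this assumes the later "Bail out" check, which lies outside the hunk, tests that variable. Separately, the whole message is written to stdin before any output is read, so a large message could fill the child's stdout pipe and stall both processes; a size cap or a comment recording that limit would help.

```php
$spell_proc=proc_open($sqspell_command, $descriptorspec, $pipes);
if (is_resource($spell_proc)) {
    // … unchanged: write $sqspell_new_text to $pipes[0], drain $pipes[1] and $pipes[2] …
    $sqspell_exitcode=proc_close($spell_proc);
} else {
    // proc_open failed: no pipes exist, so report failure rather than looping on feof()
    $sqspell_output = array();
    $sqspell_exitcode = 127; // constructed value; any non-zero code the later check treats as failure
}
```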