From 061108dc8fa576659c23923806e23c4086334912 Mon Sep 17 00:00:00 2001 From: pdontthink Date: Sun, 13 Jan 2008 04:09:43 +0000 Subject: [PATCH] Added "Secured Configuration" mode git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@12880 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- ChangeLog | 1 + config/conf.pl | 30 +++++++++++++++++++++ functions/global.php | 63 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 94 insertions(+) diff --git a/ChangeLog b/ChangeLog index 0477a97f..d36007d6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -242,6 +242,7 @@ Version 1.5.2 - SVN patch by Walter Huijbers (#1833123). - Fix for IMAP servers that were having problems saving sent messages - Added multiple select folder list option widgets (SMOPT_TYPE_FLDRLIST_MULTI). + - Added "Secured Configuration" mode. Version 1.5.1 (branched on 2006-02-12) diff --git a/config/conf.pl b/config/conf.pl index abeffb8d..c5460f1b 100755 --- a/config/conf.pl +++ b/config/conf.pl @@ -424,6 +424,7 @@ $use_icons = 'false' if ( !$use_icons ); $use_iframe = 'false' if ( !$use_iframe ); $lossy_encoding = 'false' if ( !$lossy_encoding ); $allow_remote_configtest = 'false' if ( !$allow_remote_configtest ); +$secured_config = 'true' if ( !$secured_config ); $sm_debug_mode = 'SM_DEBUG_MODE_MODERATE' if ( !$sm_debug_mode ); #FIXME: When this is STABLE software, remove the line above and uncomment the one below: @@ -821,6 +822,7 @@ while ( ( $command ne "q" ) && ( $command ne "Q" ) && ( $command ne ":q" ) ) { print $WHT. "Configuration tweaks\n" . $NRM; print "6. Allow remote configtest : $WHT$allow_remote_configtest$NRM\n"; print "7. Debug mode : $WHT$sm_debug_mode$NRM\n"; + print "8. Secured configuration mode : $WHT$secured_config$NRM\n"; print "\n"; print "R Return to Main Menu\n"; } @@ -994,6 +996,7 @@ while ( ( $command ne "q" ) && ( $command ne "Q" ) && ( $command ne ":q" ) ) { elsif ( $command == 5 ) { $use_php_iconv = commandB5(); } elsif ( $command == 6 ) { $allow_remote_configtest = commandB6(); } elsif ( $command == 7 ) { $sm_debug_mode = commandB8(); } + elsif ( $command == 8 ) { $secured_config = commandB9(); } } } } @@ -4429,6 +4432,32 @@ sub commandB8 { return $sm_debug_mode; } +# Secured configuration mode (since 1.5.2) +sub commandB9 { + print "This option allows you to enable \"Secured Configuration\" mode,\n"; + print "which will guarantee that certain settings made herein will be\n"; + print "made immutable and will not be subject to override by either friendly\n"; + print "or unfriendly code/plugins. Only a small number of settings herein\n"; + print "will be used in this manner - just those that are deemed to be a\n"; + print "potential security threat when rouge plugin or other code may be\n"; + print "executed inside SquirrelMail.\n"; + print "\n"; + + if ( lc($secured_config) eq 'true' ) { + $default_value = "y"; + } else { + $default_value = "n"; + } + print "Enable secured configuration mode? (y/n) [$WHT$default_value$NRM]: $WHT"; + $secured_config = ; + if ( ( $secured_config =~ /^y\n/i ) || ( ( $secured_config =~ /^\n/ ) && ( $default_value eq "y" ) ) ) { + $secured_config = 'true'; + } else { + $secured_config = 'false'; + } + return $secured_config; +} + sub save_data { $tab = " "; if ( open( CF, ">config.php" ) ) { @@ -4824,6 +4853,7 @@ sub save_data { print CF "\n"; # boolean print CF "\$allow_remote_configtest = $allow_remote_configtest;\n"; + print CF "\$secured_config = $secured_config;\n"; # (binary) integer or constant - convert integer # values to constants before output $sm_debug_mode = convert_debug_binary_integer_to_constants($sm_debug_mode); diff --git a/functions/global.php b/functions/global.php index 1faeac33..d211773c 100644 --- a/functions/global.php +++ b/functions/global.php @@ -348,6 +348,69 @@ function sqgetGlobalVar($name, &$value, $search = SQ_INORDER, $default = NULL, $ return $result; } +/** + * Get an immutable copy of a configuration variable if SquirrelMail + * is in "secured configuration" mode. This guarantees the caller + * gets a copy of the requested value as it is set in the main + * application configuration (including config_local overrides), and + * not what it might be after possibly having been modified by some + * other code (usually a plugin overriding configuration values for + * one reason or another). + * + * WARNING: Please use this function as little as possible, because + * every time it is called, it forcibly reloads the main configuration + * file(s). + * + * Caller beware that this function will do nothing if SquirrelMail + * is not in "secured configuration" mode per the $secured_config + * setting. + * + * @param string $var_name The name of the desired variable + * + * @return mixed The desired value + * + * @since 1.5.2 + * + */ +function get_secured_config_value($var_name) { + + static $return_values = array(); + + // if we can avoid it, return values that have + // already been retrieved (so we don't have to + // include the config file yet again) + // + if (isset($return_values[$var_name])) { + return $return_values[$var_name]; + } + + + // load site configuration + // + require(SM_PATH . 'config/config.php'); + + // load local configuration overrides + // + if (file_exists(SM_PATH . 'config/config_local.php')) { + require(SM_PATH . 'config/config_local.php'); + } + + // if SM isn't in "secured configuration" mode, + // just return the desired value from the global scope + // + if (!$secured_config) { + global $$var_name; + $return_values[$var_name] = $$var_name; + return $$var_name; + } + + // else we return what we got from the config file + // + $return_values[$var_name] = $$var_name; + return $$var_name; + +} + /** * Deletes an existing session, more advanced than the standard PHP * session_destroy(), it explicitly deletes the cookies and global vars. -- 2.25.1