From 223cc0f5d085be90f26b6637afafe1223c12a1d4 Mon Sep 17 00:00:00 2001
From: kink
Date: Thu, 8 Jun 2006 15:45:28 +0000
Subject: [PATCH] - Add note to conf.pl / config_default.php to warn users that set sensitive passwords in that file to properly secure it.

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@11184 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 ChangeLog | 2 ++
 config/conf.pl | 20 ++++++++++++++------
 config/config_default.php | 13 ++++++++++++-
 3 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 309f16ad..32182780 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -78,6 +78,8 @@ Version 1.5.2 - CVS
 html output code. If third party code displays errors from address book object in html, errors must be sanitized and ASCII line feeds should be converted to html line breaks.
+ - Add note to conf.pl / config_default.php to warn users that set
+ sensitive passwords in that file to properly secure it.
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
diff --git a/config/conf.pl b/config/conf.pl
index 4ca3a082..7f5af21f 100755
--- a/config/conf.pl
+++ b/config/conf.pl
@@ -2896,6 +2896,8 @@ sub command_fontsets {
 sub command61 {
 print "You can now define different LDAP servers.\n";
+ print "Please ensure proper permissions for config.php when including\n";
+ print "sensitive passwords.\n\n";
 print "[ldap] command (?=help) > ";
 $input = ;
 $input =~ s/[\r\n]//g;
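Review bot: The warning added to command61 tells the admin to ensure "proper permissions" for config.php without saying what that means, so the file can be left world-readable while the advice is believed to be followed; I would add one concrete line after the two new prints, `print "(readable by the web server user only, e.g. mode 0640, never world-readable)\n";`. If the routine in conf.pl that writes config.php does not already set a restrictive mode on it, doing so there would be more dependable than a reminder at prompt time, but that code is not in this hunk so this is an assumption. The context line `$input = ;` reads like the standard-input read was lost when the page was extracted rather than something this commit changed. command61 starts inside the hunk and its body continues beyond it.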
@@ -3313,9 +3315,11 @@ sub command91 {
 print "you need to set this DSN to a valid value. The format for this is:\n";
 print "mysql://user:pass\@hostname/dbname\n";
 print "Where mysql can be one of the databases PHP supports, the most common\n";
- print "of these are mysql, msql and pgsql\n";
+ print "of these are mysql, msql and pgsql.\n";
+ print "Please ensure proper permissions for config.php when including\n";
+ print "sensitive passwords.\n\n";
 print "If the DSN is left empty (hit space and then return) the database\n";
- print "related code for address books will not be used\n";
+ print "related code for address books will not be used.\n";
 print "\n";
 if ( $addrbook_dsn eq "" ) {
@@ -3353,9 +3357,11 @@ sub command93 {
 print "you need to set this DSN to a valid value. The format for this is:\n";
 print "mysql://user:pass\@hostname/dbname\n";
 print "Where mysql can be one of the databases PHP supports, the most common\n";
- print "of these are mysql, msql and pgsql\n";
+ print "of these are mysql, msql and pgsql.\n";
+ print "Please ensure proper permissions for config.php when including\n";
+ print "sensitive passwords.\n\n";
 print "If the DSN is left empty (hit space and then return) the database\n";
- print "related code for address books will not be used\n";
+ print "related code for address books will not be used.\n";
 print "\n";
 if ( $prefs_dsn eq "" ) {
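Review bot: The two new `print` lines in command91 are the same text added verbatim in command61, command93 and command98, so the wording, and any later sharpening of the advice into actual permission guidance, has to be kept in sync by hand in four places. I would define the warning once as a small helper and replace the pair of prints in each sub with `print_password_warning();`, which also keeps the three DSN prompts identical. command91 begins before this hunk and continues after it.
```perl
# Reminder printed by every prompt that may store a password in config.php.
sub print_password_warning {
    print "Please ensure proper permissions for config.php when including\n";
    print "sensitive passwords.\n\n";
}

# … unchanged: start of command91 …
    print "of these are mysql, msql and pgsql.\n";
    print_password_warning();
    print "If the DSN is left empty (hit space and then return) the database\n";
# … unchanged: rest of command91 …
```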
@@ -3456,9 +3462,11 @@ sub command98 {
 print "you need to set this DSN to a valid value. The format for this is:\n";
 print "mysql://user:pass\@hostname/dbname\n";
 print "Where mysql can be one of the databases PHP supports, the most common\n";
- print "of these are mysql, msql and pgsql\n";
+ print "of these are mysql, msql and pgsql.\n";
+ print "Please ensure proper permissions for config.php when including\n";
+ print "sensitive passwords.\n\n";
 print "If the DSN is left empty (hit space and then return) the database\n";
- print "related code for global SQL address book will not be used\n";
+ print "related code for global SQL address book will not be used.\n";
 print "\n";
 if ( $addrbook_global_dsn eq "" ) {
diff --git a/config/config_default.php b/config/config_default.php
index 00fb5fd8..249d23d1 100644
--- a/config/config_default.php
+++ b/config/config_default.php
@@ -10,6 +10,11 @@
 * conf.pl if at all possible. That is the easiest and cleanest way
 * to configure.
 *
+ * Note on SECURITY: some options require putting a password in this file.
+ * Please make sure that you adapt its permissions appropriately to avoid
+ * passwords being leaked to e.g. other system users. Take extra care when
+ * the webserver is shared with untrusted users.
+ *
 * @copyright © 2000-2006 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id$
@@ -873,6 +878,9 @@ $fontsets['tahoma'] = 'tahoma,sans-serif';
 * 'name' => 'Netcenter Member Directory',
 * 'base' => 'ou=member_directory,o=netcenter.com'
 * );
+ *
+ * NOTE: please see security note at the top of this file when
+ * entering a password.
 */
 // Add your ldap server options here
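Review bot: The new security note at the top of config_default.php leaves the reader without a target: it should say who may read the file and when permissions are not enough. I would extend the comment with ` * Make config.php readable only by the web server's user/group (e.g. mode 0640), never world-readable.` plus a sentence warning that where every site's PHP runs under one web server account (the usual mod_php shared-hosting setup) file permissions cannot hide the password from other tenants' scripts, so the database or LDAP account stored here should carry only the privileges it needs. Because the password sits here in clear text, it is also worth advising against leaving editor backup copies such as config.php~ in the web root, since those are served verbatim where only *.php is handled by PHP; that is a general hosting caveat rather than something this change introduces. The comment block continues past the hunk.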
@@ -943,6 +951,9 @@ $motd = "";
 * The DSN is in the format: mysql://user:pass@hostname/dbname
 * The table is the name of the table to use within the
 * specified database.
+ *
+ * NOTE: please see security note at the top of this file when
+ * entering a password.
 */
 $addrbook_dsn = '';
 $addrbook_table = 'address';
@@ -1179,4 +1190,4 @@ $config_use_color = 2;
 * sent and regular output to begin, which will majorly screw
 * things up when we try to send more headers later.
 */
-?>
\ No newline at end of file
+?>
-- 
2.25.1