From e930c9fe267bffaaaf578042671739ce4a49145e Mon Sep 17 00:00:00 2001
From: ebullient
Date: Mon, 28 Nov 2005 17:12:57 +0000
Subject: [PATCH] require the hide_squirrelmail_header value to be defined as a constant to avoid manipulation via GET/POST

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@10417 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 class/deliver/Deliver.class.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/class/deliver/Deliver.class.php b/class/deliver/Deliver.class.php
index a7747106..6d9427de 100644
--- a/class/deliver/Deliver.class.php
+++ b/class/deliver/Deliver.class.php
@@ -379,7 +379,7 @@ class Deliver {
 */
 function prepareRFC822_Header($rfc822_header, $reply_rfc822_header, &$raw_length) {
 global $domain, $version, $username, $encode_header_key,
- $edit_identity, $hide_auth_header, $hide_squirrelmail_header;
+ $edit_identity, $hide_auth_header;
 
 /* if server var SERVER_NAME not available, use $domain */
 if(!sqGetGlobalVar('SERVER_NAME', $SERVER_NAME, SQ_SERVER)) {
@@ -430,9 +430,11 @@ class Deliver {
 *
 * Add $hide_squirrelmail_header as a candidate for config_local.php
 * to allow completely hiding SquirrelMail participation in message
- * processing.
+ * processing; This is dangerous, especially if users can modify their
+ * account information, as it makes mapping a sent message back to the
+ * original sender almost impossible.
 */
- $show_sm_header = ( isset($hide_squirrelmail_header) ? ! $hide_squirrelmail_header : 1 );
+ $show_sm_header = ( defined('hide_squirrelmail_header') ? ! hide_squirrelmail_header : 1 );
 
 if ( $show_sm_header ) {
 if (isset($encode_header_key) &&
-- 
2.25.1
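Review bot: The docblock in the second hunk still introduces the switch as `$hide_squirrelmail_header as a candidate for config_local.php`, i.e. a variable, while the assignment a few lines below now tests `defined('hide_squirrelmail_header')`; an admin who follows the comment and sets `$hide_squirrelmail_header = true;` in config_local.php keeps emitting the header with no warning, because `defined()` ignores variables. I would reword that line to `* Define the constant hide_squirrelmail_header (define('hide_squirrelmail_header', true) in config_local.php)` and add one sentence stating why a constant is used: unlike a global variable it cannot be injected from the request under register_globals, which is the motivation given in the commit subject. Separately, `! hide_squirrelmail_header` is a plain truthiness test, so a non-boolean value such as the string 'false' would hide the header; if such values are plausible in a config file, a `=== true` comparison or a note in the docblock would make the contract explicit. prepareRFC822_Header begins in the first hunk and its body continues past the end of this one.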