- Added size limit to signatures saved in file backend. Created error_option_save
function, that allows sending error message to options page. Thanks to Martynas
Bieliauskas for spotting big signature "option".
+ - Make SquirrelSpell work with safe_mode enabled, if using PHP >=4.3.0.
+ Patch by Ray Ferguson.
Version 1.5.0
--------------------
- Correctly fold encoded header lines.
- Fix prefs caching not working correctly in PHP 4.3 caused by a stupid
version checking mechanism.
- - Fix XXS hole that allowed JavaScript execution by sending someone
+ - Fix XSS hole that allowed JavaScript execution by sending someone
an email with specially crafted headers. Thanks Jason Munro, and
Masato Higashiyama.
-SquirrelSpell-v0.3.1
----------------------
+SquirrelSpell plugin
+--------------------
Untar SquirrelSpell into your squirrelmail/plugins directory. Modify the
sqspell_config.php file making sure you have ispell or aspell
available on your system and located in PHP's path. The squirrelspell
doesn't check for that and if it is not available, you're just going to
-get a "No errors found" message every time. :) Quite pleasing, but not
+get a "No errors found" message every time. :) Quite pleasing, but not
very useful.
Read files in "doc" directory -- they explain some features.
Enable the plugin either by hand or by running the configure script from
your squirrelmail install directory.
+NOTE: If you are using php >= 4.3.0 squirrelspell should work in safe mode.
+Otherwise, you may have to disable safe mode for the squirrelspell directory.
+ APACHE CONF EXAMPLE:
+ <Directory /webroot/squirrelmail/plugins/squirrelspell>
+ php_admin_value safe_mode 0
+ </Directory>
+
+
Enjoy and report bugs. ;)
This is an options commented sqspell_config.php
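Review bot: In the added APACHE CONF EXAMPLE, "php_admin_value safe_mode 0" sets a boolean directive with the value form; PHP's Apache directives include php_admin_flag for booleans, so "php_admin_flag safe_mode off" is the clearer spelling. Because the override turns safe mode off for the whole plugin directory, the NOTE should say outright that the example applies only to PHP older than 4.3.0. The two empty added lines after "</Directory>" can be dropped.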
Adding until resolved.
**/
$SQSPELL_SOUP_NAZI = 'Mozilla/3, Mozilla/2, Opera 4, Opera/4, Macintosh';
-?>
\ No newline at end of file
+?>
* -------------
* Squirrelspell module.
*
- * Copyright (c) 1999-2003 The SquirrelMail development team
+ * Copyright (c) 1999-2004 The SquirrelMail development team
* Licensed under the GNU GPL. For full terms see the file COPYING.
*
* This module is the main workhorse of SquirrelSpell. It submits
*/
$sqspell_command=$SQSPELL_APP[$sqspell_use_app];
/**
- * For the simplicity's sake we'll put all text into a file in
- * attachment_dir directory, then cat it and pipe it to
- * sqspell_command. There are other ways to do it, including popen(),
- * but it's unidirectional and no fun at all.
- *
- * The name of the file is an md5 hash of the message itself plus
- * microtime. This prevents symlink attacks. The loop is here to
- * further enhance this feature, and make sure we don't overwrite
- * someone else's data, although the possibility of this happening is
- * QUITE remote.
- */
-do {
- $floc = "$attachment_dir/" . md5($sqspell_new_text . microtime());
-} while (file_exists($floc));
-/**
- * Write the contents to the file.
- */
-$fp=fopen($floc, 'w');
-fwrite($fp, $sqspell_new_text);
-fclose($fp);
-/**
- * Execute ispell/aspell and catch the output.
+ * If you have php >= 4.3.0, we can use proc_open and safe mode
+ * and not mess w/ temp files. Otherwise we will do it the old
+ * way, (minus the uneeded call to cat that messes up Wintel
+ * boxen.)
+ * Thanks Ray Ferguson for providing this patch.
*/
-exec("cat $floc | $sqspell_command 2>&1", $sqspell_output, $sqspell_exitcode);
-/**
- * Remove the temp file.
- */
-unlink($floc);
+if( check_php_version ( 4, 3 ) ) {
+ $descriptorspec = array(
+ 0 => array('pipe', 'r'), // stdin is a pipe that the child will read from
+ 1 => array('pipe', 'w'), // stdout is a pipe that the child will write to
+ 2 => array('pipe', 'w'), // stderr is a pipe that the child will write to
+ );
+ $spell_proc=proc_open($sqspell_command, $descriptorspec, $pipes);
+ fwrite($pipes[0], $sqspell_new_text);
+ fclose($pipes[0]);
+ $sqspell_output = array();
+ for($i=1; $i<=2; $i++){
+ while(!feof($pipes[$i]))
+ array_push($sqspell_output, rtrim(fgetss($pipes[$i],999),"\n"));
+ fclose($pipes[$i]);
+ }
+ $sqspell_exitcode=proc_close($spell_proc);
+} else {
+ do {
+ $floc = "$attachment_dir/" . md5($sqspell_new_text . microtime());
+ } while (file_exists($floc));
+ $fp=fopen($floc, 'w');
+ fwrite($fp, $sqspell_new_text);
+ fclose($fp);
+ exec("$sqspell_command < $floc 2>&1", $sqspell_output, $sqspell_exitcode);
+ unlink($floc);
+}
/**
* Check if the execution was successful. Bail out if it wasn't.
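Review bot: The result of proc_open() in the new PHP >= 4.3 branch is never checked, so when the spell checker cannot be started the fwrite()/fclose() calls run on pipes that were never opened. Test is_resource($spell_proc) before touching $pipes and go to the existing "bail out" path when it fails. The same branch writes the whole message to stdin before reading anything and then drains stdout to EOF before reading stderr, so a child that fills the pipe nobody is reading can leave both sides blocked; interleave the reads, or merge stderr into stdout as the exec() branch does with "2>&1". fgetss() also strips tags and cuts lines at 999 bytes, which the exec() branch does not do, so the two branches can return different output for the same text; fgets() would keep them consistent.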
* Local variables:
* mode: php
* End:
- * vim: syntax=php
+ * vim: syntax=php et ts=4
*/
?>