List:       squirrelmail-cvs
Subject:    Re: [SM-CVS] SF.net SVN: squirrelmail: [12271] trunk/squirrelmail
From:       "Marc Groot Koerkamp" <marc () squirrelmail ! org>
Date:       2007-02-28 8:14:38
Message-ID: 4805.217.123.226.106.1172650478.squirrel () www ! grootkoerkamp ! net

On Wed, February 28, 2007 6:22 am, Paul Lesniewski wrote:
> On 2/18/07, kink@users.sourceforge.net <kink@users.sourceforge.net>
> wrote:
>
>> Revision: 12271
>> http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=12271&view=rev
>>  Author:   kink
>> Date:     2007-02-18 04:46:47 -0800 (Sun, 18 Feb 2007)
>>
>>
>> Log Message:
>> -----------
>> HTTP_SERVER_SERVER should be HTTP_SERVER_VARS, but since
>> we require PHP >= 4.1.x, we need not use it anywhere.
>>
>> Modified Paths:
>> --------------
>> trunk/squirrelmail/include/load_prefs.php
>> trunk/squirrelmail/plugins/bug_report/functions.php
>> trunk/squirrelmail/plugins/bug_report/system_specs.php
>> trunk/squirrelmail/plugins/change_password/backend/ldap.php
>> trunk/squirrelmail/plugins/filters/filters.php
>> trunk/squirrelmail/plugins/translate/functions.php
>> trunk/squirrelmail/themes/greenhouse_effect.php
>> trunk/squirrelmail/themes/in_the_pink.php
>> trunk/squirrelmail/themes/kind_of_blue.php
>> trunk/squirrelmail/themes/monostochastic.php
>> trunk/squirrelmail/themes/random.php
>> trunk/squirrelmail/themes/shades_of_grey.php
>> trunk/squirrelmail/themes/spice_of_life.php
>> trunk/squirrelmail/themes/spice_of_life_dark.php
>> trunk/squirrelmail/themes/spice_of_life_lite.php
>>
>> Modified: trunk/squirrelmail/include/load_prefs.php
>> ===================================================================
>> --- trunk/squirrelmail/include/load_prefs.php   2007-02-16 01:48:34 UTC
>> (rev 12270)
>> +++ trunk/squirrelmail/include/load_prefs.php   2007-02-18 12:46:47 UTC
>> (rev 12271)
>> @@ -17,8 +17,7 @@
>> * FIXME: PHP CGI (at least on IIS 5.1) does not set 'SCRIPT_FILENAME'
>> and * code does not handle magic_quotes_gpc=on.
>> */
>> -if ((isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME']
>> == __FILE__) ||
>> -     (isset($HTTP_SERVER_SERVER['SCRIPT_FILENAME']) &&
>> $HTTP_SERVER_SERVER['SCRIPT_FILENAME'] == __FILE__) ) {
>> +if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME']
>> == __FILE__) {
>>
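Review bot: the surviving guard `+if (isset($_SERVER['SCRIPT_FILENAME']) && $_SERVER['SCRIPT_FILENAME'] == __FILE__) {` fails open on exactly the servers the FIXME two lines above it names: when PHP CGI on IIS does not set SCRIPT_FILENAME, the condition is false, the die/redirect body is skipped, and the rest of the file runs on a direct request, so the direct-include protection silently disappears there. Dropping the `$HTTP_SERVER_SERVER` branch is correct (as the log message says, the misspelt name never matched anything), but the remaining test is only as strong as that server variable; a check that does not depend on it, such as testing `defined('SM_PATH')` as the reply below proposes, or at minimum normalising both sides with `realpath()` so a symlinked or relative SCRIPT_FILENAME still compares equal to `__FILE__`, would close the gap. The log message could also say plainly that the removed fallback was both misspelt and unnecessary.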
>
> Why are we doing it this way anyway?  How about testing if SM_PATH is
> defined, if not exit.  If it is, we should be safe, but to be pedantic
> (Chris loves it), we could then proceed to check the global value of
> $php_self (which SM sets up for us), using strpos() to see if it
> contains the current filename or not.  There are probably other ways too...
> I suggest something else because of the IIS comment and we
> generally frown upon directly accessing superglobals in this manner.
>

This is to prohibit direct includes. If a browser points directly to the
file then it dies at the beginning or does a redirect to the login page.
$php_self is not defined when people directly include files.
See it as an extra security measure for files with code outside functions.

Marc.
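As an added example (not SquirrelMail code, and not part of the thread), here are the two guard styles discussed above side by side: the path comparison from the hunk, and the SM_PATH test from Paul's reply. It assumes, as Paul's reply does, that every legitimate entry point defines SM_PATH before pulling in include-only files; the function names and the 403 response are this example's own choices.

```php
<?php
// Added example: stopping a web server from executing an include-only file
// that a browser requests directly. Two variants are shown; the entry-point
// variant is the one actually used at the bottom.

// Variant A: the pattern from the hunk, compares the script the server is
// executing with this file. It can only work where the server populates
// SCRIPT_FILENAME (the FIXME in the hunk notes that PHP CGI on IIS 5.1 does
// not), and a symlinked or relative SCRIPT_FILENAME would not equal __FILE__
// as a plain string, so both sides are normalised with realpath() here.
function requested_directly_by_path(): bool
{
    if (!isset($_SERVER['SCRIPT_FILENAME'])) {
        // Unknown server variable: fail closed rather than run the file.
        return true;
    }
    $requested = realpath($_SERVER['SCRIPT_FILENAME']);
    return $requested === false || $requested === realpath(__FILE__);
}

// Variant B: Paul's suggestion. An include-only file is always reached via
// an entry point that has already defined SM_PATH (assumed here, as in the
// reply); if the constant is missing, the file was hit directly. This needs
// no server variable at all, so it behaves the same on every SAPI.
function requested_directly_by_entry_point(): bool
{
    return !defined('SM_PATH');
}

if (requested_directly_by_entry_point()) {
    // Nothing below this point may run for a direct request: the file's
    // top-level code (the reason for the guard) must not execute.
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access to this file is not allowed.');
}

// ... include-only code (functions, settings, theme colours) follows ...
```

The difference in failure mode is the point: when the server variable is absent, variant A as written in the hunk lets the file run, while variant B keeps working because it depends only on what the application itself defined before the include.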


--
squirrelmail-cvs mailing list
List Address: squirrelmail-cvs@lists.sourceforge.net
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-cvs
http://squirrelmail.org/cvs