
List:       squirrelmail-cvs
Subject:    [SM-CVS] SF.net SVN: squirrelmail:[13804]
From:       pdontthink () users ! sourceforge ! net
Date:       2009-07-31 5:22:35
Message-ID: E1MWkZf-0004rw-Pa () bj8yhf1 ! ch3 ! sourceforge ! com

Revision: 13804
          http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13804&view=rev
Author:   pdontthink
Date:     2009-07-31 05:22:35 +0000 (Fri, 31 Jul 2009)

Log Message:
-----------
Provide option for complete removal of usernames and user IP addresses from message
headers, and remove personal data from Message ID seed. (#880029/847107)

Modified Paths:
--------------
    branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver.class.php
    branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog

Modified: branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver.class.php
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver.class.php	2009-07-29 \
                03:35:07 UTC (rev 13803)
+++ branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver.class.php	2009-07-31 \
05:22:35 UTC (rev 13804) @@ -586,15 +586,9 @@
         /* Create a message-id */
         $message_id = 'MESSAGE ID GENERATION ERROR! PLEASE CONTACT SQUIRRELMAIL \
DEVELOPERS';  if (empty($rfc822_header->message_id)) {
-            $message_id = '<';
-            /* user-specifc data to decrease collision chance */
-            $seed_data = $username . '.';
-            $seed_data .= (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : '');
-            $seed_data .= (!empty($REMOTE_ADDR) ? $REMOTE_ADDR . '.' : '');
-            /* add the current time in milliseconds and randomness */
-            $seed_data .= uniqid(mt_rand(),true);
-            /* put it through one-way hash and add it to the ID */
-            $message_id .= md5($seed_data) . '.squirrel@' . $SERVER_NAME .'>';
+            $message_id = '<'
+                        . md5(GenerateRandomString(16, '', 7) . \
uniqid(mt_rand(),true)) +                        . '.squirrel@' . $SERVER_NAME .'>';
         }
 
         /* Make an RFC822 Received: line */
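Review bot: The replacement seed `md5(GenerateRandomString(16, '', 7) . uniqid(mt_rand(),true))` carries no comment, while the removed lines documented each seed component. Please add a comment stating that no user-derived data goes into the seed by design, and what the arguments `16, '', 7` select, since they are opaque at the call site. With `$username`, `$REMOTE_PORT` and `$REMOTE_ADDR` gone, uniqueness of the Message-ID on a given `$SERVER_NAME` rests entirely on `GenerateRandomString` plus `uniqid(mt_rand(),true)`; the body of `GenerateRandomString` is not visible in this hunk, so it is worth confirming it does not draw from the same `mt_rand` state and thereby add less independent entropy than the 16 characters suggest.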
@@ -619,22 +613,33 @@
          * unless you understand all possible forging issues or your
          * webmail installation does not prevent changes in user's email address.
          * See SquirrelMail bug tracker #847107 for more details about it.
+         *
+         * Add hide_squirrelmail_header as a candidate for config_local.php
+         * (must be defined as a constant:  define('hide_squirrelmail_header', 1);
+         * to allow completely hiding SquirrelMail participation in message
+         * processing; This is dangerous, especially if users can modify their
+         * account information, as it makes mapping a sent message back to the
+         * original sender almost impossible.
          */
+        $show_sm_header = ( defined('hide_squirrelmail_header') ? ! \
hide_squirrelmail_header : 1 ); +
         // FIXME: The following headers may generate slightly differently between \
the message sent to the destination and that stored in the Sent folder because this \
code will be called before both actions.  This is not necessarily a big problem, but \
                other headers such as Message-ID and Date are preserved between both \
                actions
-        if (isset($encode_header_key) &&
+        if ( $show_sm_header ) {
+          if (isset($encode_header_key) &&
             trim($encode_header_key)!='') {
             // use encoded headers, if encryption key is set and not empty
             $header[] = 'X-Squirrel-UserHash: \
                '.OneTimePadEncrypt($username,base64_encode($encode_header_key)).$rn;
             $header[] = 'X-Squirrel-FromHash: \
'.OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key)).$rn;
  if (isset($HTTP_X_FORWARDED_FOR))
                 $header[] = \
'X-Squirrel-ProxyHash:'.OneTimePadEncrypt($this->ip2hex($HTTP_X_FORWARDED_FOR),base64_encode($encode_header_key)).$rn;
                
-        } else {
+          } else {
             // use default received headers
             $header[] = "Received: from $received_from" . $rn;
             if ($edit_identity || ! isset($hide_auth_header) || ! $hide_auth_header)
                 $header[] = "        (SquirrelMail authenticated user $username)" . \
$rn;  $header[] = "        by $SERVER_NAME with HTTP;" . $rn;
             $header[] = "        $date" . $rn;
+          }
         }
 
         /* Insert the rest of the header fields */
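Review bot: The outer `if ( $show_sm_header )` also bypasses the `$edit_identity` check on the "SquirrelMail authenticated user" line, so defining `hide_squirrelmail_header` removes every sender trace even on installations where users can change their identity, which is exactly the case the new comment calls dangerous. Consider ignoring the constant when `$edit_identity` is true, or at least recording the username and `$REMOTE_ADDR` somewhere server-side when the headers are suppressed, so a sent message can still be mapped back to an account. Smaller points: the parenthesis opened at "(must be defined as a constant:" in the comment is never closed, a lowercase constant name reads like one of the `$hide_auth_header`-style config variables and is easy to set the wrong way, and only the `if`/`else`/closing-brace lines were re-indented, so the bodies of both branches no longer line up with their new nesting level.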

Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog	2009-07-29 03:35:07 UTC (rev \
                13803)
+++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog	2009-07-31 05:22:35 UTC (rev \
13804) @@ -9,6 +9,9 @@
   - Updated INSTALL doc to remove possible bad system admin typos (#2827153).
   - PHP 5.3 deprecates ereg functions (#2820952).
   - Filters plugin uses badly formatted literals request (#2805201).
+  - Provide option for complete removal of usernames and user IP addresses
+    from message headers, and remove personal data from Message ID seed.
+    (#880029/847107)
 
 Version 1.4.19 - 21 May 2009
 ----------------------------
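Review bot: The new ChangeLog entry says an option is provided but does not name it; an administrator reading only this file cannot tell that it is the constant `hide_squirrelmail_header`, that it has to be defined in config_local.php, or that it is off by default. Suggest naming the constant in the entry and pointing to the warning in Deliver.class.php about losing the ability to trace a message back to its sender.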


-----
squirrelmail-cvs mailing list
List address: squirrelmail-cvs@lists.sourceforge.net
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-cvs
Repository: http://squirrelmail.org/svn

