List: squirrelmail-cvs
Subject: [SM-CVS] SF.net SVN: squirrelmail:[13819]
From: pdontthink () users ! sourceforge ! net
Date: 2009-08-12 8:30:59
Message-ID: E1Mb9EZ-0000n9-VQ () d5vjzd1 ! ch3 ! sourceforge ! com
Revision: 13819
http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13819&view=rev
Author: pdontthink
Date: 2009-08-12 08:30:59 +0000 (Wed, 12 Aug 2009)
Log Message:
-----------
Add controls for page referral verification and security token system to the configuration tool
Modified Paths:
--------------
trunk/squirrelmail/config/conf.pl
Modified: trunk/squirrelmail/config/conf.pl
===================================================================
--- trunk/squirrelmail/config/conf.pl 2009-08-12 08:29:53 UTC (rev 13818)
+++ trunk/squirrelmail/config/conf.pl 2009-08-12 08:30:59 UTC (rev 13819)
@@ -491,6 +491,8 @@
$disable_plugins = 'false' if ( !$disable_plugins );
$disable_plugins_user = '' if ( !$disable_plugins_user );
$only_secure_cookies = 'true' if ( !$only_secure_cookies );
+$disable_security_tokens = 'false' if ( !$disable_security_tokens );
+$check_referrer = '' if ( !$check_referrer );
$ask_user_info = 'true' if ( !$ask_user_info );
if ( $ARGV[0] eq '--install-plugin' ) {
@@ -720,6 +722,8 @@
print "15. Time zone configuration : $WHT$time_zone_type$NRM\n";
print "16. Location base : $WHT$config_location_base$NRM\n";
print "17. Only secure cookies if poss. : $WHT$only_secure_cookies$NRM\n";
+ print "18. Disable secure forms : \
$WHT$disable_security_tokens$NRM\n"; + print "19. Page referal requirement \
: $WHT$check_referrer$NRM\n"; print "\n";
print "R Return to Main Menu\n";
} elsif ( $menu == 5 ) {
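Review bot: the label on menu item 18, "Disable secure forms", does not match the name used everywhere else for this option (`$disable_security_tokens`, and "security token system" in the log message), so an admin reading the menu cannot easily connect it to the setting in config.php. Consider "Disable security tokens" here, and spell "referal" as "referral" in item 19 since both strings are user-visible.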
@@ -994,6 +998,8 @@
elsif ( $command == 15 ) { $time_zone_type = command318(); }
elsif ( $command == 16 ) { $config_location_base = \
command_config_location_base(); }
elsif ( $command == 17 ) { $only_secure_cookies = command319(); }
+ elsif ( $command == 18 ) { $disable_security_tokens = command320(); }
+ elsif ( $command == 19 ) { $check_referrer = command321(); }
} elsif ( $menu == 5 ) {
if ( $command == 1 ) { $use_icons = commandB3(); }
# elsif ( $command == 3 ) { $icon_theme_def = command53(); }
@@ -2770,6 +2776,63 @@
}
+# disable_security_tokens (since 1.5.2)
+sub command320 {
+ print "This option allows you to turn off the security checks in the forms\n";
+ print "that SquirrelMail generates. It is NOT RECOMMENDED that you disable\n";
+ print "this feature - otherwise, your users may be exposed to phishing and\n";
+ print "other attacks.\n";
+ print "Unless you know what you are doing, you should leave this set to \
\"NO\".\n"; + print "\n";
+
+ if ( lc($disable_security_tokens) eq 'true' ) {
+ $default_value = "y";
+ } else {
+ $default_value = "n";
+ }
+ print "Disable secure forms? (y/n) [$WHT$default_value$NRM]: $WHT";
+ $disable_security_tokens = <STDIN>;
+ if ( ( $disable_security_tokens =~ /^y\n/i ) || ( ( $disable_security_tokens =~ \
/^\n/ ) && ( $default_value eq "y" ) ) ) { + $disable_security_tokens = \
'true'; + } else {
+ $disable_security_tokens = 'false';
+ }
+ return $disable_security_tokens;
+}
+
+
+
+# check_referrer (since 1.1.5.2)
+sub command321 {
+ print "This option allows you to enable referal checks for all page requests\n";
+ print "made to SquirrelMail. This can help ensure that page requests came\n";
+ print "from the same server and not from an attacker's site (usually the\n";
+ print "result of a XSS or phishing attack). To enable referal checking,\n";
+ print "this setting can be set to the domain where your SquirrelMail is\n";
+ print "being hosted (usually the same as the Domain setting under Server\n";
+ print "Settings). For example, it could be \"example.com\", or if you\n";
+ print "use a plugin (such as Login Manager) to host SquirrelMail on more\n";
+ print "than one domain, you can set this to \"###DOMAIN###\" to tell it\n";
+ print "to use the current domain.\n";
+ print "\n";
+ print "However, in some cases (where proxy servers are in use, etc.), the\n";
+ print "domain might be different.\n";
+ print "\n";
+ print "NOTE that referal checks are not foolproof - they can be spoofed by\n";
+ print "browsers, and some browsers intentionally don't send referal\n";
+ print "information (in which case, the check is silently bypassed)\n";
+ print "\n";
+
+ print "Referal requirement? [$WHT$check_referrer$NRM]: $WHT";
+ $new_check_referrer = <STDIN>;
+ chomp($new_check_referrer);
+ $check_referrer = $new_check_referrer;
+
+ return $check_referrer;
+}
+
+
+
sub command_userThemes {
print "\nDefine the user themes that you wish to use. If you have added\n";
print "a theme of your own, just follow the instructions (?) about\n";
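Review bot: in command321, pressing Enter at the "Referal requirement?" prompt replaces the current value with an empty string, although the prompt shows the current value in brackets the same way command320 shows a default that Enter accepts. Since an empty `$check_referrer` is the initial default, an admin who walks through the menu and accepts the shown value would end up clearing the setting without notice. Keep the existing value when the chomped input is empty and offer an explicit way to clear it. The input is also stored with no validation beyond `chomp`, so a check that it looks like a host name or the ###DOMAIN### placeholder would fit here. Smaller points: the comment says "since 1.1.5.2" where command320 says "since 1.5.2", and "referal" should be "referral" in the help text.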
@@ -5090,8 +5153,12 @@
# string
print CF "\$session_name = '$session_name';\n";
# boolean
- print CF "\$only_secure_cookies = $only_secure_cookies;\n";
+ print CF "\$only_secure_cookies = $only_secure_cookies;\n";
+ print CF "\$disable_security_tokens = $disable_security_tokens;\n";
+ # string
+ print CF "\$check_referrer = '$check_referrer';\n";
+
print CF "\n";
# boolean
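Review bot: the line `print CF "\$check_referrer = '$check_referrer';\n";` writes the value typed in command321 into config.php inside single quotes with no escaping, and command321 only chomps its input, so a value containing a single quote or backslash produces a malformed or altered PHP config file. Escape `\` and `'` before writing, or restrict the accepted input in command321. `$disable_security_tokens` is written as a bare PHP token, which is fine while command320 constrains it to 'true' or 'false', but a comment stating that assumption would help whoever edits this later.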