
List:       squirrelmail-cvs
Subject:    [SM-CVS] SF.net SVN: squirrelmail:[13820]
From:       pdontthink () users ! sourceforge ! net
Date:       2009-08-12 8:32:10
Message-ID: E1Mb9Fi-0000oj-Bf () d5vjzd1 ! ch3 ! sourceforge ! com

Revision: 13820
          http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13820&view=rev
Author:   pdontthink
Date:     2009-08-12 08:32:10 +0000 (Wed, 12 Aug 2009)

Log Message:
-----------
Add controls for page referral verification and security token system to the \
configuration tool

Modified Paths:
--------------
    branches/SM-1_4-STABLE/squirrelmail/config/conf.pl

Modified: branches/SM-1_4-STABLE/squirrelmail/config/conf.pl
===================================================================
--- branches/SM-1_4-STABLE/squirrelmail/config/conf.pl	2009-08-12 08:30:59 UTC (rev \
                13819)
+++ branches/SM-1_4-STABLE/squirrelmail/config/conf.pl	2009-08-12 08:32:10 UTC (rev 13820)
@@ -346,16 +346,20 @@
 }
 
 # Added in 1.4.11
-$smtp_sitewide_user = ''				if ( !$smtp_sitewide_user );
-$smtp_sitewide_pass = ''				if ( !$smtp_sitewide_pass );
+$smtp_sitewide_user = ''                if ( !$smtp_sitewide_user );
+$smtp_sitewide_pass = ''                if ( !$smtp_sitewide_pass );
 
 # Added in 1.4.9
 $abook_global_file_listing = 'true'     if ( !$abook_global_file_listing );
 $abook_file_line_length = 2048          if ( !$abook_file_line_length );
 
 # Added in 1.4.16
-$only_secure_cookies = 'true'     if ( !$only_secure_cookies );
+$only_secure_cookies = 'true'           if ( !$only_secure_cookies );
 
+# Added in 1.4.20RC1
+$disable_security_tokens = 'false'      if ( !$disable_security_tokens );
+$check_referrer = ''                    if ( !$check_referrer );
+
 if ( $ARGV[0] eq '--install-plugin' ) {
     print "Activating plugin " . $ARGV[1] . "\n";
     if ( -d "../plugins/" . $ARGV[1]) {
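Review bot: The two new defaults carry security meaning that a reader of this block cannot see: `''` for $check_referrer leaves referrer checking off, and `'false'` for $disable_security_tokens keeps the form tokens on, according to the prompts added later in this same commit. A one-line comment next to them would make the safe-by-default intent explicit: `# Secure defaults: security tokens enabled, referrer check off until a domain is configured`. Note also that the `if ( !$x )` guard resets any value Perl considers false, which is harmless for these two values but is the pattern to watch if a '0' ever becomes a legitimate setting.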
@@ -549,6 +553,8 @@
         print "14. PHP session name             : $WHT$session_name$NRM\n";
         print "15. Location base                : $WHT$config_location_base$NRM\n";
         print "16. Only secure cookies if poss. : $WHT$only_secure_cookies$NRM\n";
+        print "17. Disable secure forms         : $WHT$disable_security_tokens$NRM\n";
+        print "18. Page referal requirement     : $WHT$check_referrer$NRM\n";
 print "\n";
         print "R   Return to Main Menu\n";
     } elsif ( $menu == 5 ) {
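Review bot: The new menu line 18 spells the option "referal" (the same spelling recurs in the command318 prompts added further down), and the label "Disable secure forms" for option 17 does not use the name an admin will later see in config.php, $disable_security_tokens, so the menu and the written config are harder to match up. Suggested labels, keeping the existing column alignment: `print "17. Disable security tokens      : $WHT$disable_security_tokens$NRM\n";` and `print "18. Page referrer requirement    : $WHT$check_referrer$NRM\n";`. Since $check_referrer is a string, an empty value displays as nothing at all on this line; printing a placeholder such as "(off)" when it is empty would tell the admin the check is disabled rather than merely unset.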
@@ -766,6 +772,8 @@
             elsif ( $command == 14 ) { $session_name             = command314(); }
             elsif ( $command == 15 ) { $config_location_base     = \
                command_config_location_base(); }
             elsif ( $command == 16 ) { $only_secure_cookies      = command316(); }
+            elsif ( $command == 17 ) { $disable_security_tokens  = command317(); }
+            elsif ( $command == 18 ) { $check_referrer           = command318(); }
         } elsif ( $menu == 5 ) {
             if ( $command == 1 ) { command41(); }
             elsif ( $command == 2 ) { $theme_css = command42(); }
@@ -2455,6 +2463,63 @@
 
 
 
+# disable_security_tokens (since 1.4.20RC1)
+sub command317 {
+    print "This option allows you to turn off the security checks in the forms\n";
+    print "that SquirrelMail generates.  It is NOT RECOMMENDED that you disable\n";
+    print "this feature - otherwise, your users may be exposed to phishing and\n";
+    print "other attacks.\n";
+    print "Unless you know what you are doing, you should leave this set to \"NO\".\n";
+    print "\n";
+
+    if ( lc($disable_security_tokens) eq 'true' ) {
+        $default_value = "y";
+    } else {
+        $default_value = "n";
+    }
+    print "Disable secure forms? (y/n) [$WHT$default_value$NRM]: $WHT";
+    $disable_security_tokens = <STDIN>;
+    if ( ( $disable_security_tokens =~ /^y\n/i ) || ( ( $disable_security_tokens =~ /^\n/ ) && ( $default_value eq "y" ) ) ) {
+        $disable_security_tokens = 'true';
+    } else {
+        $disable_security_tokens = 'false';
+    }
+    return $disable_security_tokens;
+}
+
+
+
+# check_referrer (since 1.4.20RC1)
+sub command318 {
+    print "This option allows you to enable referal checks for all page requests\n";
+    print "made to SquirrelMail.  This can help ensure that page requests came\n";
+    print "from the same server and not from an attacker's site (usually the\n";
+    print "result of a XSS or phishing attack).  To enable referal checking,\n";
+    print "this setting can be set to the domain where your SquirrelMail is\n";
+    print "being hosted (usually the same as the Domain setting under Server\n";
+    print "Settings).  For example, it could be \"example.com\", or if you\n";
+    print "use a plugin (such as Login Manager) to host SquirrelMail on more\n";
+    print "than one domain, you can set this to \"###DOMAIN###\" to tell it\n";
+    print "to use the current domain.\n";
+    print "\n";
+    print "However, in some cases (where proxy servers are in use, etc.), the\n";
+    print "domain might be different.\n";
+    print "\n";
+    print "NOTE that referal checks are not foolproof - they can be spoofed by\n";
+    print "browsers, and some browsers intentionally don't send referal\n";
+    print "information (in which case, the check is silently bypassed)\n";
+    print "\n";
+
+    print "Referal requirement? [$WHT$check_referrer$NRM]: $WHT";
+    $new_check_referrer = <STDIN>;
+    chomp($new_check_referrer);
+    $check_referrer = $new_check_referrer;
+
+    return $check_referrer;
+}
+
+
+
 ####################################################################################
 #### THEMES ####
 sub command41 {
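Review bot: command318 stores whatever is typed for $check_referrer without any validation (the `chomp`/assign lines at the end of the sub), and the last hunk on this page shows that value being written into config.php inside single quotes, so a stray `'` or `\` in the input produces a config.php that no longer parses or that means something other than what was typed. The prompt text itself documents only two valid shapes, a host name such as `example.com` or the literal `###DOMAIN###` (plus empty to leave checks off), so the input can be checked against exactly that before it is stored, as below; widen the pattern if the PHP side accepts more, but keep quote and backslash out. In command317 the description blames "phishing and other attacks", while the mechanism described (tokens in generated forms, rejecting requests the site did not originate) is presumably cross-site request forgery protection, so naming CSRF in the prompt would tell an admin what they are actually turning off. The `/^y\n/i` test in command317 also means input without a trailing newline (EOF) or a full "yes" silently selects 'false'; that is the safe direction here, but a comment would avoid surprise: `# anything other than a lone 'y' keeps the tokens enabled`.
```perl
    chomp($new_check_referrer);
    # Only a host name, the literal ###DOMAIN### token, or empty (checks off)
    # is meaningful here, and the value is later emitted inside single quotes
    # in config.php, so reject anything else rather than corrupt that file.
    if ( $new_check_referrer =~ /^(?:###DOMAIN###|[A-Za-z0-9.-]*)$/ ) {
        $check_referrer = $new_check_referrer;
    } else {
        print "Invalid value; must be a domain name, \"###DOMAIN###\" or empty.  Not changed.\n";
    }

    return $check_referrer;
```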
@@ -3502,10 +3567,14 @@
         print CF "\$session_name = '$session_name';\n";
 
     # boolean
-        print CF "\$only_secure_cookies   = $only_secure_cookies;\n";
+        print CF "\$only_secure_cookies     = $only_secure_cookies;\n";
+        print CF "\$disable_security_tokens = $disable_security_tokens;\n";
 
+    # string
+        print CF "\$check_referrer          = '$check_referrer';\n";
+
         print CF "\n";
-        print CF "\$config_location_base     = '$config_location_base';\n";
+        print CF "\$config_location_base    = '$config_location_base';\n";
 
         print CF "\n";
         print CF "\@include SM_PATH . 'config/config_local.php';\n";



