
List:       squirrelmail-devel
Subject:    Re: [SM-DEVEL] src/login.php patch for setting username via url
From:       "Tomas Kuliavas" <tokul () users ! sourceforge ! net>
Date:       2006-01-28 9:45:45
Message-ID: 34109.85.206.142.186.1138441545.squirrel () internet ! eik ! lt

> This is a patch for filling username in login page directly from url like
>
>
> http://mail-server/src/login.php?loginname=admin
>
>
> (usable for elementary-level-users, but for me too, because I have 27
> chars in login name;)
>
> This patch also solves problem with formatting plugins text (hook
> login_form; concat_hook_function in table instead of do_hook after table).
>
>
> Daniel Kahoun
>
>
>
> --- src/login.php.orig  2005-12-03 09:32:03.000000000 +0100
> +++ src/login.php       2006-01-27 12:38:23.000000000 +0100
> @@ -55,7 +55,7 @@ header('Pragma: no-cache');
>
>
> do_hook('login_cookie');
>
> -$loginname_value = (sqGetGlobalVar('loginname', $loginname) ?
> htmlspecialchars($loginname) : '');
> +if (!sqGetGlobalVar('loginname', $loginname)) $loginname =
> $_GET['login_username'];
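
Review bot: The added line reads $_GET['login_username'] directly, with no check that the key is set and no escaping, while the removed line passed the value through htmlspecialchars() before assigning $loginname_value; nothing in the visible lines restores that escaping or the $loginname_value assignment. The key also differs from the description above, which puts ?loginname=admin in the URL, so this fallback would not pick up that parameter. Since sqGetGlobalVar('loginname', $loginname) is already being called here, I would drop the $_GET fallback and keep htmlspecialchars() on the result.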

SquirrelMail documentation states that you should not access GET and POST
variables directly. You are trying to access unchecked
$_GET['login_username'] variable. sqGetGlobalVar should retrieve loginname
variable from GET request if third argument is not specified.

Second part of patch was already discussed in stable tracker and plugins
list. Your hook changes break four SquirrelMail plugins.

-- 
Tomas
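
The pattern the reply asks for, as an added example that is not SquirrelMail code and not part of the original message: read the value through one checked accessor, then escape it when it is written into the form. fetch_request_var() and render_login_field() are hypothetical names, the field name is taken from the patch line, and the sample requests are constructed.

```php
<?php
// Added example, not SquirrelMail code. fetch_request_var() is a hypothetical
// stand-in that mirrors the call shape visible in the patch: it fills $value
// by reference and returns true only when the variable was present.
function fetch_request_var(array $request, string $name, &$value): bool
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        $value = '';
        return false;          // absent, or an array such as ?loginname[]=x
    }
    $value = $request[$name];
    return true;
}

// Build the username field. Escaping happens at output time, for the HTML
// attribute context, so a quote in the value cannot close the attribute.
function render_login_field(array $request): string
{
    $loginname_value = fetch_request_var($request, 'loginname', $loginname)
        ? htmlspecialchars($loginname, ENT_QUOTES, 'UTF-8')
        : '';
    // Field name assumed from the patch line; the rest of the form is omitted.
    return '<input type="text" name="login_username" value="'
        . $loginname_value . '" />';
}

// Constructed sample requests (not taken from the thread).
$samples = [
    'plain'   => ['loginname' => 'admin'],
    'markup'  => ['loginname' => '"><b>x</b>'],
    'array'   => ['loginname' => ['a', 'b']],
    'missing' => [],
];
foreach ($samples as $label => $request) {
    echo $label, ': ', render_login_field($request), "\n";
}
```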

