Changeset 79742f0 in github

Timestamp:

May 24, 2012 3:07:56 PM (12 months ago)

Author:

Thomas B. <thomas@…>

Branches:

master, HEAD, dev-browser-capabilities, pdo

Children:

c083969

Parents:

4a5c1f5 (diff), b332e79 (diff)
Note: this is a merge changeset, the changes displayed below correspond to the merge itself.
Use the (diff) links above to see all the changes relative to each parent.

Message:

Merge pull request #7 from raoulbhatia/master

improve .htaccess security rules

Files:

• .htaccess (modified) (1 diff)
• plugins/hide_blockquote/hide_blockquote.js (modified) (1 diff)
• plugins/hide_blockquote/skins/default/style.css (modified) (1 diff)
• plugins/password/config.inc.php.dist (modified) (1 diff)
• plugins/password/drivers/virtualmin.php (modified) (1 diff)
• program/include/rcmail.php (modified) (1 diff)
• program/include/rcube_imap_cache.php (modified) (2 diffs)
• program/include/rcube_imap_generic.php (modified) (1 diff)
• program/include/rcube_session.php (modified) (11 diffs)

.htaccess

@@ -31 +31 @@
 RewriteRule ^favicon\.ico$ skins/default/images/favicon.ico
 # security rules
-RewriteRule .git/ - [F]
-RewriteRule ^README|INSTALL|LICENSE|SQL|bin|CHANGELOG$ - [F]
+RewriteRule .git - [F]
+RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|SQL|bin|CHANGELOG)$ - [F]
 </IfModule>
 

plugins/hide_blockquote/hide_blockquote.js

@@ -25 +25 @@
       .text(res[0]);
 
-    link = $('<span class="blockquote-link">')
+    link = $('<span class="blockquote-link"></span>')
       .css({position: 'absolute', 'z-Index': 2})
       .text(rcmail.gettext('hide_blockquote.show'))

plugins/hide_blockquote/skins/default/style.css

@@ -18 +18 @@
   border-bottom-right-radius: 6px;
   border-bottom-left-radius: 6px;
-  background: #fff;
+  background: #f8f8f8;
   background: -moz-linear-gradient(top, #f8f8f8 0%, #e8e8e8 100%);
   background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#f8f8f8), color-stop(100%,#e8e8e8));

plugins/password/config.inc.php.dist

@@ -309 +309 @@
 // 6: username_domain
 // 7: domain_username
-$rcmail_config['password_virtualmin_format'] = 0;
+// 8: username@domain; mbox.username
+$rcmail_config['password_virtualmin_format'] = 8;
 
 

plugins/password/drivers/virtualmin.php

@@ -49 +49 @@
             $domain = $pieces[0];
             break;
+                case 8: // domain taken from alias, username left as it was
+                        $email = $rcmail->user->data['alias'];
+                        $domain = substr(strrchr($email, "@"), 1);
+                        break
         default: // username@domain
             $domain = substr(strrchr($username, "@"), 1);

program/include/rcmail.php

@@ -2011 +2011 @@
     }
 
+    public function imap_init()
+    {
+        return $this->storage_init();
+    }
+
     /**
      * Connect to the mail storage server with stored session data

program/include/rcube_imap_cache.php

@@ -312 +312 @@
             $result[$uid] = $this->build_message($sql_arr);
 
-            // save memory, we don't need message body here (?)
-            $result[$uid]->body = null;
-
             if (!empty($result[$uid])) {
+                // save memory, we don't need message body here (?)
+                $result[$uid]->body = null;
+
                 unset($msgs[$uid]);
             }
@@ -1147 +1147 @@
     }
 }
+
+// for backward compat.
+class rcube_mail_header extends rcube_message_header { }

program/include/rcube_imap_generic.php

@@ -26 +26 @@
  +-----------------------------------------------------------------------+
 */
-
-// for backward compat.
-class rcube_mail_header extends rcube_message_header { }
 
 

program/include/rcube_session.php

@@ -38 +38 @@
   private $gc_handlers = array();
   private $cookiename = 'roundcube_sessauth';
-  private $vars = false;
+  private $vars;
   private $key;
   private $now;
@@ -135 +135 @@
       $this->key     = $key;
 
-      if (!empty($this->vars))
-        return $this->vars;
-    }
-
-    return false;
+      return !empty($this->vars) ? (string) $this->vars : '';
+    }
+
+    return null;
   }
 
@@ -158 +157 @@
     // no session row in DB (db_read() returns false)
     if (!$this->key) {
-      $oldvars = false;
+      $oldvars = null;
     }
     // use internal data from read() for fast requests (up to 0.5 sec.)
@@ -168 +167 @@
     }
 
-    if ($oldvars !== false) {
+    if ($oldvars !== null) {
       $newvars = $this->_fixvars($vars, $oldvars);
 
@@ -198 +197 @@
   private function _fixvars($vars, $oldvars)
   {
-    if ($oldvars !== false) {
+    if ($oldvars !== null) {
       $a_oldvars = $this->unserialize($oldvars);
       if (is_array($a_oldvars)) {
@@ -266 +265 @@
       $this->key     = $key;
 
-      if (!empty($this->vars))
-        return $this->vars;
-    }
-
-    return false;
-  }
+      return !empty($this->vars) ? (string) $this->vars : '';
+    }
+
+    return null;
+  }
+
 
   /**
@@ -287 +286 @@
     // no session data in cache (mc_read() returns false)
     if (!$this->key)
-      $oldvars = false;
+      $oldvars = null;
     // use internal data for fast requests (up to 0.5 sec.)
     else if ($key == $this->key && (!$this->vars || $ts - $this->start < 0.5))
@@ -294 +293 @@
       $oldvars = $this->mc_read($key);
 
-    $newvars = $oldvars !== false ? $this->_fixvars($vars, $oldvars) : $vars;
-    
+    $newvars = $oldvars !== null ? $this->_fixvars($vars, $oldvars) : $vars;
+
     if ($newvars !== $oldvars || $ts - $this->changed > $this->lifetime / 2)
       return $this->memcache->set($key, serialize(array('changed' => time(), 'ip' => $this->ip, 'vars' => $newvars)), MEMCACHE_COMPRESSED, $this->lifetime);
-    
-    return true;
-  }
+
+    return true;
+  }
+
 
   /**
@@ -351 +351 @@
     session_regenerate_id($destroy);
 
-    $this->vars = false;
+    $this->vars = null;
     $this->key  = session_id();
 
@@ -374 +374 @@
     return true;
   }
-  
+
+
   /**
    * Kill this session
@@ -380 +381 @@
   public function kill()
   {
-    $this->vars = false;
+    $this->vars = null;
     $this->ip = $_SERVER['REMOTE_ADDR']; // update IP (might have changed)
     $this->destroy(session_id());