Re: SquirrelMail Sending Under Wrong Username

Joe Pruett <joey@xxxxxxxxxxxx> · Fri, 23 Jan 2009 08:59:06 -0800 (PST)

the problem is mixed up session ids.  i have made a quick patch based on 
the upstream update.  i've attached it.  it is for the c4 version, 
but probably would apply to c5.  apply it with:

cd /usr/share/squirrelmail
patch -p3 < FILE

also, after this sometimes customers will have to clear the SQMSESSID 
cookie from their browser or they won't be able to login.diff -ru /usr/share/squirrelmail/functions/global.php usr/share/squirrelmail/functions/global.php

--- /usr/share/squirrelmail/functions/global.php	2009-01-14 13:40:23.000000000 -0800
+++ usr/share/squirrelmail/functions/global.php	2009-01-21 13:49:14.000000000 -0800
@@ -123,6 +123,10 @@
     ini_set('session.use_cookies','1');
 }
 
+/* Make sure to have $base_uri always initialized to avoid having session
+   cookie set twice (for $base_uri and $base_uri/src. */
+$base_uri = sqm_baseuri();
+
 /* convert old-style superglobals to current method
  * this is executed if you are running PHP 4.0.x.
  * it is run via a require_once directive in validate.php
@@ -379,9 +383,12 @@
 
     global $base_uri;
 
-    if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri);
-    if (isset($_COOKIE['username'])) sqsetcookie('username', '', 0, $base_uri);
-    if (isset($_COOKIE['key'])) sqsetcookie('key', '', 0, $base_uri);
+    if (isset($_COOKIE[session_name()])) {
+        sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri);
+        sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri."src/");
+    }
+    if (isset($_COOKIE['username'])) sqsetcookie('username', '', 1, $base_uri);
+    if (isset($_COOKIE['key'])) sqsetcookie('key', '', 1, $base_uri);
 
     $sessid = session_id();
     if (!empty( $sessid )) {
@@ -428,6 +435,12 @@
     // could be: sq_call_function_suppress_errors('session_start');
     $session_id = session_id();
 
+    // make sure 'deleted' is never a valid session identifier
+    if ($session_id == 'deleted') {
+        session_regenerate_id();
+        $session_id = session_id();
+    }
+
     // session_starts sets the sessionid cookie but without the httponly var
     // setting the cookie again sets the httponly cookie attribute
     //
diff -ru /usr/share/squirrelmail/functions/strings.php usr/share/squirrelmail/functions/strings.php
--- /usr/share/squirrelmail/functions/strings.php	2009-01-14 13:40:25.000000000 -0800
+++ usr/share/squirrelmail/functions/strings.php	2009-01-21 13:49:16.000000000 -0800
@@ -16,7 +16,7 @@
  * SquirrelMail version number -- DO NOT CHANGE
  */
 global $version;
-$version = '1.4.8-5.el4.centos.2';
+$version = '1.4.8-5.3';
 
 /**
  * SquirrelMail internal version number -- DO NOT CHANGE
Binary files /usr/share/squirrelmail/images/sm_logo.png and usr/share/squirrelmail/images/sm_logo.png differ
Only in /usr/share/squirrelmail/plugins: abook_import_export
Only in /usr/share/squirrelmail/plugins: address_add
Only in /usr/share/squirrelmail/plugins: change_pass
Only in /usr/share/squirrelmail/plugins: gpg
Only in /usr/share/squirrelmail/plugins: vacation_local
Only in /usr/share/squirrelmail/plugins: vacation_spire
Only in /usr/share/squirrelmail/plugins: virtualtable
diff -ru /usr/share/squirrelmail/src/redirect.php usr/share/squirrelmail/src/redirect.php
--- /usr/share/squirrelmail/src/redirect.php	2009-01-14 13:40:23.000000000 -0800
+++ usr/share/squirrelmail/src/redirect.php	2009-01-21 13:49:14.000000000 -0800
@@ -71,6 +71,9 @@
 if (!sqsession_is_registered('user_is_logged_in')) {
     do_hook ('login_before');
 
+    // make sure to regenerate session id upon user login
+    session_regenerate_id();
+
     $onetimepad = OneTimePadCreate(strlen($secretkey));
     $key = OneTimePadEncrypt($secretkey, $onetimepad);
     sqsession_register($onetimepad, 'onetimepad');
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




