> 2 plugins no longer work for me after installing squirrelmail-1.4.8, > twc_weather and abook_group are failing. After some investigation I > noticed the twc_weather plugin is choking on accessing the $version of > squirrelmail being run (global $version). Upon looking at the Changelog > of the 1.4.8 release I came across: > > - Improved register_globals=on handling code in order to prevent > possible variable corruption. This also effectively rules out > future attack vectors that require register_globals to be on. > > Anyone running these plugins or other plugins and notice them no > longer working with 1.4.8? Is there a new way to access global > variables within squirrelmail? What does the improved handling code > do? > > My setup: > courier-imap-3.0.8 > php-common-4.4.2 > apache-module-php-4.4.2 > apache-1.3.31 > Solaris 9 > squirrelmail-1.4.8 > Too many plugins to list (~40) > > Note: I have not verified the abook_group plugin is a result of the > global variable issue I am asking about, from the php error logs I > can't tell whether its the global variable problem or not. If you suspect that plugins are affected by global sanitizing code - turn off globals. updated code places restrictions on the way files must be loaded in register_globals = on setups. Rule is pretty simple - don't set any variables before functions/global.php or include/validate.php is loaded. If variables are set before loading global.php, code does it in environment that can't be trusted. Code is not active, if you have register_globals turned off. twc_weather 1.3p2 can be affected by code changes. abook_group 0.50 should not be affected. include calls are not optimal, but they should not destroy loaded variables. -- Tomas ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 -- squirrelmail-users mailing list Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995 List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
