>> 2 plugins no longer work for me after installing squirrelmail-1.4.8,
>> twc_weather and abook_group are failing. After some investigation I
>> noticed the twc_weather plugin is choking on accessing the $version of
>> squirrelmail being run (global $version). Upon looking at the Changelog
>> of the 1.4.8 release I came across:
>>
>> - Improved register_globals=on handling code in order to prevent
>>   possible variable corruption. This also effectively rules out
>>   future attack vectors that require register_globals to be on.
>>
>> Anyone running these plugins or other plugins and notice them no
>> longer working with 1.4.8? Is there a new way to access global
>> variables within squirrelmail? What does the improved handling code
>> do?
>>
>> My setup:
>> courier-imap-3.0.8
>> php-common-4.4.2
>> apache-module-php-4.4.2
>> apache-1.3.31
>> Solaris 9
>> squirrelmail-1.4.8
>> Too many plugins to list (~40)
>>
>> Note: I have not verified the abook_group plugin is a result of the
>> global variable issue I am asking about, from the php error logs I
>> can't tell whether it's the global variable problem or not.
>
> If you suspect that plugins are affected by global sanitizing code - turn
> off globals. Updated code places restrictions on the way files must be
> loaded in register_globals = on setups. Rule is pretty simple - don't set
> any variables before functions/global.php or include/validate.php is
> loaded. If variables are set before loading global.php, code does it in
> environment that can't be trusted.
>
> Code is not active, if you have register_globals turned off.
>
> twc_weather 1.3p2 can be affected by code changes.

Turning register_globals off did indeed fix the weather plugin.

>
> abook_group 0.50 should not be affected. include calls are not optimal,
> but they should not destroy loaded variables.

This plugin was NOT broken as a result of the improved register_globals=on
handling code. After perusing the mailing lists again I found that it was
broken b/c we enabled ldap addressbook lookups and the abook_group-0.50 code
does not take into account this remote backend. I added a 3 line hack to
fix it until I get around to testing the latest abook_group-0.51rc1, which
supposedly fixes this issue.

Thanks Tomas.

>
> --
> Tomas