On Wed, Mar 27, 2013 at 5:47 PM, Sergey Sidlyarenko
<[email protected]> wrote:
> This patch
> https://github.com/roundcube/roundcubemail/commit/0fcb2b139bf0c50dec3b82898434f203c21d847f
> is not secure, because it only limits reading files by the extensions php, ini, conf and the folder
> /etc. Reading /usr/local/etc, logs and other files is still allowed (if the hosting does not limit
> open_basedir).

This isn't the main patch but only an additional sanity check. I'm
well aware that this check isn't bulletproof but it covers the worst
cases in the local Roundcube directory. And on shared hosting
environments, open_basedir is mostly installed which would then avoid
system-wide access.

The more important fix is to avoid overwriting arbitrary user prefs.
This is fixed in
https://github.com/roundcube/roundcubemail/commit/648fcf5709

~Thomas
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
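The point of the exchange above (an extension/folder denylist is a sanity check, not a boundary) as an added illustration that is not Roundcube's code or either commit; RCUBE_BASE and the probe paths are constructed for the example:

```php
<?php
// Added example, not code from Roundcube or the commits quoted above.
// RCUBE_BASE is an assumed, hypothetical install directory.
const RCUBE_BASE = '/var/www/roundcube';

// Denylist in the spirit of the quoted sanity check: refuse .php/.ini/.conf
// and anything under /etc, allow everything else.
function denylist_check(string $path): bool {
    if (strncmp($path, '/etc/', 5) === 0) {
        return false;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'ini', 'conf'], true);
}

// Lexically normalise an absolute path: drop '' and '.' segments, resolve '..'.
// realpath() would also follow symlinks, but requires the file to exist.
function normalize_path(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Allowlist: accept only paths that resolve to inside the application directory.
// The trailing slash on $base stops '/var/www/roundcubemail' matching as a prefix.
function allowlist_check(string $path, string $base = RCUBE_BASE): bool {
    $base = rtrim(normalize_path($base), '/') . '/';
    return strncmp(normalize_path($path) . '/', $base, strlen($base)) === 0;
}

// Constructed probe paths: the middle two pass the denylist yet sit outside
// the application directory, which is exactly the gap discussed above.
$probes = [
    '/var/www/roundcube/skins/larry/templates/mail.html', // legitimate
    '/usr/local/etc/app.cfg',                              // passes denylist
    '/var/log/apache2/access.log',                         // passes denylist
    '/var/www/roundcube/../../../etc/hostname',            // '..' escapes base
];
foreach ($probes as $p) {
    printf("%-52s denylist=%-5s allowlist=%s\n", $p,
        denylist_check($p) ? 'allow' : 'deny',
        allowlist_check($p) ? 'allow' : 'deny');
}
```

open_basedir remains the PHP-level backstop on shared hosting; the allowlist check is what the application itself can enforce regardless of that setting.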
