[Svn] r2002 - trunk/roundcubemail/bin

till till at php.net
Wed Oct 22 19:39:08 CEST 2008


On Wed, Oct 22, 2008 at 7:32 PM, till <till at php.net> wrote:
> On Wed, Oct 22, 2008 at 4:25 PM, Dennis P. Nikolaenko
> <dennis at nikolaenko.ru> wrote:
>> trac at roundcube.net wrote:
>>> Author: till
>>> Date: 2008-10-22 09:18:47 -0500 (Wed, 22 Oct 2008)
>>> New Revision: 2002
>>>
>>> Modified:
>>>    trunk/roundcubemail/bin/quotaimg.php
>>> Log:
>>>  * checking if a user session is active in quotaimg.php
>>>   * this is an expensive operation
>>>   * but it fixes a possible DoS
>>>  * implement max-width and -height for the image (subject to change)
>>>
>>>
>>>
>>> Modified: trunk/roundcubemail/bin/quotaimg.php
>>> ===================================================================
>>> --- trunk/roundcubemail/bin/quotaimg.php      2008-10-22 07:40:04 UTC (rev 2001)
>>> +++ trunk/roundcubemail/bin/quotaimg.php      2008-10-22 14:18:47 UTC (rev 2002)
>>> @@ -18,11 +18,30 @@
>>>
>>>  */
>>>
>>> +// define INSTALL_PATH since it's sort of custom from /bin/quotaimg.php
>>> +define('INSTALL_PATH', str_replace('bin', '', dirname(__FILE__)));
>>> +
>>> +// include environment
>>> +require_once INSTALL_PATH . 'program/include/iniset.php';
>>> +
>>> +// init application and start session with requested task
>>> +$RCMAIL = rcmail::get_instance();
>>> +if (empty($RCMAIL->user->ID)) {
>>> +    die('You are not logged in, there is no need you are allowed to render the quota image.');
>>> +}
>>> +
>>>  $used   = ((isset($_GET['u']) && !empty($_GET['u'])) || $_GET['u']=='0')?(int)$_GET['u']:'??';
>>>  $quota  = ((isset($_GET['q']) && !empty($_GET['q'])) || $_GET['q']=='0')?(int)$_GET['q']:'??';
>>>  $width  = empty($_GET['w']) ? 100 : (int)$_GET['w'];
>>>  $height = empty($_GET['h']) ? 14 : (int)$_GET['h'];
>>>
>>> +// let's apply some sanity
>>> +// @todo Maybe a config option?
>>> +if ($width > 200 || $height > 50) {
>>> +    $width = 100;
>>> +    $height = 14;
>>> +}
>>> +
>>>  /**
>>>   * Quota display
>>>   *
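Review bot: `str_replace('bin', '', dirname(__FILE__))` in the INSTALL_PATH definition strips every occurrence of the substring "bin" from the directory path, not just the trailing bin component, so an install whose path contains "bin" elsewhere (a parent directory such as "cabinet" or a home directory of a user named "robin") yields a wrong INSTALL_PATH and the `require_once` of iniset.php fails; `dirname(dirname(__FILE__)) . '/'` does what the comment intends. The sanity check that follows only bounds the upper end: a negative value such as `w=-5` is not `empty()`, is not `> 200`, and reaches genQuota() unchanged, so add a lower bound as well and clamp width and height independently instead of resetting both when either is out of range, e.g. `if ($width < 1 || $width > 200) $width = 100;` and the same for `$height`. The `die()` text also reads oddly ("there is no need you are allowed to render"); a plain "You are not logged in." paired with a 403 status header tells the caller what happened, and a non-200 status is more useful than a 200 text body for a script whose normal output is an image.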
>>> @@ -180,4 +199,4 @@
>>>
>>>  genQuota($used, $quota, $width, $height);
>>>  exit;
>>> -?>
>>> \ No newline at end of file
>>> +?>
>>>
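Review bot: rather than adding the missing newline after `?>`, drop the closing tag entirely. PHP swallows exactly one newline directly after `?>`, so this hunk is behaviour-neutral, but any further trailing whitespace appended to the file later is sent to the client after the image bytes genQuota() emits and corrupts the rendered quota image; since the script already ends with `exit;`, the tag serves no purpose.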
>
> I didn't discover it. If Stephan wants to do that, he can feel free to.
>
> If it's necessary for "full disclosure", I have no issues with it.
>
> Till
>

I forgot to add this, but I also think we should roll a security release.

@Thomas: If you are available tomorrow, I'd apply my fix to the
branch/tag and do a 0.2.1-beta release. I'd like you to be
around so we can document the process.

Let me know what you think,
Till
http://lists.roundcube.net/mailman/listinfo/svn