On Wed, Mar 27, 2013 at 5:47 PM, Sergey Sidlyarenko roundcube@lefoyer.ru wrote:
This patch https://github.com/roundcube/roundcubemail/commit/0fcb2b139bf0c50dec3b828984... is not secure because it only limits reading files by the extensions php, ini, conf and the folder /etc. Reading /usr/local/etc, logs and other files is allowed (if the hosting does not limit open_basedir).
This isn't the main patch but only an additional sanity check. I'm well aware that this check isn't bulletproof, but it covers the worst cases in the local Roundcube directory. And on shared hosting environments, open_basedir is mostly installed, which would then avoid system-wide access.
The more important fix is to avoid overwriting arbitrary user prefs. This is fixed in https://github.com/roundcube/roundcubemail/commit/648fcf5709
~Thomas
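To make the difference between the two positions above concrete, here is an added example (not Roundcube's code and not from either commit): a denylist in the spirit of the sanity check, beside an allowlist that confines reads to one base directory via realpath(), the same idea open_basedir applies process-wide. The temporary "skins" layout and file names are constructed for the demo.

```php
<?php
// Added example, not Roundcube's code: contrasts the extension/'/etc' denylist
// discussed in the thread with an allowlist that confines reads to one base dir.

// Denylist in the spirit of the sanity check: block php/ini/conf and /etc.
function denylist_allows(string $path): bool {
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'ini', 'conf'], true)
        && strpos($path, '/etc/') !== 0;
}

// Allowlist: resolve symlinks and '..' with realpath(), then require the
// result to sit under $base. open_basedir applies the same idea process-wide.
function allowlist_allows(string $path, string $base): bool {
    $realBase = realpath($base);
    $real = realpath($path);
    if ($realBase === false || $real === false) {
        return false; // nonexistent file or base: deny by default
    }
    return strpos($real, rtrim($realBase, '/') . '/') === 0;
}

// Constructed fixture: a temporary "skins" base with one file inside it,
// plus one file outside it (hypothetical layout, not Roundcube's).
$base = sys_get_temp_dir() . '/rc_demo_' . getmypid();
mkdir("$base/skins", 0700, true);
file_put_contents("$base/skins/logo.png", 'png');
file_put_contents("$base/notes.log", 'log');

$samples = [
    "$base/skins/logo.png",       // inside the allowed base
    "$base/notes.log",            // outside the base, but not denylisted
    "$base/skins/../notes.log",   // traversal out of the base
    '/etc/hostname',              // hit by the denylist (may not exist here)
];
foreach ($samples as $p) {
    printf("%-60s denylist:%-5s allowlist:%s\n", $p,
        denylist_allows($p) ? 'allow' : 'deny',
        allowlist_allows($p, "$base/skins") ? 'allow' : 'deny');
}

// Cleanup of the fixture.
unlink("$base/skins/logo.png"); unlink("$base/notes.log");
rmdir("$base/skins"); rmdir($base);
```

The second and third samples show the gap the thread describes: the denylist allows them, the base-directory check denies both.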