Hello all,
I have two short suggestions regarding include-files:
IMHO the include files (in program/include/ e.g.) should have an ".inc.php" ending to avoid calling them directly in the browser. Since those are not config files it might not be a big security problem, but it might still be possible to identify the Roundcube version or other "sensitive" data by having a look at them.
Another idea for those files is to disable access completely:
The files that are allowed to be called in the browser should have a simple define at the beginning:
<?php define('ROUNDCUBE', true); ?>
The include files, etc. can now check for this define and handle it somehow - e.g.:
<?php if (!defined('ROUNDCUBE')) exit('You are not allowed to call this file directly.'); ?>
Another solution could be a redirect to the index page using header()?
Balu
PS: I know, coding-style is a very picky topic and of course personal preference, but is there any chance to make you switch to the PEAR coding standards regarding indents, brackets, ...? :-) -> http://pear.php.net/manual/en/standards.php
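An added example, not part of the message above or of the Roundcube code: a small audit script that walks an include directory and reports files that lack the defined() guard, test a constant other than the one the entry points define, or carry a name not ending in ".php". The regular expression, the issue labels and the sample files are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches the guard form from the post: if (!defined('NAME')) exit(...) / die(...)
GUARD_RE = re.compile(
    r"if\s*\(\s*!\s*defined\s*\(\s*['\"](\w+)['\"]\s*\)\s*\)\s*\{?\s*(?:exit|die)\b",
    re.IGNORECASE,
)

def audit_includes(root, guard_name="ROUNDCUBE", head_chars=512):
    """Map each include file under root to the list of problems found."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not path.name.endswith((".inc", ".php")):
            continue
        issues = []
        if not path.name.endswith(".php"):
            # A name the server does not hand to PHP is usually sent as source text.
            issues.append("not-php-suffix")
        # The guard only helps if it runs before anything else, so check the head.
        head = path.read_text(encoding="utf-8", errors="replace")[:head_chars]
        match = GUARD_RE.search(head)
        if match is None:
            issues.append("no-guard")
        elif match.group(1) != guard_name:
            # Guard tests a constant the entry point never defines.
            issues.append("wrong-constant:" + match.group(1))
        if issues:
            findings[path.relative_to(root).as_posix()] = issues
    return findings

def build_sample_tree(root):
    """Constructed sample files, not taken from the Roundcube source."""
    inc = Path(root) / "program" / "include"
    inc.mkdir(parents=True)
    guard = "<?php if (!defined('%s')) exit('No direct access.'); ?>\n"
    (inc / "good.inc.php").write_text(guard % "ROUNDCUBE" + "<?php function a() {} ?>\n")
    (inc / "main.inc").write_text("<?php function b() {} ?>\n")
    (inc / "mismatch.inc.php").write_text(guard % "APPLICATION")
    return inc

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, issues in audit_includes(build_sample_tree(tmp)).items():
            print(name, issues)
```

Point it at the include directory only; entry-point files that define the constant have no guard by design and would be reported.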