http://trac.roundcube.net/trac.cgi/ticket/1484254
This should get immediate attention.
~Mik
Michael Bueker wrote:
http://trac.roundcube.net/trac.cgi/ticket/1484254
This should get immediate attention.
Proposed fix added to the ticket.
The only thing I'm not sure about is charset conversions. I have no experience with those. Are special charset thingies used in mailbox names?
Robin
On 2/16/07, Robin Elfrink elfrink@introweb.nl wrote:
Michael Bueker wrote:
http://trac.roundcube.net/trac.cgi/ticket/1484254
This should get immediate attention.
Proposed fix added to the ticket.
The only thing I'm not sure about is charset conversions. I have no experience with those. Are special charset thingies used in mailbox names?
Maybe? We *should* probably test and see what happens when.
I also added a comment to the ticket.
Till Klampaeckel e: mailto:klimpong@gmail.com p: +491704018676 l: http://beta.plazes.com/whereis/till
Want to know what's up in Berlin?
2007/2/16, till klimpong@gmail.com:
On 2/16/07, Robin Elfrink elfrink@introweb.nl wrote:
The only thing I'm not sure about is charset conversions. I have no experience with those. Are special charset thingies used in mailbox names?
Maybe? We *should* probably test and see what happens when.
The mbox parameter should only contain UTF-7 representations of the mailboxes. We don't need to care about charset conversion here. if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GET)) should fix this issue.
~Thomas
Thomas Bruederli wrote:
The mbox parameter should only contain UTF-7 representations of the mailboxes. We don't need to care about charset conversion here. if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GET)) should fix this issue.
OK, committed.
I really need to get me some reading material regarding character sets. Or set up a Linux box to talk German to me and learn the hard way :)
Robin
On Feb 16, 2007, at 8:34 AM, Robin Elfrink wrote:
OK, committed.
and the Trac page was updated --
02/16/07 08:39:13: Modified by robin
* status changed from new to closed.
* resolution set to fixed.
Fixed in SVN revision 482.
Was the fix incorporated into the "roundcube_webmail_0.1-beta2.2.tar.gz"
file in the downloads section ?
That way, new users won't have to patch the vulnerability right from
the first install.
Should there be a "roundcube_webmail_0.1-beta2.3.tar.gz" download
with the fix instead ?
Also, the "latest" nightly SVN at http://sourceforge.net/project/showfiles.php?group_id=139281 is from January, so I assume the fix isn't there ?
Shouldn't a new SVN snapshot be pushed out with the fix ? Besides the "Unofficial" one at <http://www.flosoft.biz/roundcube/roundcube-rev495.tar.gz> ?
I think it is great that the last two vulnerabilities were patched
very quickly. However, it seems most of the developers assume that
all users check out the latest SVN every day and run that in
production. Fixing a vulnerability in SVN is a great first step, but
letting your users know the update exists ( no mention about this in
the "News" on the home page ) and providing at least one way to get
at the fix without checking out SVN is prudent, IMHO.
I realize that the priority development focus of RoundCube is to move
toward 1.0 ( or even beta3 ), but I think project developers should
be a bit more attentive to getting vulnerabilities fixed for all user
installs, not just bleeding edge SVN users.
Thanks,
Charles Dostale System Admin - Silver Oaks Communications http://www.silveroaks.com/ 824 17th Street, Moline IL 61265
On Feb 16, 2007, at 8:34 AM, Robin Elfrink wrote:
Thomas Bruederli wrote:
The mbox parameter should only contain UTF-7 representations of the mailboxes. We don't need to care about charset conversion here. if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GET)) should fix this issue.
OK, committed.
While manually making the change to my install, I noticed that the
committed change was
if ($mbox = get_input_value('_mbox', RCUBE_INPUT_GPC))
instead of the recommended change as above.
Which is correct ?
( file ID is $Id: func.inc 483 2007-02-16 19:35:03Z thomasb $ )
Charles Dostale System Admin - Silver Oaks Communications http://www.silveroaks.com/ 824 17th Street, Moline IL 61265