SF.net SVN: postfixadmin:[862] trunk
From: <chr...@us...> - 2010-09-11 21:48:32
Revision: 862 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=862&view=rev Author: christian_boltz Date: 2010-09-11 21:48:26 +0000 (Sat, 11 Sep 2010) Log Message: ----------- merged all fixes from the 2.3 branch into trunk (r847-860) (see CHANGELOG.TXT changes for details.) - r847 and the CHANGELOG.TXT entries for 2.3.1 were left from the 2.3.1 release - all other changes merged in this commit are the diff between 2.3.1 and 2.3.2 Modified Paths: -------------- trunk/CHANGELOG.TXT trunk/css/default.css trunk/debian/changelog trunk/debian/control trunk/delete.php trunk/functions.inc.php trunk/list-domain.php trunk/list-virtual.php trunk/login.php trunk/templates/login.tpl trunk/users/edit-alias.php Property Changed: ---------------- trunk/ trunk/debian/apache.conf trunk/debian/postfixadmin.docs Property changes on: trunk ___________________________________________________________________ Added: svn:mergeinfo + /branches/postfixadmin-2.3:847,849-860 Modified: trunk/CHANGELOG.TXT =================================================================== --- trunk/CHANGELOG.TXT 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/CHANGELOG.TXT 2010-09-11 21:48:26 UTC (rev 862) @@ -10,7 +10,6 @@ # Last update: # $Id$ - Version ***svn*** - 2009/12/26 - SVN r*** ----------------------------------- 
@@ -19,11 +18,66 @@ - add ability to choose activation date for vacation message in user module - merge search functionality into list-virtual.php -Version ***svn 2.3 branch*** - 2009/12/26 - SVN r*** ------------------------------------ +Version 2.3.2 - 2010/08/24 - SVN r860 (postfixadmin-2.3 branch) +--------------------------------------------------------------- -*** see 2.3 branch CHANGELOG.TXT, will be added here after 2.3.1 release *** + - SUMMARY: PostfixAdmin 2.3.2 is a bugfix-only release for Postfix Admin 2.3.1 + - SECURITY: attackers could find out if a admin exists (login pre-filled the + username after "only" a wrong password was entered) + - SECURITY: fix sql injection in list-domain (only exploitable by superadmins) + - alias targets in users/edit-alias are now validated + - invalid alias targets in users/edit-alias are shown to the user again + instead of dropping them + - fix dovecot:* password encryption (was broken in 2.3.1) + - fix displaying used quota for dovecot <= 1.1 (was broken in 2.3.1) + - when deleting a domain that is an alias domain (on the "from" side), the + alias domain is deleted +Version 2.3.1 - 2010/07/09 - SVN r847 (postfixadmin-2.3 branch) +--------------------------------------------------------------- + + - SUMMARY: PostfixAdmin 2.3.1 is a bugfix-only release for Postfix Admin 2.3. + The only visible change is displaying the alias target for mailboxes which + was a longstanding issue/"missing feature". + The ADDITIONS directory contains some new scripts. + - SECURITY: users could bypass checking the old password when changing the + password by entering a too short new password. Fortunately only + "exploitable" by authentificated users. 
+ - merge in changes to /debain (thanks normes) from trunk + - display alias targets for mailboxes (if $CONF['special_alias_control'] = YES) + - add hook for custom maildir path generation + - add import_users_from_csv.py script (by Simone Piccardi) + - add mailbox_post* scripts for cyrus + - handle dovecot passwords without any tempfile (prevents safe_mode issues) + - fix MySQL 6.0 compatibility + - fix quota display (for dovecot >= 1.2) + - fix short open tags ("<?") + - translation updates and fixes + - documentation updates and fixes + - document commandline parameters for $CONF[*_script] options in config.inc.php + - list-virtual: added error message if the check_owner query returns more + than one result (can happen with pre-2.3 databases and prevents access for + superadmins) + - add in_array() check to avoid that superadmins can enter invalid domains + - fix delete link for alias domains (when on target domain) + - delete values from quota and quota2 table when deleting a mailbox + - fix hardcoded table names in list-domain.php + - fixed edit-alias.php not to drop alias to the mailbox if + special_alias_control = NO + - fix alias handling for mailboxes (special_alias_control vs. + alias_control_admin confusion) + - fix typo in upgrade.php that broke index creation and deletion when using + non-default table names + - fix creating 'ALL' domain (dummy for superadmins) when using non-default + table names + - fix: db_query did not return number of SELECTed rows if query starts with + with whitespace + - check for $CONF['encrypt'] = 'dovecot:md5-crypt' (postfixadmin login not + working because dovecotpw uses a new salt each time), recommend + internal md5crypt instead + - replaced terribly outdated, broken squirrelmail plugin with a fresh version. + Note: The new plugin version requires the Zend framework. + Version 2.3 - 2009/10/24 - SVN r739 ----------------------------------- 
@@ -99,8 +153,8 @@ - added support for domain aliases (from lenix) (can be disabled with $CONF['alias_domain']) Important: If you update from a previous version, you'll have to adapt your postfix - configuration (see DOCUMENTS/POSTFIX_CONF.txt) - or just disable alias domain support, - your postfix configuration will continue to work + configuration (see DOCUMENTS/POSTFIX_CONF.txt) - or just disable alias domain support, + your postfix configuration will continue to work - updated postfix example configuration for domain aliases and to use the new mysql map format - vacation.pl: - add option for re-notification after definable timeout (patch from Luxten) Modified: trunk/css/default.css =================================================================== --- trunk/css/default.css 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/css/default.css 2010-09-11 21:48:26 UTC (rev 862) @@ -36,7 +36,7 @@ font-size: 11px; } -.button:hover { +.button:hover, .button:focus { background: #BCFF36; color: #888888; } Property changes on: trunk/debian/apache.conf ___________________________________________________________________ Deleted: svn:mergeinfo - Modified: trunk/debian/changelog =================================================================== --- trunk/debian/changelog 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/debian/changelog 2010-09-11 21:48:26 UTC (rev 862) 
@@ -1,3 +1,16 @@ +postfixadmin (2.3.2) unstable; urgency=low + + * New upstream release + + -- David Goodwin <dav...@pa...> Mon, 23 Aug 2010 11:24:00 +0100 + +postfixadmin (2.3.1) unstable; urgency=low + + * New upstream release + * Updated .deb standards (thanks normes) + + -- David Goodwin <dav...@pa...> Thu, 08 Jul 2010 22:20:14 +0100 + postfixadmin (2.3) unstable; urgency=low * Initial release (Closes: #247225) Modified: trunk/debian/control =================================================================== --- trunk/debian/control 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/debian/control 2010-09-11 21:48:26 UTC (rev 862) @@ -9,7 +9,7 @@ Package: postfixadmin Architecture: all -Depends: debconf (>= 0.5), dbconfig-common, wwwconfig-common, apache2 | lighttpd, libapache2-mod-php5 | php5-cgi | php5, php5-imap, php5-mysql | php5-pgsql, mysql-client | postgresql-client, ${misc:Depends} +Depends: debconf (>= 0.5), dbconfig-common, wwwconfig-common, apache2 | lighttpd | httpd, libapache2-mod-php5 | php5-cgi | php5, php5-imap, php5-mysql | php5-pgsql, mysql-client | postgresql-client, ${misc:Depends} Recommends: postfix-mysql | postfix-pgsql, mysql-server | postgresql-server Suggests: squirrelmail-postfixadmin, dovecot-common | courier-authlib-mysql | courier-authlib-postgresql Description: Virtual mail hosting interface for Postfix Property changes on: trunk/debian/postfixadmin.docs ___________________________________________________________________ Deleted: svn:mergeinfo - Modified: trunk/delete.php =================================================================== --- trunk/delete.php 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/delete.php 2010-09-11 21:48:26 UTC (rev 862) 
@@ -68,6 +68,7 @@ $result_domain_admins = db_delete ($table_domain_admins,$fWhere,$fDelete); $result_alias = db_delete ($table_alias,$fWhere,$fDelete); $result_mailbox = db_delete ($table_mailbox,$fWhere,$fDelete); + $result_alias_domain = db_delete($table_alias_domain,'alias_domain',$fDelete); $result_log = db_delete ($table_log,$fWhere,$fDelete); if ($CONF['vacation'] == "YES") { Modified: trunk/functions.inc.php =================================================================== --- trunk/functions.inc.php 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/functions.inc.php 2010-09-11 21:48:26 UTC (rev 862) @@ -450,7 +450,8 @@ //while loop to figure index names. use page_size and loop of queries $i=0; $current=0; - $page_size = $CONF['page_size']; + $page_size = (int) $CONF['page_size']; + if ($page_size < 1) die ("\$CONF['page_size'] = '$page_size' is invalid (it may only contain digits and must be >= 1)"); $tmpstr=""; $idxlabel=""; $list['alias_pgindex_count'] = 0; Modified: trunk/list-domain.php =================================================================== --- trunk/list-domain.php 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/list-domain.php 2010-09-11 21:48:26 UTC (rev 862) @@ -32,7 +32,7 @@ //if (authentication_has_role('admin')) { $list_admins = list_admins (); $is_superadmin = 1; - $fUsername = safepost('fUsername', safeget('username')); # prefer POST over GET variable + $fUsername = escape_string(safepost('fUsername', safeget('username'))); # prefer POST over GET variable if ($fUsername != "") $admin_properties = get_admin_properties($fUsername); } else { $list_admins = array(authentication_get_username()); Modified: trunk/list-virtual.php =================================================================== --- trunk/list-virtual.php 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/list-virtual.php 2010-09-11 21:48:26 UTC (rev 862) 
@@ -196,7 +196,7 @@ # mailboxes # -$display_mailbox_aliases = boolconf('special_alias_control'); # TODO: is this condition correct? - I'm slightly confused with alias_control, alias_control_admin and special_alias_control +$display_mailbox_aliases = boolconf('alias_control_admin'); # build the sql query $sql_select = " SELECT $table_mailbox.* "; @@ -234,7 +234,7 @@ if (boolconf('used_quotas') && ( ! boolconf('new_quota_table') ) ) { $sql_select .= ", $table_quota.current "; $sql_join .= " LEFT JOIN $table_quota ON $table_mailbox.username=$table_quota.username "; - $sql_where .= " ( $table_quota.path='quota/storage' OR $table_quota.path IS NULL ) "; + $sql_where .= " AND ( $table_quota.path='quota/storage' OR $table_quota.path IS NULL ) "; } $query = "$sql_select\n$sql_from\n$sql_join\n$sql_where\n$sql_order\n$sql_limit"; Modified: trunk/login.php =================================================================== --- trunk/login.php 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/login.php 2010-09-11 21:48:26 UTC (rev 862) @@ -19,7 +19,6 @@ * Template Variables: * * tMessage - * tUsername * * Form POST \ GET Variables: * @@ -67,7 +66,6 @@ { $error = 1; $tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>'; - $tUsername = $fUsername; } } else @@ -96,7 +94,6 @@ exit(0); } - $smarty->assign ('tUsername', $tUsername); $smarty->assign ('tMessage', $tMessage, false); $smarty->assign ('smarty_template', 'login'); Modified: trunk/templates/login.tpl =================================================================== --- trunk/templates/login.tpl 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/templates/login.tpl 2010-09-11 21:48:26 UTC (rev 862) 
@@ -6,7 +6,7 @@ </tr> <tr> <td>{$PALANG.pLogin_username}:</td> - <td><input class="flat" type="text" name="fUsername" value="{$tUsername}" /></td> + <td><input class="flat" type="text" name="fUsername" /></td> </tr> <tr> <td>{$PALANG.pLogin_password}:</td> Modified: trunk/users/edit-alias.php =================================================================== --- trunk/users/edit-alias.php 2010-08-24 20:36:23 UTC (rev 861) +++ trunk/users/edit-alias.php 2010-09-11 21:48:26 UTC (rev 862) @@ -79,14 +79,17 @@ $goto = explode(",",$goto); + $error = 0; $goto = array_merge(array_unique($goto)); $good_goto = array(); + if($fForward_and_store == 'NO' && sizeof($goto) == 1 && $goto[0] == '') { $tMessage = $PALANG['pEdit_alias_goto_text_error1']; $error += 1; } if($error === 0) { foreach($goto as $address) { + if ($address != "") { # $goto[] may contain a "" element if(!check_email($address)) { $error += 1; $tMessage = $PALANG['pEdit_alias_goto_text_error2'] . " $address</font>"; @@ -94,8 +97,8 @@ else { $good_goto[] = $address; } + } } - $goto = $good_goto; } if ($error == 0) { @@ -103,7 +106,7 @@ if($fForward_and_store == "YES" ) { $flags = 'forward_and_store'; } - $updated = $ah->update($goto, $flags); + $updated = $ah->update($good_goto, $flags); if($updated) { header ("Location: main.php"); exit; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
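Review bot: a few typos in the new CHANGELOG.TXT entries (hunk @@ -19,11 +18,66 @@): "a admin exists" should read "an admin exists", "authentificated users" should be "authenticated users", "changes to /debain" should be "/debian", and "if query starts with with whitespace" repeats "with". Worth fixing before these entries are copied into the release notes.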
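Review bot: in the delete.php hunk the result of the new `db_delete($table_alias_domain,'alias_domain',$fDelete)` is stored in `$result_alias_domain`, but unlike the neighbouring `$result_*` variables nothing in the hunk shows it being checked, so a failed delete of the alias_domain row would go unnoticed. The call also removes only rows whose `alias_domain` column matches; if rows where the deleted domain is the target are intentionally left alone (as the CHANGELOG wording "on the "from" side" suggests), a one-line comment saying so would save the next reader a trip to the changelog.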
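Review bot: the functions.inc.php hunk casts `$CONF['page_size']` with `(int)` before the `< 1` check, so a value such as `'10abc'` silently becomes 10 and passes, while the die() message still claims the value "may only contain digits". Either validate the raw value first (for example `ctype_digit((string)$CONF['page_size'])`) or reword the message to match what is actually enforced. Calling `die()` from a shared helper also makes the failure impossible for callers to handle; the project's normal error reporting would be preferable.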
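Review bot: the list-domain.php hunk applies `escape_string()` to `$fUsername` at input time, which closes the reported SQL injection but leaves an escaped string in the variable for every later use, including `get_admin_properties($fUsername)` and any output to the template. Escaping belongs next to the query that embeds the value (inside `get_admin_properties()` or wherever `$fUsername` is concatenated into SQL), with HTML escaping applied separately on output; otherwise a username containing a quote is displayed with backslashes, and a second escape_string() on the same value would double-escape it.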
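Review bot: in the list-virtual.php hunks, the `AND` added to `$sql_where` fixes a malformed WHERE clause but relies on `$sql_where` already holding a non-empty condition at that point; a comment stating that invariant next to the append would stop the opposite bug from reappearing. Replacing the TODO with `boolconf('alias_control_admin')` drops the open question about alias_control vs. special_alias_control without recording the answer; a short comment explaining why `alias_control_admin` is the governing flag here would help.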
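Review bot: the login.php hunks and the login.tpl hunk consistently drop `tUsername` (docblock, assignment and template), so a failed login no longer echoes the entered username back into the form. Since the intent is to stop revealing whether an admin exists, it is worth confirming that `$PALANG['pLogin_failed']` is the message returned for both an unknown username and a wrong password; the visible hunk shows only one of the two branches.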
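Review bot: in the users/edit-alias.php hunk, the error branch builds `$tMessage = $PALANG['pEdit_alias_goto_text_error2'] . " $address</font>";`, interpolating a user-supplied address that just failed check_email() straight into HTML, with a stray closing `</font>`. Pass it through htmlentities() before concatenating and drop the orphan tag; otherwise the "show invalid targets to the user again" behaviour reflects unescaped input. Initialising `$error = 0` and passing `$good_goto` to `$ah->update()` look right; the mix of `$error === 0` and `$error == 0` is harmless now but worth making consistent.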