SF.net SVN: postfixadmin:[862] trunk
Brought to you by:
christian_boltz,
gingerdog
Menu
▾
▴
SF.net SVN: postfixadmin:[862] trunk
|
From: <chr...@us...> - 2010-09-11 21:48:32
|
Revision: 862
http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=862&view=rev
Author: christian_boltz
Date: 2010-09-11 21:48:26 +0000 (Sat, 11 Sep 2010)
Log Message:
-----------
merged all fixes from the 2.3 branch into trunk (r847-860)
(see CHANGELOG.TXT changes for details.)
- r847 and the CHANGELOG.TXT entries for 2.3.1 were left from the 2.3.1 release
- all other changes merged in this commit are the diff between 2.3.1 and 2.3.2
Modified Paths:
--------------
trunk/CHANGELOG.TXT
trunk/css/default.css
trunk/debian/changelog
trunk/debian/control
trunk/delete.php
trunk/functions.inc.php
trunk/list-domain.php
trunk/list-virtual.php
trunk/login.php
trunk/templates/login.tpl
trunk/users/edit-alias.php
Property Changed:
----------------
trunk/
trunk/debian/apache.conf
trunk/debian/postfixadmin.docs
Property changes on: trunk
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/postfixadmin-2.3:847,849-860
Modified: trunk/CHANGELOG.TXT
===================================================================
--- trunk/CHANGELOG.TXT 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/CHANGELOG.TXT 2010-09-11 21:48:26 UTC (rev 862)
@@ -10,7 +10,6 @@
# Last update:
# $Id$
-
Version ***svn*** - 2009/12/26 - SVN r***
-----------------------------------
@@ -19,11 +18,66 @@
- add ability to choose activation date for vacation message in user module
- merge search functionality into list-virtual.php
-Version ***svn 2.3 branch*** - 2009/12/26 - SVN r***
------------------------------------
+Version 2.3.2 - 2010/08/24 - SVN r860 (postfixadmin-2.3 branch)
+---------------------------------------------------------------
-*** see 2.3 branch CHANGELOG.TXT, will be added here after 2.3.1 release ***
+ - SUMMARY: PostfixAdmin 2.3.2 is a bugfix-only release for Postfix Admin 2.3.1
+ - SECURITY: attackers could find out if a admin exists (login pre-filled the
+ username after "only" a wrong password was entered)
+ - SECURITY: fix sql injection in list-domain (only exploitable by superadmins)
+ - alias targets in users/edit-alias are now validated
+ - invalid alias targets in users/edit-alias are shown to the user again
+ instead of dropping them
+ - fix dovecot:* password encryption (was broken in 2.3.1)
+ - fix displaying used quota for dovecot <= 1.1 (was broken in 2.3.1)
+ - when deleting a domain that is an alias domain (on the "from" side), the
+ alias domain is deleted
+Version 2.3.1 - 2010/07/09 - SVN r847 (postfixadmin-2.3 branch)
+---------------------------------------------------------------
+
+ - SUMMARY: PostfixAdmin 2.3.1 is a bugfix-only release for Postfix Admin 2.3.
+ The only visible change is displaying the alias target for mailboxes which
+ was a longstanding issue/"missing feature".
+ The ADDITIONS directory contains some new scripts.
+ - SECURITY: users could bypass checking the old password when changing the
+ password by entering a too short new password. Fortunately only
+ "exploitable" by authentificated users.
+ - merge in changes to /debain (thanks normes) from trunk
+ - display alias targets for mailboxes (if $CONF['special_alias_control'] = YES)
+ - add hook for custom maildir path generation
+ - add import_users_from_csv.py script (by Simone Piccardi)
+ - add mailbox_post* scripts for cyrus
+ - handle dovecot passwords without any tempfile (prevents safe_mode issues)
+ - fix MySQL 6.0 compatibility
+ - fix quota display (for dovecot >= 1.2)
+ - fix short open tags ("<?")
+ - translation updates and fixes
+ - documentation updates and fixes
+ - document commandline parameters for $CONF[*_script] options in config.inc.php
+ - list-virtual: added error message if the check_owner query returns more
+ than one result (can happen with pre-2.3 databases and prevents access for
+ superadmins)
+ - add in_array() check to avoid that superadmins can enter invalid domains
+ - fix delete link for alias domains (when on target domain)
+ - delete values from quota and quota2 table when deleting a mailbox
+ - fix hardcoded table names in list-domain.php
+ - fixed edit-alias.php not to drop alias to the mailbox if
+ special_alias_control = NO
+ - fix alias handling for mailboxes (special_alias_control vs.
+ alias_control_admin confusion)
+ - fix typo in upgrade.php that broke index creation and deletion when using
+ non-default table names
+ - fix creating 'ALL' domain (dummy for superadmins) when using non-default
+ table names
+ - fix: db_query did not return number of SELECTed rows if query starts with
+ with whitespace
+ - check for $CONF['encrypt'] = 'dovecot:md5-crypt' (postfixadmin login not
+ working because dovecotpw uses a new salt each time), recommend
+ internal md5crypt instead
+ - replaced terribly outdated, broken squirrelmail plugin with a fresh version.
+ Note: The new plugin version requires the Zend framework.
+
Version 2.3 - 2009/10/24 - SVN r739
-----------------------------------
@@ -99,8 +153,8 @@
- added support for domain aliases (from lenix) (can be disabled with $CONF['alias_domain'])
Important: If you update from a previous version, you'll have to adapt your postfix
- configuration (see DOCUMENTS/POSTFIX_CONF.txt) - or just disable alias domain support,
- your postfix configuration will continue to work
+ configuration (see DOCUMENTS/POSTFIX_CONF.txt) - or just disable alias domain support,
+ your postfix configuration will continue to work
- updated postfix example configuration for domain aliases and to use the new mysql map format
- vacation.pl:
- add option for re-notification after definable timeout (patch from Luxten)
Modified: trunk/css/default.css
===================================================================
--- trunk/css/default.css 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/css/default.css 2010-09-11 21:48:26 UTC (rev 862)
@@ -36,7 +36,7 @@
font-size: 11px;
}
-.button:hover {
+.button:hover, .button:focus {
background: #BCFF36;
color: #888888;
}
Property changes on: trunk/debian/apache.conf
___________________________________________________________________
Deleted: svn:mergeinfo
-
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/debian/changelog 2010-09-11 21:48:26 UTC (rev 862)
@@ -1,3 +1,16 @@
+postfixadmin (2.3.2) unstable; urgency=low
+
+ * New upstream release
+
+ -- David Goodwin <dav...@pa...> Mon, 23 Aug 2010 11:24:00 +0100
+
+postfixadmin (2.3.1) unstable; urgency=low
+
+ * New upstream release
+ * Updated .deb standards (thanks normes)
+
+ -- David Goodwin <dav...@pa...> Thu, 08 Jul 2010 22:20:14 +0100
+
postfixadmin (2.3) unstable; urgency=low
* Initial release (Closes: #247225)
Modified: trunk/debian/control
===================================================================
--- trunk/debian/control 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/debian/control 2010-09-11 21:48:26 UTC (rev 862)
@@ -9,7 +9,7 @@
Package: postfixadmin
Architecture: all
-Depends: debconf (>= 0.5), dbconfig-common, wwwconfig-common, apache2 | lighttpd, libapache2-mod-php5 | php5-cgi | php5, php5-imap, php5-mysql | php5-pgsql, mysql-client | postgresql-client, ${misc:Depends}
+Depends: debconf (>= 0.5), dbconfig-common, wwwconfig-common, apache2 | lighttpd | httpd, libapache2-mod-php5 | php5-cgi | php5, php5-imap, php5-mysql | php5-pgsql, mysql-client | postgresql-client, ${misc:Depends}
Recommends: postfix-mysql | postfix-pgsql, mysql-server | postgresql-server
Suggests: squirrelmail-postfixadmin, dovecot-common | courier-authlib-mysql | courier-authlib-postgresql
Description: Virtual mail hosting interface for Postfix
Property changes on: trunk/debian/postfixadmin.docs
___________________________________________________________________
Deleted: svn:mergeinfo
-
Modified: trunk/delete.php
===================================================================
--- trunk/delete.php 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/delete.php 2010-09-11 21:48:26 UTC (rev 862)
@@ -68,6 +68,7 @@
$result_domain_admins = db_delete ($table_domain_admins,$fWhere,$fDelete);
$result_alias = db_delete ($table_alias,$fWhere,$fDelete);
$result_mailbox = db_delete ($table_mailbox,$fWhere,$fDelete);
+ $result_alias_domain = db_delete($table_alias_domain,'alias_domain',$fDelete);
$result_log = db_delete ($table_log,$fWhere,$fDelete);
if ($CONF['vacation'] == "YES")
{
Modified: trunk/functions.inc.php
===================================================================
--- trunk/functions.inc.php 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/functions.inc.php 2010-09-11 21:48:26 UTC (rev 862)
@@ -450,7 +450,8 @@
//while loop to figure index names. use page_size and loop of queries
$i=0;
$current=0;
- $page_size = $CONF['page_size'];
+ $page_size = (int) $CONF['page_size'];
+ if ($page_size < 1) die ("\$CONF['page_size'] = '$page_size' is invalid (it may only contain digits and must be >= 1)");
$tmpstr="";
$idxlabel="";
$list['alias_pgindex_count'] = 0;
Modified: trunk/list-domain.php
===================================================================
--- trunk/list-domain.php 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/list-domain.php 2010-09-11 21:48:26 UTC (rev 862)
@@ -32,7 +32,7 @@
//if (authentication_has_role('admin')) {
$list_admins = list_admins ();
$is_superadmin = 1;
- $fUsername = safepost('fUsername', safeget('username')); # prefer POST over GET variable
+ $fUsername = escape_string(safepost('fUsername', safeget('username'))); # prefer POST over GET variable
if ($fUsername != "") $admin_properties = get_admin_properties($fUsername);
} else {
$list_admins = array(authentication_get_username());
Modified: trunk/list-virtual.php
===================================================================
--- trunk/list-virtual.php 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/list-virtual.php 2010-09-11 21:48:26 UTC (rev 862)
@@ -196,7 +196,7 @@
# mailboxes
#
-$display_mailbox_aliases = boolconf('special_alias_control'); # TODO: is this condition correct? - I'm slightly confused with alias_control, alias_control_admin and special_alias_control
+$display_mailbox_aliases = boolconf('alias_control_admin');
# build the sql query
$sql_select = " SELECT $table_mailbox.* ";
@@ -234,7 +234,7 @@
if (boolconf('used_quotas') && ( ! boolconf('new_quota_table') ) ) {
$sql_select .= ", $table_quota.current ";
$sql_join .= " LEFT JOIN $table_quota ON $table_mailbox.username=$table_quota.username ";
- $sql_where .= " ( $table_quota.path='quota/storage' OR $table_quota.path IS NULL ) ";
+ $sql_where .= " AND ( $table_quota.path='quota/storage' OR $table_quota.path IS NULL ) ";
}
$query = "$sql_select\n$sql_from\n$sql_join\n$sql_where\n$sql_order\n$sql_limit";
Modified: trunk/login.php
===================================================================
--- trunk/login.php 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/login.php 2010-09-11 21:48:26 UTC (rev 862)
@@ -19,7 +19,6 @@
* Template Variables:
*
* tMessage
- * tUsername
*
* Form POST \ GET Variables:
*
@@ -67,7 +66,6 @@
{
$error = 1;
$tMessage = '<span class="error_msg">' . $PALANG['pLogin_failed'] . '</span>';
- $tUsername = $fUsername;
}
}
else
@@ -96,7 +94,6 @@
exit(0);
}
- $smarty->assign ('tUsername', $tUsername);
$smarty->assign ('tMessage', $tMessage, false);
$smarty->assign ('smarty_template', 'login');
Modified: trunk/templates/login.tpl
===================================================================
--- trunk/templates/login.tpl 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/templates/login.tpl 2010-09-11 21:48:26 UTC (rev 862)
@@ -6,7 +6,7 @@
</tr>
<tr>
<td>{$PALANG.pLogin_username}:</td>
- <td><input class="flat" type="text" name="fUsername" value="{$tUsername}" /></td>
+ <td><input class="flat" type="text" name="fUsername" /></td>
</tr>
<tr>
<td>{$PALANG.pLogin_password}:</td>
Modified: trunk/users/edit-alias.php
===================================================================
--- trunk/users/edit-alias.php 2010-08-24 20:36:23 UTC (rev 861)
+++ trunk/users/edit-alias.php 2010-09-11 21:48:26 UTC (rev 862)
@@ -79,14 +79,17 @@
$goto = explode(",",$goto);
+ $error = 0;
$goto = array_merge(array_unique($goto));
$good_goto = array();
+
if($fForward_and_store == 'NO' && sizeof($goto) == 1 && $goto[0] == '') {
$tMessage = $PALANG['pEdit_alias_goto_text_error1'];
$error += 1;
}
if($error === 0) {
foreach($goto as $address) {
+ if ($address != "") { # $goto[] may contain a "" element
if(!check_email($address)) {
$error += 1;
$tMessage = $PALANG['pEdit_alias_goto_text_error2'] . " $address</font>";
@@ -94,8 +97,8 @@
else {
$good_goto[] = $address;
}
+ }
}
- $goto = $good_goto;
}
if ($error == 0) {
@@ -103,7 +106,7 @@
if($fForward_and_store == "YES" ) {
$flags = 'forward_and_store';
}
- $updated = $ah->update($goto, $flags);
+ $updated = $ah->update($good_goto, $flags);
if($updated) {
header ("Location: main.php");
exit;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|