Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo


#802 Whole src directory deleted when deleted

Compose (426)

I accidently added a non-existant attachment to a
message while composing by clicking the Add button
instead of Browse. No sweat, or so I thought. I
selected the blank attachment and clicked "Delete
selected attachment". I then got an error page and
subsequent efforts to get into SquirrelMail failed with a
404 trying to access src\login.php. When I checked on
my web server, the src directory was history. Not there,
zero , zilch, nada, gone!

So, I restored src from the zip. I confirmed that
everything was working fine and repeated the steps
above with the same results. I am running SquirrelMail
on IIS on a W2k server using php 4.2.1.


  • Jason Munro
    Jason Munro

    Logged In: YES

    I saw a copy of your message forwarded to the development
    list. I tested this out on a debian unstable box and instead
    of adding an emtpy attachment it gave me the apropriate
    error "could not copy/attach file" so this must be a
    windows/IIS specific problem.


  • Logged In: YES

    More important: you have permissions for your files set
    incorrectly: there could be a bug in squirrelmail but
    standard security measures prevent the effect you've seen:
    *your web server should NEVER be able to write or delete
    files/directories it doesn't have to!*
    If you have the right permissions, the only thing that could
    happen when deleting a non-existant attachment, would be
    receiving some kind of error message. Deleting your whole
    src directory should never be physically possible by the

  • Logged In: NO

    It might be Windows, but it aint IIS...

    I'm running W2K server, Apache 1.3.26, PHP 4.2.2 and I get
    the same error...

    Also, if I attach a large file >3M i get the same error.
    The attachment get listed as "filname - application/octet-
    stream (0 k)" and the SRC directory is deleted.
    I can however add more than 3M of smaller files, so if I ad 15
    300K files that would be OK.

    Same problem with both Squrrelmail 1.2.7 and 1.3.1


  • Logged In: NO

    An extra note....

    Once the empty attachment _or_ too large attachment have
    been added, the SRC directory is gone.... it has nothing to do
    with clicking the "Delete" button.


  • Logged In: NO

    I did some more checking and Kink are correct !!!

    It all has to do with the crappy security settings in Windows.
    Once I've set the general permissions to read/execute only
    and opened up the "data" directory for modification it worked
    just fine....

    Adding an non-existing attachment gives the proper
    errormessage, and a larger attachment gives a PHP-timeout
    (the 30 secs).


    • assigned_to: nobody --> kink
    • status: open --> closed-fixed
  • Logged In: YES

    Some code was trying to move the src directory into the
    attachment dir if a user pressed Add Attachment when no file
    was selected. Under Windows with bad file permissions, this
    resulted in the src directory actually being moved. This is
    now fixed.