From: Thijs K. <ki...@sq...> - 2005-12-02 13:14:40

On Sun, 2005-10-09 at 20:59 -0500, Jonathan Angliss wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On Sun, October 9, 2005 12:33, Tomas Kuliavas wrote:
>
> > attached two patches for SquirrelMail 1.4.6cvs.
> >
> > configtest-rgon.diff - adds php register_globals check to configuration
> > test utility and causes error when globals are on. Some SquirrelMail
> > security and variable corruption issues can be reproduced only in rg=on.
> >
> > html_decode.diff - adds character set conversion to html attachments.
>
> Look good to me. Don't see any reason to hold them off.

I've got one objection to the first: it causes a hard error when rg=1 in
configtest. Shouldn't this be a warning? We've advertised nowhere that
people are *required* to turn off register_globals, and the configtest
failing on something that isn't required doesn't seem right.

I do think we could require such a thing at some point (and e.g. announce
that no official security support is given for issues that are only valid
with rg=1), but that should be announced clearly and well documented.

Conclusion: I'll downgrade it to a warning, is that ok?

Thijs
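The kind of register_globals check the thread is arguing about, as an added example that is not code from SquirrelMail's configtest.php or from anyone in this thread. It reads the directive with ini_get(), normalises the string forms PHP hands back, and lets the caller choose between the hard error Tomas's patch produces and the warning Thijs proposes. It also shows, with a constructed request array and extract() standing in for the interpreter, why the check exists at all. Every function name here is this example's own.

```php
<?php
// Added example: a configtest-style register_globals check with selectable
// severity. Not SquirrelMail code; all names below are invented for the demo.

// ini_get() returns directive values as strings ("1", "", "On", "Off", ...)
// and returns false when the directive does not exist at all (PHP >= 5.4
// removed register_globals entirely). Normalise all of that to a boolean.
function ini_flag_enabled($value)
{
    if ($value === false || $value === null) {
        return false;
    }
    $v = strtolower(trim((string) $value));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

// Returns a list of findings, each array(level, message). $fatal decides
// whether register_globals=On is reported as 'error' or as 'warning'.
function check_register_globals($ini_value, $fatal)
{
    $findings = array();
    if (ini_flag_enabled($ini_value)) {
        $findings[] = array(
            $fatal ? 'error' : 'warning',
            'register_globals is On. Request parameters are injected into '
            . 'the global scope; turn it off (php.ini: register_globals = Off, '
            . 'or .htaccess: php_flag register_globals off).'
        );
    }
    return $findings;
}

// Print findings the way a configtest page would; returns true when any
// finding is an error, so the caller can abort the rest of the test.
function report_findings($findings)
{
    $abort = false;
    foreach ($findings as $f) {
        list($level, $msg) = $f;
        echo strtoupper($level) . ': ' . $msg . "\n";
        if ($level === 'error') {
            $abort = true;
        }
    }
    return $abort;
}

// Why the check exists: with register_globals=On, PHP effectively runs
// extract() over the request before the script starts, so any variable the
// script forgets to initialise can be seeded from the URL. extract() below
// stands in for that interpreter behaviour; the request array is constructed.
function demo_uninitialised_variable($request, $register_globals_on)
{
    if ($register_globals_on) {
        extract($request);  // what register_globals would have done already
    }
    // Buggy pattern: $authenticated is only ever set on the success path.
    if (isset($request['password']) && $request['password'] === 'correct horse') {
        $authenticated = true;
    }
    return (isset($authenticated) && $authenticated) ? 'granted' : 'denied';
}

// Live check against the running interpreter, reported as a warning.
if (report_findings(check_register_globals(ini_get('register_globals'), false))) {
    echo "Configuration test aborted.\n";
}

// Same check with the value forced on: once as a warning, once as an error.
report_findings(check_register_globals('On', false));
report_findings(check_register_globals('On', true));

// Constructed attacker request: no password, but the flag variable supplied.
$constructed_request = array('authenticated' => '1');
echo demo_uninitialised_variable($constructed_request, false), "\n";
echo demo_uninitialised_variable($constructed_request, true), "\n";
```

The severity flag is the whole difference between the two positions in the thread: with `$fatal` true the first call to report_findings() returns true and the test stops, with it false the page just carries a warning line. The demo function is deliberately written with the uninitialised-variable bug so that the second call returns 'granted' only when the register_globals behaviour is simulated.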