Re: [SM-DEVEL] patches for stable 20051009

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Sun, 2005-10-09 at 20:59 -0500, Jonathan Angliss wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>=20
>=20
> On Sun, October 9, 2005 12:33, Tomas Kuliavas wrote:
>=20
> > attached two patches for SquirrelMail 1.4.6cvs.
> >
> > configtest-rgon.diff - adds php register_globals check to configuration
> > test utility and causes error when globals are on. Some SquirrelMail
> > security and variable corruption issues can be reproduced only in rg=3D=
on.
> >
> > html_decode.diff - adds character set conversion to html attachments.
>=20
> Look good to me.  Don't see any reason to hold them off.

I've got one objection to the first: it causes a hard error when rg=3D1 in
configtest. Shouldn't this be a warning? We've advertised nowhere that
people are *required* to turn off register_globals, and the configtest
failing on something that isn't required doesn't seem right.

I do think we could require such a thing at some point (and e.g.
announce that no official security support is given for issues that are
only valid with rg=3D1), but that should be announced clearly and well
documented.

Conclusion: I'll downgrade it to a warning, is that ok?

Thijs