Re: [SM-DEVEL] Bug in digest_md5_parse_challenge

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> This is my first mail to the list, so I'm going to present myself. My name
> is Pablo and I'm an spanish (not only web) developer which some years of
> experience in PHP.

Welcome

> I've contacted to you because, installing squirrelmail in a mail server,
> I've found a little bug in the digest_md5_parse_challenge function. I get
> the squirrelmail this night from sourceforge's subversion

Please make sure to state the version you are using.  Looks like you
are using 1.5.2SVN

> and I've
> installed it in a Debian stable + Apache 2 + php5 server up to date.
>
> The specific problem is that, in the file functions/auth.php, at the line
> 202, checks only if the $challenge variable is set, and don't check if it's
> set to FALSE, producing a warning message in the lines 203 and 207 when this
> occurs. This assignment can happen in the line 201, cause the function
> base64_decode, as the documentation [1] shows, returns FALSE on failure.

Looks like you're right.  SM has many places where isset() is used
incorrectly, and this does look like one.  The loop control in this
example is IMO poorly written (should not be the same as the data
being manipulated), but this code is also used in our stable branch,
so..... can you please replace that line with the following and
confirm no notices occur?

while (isset($challenge) && $challenge !== FALSE) {

> I expect to be clear in the explanation. I don't know yet how are you doing
> to submit bugs and patches (I didn't have time to read it in the
> documentation of the project), so I'll be grateful if someone explains it to

Unified diffs are best, sent to this list or submitted to our sf.net tracker.

> me. I know that many projects only give access at the repository to the most
> active people, but in the other case I have an account at sourceforge

We don't give repository access to just anyone.  But if you stick
around, familiarize yourself with the code and plan to help move the
project forward, we'd LOVE to add you to our team.

> (i02sopop). I don't have many time to develop new features, but I'll use it
> at home and at work, so I can be a good beta tester and I can also solve
> some bugs.
>
> Thanks and regards

Thank you

> [1] - http://es.php.net/manual/en/function.base64-decode.php