#380 data_dir not found for plugins, register_globals issue

open
nobody
None
5
2005-12-09
2005-12-09
Paolo
No

hello,

pls forgive if that's already been covered, but I did
not find refs quickly browsing the last postings.

Here's the problems:

1) tried configtest.php on 1.4.5, and was fine then
tried 20051207_0003-CVS and test got stuck on the
register_globals test (which is set on the HSP server
running SM). I think that's not an error, not a
blocking one at least, so I changed the proc to not
exit, and made do_error(*,false) to issue a warning.

2) abook and some plugins I've installed and tried
(calendar, filters, msg_details) stumble on a
default_prefs/user_prefs file not found in the
case SM dirs are as follows (default on such HSP):
DOCROOT/squirrelmail
DOCROOT/squirrelmail-data
DOCROOT/squirrelmail-files
The kludge in the attached diff is just that, devels
might be able to provide a better answer.

3) I seem unable to convince abook to create the
shared abook. I played with config opts but got just
different errors. I ended up tweaking the code a bit.
I may well have succeeded in testing all the wrong
param combinations, though. But now it WFM.

4) on an 800x600 screen an 800x600 popup is pretty
annoying, so I changed the default to 640x480 for
msg_details and pr_friendly windows.
That's a sidenote, clearly my taste/needs here.

Pls see attached diff, which - rather than a 'patch' -
is meant to show above points in code.

thanks
-- paolo

Discussion

  • Paolo

    Paolo - 2005-12-10

    Logged In: YES
    user_id=935319

    same kludge is needed in calendar plugin - see attached diff
    against 20051209_0003-CVS for refs.

  • Tomas Kuliavas

    Tomas Kuliavas - 2005-12-15

    Logged In: YES
    user_id=225877

    Re: register_globals fatal error.

    SquirrelMail should be able to run in register_globals = off
    setup since 1.2.9. Running SquirrelMail with
    register_globals = on can cause variable corruption and
    security issues. configtest.php is intentionally set to
    treat rg=on as fatal error. You can ignore this error in
    1.4.6cvs and try using SquirrelMail 1.4.6cvs in rg=on setup,
    but you won't pass configtest.php. Check squirrelmail-devel
    list discussion on this setting.

    If you have any information that stock SquirrelMail plugins
    break in rg=off setup, please provide information that
    allows us to reproduce your problem.

    ----
    Re: your diffs.
    Your patches are trying to locate data directory by making
    default_pref file tests. If $data_dir is corrupted, then
    your fixes don't solve problem and provide workarounds only
    for some setups.

    Please provide information that explains why $data_dir is
    corrupted/unavailable in your rg=off setup.

    functions/addressbook.php patch adds automatic address book
    creation option, when install instructions say that address
    book file must be present. This address book is not fixed to
    some username and provides too many configuration options.
    Automatic address book creation is not acceptable.

    If you want to fix your problem, please show error messages,
    address book file permissions, used global address book
    configuration options, php safe_mode and open_basedir settings.

    functions/page_header.php is modified to add username. Have
    you checked username plugin?

    800x600 -> 640x480 patches make hardcoded modification
    instead of making it configurable.

  • Paolo

    Paolo - 2005-12-15

    Logged In: YES
    user_id=935319

    [sorry, this is a bit long]

    register_globals: I'm hosted, I don't have sysadmin power, it's a virtual
    server. I understand the point has been extensively discussed, but I think
    that issuing a fatal error and exiting the test is wrong.
    To be coherent with the FE idea, SM should then refuse to run. To a
    'normal' user that sounds like rg=on ? drop SM look elsewhere : SM ok.
    I prefer my solution, which gives a proper warning and goes on.

    $data_dir and g_abook issues: as said, I cannot control everything,
    here's the docroot as provided (id 48 = httpd):

    ls -l /var/www
    drwxr-xr-x 11 user user 4096 Dec 7 23:07 cgi-bin
    drwxr-xr-x 12 user user 4096 Dec 7 23:07 html
    drwxr-xr-x 2 user user 4096 Sep 20 00:20 mivadata
    drwxr-xr-x 2 user user 4096 Sep 20 00:20 perl
    drwxr-xr-x 17 user user 4096 Dec 9 16:57 squirrelmail
    drwxrwxr-x 2 user 48 4096 Dec 8 12:10 squirrelmail-attachments
    drwxrwxr-x 2 user 48 4096 Dec 15 17:44 squirrelmail-data

    ls -l /var/www/squirrelmail-data
    -rw-r--r-- 1 48 48 80 Sep 20 00:20 default_pref
    -rw------- 1 48 48 75 Dec 6 11:54 user.pref
    -rw-r--r-- 1 48 48 0 Dec 15 17:43 user.2005.cal
    -rw-r--r-- 1 48 48 0 Dec 13 22:24 user.abook
    -rw-r--r-- 1 48 48 28 Dec 7 22:37 user.sig
    -rw-r--r-- 1 48 48 46 Dec 8 17:27 global_abook

    hence I'd need to create by hand global_abook 666, which I don't like,
    or have the httpd do it 6?? through a cgi, which I chose to be the
    abook.php itself. I'm open to a better solution, of course.

    and some config:

                     local  master
    register_globals On     On
    safe_mode        On     Off

    $data_dir = '../../squirrelmail-data/';
    $attachment_dir = '../../squirrelmail-attachments/';
    $abook_global_file = 'global_abook';
    $abook_global_file_writeable = true;

    note that abs (virtual) path won't work, and real path won't be a wise
    choice.
    Default calendar, unpatched, trying to save a new event:

    Warning: fopen("../../squirrelmail-data/user.2005.cal.tmp", "w") - No such file or directory in /home/virtual/site3/fst/var/www/squirrelmail/plugins/calendar/calendar_data.php on line 60

    sure, as stated my fixes are really kludges, and any upgrade will need to be
    patched - but now SM WFM fine. A proper solution is due but I'm not
    familiar with SM code.

    hmmm... seems that the following works though (and looks like the right fix,
    config.pl just needs to be aware of SITE_ROOT):

    $data_dir = $_SERVER['SITE_ROOT'].'/var/www/squirrelmail-data/';
    $attachment_dir = $_SERVER['SITE_ROOT'].'/var/www/squirrelmail-attachments/';

    at least the stock calendar works. This looks correct for both rg=on/off.
    Anyway, perhaps the following should be applied to calendar.php as well
    as others:

    - define('SM_PATH','../../');
    + if (!defined('SM_PATH')) define('SM_PATH','../../');
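    Review bot: the defined() guard also changes what SM_PATH means inside the plugin: when calendar.php is pulled in from a src/ page that already defined SM_PATH as '../', the plugin now inherits that value instead of '../../', which is correct only because each value is relative to the working directory of the entry script that defined it. The same guard belongs in every plugin file that defines SM_PATH unconditionally (the "others" mentioned above); a file left with the bare define() will still raise a "constant already defined" notice when included, and any path built on SM_PATH there will depend on which file ran first.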

    page header: pls disregard, the diff wasn't meant to be there - I did not know of
    the plugin, but anyway having the code open in vi it was a quicker hack
    than even looking up the plugin page ;)

    640x480: agreed - hardcoded fix to hardcoded bad (for _myself_) defaults.
    Definitely better if configurable, but for me a popup window that
    unexpectedly takes the whole screen is more irritating than resizing a
    smaller one if needed. Perhaps just a matter of taste.

  • Tomas Kuliavas

    Tomas Kuliavas - 2005-12-16

    Logged In: YES
    user_id=225877

    If shared server admins want to remove some support issues
    and requirement to restart apache on every site
    configuration change, they allow use of configuration
    directives in .htaccess files. Have you tried disabling
    globals in .htaccess? 'php_flag register_globals off' or
    'php_flag register_globals 0'. If you can't - ask site
    admins to enable use of .htaccess files or ask to disable
    globals in your setup.

    Running SquirrelMail with globals turned on is dangerous.
    SquirrelMail is coded in rg=off environment and developers
    make some assumptions that are not secure in rg=on setups.
    Some of the latest SquirrelMail exploits and bugs work only
    in rg=on setups. I will oppose making this error not fatal
    unless rg=on cleanup code is ported from devel. Fatal error
    can reduce number of vulnerable SquirrelMail installations
    and make admins think before enabling insecure php
    configuration option.

    I think paths with '../../' do not work in safe_mode. Will
    check that.

    Automatic address book creation is needed only in restricted
    environment. In any other environment it is not needed and
    can cause creation of address book files in unexpected
    places. Use of 'detect_writable' parameter disables address
    book write controls. I think I'll try making it a configurable
    option disabled by default.

    Issues are not specific to stable SquirrelMail install.
    Moving it to Patches section.

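The "assumptions that are not secure in rg=on setups" mentioned above, shown as an added example (not SquirrelMail code): a script that assumes a flag is unset until it sets it, the hardened form, and a configtest-style check; `$authorized`, `credentials_ok()` and the sample credential are illustrative names, and `simulate_register_globals()` stands in for the removed PHP directive.

```php
<?php
// Added example, not SquirrelMail code: the "a variable is unset until this script
// sets it" assumption that register_globals=on breaks, its hardened form, and a
// configtest-style check. $authorized and the sample credential are illustrative.
// register_globals was removed in PHP 5.4; this reproduces its effect (every
// request parameter becomes a global variable) so the example runs on any PHP.
function simulate_register_globals(array $request) {
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Constructed credential check standing in for a real login routine.
function credentials_ok(array $request) {
    return isset($request['password']) && $request['password'] === 'sample-secret';
}

// Unsafe: $authorized is assumed unset unless credentials_ok() set it, so a
// request parameter named "authorized" pre-sets it and the check is bypassed.
function unsafe_page(array $request) {
    unset($GLOBALS['authorized']);          // clean slate for each call
    simulate_register_globals($request);
    global $authorized;                     // never initialised here
    if (credentials_ok($request)) {
        $authorized = true;
    }
    return empty($authorized) ? 'denied' : 'granted';
}

// Hardened: same environment, but the flag is initialised explicitly and
// input is read only from the request array, never from ambient globals.
function safe_page(array $request) {
    simulate_register_globals($request);
    $authorized = false;
    if (credentials_ok($request)) {
        $authorized = true;
    }
    return $authorized ? 'granted' : 'denied';
}

// configtest-style check. ini_get() returns false on PHP >= 5.4 (directive
// removed) and '', '0' or 'off' when it is disabled on older builds.
function check_register_globals() {
    $rg = ini_get('register_globals');
    $on = $rg !== false && $rg !== '' && $rg !== '0' && strtolower($rg) !== 'off';
    return $on ? 'FATAL: register_globals is on; set php_flag register_globals off' : 'ok';
}
$probe = array('authorized' => '1');        // constructed request, no credentials
echo unsafe_page($probe), ' / ', safe_page($probe), ' / ', check_register_globals(), "\n";
```

With the constructed request (an "authorized" parameter and no credentials) unsafe_page() returns 'granted' while safe_page() returns 'denied'; check_register_globals() mirrors the configtest decision the thread argues about and names the .htaccess remedy suggested above.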
  • Tomas Kuliavas

    Tomas Kuliavas - 2005-12-16

    Logged In: YES
    user_id=225877

    Could you add SM_PATH to data and attachment directories?

    $data_dir = SM_PATH . '../squirrelmail-data/';
    $attachment_dir = SM_PATH . '../squirrelmail-attachments/';

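Why the plain '../../squirrelmail-data/' setting failed from the calendar plugin while the SM_PATH-based form suggested just above works from both src/ and plugins/calendar/, as an added example (not SquirrelMail code) that resolves the paths lexically; the /var/www layout is taken from the listing earlier in the thread, and normalize_path() and resolve_data_dir() are helper names introduced here.

```php
<?php
// Added example, not SquirrelMail code. It shows why a relative $data_dir such as
// '../../squirrelmail-data/' works from src/ but not from plugins/calendar/, and why
// anchoring it on SM_PATH (as suggested above) resolves correctly from both places.
// Assumed layout: /var/www/squirrelmail (SM root) beside /var/www/squirrelmail-data.

// Normalise a path lexically (no filesystem access), so this runs anywhere;
// the trailing slash of $data_dir is dropped in the result.
function normalize_path($path) {
    $parts = array();
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// fopen() resolves a relative path against the working directory, which for a
// web request is the directory of the entry script (src/ or plugins/calendar/).
function resolve_data_dir($cwd, $data_dir) {
    return normalize_path($cwd . '/' . $data_dir);
}

$sm_root = '/var/www/squirrelmail';
// Each entry script defines SM_PATH relative to its own directory.
$entry_points = array(
    $sm_root . '/src'              => '../',    // src/*.php
    $sm_root . '/plugins/calendar' => '../../', // plugins/calendar/*.php
);

foreach ($entry_points as $cwd => $sm_path) {
    $plain    = resolve_data_dir($cwd, '../../squirrelmail-data/');
    $anchored = resolve_data_dir($cwd, $sm_path . '../squirrelmail-data/');
    printf("%-18s plain: %-42s SM_PATH-based: %s\n",
           basename($cwd) . '/', $plain, $anchored);
}
```

From src/ both forms resolve to /var/www/squirrelmail-data; from plugins/calendar/ the plain form resolves to /var/www/squirrelmail/squirrelmail-data, which does not exist and matches the fopen warning quoted earlier, while the SM_PATH form still yields /var/www/squirrelmail-data.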
  • Paolo

    Paolo - 2005-12-17

    Logged In: YES
    user_id=935319

    > Could you add SM_PATH to data and attachment directories?

    yep, that seems to work too :).

    > directives in .htaccess files. Have you tried disabling
    > globals in .htaccess? 'php_flag register_globals off'

    nope, also tried tricks on php.net but no effect. Need to ask the
    sysadmin then.

    > I think, paths with '../../' do not work in safe_mode.

    that was default with safe_mode=on and 1.2.5 (base) working
    (no calendar).

    > Automatic address book creation is needed only in restricted
    > environment.

    well, that's my case - at least I know who's gonna use what.

    thanks
