Red Hat Bugzilla – Bug 200074
Squirrelmail 1.4.7 fixes several issues
Last modified: 2007-11-30 17:11:38 EST
Description of problem:
Squirrelmail 1.4.7 was released on July 4th 2006 and contains several fixes:
- Security: Possible cookie theft in src/redirect.php if
register_globals is enabled, and malicious site is running
in same domain.
- Fixed that loading the options page always loaded the prefs
initial_value on display, instead of the users' value.
- Enabled Ukrainian translation after updates by Serhij Dubyk.
- Fixed from address in case of MDN receipts (patch from Dimitar Pashev).
- Correct variable typo, causing Bogus sequence in FETCH errors (#1460338).
- Reduce references header in a smart way to avoid "header too long"
errors from SMTP servers in really long threads (#1167754, #1465342).
- Undo extra sanitizing in decodeHeader() function (#1460638).
- Added workaround for broken OpenBSD 3.8+ setlocale() function (#1427512).
- Fixed session lockups on large attachment downloads.
- Fixed bug_report plugin connections to mapped and secured IMAP servers.
- Fixed possibility to use single quote in provider name (#1475744).
- Improved error handling for the help pages.
- Added new color themes by Jeremy Landes, Tammi Maggard and Lucas Austin-Howe
(#1378332), (#1377567), (#1377529), (#1377528), (#1377527), (#1377526),
- Removed invalid $sendmail_path check in configuration utility.
- Backported calendar plugin updates from devel branch. Fixed display of
multiline events (#1291081) and sanitizing of quotes (#705796). Fixed
possible calendar corruption, when events contain special formatting
characters. Moved html sanitizing from backend functions to display
code. Removed direct access to $_GET and $_POST variables and
simplified form variable processing.
- Fixed some mailbox caching issues, when messages are deleted or moved
not in first mailbox page. Fixed use of mailbox cache in right_main.php
- Stop URL parsing, if 8bit symbols or HTML entities are detected (#1356798).
- Improve recovery when EHLO not supported on legacy SMTP servers
- Don't move messages when target mailbox matches source mailbox (#1409453).
- Sanitized IMAP folder names in error_message() function and filters plugin.
- Take X-Forwarded-Host HTTP header into consideration when constructing
base_uri for redirects; reduces problems with transparent proxies
- Don't use trailing delimiter when sqimap_mailbox_create() subscribes
newly created mailbox.
- Undefined variable in src/right_main.php.
- Security: Local file inclusion in functions/plugin.php with
register_globals enabled, and magic_quotes disabled (reported by Denix
- Add note to conf.pl / config_default.php to warn users that set
sensitive passwords in that file to properly secure it.
- Prevent modifications in advanced identities, when editing of
identities is disabled.
- Fix incorrect parsing of From with nested parentheses (#1241506).
- Tightened code in search.php for disputed security report. We don't
believe this is exploitable, but the code is tightened anyway.
Oops, dupe of 200073. The page was not responding and I hit 'Submit' again.
*** This bug has been marked as a duplicate of 200073 ***