From 32eb29fb994404a74b39e707995918f718948cfd Mon Sep 17 00:00:00 2001 From: thomascube <thomas@roundcube.net> Date: Tue, 14 Oct 2008 08:55:45 -0400 Subject: [PATCH] Secure new config merging feature + remove full path disclosure --- installer/index.php | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/installer/index.php b/installer/index.php index 6ece823..c7f69e3 100644 --- a/installer/index.php +++ b/installer/index.php @@ -45,7 +45,8 @@ } } -if (isset($_GET['_mergeconfig']) && in_array($_GET['_mergeconfig'], array('main', 'db'))) { +if ($RCI->configured && ($RCI->getprop('enable_installer') || $_SESSION['allowinstaller']) && + isset($_GET['_mergeconfig']) && in_array($_GET['_mergeconfig'], array('main', 'db'))) { $filename = $_GET['_mergeconfig'] . '.inc.php'; header('Content-type: text/plain'); @@ -93,7 +94,7 @@ if ($RCI->configured && !$RCI->getprop('enable_installer') && !$_SESSION['allowinstaller']) { // header("HTTP/1.0 404 Not Found"); echo '<h2 class="error">The installer is disabled!</h2>'; - echo '<p>To enable it again, set <tt>$rcmail_config[\'enable_installer\'] = true;</tt> in '.RCMAIL_CONFIG_DIR.'/main.inc.php</p>'; + echo '<p>To enable it again, set <tt>$rcmail_config[\'enable_installer\'] = true;</tt> in RCMAIL_CONFIG_DIR/main.inc.php</p>'; echo '</div></body></html>'; exit; } -- Gitblit v1.9.1