From 32eb29fb994404a74b39e707995918f718948cfd Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Tue, 14 Oct 2008 08:55:45 -0400
Subject: [PATCH] Secure new config merging feature + remove full path disclosure

---
 installer/index.php |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/installer/index.php b/installer/index.php
index 6ece823..c7f69e3 100644
--- a/installer/index.php
+++ b/installer/index.php
@@ -45,7 +45,8 @@
   }
 }
 
-if (isset($_GET['_mergeconfig']) && in_array($_GET['_mergeconfig'], array('main', 'db'))) {
+if ($RCI->configured && ($RCI->getprop('enable_installer') || $_SESSION['allowinstaller']) &&
+    isset($_GET['_mergeconfig']) && in_array($_GET['_mergeconfig'], array('main', 'db'))) {
   $filename = $_GET['_mergeconfig'] . '.inc.php';
 
   header('Content-type: text/plain');
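Review bot: The added guard reads `$_SESSION['allowinstaller']` directly, so unless that key is always initialised elsewhere, PHP raises an undefined-index notice, and with display_errors enabled that notice prints the script's full path, which is the kind of disclosure this commit sets out to remove. Write the test as `!empty($_SESSION['allowinstaller'])`; the disabled-installer check in the second hunk has the same unguarded read. Passing `true` as the third argument of `in_array()` would also make the allowlist that feeds `$filename` a strict string match. The body of this `if` continues past the hunk, so what is emitted after the text/plain header cannot be checked from here.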
@@ -93,7 +94,7 @@
   if ($RCI->configured && !$RCI->getprop('enable_installer') && !$_SESSION['allowinstaller']) {
     // header("HTTP/1.0 404 Not Found");
     echo '<h2 class="error">The installer is disabled!</h2>';
-    echo '<p>To enable it again, set <tt>$rcmail_config[\'enable_installer\'] = true;</tt> in '.RCMAIL_CONFIG_DIR.'/main.inc.php</p>';
+    echo '<p>To enable it again, set <tt>$rcmail_config[\'enable_installer\'] = true;</tt> in RCMAIL_CONFIG_DIR/main.inc.php</p>';
     echo '</div></body></html>';
     exit;
   }
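Review bot: The new message prints `RCMAIL_CONFIG_DIR` as literal text, which reads like a forgotten concatenation and invites a later maintainer to "fix" it back and re-expose the path. Add a comment above the echo, for example `// constant name is printed literally on purpose: do not expand it, the page must not reveal the server path`. This `if` is nested in code that starts outside the hunk.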

--
Gitblit v1.9.1