From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
INSTALL | 40 ++++++++++++++++++++++++++++++++++------
1 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/INSTALL b/INSTALL
index 817d98c..fd3c819 100644
--- a/INSTALL
+++ b/INSTALL
@@ -12,18 +12,16 @@
* The Apache, Lighttpd, Cherokee or Hiawatha web server
* .htaccess support allowing overrides for DirectoryIndex
* PHP Version 5.3.7 or greater including
- - PCRE, DOM, JSON, Session, Sockets (required)
+ - PCRE, DOM, JSON, Session, Sockets, OpenSSL, Mbstring (required)
- PHP Data Objects (PDO) with driver for either MySQL, PostgreSQL or SQLite (required)
- - Libiconv, Zip (recommended)
- - OpenSSL, Fileinfo, Mcrypt, mbstring (optional)
+ - Libiconv, Zip, Fileinfo (recommended)
* PEAR packages distributed with Roundcube or external:
- - Mail_Mime 1.8.1 or newer
- - Mail_mimeDecode 1.5.5 or newer
+ - Mail_Mime 1.10.0 or newer
- Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
- Net_IDNA2 0.1.1 or newer
- Auth_SASL 1.0.6 or newer
- Net_Sieve 1.3.2 or newer (for managesieve plugin)
- - Crypt_GPG 1.2.0 or newer (for enigma plugin)
+ - Crypt_GPG 1.4.0 or newer (for enigma plugin)
* php.ini options (see .htaccess file):
- error_reporting E_ALL & ~E_NOTICE (or lower)
- memory_limit > 16MB (increase as suitable to support large attachments)
@@ -49,6 +47,9 @@
2. Install dependencies using composer:
- get composer from https://getcomposer.org/download/
- rename the composer.json-dist file into composer.json
+ - if you want to use LDAP address books, enable the LDAP libraries in your
+ composer.json file by moving the items from "suggest" to the "require"
+ section (remove the explanation texts after the version!).
- run `php composer.phar install --no-dev`
3. Make sure that the following directories (and the files within)
are writable by the webserver
@@ -63,6 +64,9 @@
CONFIGURATION HINTS
===================
+
+IMPORTANT! Read all comments in defaults.inc.php, understand them
+and configure your installation to be not surprised by default behaviour.
Roundcube writes internal errors to the 'errors' log file located in the logs
directory which can be configured in config/config.inc.php. If you want ordinary
@@ -79,6 +83,7 @@
==============
Note: Database for Roundcube must use UTF-8 character set.
+Note: See defaults.inc.php file for examples of DSN configuration.
* MySQL
-------
@@ -150,6 +155,29 @@
php_value upload_max_filesize 2M
+SECURE YOUR INSTALLATION
+========================
+
+Access through the webserver to the following directories should be denied:
+
+ /config
+ /temp
+ /logs
+
+Roundcube uses .htaccess files to protect these directories, so be sure to
+allow override of the Limit directives to get them taken into account. The
+package also ships a .htaccess file in the root directory which defines some
+rewrite rules. In order to properly secure your installation, please enable
+mod_rewrite for Apache webserver and double check access to the above listed
+directories and their contents is denied.
+
+NOTE: In Apache 2.4, support for .htaccess files has been disabled by
+default. Therefore you first need to enable this in your Apache main or
+virtual host config by with:
+
+ AllowOverride all
+
+
UPGRADING
=========
--
Gitblit v1.9.1