From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports

---
 INSTALL |   37 +++++++++++++++++++++++++++++++------
 1 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/INSTALL b/INSTALL
index 67c0c05..fd3c819 100644
--- a/INSTALL
+++ b/INSTALL
@@ -12,18 +12,16 @@
 * The Apache, Lighttpd, Cherokee or Hiawatha web server
 * .htaccess support allowing overrides for DirectoryIndex
 * PHP Version 5.3.7 or greater including
-   - PCRE, DOM, JSON, Session, Sockets (required)
+   - PCRE, DOM, JSON, Session, Sockets, OpenSSL, Mbstring (required)
    - PHP Data Objects (PDO) with driver for either MySQL, PostgreSQL or SQLite (required)
-   - Libiconv, Zip (recommended)
-   - OpenSSL, Fileinfo, Mcrypt, mbstring (optional)
+   - Libiconv, Zip, Fileinfo (recommended)
 * PEAR packages distributed with Roundcube or external:
-   - Mail_Mime 1.8.1 or newer
-   - Mail_mimeDecode 1.5.5 or newer
+   - Mail_Mime 1.10.0 or newer
    - Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
    - Net_IDNA2 0.1.1 or newer
    - Auth_SASL 1.0.6 or newer
    - Net_Sieve 1.3.2 or newer (for managesieve plugin)
-   - Crypt_GPG 1.2.0 or newer (for enigma plugin)
+   - Crypt_GPG 1.4.0 or newer (for enigma plugin)
 * php.ini options (see .htaccess file):
    - error_reporting E_ALL & ~E_NOTICE (or lower)
    - memory_limit > 16MB (increase as suitable to support large attachments)
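Review bot: moving OpenSSL and Mbstring onto the "(required)" line of the PHP extension list is a breaking change for installs that ran without them, and the same edit drops Mcrypt and Mail_mimeDecode from the list with no explanation; the subject line mentions none of this. Suggest explaining these changes in the commit message or in the UPGRADING section, together with the raised minimums (Mail_Mime 1.10.0, Crypt_GPG 1.4.0), so that an admin upgrading in place knows to check extensions and PEAR packages before deploying.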
@@ -67,6 +65,9 @@
 CONFIGURATION HINTS
 ===================
 
+IMPORTANT! Read all comments in defaults.inc.php, understand them
+and configure your installation to be not surprised by default behaviour.
+
 Roundcube writes internal errors to the 'errors' log file located in the logs
 directory which can be configured in config/config.inc.php. If you want ordinary
 PHP errors to be logged there as well, enable the 'php_value error_log' line
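Review bot: the added IMPORTANT paragraph under CONFIGURATION HINTS names defaults.inc.php without a path, while the following paragraph gives config/config.inc.php in full, and "to be not surprised by default behaviour" does not tell the admin what to look for. Suggest giving the file's path and rewording, for example "review every option in defaults.inc.php and override any default that does not suit your deployment"; if particular defaults are security-relevant, name them here.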
@@ -82,6 +83,7 @@
 ==============
 
 Note: Database for Roundcube must use UTF-8 character set.
+Note: See defaults.inc.php file for examples of DSN configuration.
 
 * MySQL
 -------
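Review bot: the added note after the UTF-8 line points to DSN examples but does not say which file the admin's own DSN belongs in. A DSN normally carries the database user and password, so suggest naming that file here and referring to the SECURE YOUR INSTALLATION section this patch adds, so the reader checks that the file is not served by the webserver.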
@@ -153,6 +155,29 @@
 	php_value       upload_max_filesize     2M
 
 
+SECURE YOUR INSTALLATION
+========================
+
+Access through the webserver to the following directories should be denied:
+
+  /config
+  /temp
+  /logs
+
+Roundcube uses .htaccess files to protect these directories, so be sure to
+allow override of the Limit directives to get them taken into account. The
+package also ships a .htaccess file in the root directory which defines some
+rewrite rules. In order to properly secure your installation, please enable
+mod_rewrite for Apache webserver and double check access to the above listed
+directories and their contents is denied.
+
+NOTE: In Apache 2.4, support for .htaccess files has been disabled by
+default. Therefore you first need to enable this in your Apache main or
+virtual host config by with:
+
+ AllowOverride all
+
+
 UPGRADING
 =========
 
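Review bot: the new section's prose asks for override of "the Limit directives" but the example at its end grants "AllowOverride all", and the sentence introducing it reads "by with:". Suggest fixing the typo and either stating the override classes the shipped .htaccess files actually need (the rewrite rules in the root .htaccess need FileInfo, which Limit alone does not grant) or explaining why "all" is required, and showing the directive scoped to the Roundcube directory rather than the whole main config. The instruction to "double check" access gives no method: add a concrete check, such as requesting a file under /config, /temp and /logs and expecting a 403 response. The section also covers Apache only, although the requirements list Lighttpd, Cherokee and Hiawatha; say what admins of those servers must configure to deny the same directories.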

--
Gitblit v1.9.1