From bd0551b22076b82a6d49e9f7a2b2e0c90a1b2326 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 05 Feb 2016 07:25:27 -0500
Subject: [PATCH] Secure also downloads of addressbook exports, managesieve script exports and Enigma keys exports
---
 installer/test.php | 64 ++++++++++++++++++++++++++-----
 1 files changed, 53 insertions(+), 11 deletions(-)
diff --git a/installer/test.php b/installer/test.php
index c2e3214..237e8df 100644
--- a/installer/test.php
+++ b/installer/test.php
@@ -1,6 +1,6 @@
 <?php
-if (!class_exists('rcube_install') || !is_object($RCI)) {
+if (!class_exists('rcmail_install', false) || !is_object($RCI)) {
 die("Not allowed! Please open installer/index.php instead.");
 }
@@ -91,7 +91,7 @@ $dirs[] = $RCI->config['log_dir'] ? $RCI->config['log_dir'] : 'logs';
 foreach ($dirs as $dir) {
- $dirpath = $dir[0] == '/' ? $dir : INSTALL_PATH . $dir;
+ $dirpath = rcube_utils::is_absolute_path($dir) ? $dir : INSTALL_PATH . $dir;
 if (is_writable(realpath($dirpath))) {
 $RCI->pass($dir);
 $pass = true;
@@ -115,6 +115,7 @@ if ($RCI->configured) {
 if (!empty($RCI->config['db_dsnw'])) {
 $DB = rcube_db::factory($RCI->config['db_dsnw'], '', false);
+ $DB->set_debug((bool)$RCI->config['sql_debug']);
 $DB->db_connect('w');
 if (!($db_error_msg = $DB->is_error())) {
@@ -153,7 +154,7 @@
 // test database
 if ($db_working) {
- $db_read = $DB->query("SELECT count(*) FROM {$RCI->config['db_prefix']}users");
+ $db_read = $DB->query("SELECT count(*) FROM " . $DB->quote_identifier($RCI->config['db_prefix'] . 'users'));
 if ($DB->is_error()) {
 $RCI->fail('DB Schema', "Database not initialized");
 echo '<p><input type="submit" name="initdb" value="Initialize database" /></p>';
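Review bot: In the `@@ -115,6 +115,7 @@` hunk, `$DB->set_debug((bool)$RCI->config['sql_debug']);` reads the `sql_debug` key unconditionally, so a config that never sets it raises an undefined-index notice on the very page meant to show a clean test run; the line right above guards `db_dsnw` with `!empty()`, so `$DB->set_debug(!empty($RCI->config['sql_debug']));` keeps the same truthiness and the file's own idiom. The enclosing `if ($RCI->configured)` block continues past the hunk. Separately, the subject line describes securing export downloads while the diffstat lists only installer/test.php, which looks like a mismatch between the message and the content of this patch; worth confirming the right commit message was attached.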
@@ -177,17 +178,19 @@ if ($db_working) {
 // write test
 $insert_id = md5(uniqid());
- $db_write = $DB->query("INSERT INTO {$RCI->config['db_prefix']}session (sess_id, created, ip, vars) VALUES (?, ".$DB->now().", '127.0.0.1', 'foo')", $insert_id);
+ $db_write = $DB->query("INSERT INTO " . $DB->quote_identifier($RCI->config['db_prefix'] . 'session')
+ . " (`sess_id`, `created`, `ip`, `vars`) VALUES (?, ".$DB->now().", '127.0.0.1', 'foo')", $insert_id);
 if ($db_write) {
 $RCI->pass('DB Write');
- $DB->query("DELETE FROM {$RCI->config['db_prefix']}session WHERE sess_id=?", $insert_id);
+ $DB->query("DELETE FROM " . $DB->quote_identifier($RCI->config['db_prefix'] . 'session')
+ . " WHERE `sess_id` = ?", $insert_id);
 }
 else {
 $RCI->fail('DB Write', $RCI->get_error());
 }
 echo '<br />';
-
+
 // check timezone settings
 $tz_db = 'SELECT ' . $DB->unixtimestamp($DB->now()) . ' AS tz_db';
 $tz_db = $DB->query($tz_db);
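Review bot: The new INSERT and DELETE quote the table name through `$DB->quote_identifier()` but hard-code backtick-quoted column names (sess_id, created, ip, vars), which is MySQL syntax; whether that is portable depends on rcube_db rewriting backtick identifiers for the other drivers, which is not visible in this diff — confirm, or quote the columns with the same helper as the table so one mechanism is used throughout. The identifier hardening itself is the right direction: `db_prefix` is installer-supplied config and was previously interpolated raw into both statements. The enclosing `if ($db_working)` block starts before the hunk.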
@@ -207,10 +210,43 @@ ?>
+<h3>Test filetype detection</h3>
+
+<?php
+
+if ($errors = $RCI->check_mime_detection()) {
+ $RCI->fail('Fileinfo/mime_content_type configuration');
+ if (!empty($RCI->config['mime_magic'])) {
+ echo '<p class="hint">Try setting the <tt>mime_magic</tt> config option to <tt>null</tt>.</p>';
+ }
+ else {
+ echo '<p class="hint">Check the <a href="http://www.php.net/manual/en/function.finfo-open.php">Fileinfo functions</a> of your PHP installation.<br/>';
+ echo 'The path to the magic.mime file can be set using the <tt>mime_magic</tt> config option in Roundcube.</p>';
+ }
+}
+else {
+ $RCI->pass('Fileinfo/mime_content_type configuration');
+ echo "<br/>";
+}
+
+
+if ($errors = $RCI->check_mime_extensions()) {
+ $RCI->fail('Mimetype to file extension mapping');
+ echo '<p class="hint">Please set a valid path to your webserver\'s mime.types file to the <tt>mime_types</tt> config option.<br/>';
+ echo 'If you can\'t find such a file, download it from <a href="http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types">svn.apache.org</a>.</p>';
+}
+else {
+ $RCI->pass('Mimetype to file extension mapping');
+ echo "<br/>";
+}
+
+?>
+
+
 <h3>Test SMTP config</h3>
 <p>
-Server: <?php echo rcube_parse_host($RCI->getprop('smtp_server', 'PHP mail()')); ?><br />
+Server: <?php echo rcube_utils::parse_host($RCI->getprop('smtp_server', 'PHP mail()')); ?><br />
 Port: <?php echo $RCI->getprop('smtp_port'); ?><br />
 <?php
@@ -274,7 +310,7 @@ $send_headers = $mail_object->headers($headers);
 $SMTP = new rcube_smtp();
- $SMTP->connect(rcube_parse_host($RCI->getprop('smtp_server')),
+ $SMTP->connect(rcube_utils::parse_host($RCI->getprop('smtp_server')),
 $RCI->getprop('smtp_port'), $CONFIG['smtp_user'], $CONFIG['smtp_pass']);
 $status = $SMTP->send_mail($headers['From'], $headers['To'],
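Review bot: In the new filetype-detection block, `$errors` is assigned from `check_mime_detection()` and again from `check_mime_extensions()` but never shown; each failure is reported as the bare `$RCI->fail('Fileinfo/mime_content_type configuration')`, while elsewhere in this file `fail()` carries a reason as its second argument (`$RCI->fail('DB Schema', "Database not initialized")`). If those helpers return a printable message, `$RCI->fail('Fileinfo/mime_content_type configuration', $errors);` would tell the administrator which detection failed rather than only that one did; if they return an array it needs joining first, which cannot be told from this diff. Both `check_*` helpers are defined outside the patch.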
@@ -289,7 +325,7 @@ $status = mail($headers['To'], $headers['Subject'], $body, $header_str);
 else $status = mail($headers['To'], $headers['Subject'], $body, $header_str, '-f'.$headers['From']);
-
+
 if (!$status) $smtp_response[] = 'Mail delivery with mail() failed. Check your error logs for details';
 }
@@ -304,7 +340,7 @@ else {
 $RCI->fail('SMTP send', 'Invalid sender or recipient');
 }
-
+
 echo '</p>';
 }
@@ -369,7 +405,7 @@ if (isset($_POST['imaptest']) && !empty($_POST['_host']) && !empty($_POST['_user'])) {
- echo '<p>Connecting to ' . Q($_POST['_host']) . '...<br />';
+ echo '<p>Connecting to ' . rcube::Q($_POST['_host']) . '...<br />';
 $imap_host = trim($_POST['_host']);
 $imap_port = $RCI->getprop('default_port');
@@ -388,6 +424,12 @@ $imap_user = idn_to_ascii($_POST['_user']);
 $imap = new rcube_imap(null);
+ $imap->set_options(array(
+ 'auth_type' => $RCI->getprop('imap_auth_type'),
+ 'debug' => $RCI->getprop('imap_debug'),
+ 'socket_options' => $RCI->getprop('imap_conn_options'),
+ ));
+
 if ($imap->connect($imap_host, $imap_user, $_POST['_pass'], $imap_port, $imap_ssl)) {
 $RCI->pass('IMAP connect', 'SORT capability: ' . ($imap->get_capability('SORT') ? 'yes' : 'no'));
 $imap->close();
-- 
Gitblit v1.9.1
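Review bot: In the `@@ -388,6 +424,12 @@` hunk, `'debug' => $RCI->getprop('imap_debug')` switches on protocol-level logging for a connection that then authenticates with `$_POST['_pass']`; whether the login exchange is masked in that log is decided inside the IMAP client class, which is outside this diff — confirm it is, or pin the installer test to `'debug' => false` so a production config copied into the installer cannot write the administrator's test credentials into the log directory. The rest of the option block is sensible: honouring `imap_auth_type` and `imap_conn_options` makes the test exercise the same path as the real login. The enclosing `if (isset($_POST['imaptest']) ...)` block starts before this hunk.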