From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 INSTALL |   71 ++++++++++++++++++++---------------
 1 files changed, 40 insertions(+), 31 deletions(-)

diff --git a/INSTALL b/INSTALL
index 2664e7f..51dbfd8 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,7 +1,7 @@
 INTRODUCTION
 ============
 
-This file describes the basic steps to install RoundCube Webmail on your
+This file describes the basic steps to install Roundcube Webmail on your
 web server. For additional information, please also consult the project's
 wiki page at http://trac.roundcube.net/wiki
 
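Review bot: the subject line says this patch fixes a vulnerability in how utils/save-prefs handles the _session argument (#1489382), but the diff touches only INSTALL and contains no code change at all; either the security fix is missing from this patch or the commit message belongs to a different commit, and one of the two should be corrected before merge. The INSTALL change in this hunk (RoundCube -> Roundcube) is a cosmetic rename.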
@@ -9,16 +9,20 @@
 REQUIREMENTS
 ============
 
-* The Apache or Lighttpd Webserver
+* The Apache, Lighttpd, Cherokee or Hiawatha web server
 * .htaccess support allowing overrides for DirectoryIndex
-* PHP Version 5.2 or greater including
+* PHP Version 5.2.1 or greater including
    - PCRE, DOM, JSON, XML, Session, Sockets (required)
-   - libiconv (recommended)
-   - mbstring, fileinfo, mcrypt (optional)
+   - PHP Data Objects (PDO) with driver for either MySQL, PostgreSQL or SQLite (required)
+     Note: MySQL database driver requires PHP 5.3 or newer.
+   - Libiconv, Zip (recommended)
+   - Fileinfo, Mcrypt, mbstring (optional)
 * PEAR packages distributed with Roundcube or external:
-   - MDB2 2.5.0 or newer
-   - Mail_Mime 1.7.0 or newer
-   - Net_SMTP 1.4.2 or newer
+   - Mail_Mime 1.8.1 or newer
+   - Mail_mimeDecode 1.5.5 or newer
+   - Net_SMTP (latest from https://github.com/pear/Net_SMTP/)
+   - Net_IDNA2 0.1.1 or newer
+   - Auth_SASL 1.0.6 or newer
 * php.ini options (see .htaccess file):
    - error_reporting E_ALL & ~E_NOTICE (or lower)
    - memory_limit > 16MB (increase as suitable to support large attachments)
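Review bot: the Net_SMTP entry gives no minimum version ("latest from https://github.com/pear/Net_SMTP/"), unlike every other PEAR package in the list; state a minimum version so installs are reproducible instead of picking up whatever the repository head happens to be at install time. Also, the PHP minimum is raised only to 5.2.1 while the new PDO note says the MySQL driver requires PHP 5.3 or newer; consider saying plainly that MySQL installations need PHP 5.3 so that the two statements do not read as contradictory.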
@@ -27,9 +31,11 @@
    - zend.ze1_compatibility_mode disabled
    - suhosin.session.encrypt disabled
    - mbstring.func_overload disabled
+   - magic_quotes_runtime disabled
+   - magic_quotes_sybase disabled
 * PHP compiled with OpenSSL to connect to IMAPS and to use the spell checker
-* A MySQL (4.0.8 or newer), PostgreSQL, MSSQL database engine
-  or the SQLite extension for PHP
+* A MySQL (4.0.8 or newer), PostgreSQL, MS SQL Server (2005 or newer) database engine
+  or SQLite support in PHP
 * One of the above databases with permission to create tables
 * An SMTP server (recommended) or PHP configured for mail delivery
 
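Review bot: the two added lines "magic_quotes_runtime disabled" and "magic_quotes_sybase disabled" are sensible, but both directives were removed in PHP 5.4, so a reader on a newer PHP will not find them in php.ini; add a short qualifier noting they apply only to PHP older than 5.4, in the same style as the existing "(or lower)" qualifier on error_reporting.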
@@ -42,7 +48,7 @@
    are writable by the webserver
    - /temp
    - /logs
-3. Create a new database and a database user for RoundCube (see DATABASE SETUP)
+3. Create a new database and a database user for Roundcube (see DATABASE SETUP)
 4. Point your browser to http://url-to-roundcube/installer/
 5. Follow the instructions of the install script (or see MANUAL CONFIGURATION)
 6. After creating and testing the configuration, remove the installer directory
@@ -52,7 +58,7 @@
 CONFIGURATION HINTS
 ===================
 
-RoundCube writes internal errors to the 'errors' log file located in the logs
+Roundcube writes internal errors to the 'errors' log file located in the logs
 directory which can be configured in config/main.inc.php. If you want ordinary
 PHP errors to be logged there as well, enable the 'php_value error_log' line
 in the .htaccess file and set the path to the log file accordingly.
@@ -66,7 +72,7 @@
 DATABASE SETUP
 ==============
 
-Note: Database for RoundCube must use UTF-8 character set.
+Note: Database for Roundcube must use UTF-8 character set.
 
 * MySQL
 -------
@@ -89,24 +95,15 @@
 
 * SQLite
 --------
-You need sqlite 2 (preferably 2.8) to setup the sqlite db 
-(sqlite 3.x also doesn't work at the moment). Here is
-an example how you can setup the sqlite.db for roundcube:
-
-# sqlite -init SQL/sqlite.initial.sql sqlite.db
-Loading resources from SQL/sqlite.initial.sql
-SQLite version 2.8.16
-Enter ".help" for instructions
-sqlite> .exit
-# chmod o+rw sqlite.db
-
-Make sure your configuration points to the sqlite.db file and that the
+Versions of sqlite database engine older than 3 aren't supported.
+Database file and structure is created automatically by Roundcube.
+Make sure your configuration points to some file location and that the
 webserver can write to the file and the directory containing the file.
 
 
 * PostgreSQL
 ------------
-To use RoundCube with PostgreSQL support you have to follow these
+To use Roundcube with PostgreSQL support you have to follow these
 simple steps, which have to be done as the postgres system user (or
 which ever is the database superuser):
 
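Review bot: "Database file and structure is created automatically" should read "are created automatically". Dropping the old "# chmod o+rw sqlite.db" example is a good change, since it made the database file world-readable and world-writable; the replacement text should go one step further and say the file must be writable by the webserver user only and kept outside the document root, because the automatically created file will inherit whatever permissions the directory grants.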
@@ -121,6 +118,20 @@
 All this has been tested with PostgreSQL 8.x and 7.4.x. Older
 versions don't have a -O option for the createdb, so if you are
 using that version you'll have to change ownership of the DB later.
+
+
+* Microsoft SQL Server
+----------------------
+Language/locale of the database must be set to us_english (1033). More info
+on this at http://trac.roundcube.net/ticket/1488918.
+
+
+Database cleaning
+-----------------
+To keep your database slick and clean we recommend to periodically execute
+bin/cleandb.sh which finally removes all records that are marked as deleted.
+Best solution is to install a cronjob running this script daily.
+
 
 
 MANUAL CONFIGURATION
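Review bot: "we recommend to periodically execute bin/cleandb.sh which finally removes all records that are marked as deleted" reads awkwardly; suggest "we recommend periodically running bin/cleandb.sh, which permanently removes all records marked as deleted". The hunk also adds a blank line after the cleaning paragraph on top of the two existing ones, leaving three consecutive blank lines before MANUAL CONFIGURATION, whereas the other sections are separated by two.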
@@ -139,7 +150,7 @@
 UPGRADING
 =========
 
-If you already have a previous version of RoundCube installed,
+If you already have a previous version of Roundcube installed,
 please refer to the instructions in UPGRADING guide.
 
 
@@ -147,9 +158,9 @@
 ==========
 
 There are two forms of optimisation here, compression and caching, both aimed
-at increasing an end user's experience using RoundCube Webmail. Compression
+at increasing an end user's experience using Roundcube Webmail. Compression
 allows the static web pages to be delivered with less bandwidth. The index.php
-of RoundCube Webmail already enables compression on its output. The settings
+of Roundcube Webmail already enables compression on its output. The settings
 below allow compression to occur for all static files. Caching sets HTTP 
 response headers that enable a user's web client to understand what is static
 and how to cache it.
@@ -218,5 +229,3 @@
 
     compress.filetype = ("text/plain", "text/html", "text/javascript", "text/css", "text/xml", "image/gif", "image/png")
 }
-
-

--
Gitblit v1.9.1