From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 UPGRADING |   27 +++++++++++++++++++--------
 1 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/UPGRADING b/UPGRADING
index ce951d1..03d5499 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -20,7 +20,7 @@
 After all is done, the temporary folder with the new Roundcube files can be 
 removed again.
 
-Please also see Post-Upgrade Activities section.
+WARNING: See Post-Upgrade Activities section below.
 
 
 Updating manually
@@ -32,17 +32,19 @@
    - ./bin/
    - ./SQL/
    - ./program/
-   - ./installer/
-   - ./skins/default/
-   - ./plugins/
-2. Run ./bin/update.sh from the commandline OR
+2. rsync the contents of the following folders from your installation
+   directory into the target folder:
+   ./skins/
+   ./plugins/
+3. Run ./bin/update.sh from the commandline OR
    open http://url-to-roundcube/installer/ in a browser and choose "3 Test config".
    To enable the latter one, you have to temporary set 'enable_installer'
    to true in your local config/main.inc.php file.
-3. Let the update script/installer check your configuration and
+   WARNING: See SQLite database upgrade below.
+4. Let the update script/installer check your configuration and
    update your config files and database schema as suggested by the updater.
-4. Make sure 'enable_installer' is set to false again.
-5. See Post-Upgrade Activities section.
+5. Make sure 'enable_installer' is set to false again.
+6. See Post-Upgrade Activities section.
 
 
 Post-Upgrade Activities
@@ -52,3 +54,12 @@
 3. When upgrading from version older than 0.6-beta you should make sure
    your folder settings contain namespace prefix. For example Courier users
    should add INBOX. prefix to folder names in main configuration file.
+4. Check system requirements in INSTALL file.
+
+SQLite database upgrade
+-----------------------
+Versions older than 0.9 were supporting SQLite v2 only. Newer versions require
+database in v3 format. The best what you can do is to convert database file
+to the new format using command line tools:
+
+sqlite OLD.DB .dump | sqlite3 NEW.DB

--
Gitblit v1.9.1