From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 installer/test.php |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/installer/test.php b/installer/test.php
index 2cd9b53..340fe26 100644
--- a/installer/test.php
+++ b/installer/test.php
@@ -1,3 +1,10 @@
+<?php
+
+if (!class_exists('rcube_install') || !is_object($RCI)) {
+    die("Not allowed! Please open installer/index.php instead.");
+}
+
+?>
 <form action="index.php?_step=3" method="post">
 
 <h3>Check config files</h3>
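Review bot: The new guard at the top of installer/test.php stops a direct request with `die()` but still answers with HTTP 200, so access logs and monitoring cannot tell a blocked direct hit from a normal page view. Sending `header('HTTP/1.0 403 Forbidden');` just before the `die(...)` would make such attempts visible. A short comment above the check, such as `// Only run when included by installer/index.php, which presumably sets up rcube_install and $RCI`, would record why it is there. The subject line refers to the `_session` argument of utils/save-prefs while this patch touches only installer/test.php, so it is worth confirming that the rest of that fix landed separately and that any other installer step templates carry the same guard.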
@@ -31,13 +38,13 @@
   
   if (is_array($messages['missing'])) {
     echo '<h3 class="warning">Missing config options</h3>';
-    echo '<p class="hint">The following config options are not present in the current configuration.<br/>';
-    echo 'Please check the default config files and add the missing properties to your local config files.</p>';
-    
-    echo '<ul class="configwarings">';
+    echo '<p class="hint">The following config options are not set (not present or empty) in the current configuration.<br/>';
+    echo 'Please check the default config files and set the missing properties in your local config files.</p>';
+
+    echo '<ul class="configwarnings">';
     foreach ($messages['missing'] as $msg) {
       echo html::tag('li', null, html::span('propname', $msg['prop']) . ($msg['name'] ? ':&nbsp;' . $msg['name'] : ''));
-    }    
+    }
     echo '</ul>';
   }
 

--
Gitblit v1.9.1