From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Tue, 22 Oct 2013 08:17:26 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)

---
 plugins/password/config.inc.php.dist |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 8d7b433..e960bbe 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -25,6 +25,12 @@
 // will be not available (no Password tab in Settings)
 $rcmail_config['password_login_exceptions'] = null;
 
+// Array of hosts that support password changing. Default is NULL.
+// Listed hosts will feature a Password option in Settings; others will not.
+// Example:
+//$rcmail_config['password_hosts'] = array('mail.example.com', 'mail2.example.org');
+$rcmail_config['password_hosts'] = null;
+
 
 // SQL Driver options
 // ------------------

--
Gitblit v1.9.1