$OpenBSD: patch-cgi-bin_openwebmail_ow-shared_pl,v 1.1 2003/01/30 07:57:26 kevlo Exp $
|
|
--- cgi-bin/openwebmail/ow-shared.pl.orig Tue Nov 26 12:20:51 2002
|
|
+++ cgi-bin/openwebmail/ow-shared.pl Thu Jan 30 14:45:08 2003
|
|
@@ -125,8 +125,8 @@ use vars qw($_OFFSET $_FROM $_TO $_DATE
|
|
###################### OPENWEBMAIL_INIT ###################
|
|
# init routine to set globals, switch euid
|
|
sub openwebmail_init {
|
|
- readconf(\%config, \%config_raw, "$SCRIPT_DIR/etc/openwebmail.conf.default");
|
|
- readconf(\%config, \%config_raw, "$SCRIPT_DIR/etc/openwebmail.conf") if (-f "$SCRIPT_DIR/etc/openwebmail.conf");
|
|
+ readconf(\%config, \%config_raw, "/var/www/conf/openwebmail/openwebmail.conf.default");
|
|
+ readconf(\%config, \%config_raw, "/var/www/conf/openwebmail/openwebmail.conf") if (-f "/var/www/conf/openwebmail/openwebmail.conf");
|
|
# setuid is required if mails is located in user's dir
|
|
if ( $>!=0 && ($config{'use_homedirspools'}||$config{'use_homedirfolders'}) ) {
|
|
print "Content-type: text/html\n\n'$0' must setuid to root"; exit 0;
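Review bot: The relocated config directory `/var/www/conf/openwebmail` is spelled out three times across the two added lines, so the `.default` path, the site config path and the `-f` test can drift apart on the next edit. A single lexical such as `my $conf_dir = '/var/www/conf/openwebmail';` used in all three places keeps the layout decision in one spot. The body of openwebmail_init continues past the end of this hunk.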
|
|
@@ -231,6 +231,9 @@ sub openwebmail_init {
|
|
sub readconf {
|
|
my ($r_config, $r_config_raw, $configfile)=@_;
|
|
|
|
+ if ($configfile=~/\.\./) { # .. in path is not allowed for higher security
|
|
+ openwebmailerror("Invalid config file path $configfile");
|
|
+ }
|
|
# read config
|
|
open(CONFIG, $configfile) or
|
|
openwebmailerror("Couldn't open config file $configfile");
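Review bot: The new `..` check guards the path only against directory traversal, but the `open(CONFIG, $configfile)` it protects is still a two-argument open, so a value beginning with `>` or `|` (or ending in `|`) would be interpreted as a mode or pipe rather than a file name. The added check should be paired with the three-argument form on the existing line, `open(CONFIG, '<', $configfile) or`, so the path is always treated as a plain file to read. The substring match `/\.\./` also rejects any legitimate file whose name merely contains two dots; if only path components are the concern, matching `m{(\A|/)\.\.(/|\z)}` is more precise. readconf continues beyond this hunk.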
|
|
@@ -340,6 +343,12 @@ sub readconf {
|
|
}
|
|
}
|
|
|
|
+ # remove / and .. from variables that will be used in require statement for security
|
|
+ foreach $key ( 'default_language', 'auth_module') {
|
|
+ ${$r_config}{$key} =~ s|/||g;
|
|
+ ${$r_config}{$key} =~ s|\.\.||g;
|
|
+
|
|
+ }
|
|
# untaint pathname variable defined in openwebmail.conf
|
|
foreach $key ( 'smtpserver', 'auth_module', 'virtusertable',
|
|
'mailspooldir', 'homedirspoolname', 'homedirfolderdirname',
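Review bot: The new loop silently rewrites `default_language` and `auth_module` by deleting `/` and `..`, so a misconfigured or tampered value is quietly turned into a different name that is then passed to `require`, whereas the check added earlier in readconf rejects a bad config path with openwebmailerror. Rejecting here is more consistent and easier to audit; assuming these values are meant to be bare language and module names, something like `openwebmailerror("Invalid $key value") unless ${$r_config}{$key} =~ /\A[\w.-]+\z/;` in place of the two substitutions would do, with the exact character class confirmed against the values shipped in openwebmail.conf. The substitutions also run on an undefined value when a key is absent from the config, which warns under `use warnings`; a `next unless defined ${$r_config}{$key};` guard avoids that. The stray blank line inside the loop body can be dropped.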
|