
Re: SF.net SVN: squirrelmail:[13777] branches/SM-1_4-STABLE/squirrelmail

by Jon Angliss


On Tue, 02 Jun 2009 02:04:46 +0000,
jangliss@... wrote:

>Revision: 13777
>          http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13777&view=rev
>Author:   jangliss
>Date:     2009-06-02 02:04:46 +0000 (Tue, 02 Jun 2009)
>
>Log Message:
>-----------
>Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839).
>
>This probably needs further discussion
>
>Modified Paths:
>--------------
>    branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess
>    branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess
>    branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
>
>Modified: branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess
>===================================================================
>--- branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess 2009-05-31 10:23:20 UTC (rev 13776)
>+++ branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess 2009-06-02 02:04:46 UTC (rev 13777)
>@@ -2,4 +2,5 @@
> Deny from All
> Allow from 127
> Allow from 10
>-Allow from 192
>+Allow from 172.16
>+Allow from 192.168
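Review bot: `Allow from 172.16` does not cover the whole second RFC 1918 block. Apache's partial-address form matches on whole leading octets, so `172.16` means 172.16.0.0/16 only, while RFC 1918 reserves 172.16.0.0/12 (172.16.0.0 through 172.31.255.255); clients in 172.17.x.x through 172.31.x.x stay denied. Since that block does not fall on an octet boundary, it needs the CIDR form, `Allow from 172.16.0.0/12`, to match the intent of the log message. `Allow from 10` and `Allow from 192.168` are fine as written because 10.0.0.0/8 and 192.168.0.0/16 do align with octet boundaries.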

Somebody had posted a bug about this minor error in that the 192 block
isn't entirely a private network.  RFC1918 defines 3 blocks, which can
now be seen in this file.  The bug report
(http://www.squirrelmail.org/bugs/2798839) questions the reasoning for
granting access to the private block.  Along with that comment,
somebody jumped on IRC today to comment on the way the code is laid
out, and it has been mentioned before.  

Currently we point the web root to the base of the SquirrelMail
directory, instead of the src/ directory.  Currently that's because
plugins reside in the plugins/ folder, and may require some output.
The user that jumped on IRC questioned why so many PHP scripts can be
executed without a need to.  Whilst I generally agree that the idea is
that you should be able to just drop and run SquirrelMail without
having to tinker with any paths, I sometimes wonder how difficult it'd
be to make all the subdirectories outside the web root.  I also
question whether this is one of those cases of "security by
obscurity", but it does lead to improved security in that some scripts
that don't need to be executed by the user, should not be executable.
The example provided by the user on IRC was the themes folder.  Whilst
they're harmless, they can be executed as a script, and it only takes
small typos to introduce bugs.

We only provide a limited number of .htaccess files in the directories;
should we consider expanding it, as well as increasing the options
included (no listings and such)?  Do we want to consider the idea of
bumping stuff outside the web root?

--
Jonathan Angliss
<jon@...>
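The thread turns on how Apache interprets the partial-address form of `Allow from` against the three RFC 1918 blocks. The following is an added illustration, not SquirrelMail code: it models the partial-dotted form (`10` means 10.0.0.0/8, `172.16` means 172.16.0.0/16) and the CIDR form of mod_access's `Allow from`, then reports which private space an .htaccess file fails to allow and which allowed space is neither private nor loopback. The sample files are constructed from the `Allow` lines in the quoted hunk (the file's first line is not in the hunk and is omitted); the `PROPOSED` variant with `172.16.0.0/12` is a hypothetical corrected version, not a committed one.

```python
"""Compare Apache 'Allow from' lines with the RFC 1918 private ranges.

Added illustration, not part of SquirrelMail.  Only the partial-dotted
and CIDR argument forms of mod_access are modelled; hostnames and 'all'
are out of scope.
"""
import ipaddress

# Well-known reserved ranges (RFC 1918 plus loopback).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Constructed samples based on the quoted hunk of contrib/.htaccess:
# the lines before r13777, the lines committed in r13777, and a
# hypothetical version using CIDR notation for the 172.16.0.0/12 block.
BEFORE = "Deny from All\nAllow from 127\nAllow from 10\nAllow from 192\n"
COMMITTED = ("Deny from All\nAllow from 127\nAllow from 10\n"
             "Allow from 172.16\nAllow from 192.168\n")
PROPOSED = ("Deny from All\nAllow from 127\nAllow from 10\n"
            "Allow from 172.16.0.0/12\nAllow from 192.168\n")


def allow_arg_to_network(arg):
    """Translate one 'Allow from' argument into an ip_network.

    A partial dotted address of N octets matches the whole 8*N-bit
    prefix, so "172.16" is 172.16.0.0/16, not the /12 RFC 1918 block.
    """
    if "/" in arg:
        return ipaddress.ip_network(arg, strict=False)
    octets = arg.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported Allow from argument: {arg!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)


def parse_htaccess(text):
    """Collect the networks named by every 'Allow from' line."""
    allowed = []
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 3 and parts[0].lower() == "allow" \
                and parts[1].lower() == "from":
            allowed.extend(allow_arg_to_network(a) for a in parts[2:])
    return allowed


def _subtract(blocks, nets):
    """CIDR arithmetic: remove every network in `nets` from `blocks`."""
    remaining = list(blocks)
    for net in nets:
        next_remaining = []
        for piece in remaining:
            if piece.subnet_of(net):
                continue                      # fully covered: drop it
            if net.subnet_of(piece):
                next_remaining.extend(piece.address_exclude(net))  # carve hole
            else:
                next_remaining.append(piece)  # disjoint: keep as is
        remaining = next_remaining
    return sorted(remaining)


def private_space_not_allowed(allowed):
    """RFC 1918 space that no 'Allow from' line covers (under-allow)."""
    return _subtract(RFC1918, allowed)


def allowed_outside_private(allowed):
    """Allowed space that is neither RFC 1918 nor loopback (over-allow)."""
    return _subtract(allowed, RFC1918 + [LOOPBACK])


def is_allowed(ip_str, allowed):
    """Would a client at this address match some 'Allow from' line?"""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("committed", COMMITTED),
                       ("proposed", PROPOSED)):
        nets = parse_htaccess(text)
        print(f"{name}: private space still denied:",
              [str(n) for n in private_space_not_allowed(nets)])
        print(f"{name}: allowed but not private/loopback:",
              [str(n) for n in allowed_outside_private(nets)])
```

Run as a script, it shows the two-sided nature of the fix: `Allow from 192` had let in all of 192.0.0.0/8 beyond 192.168.0.0/16, and `Allow from 172.16` still denies 172.17.0.0 through 172.31.255.255. The same `_subtract` helper can be pointed at any other trusted-range list when reviewing an access-control file.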


squirrelmail-devel mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-devel@...
List archives: http://news.gmane.org/gmane.mail.squirrelmail.devel
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-devel
