
Archive for the ‘SquirrelMail’ Category

SquirrelMail updates

May 23rd, 2009

I’ve been on the SquirrelMail project for quite some time now, and an administrator on the project for several years. One thing that has always been an issue is donations. Because multiple people contribute to the project at varying levels at different times, we’ve never figured out a good way to handle them. Other projects, such as MySQL, set up a foundation and generate enough donations to support full-time developers. Whilst it would definitely be cool to do that, the project is not at that point. So recently Paul sent out a rather interesting option, and it hit the lists.

He gave users the ability to donate to individual people on the project, as well as to sign up for bounties. A copy of the announcement can be found here. Bounties have been used on several open source projects before: people “sponsor” a project, bug, or target. There are already several listed, but we’re always looking for more ideas, so if you have one, submit it.

SquirrelMail 1.4.13 Released

December 14th, 2007

Shortly after we released 1.4.12, somebody reported that the package didn’t match our published checksum for it. This is not a good sign, so we set out to find out what had happened. It turns out that one of the package maintainers had their account compromised, and the 1.4.11 and 1.4.12 packages were modified after they were released.

The change was tiny: three additional lines of code (plus one for a comment):


/** set the value of the base path */
if (isset($_SERVER['HTTP_BASE_PATH'])) {
    define('SM_PATH',$_SERVER['HTTP_BASE_PATH']);
}

An initial look at the change suggested it shouldn’t be able to do anything, because HTTP_BASE_PATH wasn’t a variable the application ever defined. That’s exactly where the problem is. The HTTP_* entries in $_SERVER are not set by the application; PHP populates them from the headers of the incoming request, which means a remote user can supply one over the HTTP connection and have PHP pick it up. SM_PATH is the prefix SquirrelMail uses when including its own files, so the next page loaded would really be loaded from the remote host. This allows the attacker to execute malicious PHP code, as the webserver user, on the victim’s host, without any interaction from the victim at all.
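The two defensive pieces that matter here are a base path that the client cannot influence, and an integrity check of the kind that exposed the tampering in the first place. The following is an added example, not SquirrelMail’s own code: resolveBasePath, findHeaderControlledPaths and releaseMatchesChecksum are hypothetical helpers, the scanned snippet is the backdoor quoted above, and the checksum input is a constructed placeholder.

```php
<?php
// Added example (not SquirrelMail code). The backdoored lines let a request
// header choose SM_PATH, the directory SquirrelMail includes its own files
// from. Shown here: a path definition derived only from the file system, a
// small scanner that flags define()/include calls fed from $_SERVER['HTTP_*'],
// and a release-integrity check against a checksum published out of band.

/**
 * Resolve the install path from the location of this file only.
 * Anything under $_SERVER['HTTP_*'] is derived from client-supplied request
 * headers and must never feed define(), include or require.
 */
function resolveBasePath(): string
{
    $path = realpath(__DIR__);
    if ($path === false) {
        throw new RuntimeException('cannot resolve install directory');
    }
    return rtrim($path, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
}

/**
 * Flag PHP source lines that pass a client-controlled $_SERVER['HTTP_*']
 * value to define(), include, include_once, require or require_once.
 * Returns the offending lines keyed by line number (1-based); an empty
 * array means nothing was found.
 */
function findHeaderControlledPaths(string $source): array
{
    $hits = [];
    $pattern = '/\b(define|include|include_once|require|require_once)\b'
             . '[^;\n]*\$_SERVER\s*\[\s*[\'"]HTTP_/i';
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

/**
 * Compare a downloaded release file against the SHA-256 the project
 * published separately. hash_equals() keeps the comparison constant-time.
 */
function releaseMatchesChecksum(string $file, string $expectedSha256): bool
{
    $actual = hash_file('sha256', $file);
    return $actual !== false && hash_equals(strtolower($expectedSha256), $actual);
}

// --- demonstration on constructed input ---
define('SM_PATH', resolveBasePath());

// The backdoor quoted in the post, followed by the kind of include SM_PATH feeds.
$sample = <<<'PHP'
/** set the value of the base path */
if (isset($_SERVER['HTTP_BASE_PATH'])) {
    define('SM_PATH',$_SERVER['HTTP_BASE_PATH']);
}
require_once(SM_PATH . 'functions/global.php');
PHP;

foreach (findHeaderControlledPaths($sample) as $lineNo => $text) {
    echo "line $lineNo: path taken from a request header: $text\n";
}

// Constructed "release" file: a matching digest passes, a bogus one fails.
$tmp = tempnam(sys_get_temp_dir(), 'sm');
file_put_contents($tmp, "constructed release payload\n");
$published = hash('sha256', "constructed release payload\n");
var_dump(releaseMatchesChecksum($tmp, $published));
var_dump(releaseMatchesChecksum($tmp, str_repeat('0', 64)));
unlink($tmp);
```

The scanner is deliberately line-based and crude; it is meant as a quick tripwire over a source tree after an incident like this one, not as a substitute for comparing the deployed files against a known-good checksum of the release.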

Because of this, instead of simply redeploying the packages (which we initially did), we decided to pull both 1.4.11 and 1.4.12 from the site and deploy 1.4.13.

SquirrelMail 1.4.12 Released

December 5th, 2007

Phew… finally got five minutes to get 1.4.12 out the door. This release includes a bug fix for attachment handling, which was almost entirely broken with PHP 4 and slightly broken in one minor area with PHP 5. Full details are in the ChangeLog; grab your copy.


Categories: Open Source, SquirrelMail

ip_restrict 0.1

June 21st, 2006

Okay, odd… I’ve just realized I’ve been on the SquirrelMail project since about 2002, and in the four years I’ve been on the project I don’t believe I’ve written a single plugin. Most unusual. Today I remedied that, prompted by a request in #squirrelmail for a new version of ip_user. I quickly knocked together ip_restrict, which restricts users to certain IP addresses or networks, depending on your configuration. You can download it here.

Categories: Open Source, SquirrelMail, Technology

Productivity out of work… yay

November 8th, 2005

For some reason, despite work going like hell at the moment with all kinds of crazy stuff happening, my out-of-work projects are thriving.

Take SquirrelMail, for example. Cor Bosman from XS4ALL released SquirrelMail 1.4.5 to their user base after extensive testing and internal enhancements. This generated a whole bunch of feedback and let us get a lot of bug fixing done. In the last three days I think I’ve made over 30 CVS commits.

I also fixed a long-standing bug in the GPG plugin for SquirrelMail today. It was a minor documentation issue and a code mistake: a simple case of assuming strrpos did the same as strpos. In general it does, except that strrpos only accepts one character for the needle. The result was that nearly every attachment was matched and handed to gpg for verification. The fix was a case of changing this (line 211 in plugins/gpg/setup.php):


if ((strrpos($filename,".asc") == (strlen($filename)-4))
or (strrpos($filename,".pgp") == (strlen($filename)-4))) {

To this:


if ((strpos($filename,".asc") == (strlen($filename)-4))
or (strpos($filename,".pgp") == (strlen($filename)-4))) {

The code still works as expected, and gpg no longer checks every attachment to see whether it is encrypted.
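A suffix test that does not depend on strpos or strrpos semantics at all avoids this class of bug entirely. The block below is an added example, not the GPG plugin’s code: endsWithByStrpos reproduces the shape of the comparison above for contrast, endsWith and isPgpAttachment are hypothetical replacements, and the file names are constructed. Two weaknesses of the position-based form are visible in its output: strpos reports the first occurrence, so a name whose extension appears twice is missed, and when the needle is absent strpos returns false, which the loose == treats as equal to 0 for any four-character name.

```php
<?php
// Added example (not the GPG plugin's code). Compares the position-based
// extension test used in the plugin with a direct suffix comparison.

/** Plugin-style test: position of the needle compared against the tail. */
function endsWithByStrpos(string $filename, string $ext): bool
{
    // strpos() returns false when $ext is absent; with == that is equal to 0.
    return strpos($filename, $ext) == (strlen($filename) - strlen($ext));
}

/** Direct suffix comparison: no search, no loose comparison. */
function endsWith(string $filename, string $ext): bool
{
    $len = strlen($ext);
    return $len > 0
        && strlen($filename) >= $len
        && substr($filename, -$len) === $ext;
}

/** Decide whether an attachment should be handed to gpg at all. */
function isPgpAttachment(string $filename): bool
{
    $lower = strtolower($filename);
    return endsWith($lower, '.asc') || endsWith($lower, '.pgp');
}

// Constructed file names covering the ordinary case and the edge cases.
$cases = [
    'message.asc',    // ordinary signed attachment
    'photo.jpg',      // must not be handed to gpg
    'key.asc.txt',    // extension appears, but not at the end
    'notes.asc.asc',  // first occurrence is not the last one
    'data',           // no extension, but strlen - 4 happens to be 0
];
foreach ($cases as $name) {
    printf("%-16s strpos-style=%-5s substr=%-5s isPgp=%s\n",
        $name,
        var_export(endsWithByStrpos($name, '.asc'), true),
        var_export(endsWith($name, '.asc'), true),
        var_export(isPgpAttachment($name), true));
}
```

Only the attachments that really carry a .asc or .pgp suffix reach gpg with the substr form, which is the behaviour the plugin fix was after; the strpos-style column shows where the position test diverges.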

So, it’s been a very productive week for me; let’s hope it continues. I’m planning on pushing SquirrelMail 1.4.6 out by Christmas.

Categories: GPG, Open Source, SquirrelMail