The problem is mixed-up session IDs. I have made a quick patch based on
the upstream update; it is attached. It is for the C4 (CentOS 4) version,
but would probably apply to C5 as well. Apply it with:
cd /usr/share/squirrelmail
patch -p3 < FILE
Also, after applying this, some users will sometimes have to clear the SQMSESSID
cookie from their browser, or they will not be able to log in.
diff -ru /usr/share/squirrelmail/functions/global.php
usr/share/squirrelmail/functions/global.php
--- /usr/share/squirrelmail/functions/global.php 2009-01-14 13:40:23.000000000
-0800
+++ usr/share/squirrelmail/functions/global.php 2009-01-21 13:49:14.000000000
-0800
@@ -123,6 +123,10 @@
ini_set('session.use_cookies','1');
}
+/* Make sure to have $base_uri always initialized to avoid having session
+ cookie set twice (for $base_uri and $base_uri/src. */
+$base_uri = sqm_baseuri();
+
/* convert old-style superglobals to current method
* this is executed if you are running PHP 4.0.x.
* it is run via a require_once directive in validate.php
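Review bot: The added comment does not say why an uninitialised `$base_uri` ends up producing two session cookies, and its parenthesis is never closed. Suggested wording: `/* Always initialise $base_uri here: if it is unset when sqsetcookie() runs, the session cookie is sent for a different path than $base_uri/src, leaving the browser with two SQMSESSID cookies (the mixed-up-session symptom). */` — the cookie-path fallback is not visible in this patch, so confirm it against sqsetcookie() before committing to that wording. Because this is a top-level statement it executes at include time, so `sqm_baseuri()` must already be defined wherever global.php is pulled in (the context says it is required from validate.php); worth confirming on the C5 build the post expects this to apply to.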
@@ -379,9 +383,12 @@
global $base_uri;
- if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(),
'', 0, $base_uri);
- if (isset($_COOKIE['username'])) sqsetcookie('username',
'', 0, $base_uri);
- if (isset($_COOKIE['key'])) sqsetcookie('key', '',
0, $base_uri);
+ if (isset($_COOKIE[session_name()])) {
+ sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri);
+ sqsetcookie(session_name(), $_COOKIE[session_name()], 1,
$base_uri."src/");
+ }
+ if (isset($_COOKIE['username'])) sqsetcookie('username',
'', 1, $base_uri);
+ if (isset($_COOKIE['key'])) sqsetcookie('key', '',
1, $base_uri);
$sessid = session_id();
if (!empty( $sessid )) {
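Review bot: The `username` and `key` cookies are still expired only for `$base_uri`, while the session cookie now also gets the `$base_uri."src/"` path; if either of them was ever set under src/ (the `key` cookie presumably carries the login key produced in the redirect.php hunk) it would survive sqsession_destroy. Mirror the session-cookie treatment: `if (isset($_COOKIE['key'])) { sqsetcookie('key', '', 1, $base_uri); sqsetcookie('key', '', 1, $base_uri."src/"); }` and the same for `username`. Note that `$base_uri."src/"` assumes `sqm_baseuri()` returns a trailing slash, and that a browser only discards a cookie whose path (and domain/secure attributes) match the original Set-Cookie exactly — a mismatch here is a plausible cause of the stale-SQMSESSID symptom the post mentions. sqsession_destroy's body continues outside the hunk.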
@@ -428,6 +435,12 @@
// could be: sq_call_function_suppress_errors('session_start');
$session_id = session_id();
+ // make sure 'deleted' is never a valid session identifier
+ if ($session_id == 'deleted') {
+ session_regenerate_id();
+ $session_id = session_id();
+ }
+
// session_starts sets the sessionid cookie but without the httponly var
// setting the cookie again sets the httponly cookie attribute
//
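Review bot: The new guard only catches the literal string 'deleted', compared with a loose `==`, so any other stale or attacker-chosen cookie value is still adopted as the session id unchanged — a fixed value shared by several browsers would reproduce the mixed-session problem this patch targets. Stronger is to reject anything that does not look like a PHP-generated id, e.g. `if ($session_id === 'deleted' || !preg_match('/^[a-zA-Z0-9,-]{22,40}$/', $session_id)) {` (adjust the class and length to the configured session.hash_function and hash_bits_per_character). `session_regenerate_id()` is also called without the delete-old-session argument, so the data under the old id stays on disk; that argument needs PHP 5.1+, which the CentOS 4 target named in the post may not provide, so guard it accordingly. The enclosing function starts before and ends after this hunk.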
diff -ru /usr/share/squirrelmail/functions/strings.php
usr/share/squirrelmail/functions/strings.php
--- /usr/share/squirrelmail/functions/strings.php 2009-01-14 13:40:25.000000000
-0800
+++ usr/share/squirrelmail/functions/strings.php 2009-01-21 13:49:16.000000000
-0800
@@ -16,7 +16,7 @@
* SquirrelMail version number -- DO NOT CHANGE
*/
global $version;
-$version = '1.4.8-5.el4.centos.2';
+$version = '1.4.8-5.3';
/**
* SquirrelMail internal version number -- DO NOT CHANGE
Binary files /usr/share/squirrelmail/images/sm_logo.png and
usr/share/squirrelmail/images/sm_logo.png differ
Only in /usr/share/squirrelmail/plugins: abook_import_export
Only in /usr/share/squirrelmail/plugins: address_add
Only in /usr/share/squirrelmail/plugins: change_pass
Only in /usr/share/squirrelmail/plugins: gpg
Only in /usr/share/squirrelmail/plugins: vacation_local
Only in /usr/share/squirrelmail/plugins: vacation_spire
Only in /usr/share/squirrelmail/plugins: virtualtable
diff -ru /usr/share/squirrelmail/src/redirect.php
usr/share/squirrelmail/src/redirect.php
--- /usr/share/squirrelmail/src/redirect.php 2009-01-14 13:40:23.000000000 -0800
+++ usr/share/squirrelmail/src/redirect.php 2009-01-21 13:49:14.000000000 -0800
@@ -71,6 +71,9 @@
if (!sqsession_is_registered('user_is_logged_in')) {
do_hook ('login_before');
+ // make sure to regenerate session id upon user login
+ session_regenerate_id();
+
$onetimepad = OneTimePadCreate(strlen($secretkey));
$key = OneTimePadEncrypt($secretkey, $onetimepad);
sqsession_register($onetimepad, 'onetimepad');
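Review bot: `session_regenerate_id()` here lets PHP's session module emit the new SQMSESSID cookie itself, so the httponly attribute that the global.php hunk says is only applied by re-sending the cookie through `sqsetcookie()` after session_start is lost for the post-login id. Re-issue it right after the regeneration, e.g. `sqsetcookie(session_name(), session_id(), 0, $base_uri);` (assuming `$base_uri` is in scope in this script and that sqsetcookie is what adds httponly, as the global.php comment indicates), and on PHP 5.1+ prefer `session_regenerate_id(true)` so the pre-login session data is discarded rather than left reachable under the old id. The `if (!sqsession_is_registered('user_is_logged_in'))` block closes outside the hunk.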