28.03.2013 12:13, A.L.E.C wrote:
> On 03/28/2013 09:54 AM, Vladislav Bogdanov wrote:
>
>>> Patch for 0.6: http://ow.ly/jtQNd
>>
>> Are previous versions affected?
>>
>> Looking at my 0.4 installation, save_prefs is implemented absolutely
>> differently, there are lists of prefs for each section, and they are
>> cherry-picked from a what client sends.

It is r3787 (Mon, 28 Jun 2010)
https://github.com/roundcube/roundcubemail/tree/bdb13a51f735623146f1ac81d9323e5182f99511
with local patches to be precise.

>
> 0.4 is vulnerable too, you're looking in a wrong place. The issue is in
> steps/utils/save_pref.inc.

program/steps/settings/save_prefs.inc in my tree.
This one -
https://github.com/roundcube/roundcubemail/blob/bdb13a51f735623146f1ac81d9323e5182f99511/program/steps/settings/save_prefs.inc

This revision uses static lists of per-section prefs. I can't believe it
is vulnerable.

> We don't support such very old releases.

I understand. You go toooo fast for me to follow ;) Keep going!

It would be nice if you dig exact commit which introduced this.

_______________________________________________
Roundcube Development discussion mailing list
dev@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/dev