From 32eb29fb994404a74b39e707995918f718948cfd Mon Sep 17 00:00:00 2001
From: thomascube
Date: Tue, 14 Oct 2008 12:55:45 +0000
Subject: Secure new config merging feature + remove full path disclosure
---
 installer/index.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'installer')
diff --git a/installer/index.php b/installer/index.php
index 6ece82385..c7f69e3f5 100644
--- a/installer/index.php
+++ b/installer/index.php
@@ -45,7 +45,8 @@ if (isset($_GET['_getfile']) && in_array($_GET['_getfile'], array('main', 'db'))
 }
 }
-if (isset($_GET['_mergeconfig']) && in_array($_GET['_mergeconfig'], array('main', 'db'))) {
+if ($RCI->configured && ($RCI->getprop('enable_installer') || $_SESSION['allowinstaller']) &&
+ isset($_GET['_mergeconfig']) && in_array($_GET['_mergeconfig'], array('main', 'db'))) {
 $filename = $_GET['_mergeconfig'] . '.inc.php';
 header('Content-type: text/plain');
@@ -93,7 +94,7 @@ if ($RCI->configured && empty($_REQUEST['_step'])) {
 if ($RCI->configured && !$RCI->getprop('enable_installer') && !$_SESSION['allowinstaller']) {
 // header("HTTP/1.0 404 Not Found");
 echo '
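Review bot: The added condition on the `_mergeconfig` branch reads `$_SESSION['allowinstaller']` without checking that the key is set, so a request with no such session entry raises an undefined-index notice on that line; if notices are displayed (the error-reporting setup is outside this hunk) the message would carry the script path, which is what this commit sets out to stop leaking. Using `!empty($_SESSION['allowinstaller'])` in place of the bare read avoids it. The same allow rule is also written a second time, negated, in the "installer is disabled" check further down, so the two can drift apart; computing it once into a variable and testing that in both places would keep them in step. The body of the `_mergeconfig` branch continues past the end of the hunk, and the `_getfile` branch named in the hunk header is not shown, so it is worth confirming that it is gated the same way.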

The installer is disabled!

';
- echo '

To enable it again, set $rcmail_config[\'enable_installer\'] = true; in '.RCMAIL_CONFIG_DIR.'/main.inc.php

';
+ echo '

To enable it again, set $rcmail_config[\'enable_installer\'] = true; in RCMAIL_CONFIG_DIR/main.inc.php

';
 echo '';
 exit;
 }
--
cgit v1.2.3
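Review bot: Nothing on the new `echo` line says why `RCMAIL_CONFIG_DIR` is now printed as literal text instead of being concatenated, so a later cleanup could easily restore the constant and put the server path back into a page that is shown to visitors who are not allowed into the installer. A one-line comment above it would guard against that regression, for example `// print the constant's name, not its value: this page must not reveal the install path`.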