From 967b342039261ab294fe85d806fe49ce16391ada Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Fri, 28 Mar 2008 19:42:35 +0000
Subject: [PATCH] Disable installer by default; add config option to enable it
 again

---
 INSTALL                     |  2 +-
 config/main.inc.php.dist    | 11 +++++++++--
 index.php                   |  4 ++--
 installer/config.php        |  3 +++
 installer/index.php         | 15 +++++++++++++--
 installer/rcube_install.php |  2 +-
 6 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/INSTALL b/INSTALL
index f40bb1f11..a88f4f9be 100644
--- a/INSTALL
+++ b/INSTALL
@@ -35,7 +35,7 @@ INSTALLATION
    - /temp
    - /logs
 3. Create a new database and a database user for RoundCube (see DATABASE SETUP)
-4. Point your browser to http:///url-to-roundcube/installer/
+4. Point your browser to http://url-to-roundcube/installer/
 5. Follow the instructions of the install script (or see MANUAL CONFINGURATION)
 6. After creating and testing the configuration, remove the installer directory
 7. Done!
diff --git a/config/main.inc.php.dist b/config/main.inc.php.dist
index ab98da884..962fb4e2f 100644
--- a/config/main.inc.php.dist
+++ b/config/main.inc.php.dist
@@ -180,7 +180,7 @@ $rcmail_config['flag_for_deletion'] = TRUE;
 // 0 = ask the user, 1 = send automatically, 2 = ignore (never send or ask)
 $rcmail_config['mdn_requests'] = 0;
 
-// Use this as charset as fallback for message decoding
+// Use this charset as fallback for message decoding
 $rcmail_config['default_charset'] = 'ISO-8859-1';
 
 // Make use of the built-in spell checker. It is based on GoogieSpell.
@@ -203,6 +203,9 @@ $rcmail_config['spellcheck_languages'] = NULL;
 // paths are relative to the RoundCube root folder
 $rcmail_config['generic_message_footer'] = '';
 
+// add a received header to outgoing mails containing the creators IP and hostname
+$rcmail_config['http_received_header'] = false;
+
 // this string is used as a delimiter for message headers when sending
 // leave empty for auto-detection
 $rcmail_config['mail_header_delimiter'] = NULL;
@@ -241,7 +244,11 @@ $rcmail_config['dont_override'] = array();
 $rcmail_config['javascript_config'] = array('read_when_deleted', 'flag_for_deletion');
 
 // try to load host-specific configuration
-$rcmail_config['include_host_config'] = FALSE;
+$rcmail_config['include_host_config'] = false;
+
+// THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
+// ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
+$rcmail_config['enable_installer'] = false;
 
 
 /***** these settings can be overwritten by user's preferences *****/
diff --git a/index.php b/index.php
index 7d12d9d77..0687763da 100644
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
 /*
  +-----------------------------------------------------------------------+
  | RoundCube Webmail IMAP Client                                         |
- | Version 0.1-20080314                                                  |
+ | Version 0.1-20080328                                                  |
  |                                                                       |
  | Copyright (C) 2005-2008, RoundCube Dev. - Switzerland                 |
  | Licensed under the GNU GPL                                            |
@@ -245,7 +245,7 @@ if (!empty($_action))
 if (empty($USER->ID))
 {
   // check if installer is still active
-  if (!$CONFIG['installer_disable_warning'] && is_readable('./installer/index.php'))
+  if ($CONFIG['enable_installer'] && is_readable('./installer/index.php'))
     $OUTPUT->add_footer('
   <div style="background:#ef9398; border:2px solid #dc5757; padding:0.5em; margin:2em auto; width:50em">
   <h2 style="margin-top:0.2em">Installer script is still accessible</h2>
diff --git a/installer/config.php b/installer/config.php
index 5b365a5a5..9845bb3f3 100644
--- a/installer/config.php
+++ b/installer/config.php
@@ -20,6 +20,9 @@ $RCI->config_props = array(
   'htmleditor' => 1,
 );
 
+// allow the current user to get to the next step
+$_SESSION['allowinstaller'] = true;
+
 if (!empty($_POST['submit'])) {
   
   echo '<p class="notice">Copy the following configurations and save them in two files (names above the text box)';
diff --git a/installer/index.php b/installer/index.php
index 3b144dfae..69e33f870 100644
--- a/installer/index.php
+++ b/installer/index.php
@@ -22,11 +22,11 @@
 
 <div id="content">
 
-<h1>RoundCube Webmail Installer</h1>
-
 <?php
   ini_set('error_reporting', E_ALL&~E_NOTICE);
   ini_set('display_errors', 1);
+  
+  session_start();
 
   $docroot = realpath(dirname(__FILE__) . '/../');
   $include_path  = $docroot . '/program/lib' . PATH_SEPARATOR . $docroot . '/program' . PATH_SEPARATOR . ini_get('include_path');
@@ -35,9 +35,20 @@
   require_once 'rcube_install.php';
   $RCI = rcube_install::get_instance();
   $RCI->load_config();
+
+  // exit if installation is complete
+  if ($RCI->configured && !$RCI->getprop('enable_installer') && !$_SESSION['allowinstaller']) {
+    header("HTTP/1.0 404 Not Found");
+    echo '<h2 class="error">The installer is disabled!</h2>';
+    echo '<p>To enable it again, set <tt>$rcmail_config[\'enable_installer\'] = true;</tt> in config/main.inc.php</p>';
+    echo '</div></body></html>';
+    exit;
+  }
   
 ?>
 
+<h1>RoundCube Webmail Installer</h1>
+
 <ol id="progress">
 <?php
   
diff --git a/installer/rcube_install.php b/installer/rcube_install.php
index 8caa79d02..07a9922b7 100644
--- a/installer/rcube_install.php
+++ b/installer/rcube_install.php
@@ -171,7 +171,7 @@ class rcube_install
         $out);
     }
     
-    return $out;
+    return trim($out);
   }