removed any possible globalized var. It is possible that SESSION, ENV and

SERVER vars can be trusted, but I prefer reverting any possible rg=on effects.

functions/global.php

@@ -362,14 +362,41 @@ if (get_magic_quotes_gpc()) {
 }
 
 /**
- * If register_globals are on, unregister all globals from $_GET, $_POST, 
- * and $_COOKIE. Before 4.3.0 $_FILES globals are unregistered too. Code
- * requires PHP 4.1.0 or newer. 
+ * If register_globals are on, unregister globals.
+ * Code requires PHP 4.1.0 or newer.
  */
 if ((bool) @ini_get('register_globals')) {
+    /**
+     * Remove all globals from $_GET, $_POST, and $_COOKIE.
+     */
     foreach ($_REQUEST as $key => $value) {
         unset($GLOBALS[$key]);
     }
+    /**
+     * Remove globalized $_FILES variables
+     * Before 4.3.0 $_FILES are included in $_REQUEST.
+     * Unglobalize them in separate call in order to remove dependency 
+     * on PHP version.
+     */
+    foreach ($_FILES as $key => $value) {
+        unset($GLOBALS[$key]);
+        // there are three undocumented $_FILES globals.
+        unset($GLOBALS[$key.'_type']);
+        unset($GLOBALS[$key.'_name']);
+        unset($GLOBALS[$key.'_size']);
+    }
+    /**
+     * Remove globalized environment variables.
+     */
+    foreach ($_ENV as $key => $value) {
+        unset($GLOBALS[$key]);
+    }
+    /**
+     * Remove globalized server variables.
+     */
+    foreach ($_SERVER as $key => $value) {
+        unset($GLOBALS[$key]);
+    }
 }
 
 /* strip any tags added to the url from PHP_SELF.
@@ -381,4 +408,12 @@ $PHP_SELF = php_self();
 
 sqsession_is_active();
 
+/** 
+ * Remove globalized session data in rg=on setups
+ */
+if ((bool) @ini_get('register_globals')) {
+    foreach ($_SESSION as $key => $value) {
+        unset($GLOBALS[$key]);
+    }
+}
 ?>

src/configtest.php

@@ -121,21 +121,6 @@ if (function_exists('mb_internal_encoding') &&
     do_err($mb_error);
 }
 
-/**
- * We code with register_globals = off. SquirrelMail should work in such setup
- * since 1.2.9 and 1.3.0. Running SquirrelMail with register_globals = on can
- * cause variable corruption and security issues. Globals can be turned off in
- * php.ini, webserver config and .htaccess files. Scripts can turn off globals only
- * in php 4.2.3 or older.
- */
-if ((bool) ini_get('register_globals')) {
-    $rg_error='You have enabled php register_globals.'
-        .' Running PHP installation with register_globals=on can cause problems.'
-        .' See <a href="http://www.php.net/manual/en/security.registerglobals.php">'
-        .'security information about register_globals</a>.';
-    do_err($rg_error);
-}
-
 /* checking paths */
 
 echo "Checking paths...<br />\n";