Added "Secured Configuration" mode

ChangeLog

@@ -242,6 +242,7 @@ Version 1.5.2 - SVN
     patch by Walter Huijbers (#1833123).
   - Fix for IMAP servers that were having problems saving sent messages
   - Added multiple select folder list option widgets (SMOPT_TYPE_FLDRLIST_MULTI).
+  - Added "Secured Configuration" mode.
 
 
 Version 1.5.1 (branched on 2006-02-12)

config/conf.pl

@@ -424,6 +424,7 @@ $use_icons = 'false'                    if ( !$use_icons );
 $use_iframe = 'false'                   if ( !$use_iframe );
 $lossy_encoding = 'false'               if ( !$lossy_encoding );
 $allow_remote_configtest = 'false'      if ( !$allow_remote_configtest );
+$secured_config = 'true'                if ( !$secured_config );
 
 $sm_debug_mode = 'SM_DEBUG_MODE_MODERATE' if ( !$sm_debug_mode );
 #FIXME: When this is STABLE software, remove the line above and uncomment the one below:
@@ -821,6 +822,7 @@ while ( ( $command ne "q" ) && ( $command ne "Q" ) && ( $command ne ":q" ) ) {
     print $WHT. "Configuration tweaks\n" . $NRM;
     print "6.  Allow remote configtest     : $WHT$allow_remote_configtest$NRM\n";
     print "7.  Debug mode                  : $WHT$sm_debug_mode$NRM\n";
+    print "8.  Secured configuration mode  : $WHT$secured_config$NRM\n";
     print "\n";
         print "R   Return to Main Menu\n";
     }
@@ -994,6 +996,7 @@ while ( ( $command ne "q" ) && ( $command ne "Q" ) && ( $command ne ":q" ) ) {
             elsif ( $command == 5 ) { $use_php_iconv  = commandB5(); }
             elsif ( $command == 6 ) { $allow_remote_configtest = commandB6(); }
             elsif ( $command == 7 ) { $sm_debug_mode = commandB8(); }
+            elsif ( $command == 8 ) { $secured_config = commandB9(); }
         }
     }
 }
@@ -4429,6 +4432,32 @@ sub commandB8 {
     return $sm_debug_mode;
 }
 
+# Secured configuration mode (since 1.5.2)
+sub commandB9 {
+    print "This option allows you to enable \"Secured Configuration\" mode,\n";
+    print "which will guarantee that certain settings made herein will be\n";
+    print "made immutable and will not be subject to override by either friendly\n";
+    print "or unfriendly code/plugins.  Only a small number of settings herein\n";
+    print "will be used in this manner - just those that are deemed to be a\n";
+    print "potential security threat when rouge plugin or other code may be\n";
+    print "executed inside SquirrelMail.\n";
+    print "\n";
+
+    if ( lc($secured_config) eq 'true' ) {
+        $default_value = "y";
+    } else {
+        $default_value = "n";
+    }
+    print "Enable secured configuration mode? (y/n) [$WHT$default_value$NRM]: $WHT";
+    $secured_config = <STDIN>;
+    if ( ( $secured_config =~ /^y\n/i ) || ( ( $secured_config =~ /^\n/ ) && ( $default_value eq "y" ) ) ) {
+        $secured_config = 'true';
+    } else {
+        $secured_config = 'false';
+    }
+    return $secured_config;
+}
+
 sub save_data {
     $tab = "    ";
     if ( open( CF, ">config.php" ) ) {
@@ -4824,6 +4853,7 @@ sub save_data {
         print CF "\n";
         # boolean
         print CF "\$allow_remote_configtest = $allow_remote_configtest;\n";
+        print CF "\$secured_config = $secured_config;\n";
         # (binary) integer or constant - convert integer 
         # values to constants before output
         $sm_debug_mode = convert_debug_binary_integer_to_constants($sm_debug_mode);

functions/global.php

@@ -348,6 +348,69 @@ function sqgetGlobalVar($name, &$value, $search = SQ_INORDER, $default = NULL, $
     return $result;
 }
 
+/**
+ * Get an immutable copy of a configuration variable if SquirrelMail
+ * is in "secured configuration" mode.  This guarantees the caller 
+ * gets a copy of the requested value as it is set in the main 
+ * application configuration (including config_local overrides), and 
+ * not what it might be after possibly having been modified by some 
+ * other code (usually a plugin overriding configuration values for 
+ * one reason or another).
+ *
+ * WARNING: Please use this function as little as possible, because 
+ * every time it is called, it forcibly reloads the main configuration
+ * file(s).
+ *
+ * Caller beware that this function will do nothing if SquirrelMail
+ * is not in "secured configuration" mode per the $secured_config 
+ * setting.
+ *
+ * @param string $var_name The name of the desired variable
+ *
+ * @return mixed The desired value
+ *
+ * @since 1.5.2
+ *
+ */
+function get_secured_config_value($var_name) {
+
+    static $return_values = array();
+
+    // if we can avoid it, return values that have 
+    // already been retrieved (so we don't have to
+    // include the config file yet again)
+    //
+    if (isset($return_values[$var_name])) {
+        return $return_values[$var_name];
+    }
+
+
+    // load site configuration
+    //
+    require(SM_PATH . 'config/config.php');
+
+    // load local configuration overrides
+    //
+    if (file_exists(SM_PATH . 'config/config_local.php')) {
+        require(SM_PATH . 'config/config_local.php');
+    }
+
+    // if SM isn't in "secured configuration" mode,
+    // just return the desired value from the global scope
+    // 
+    if (!$secured_config) {
+        global $$var_name;
+        $return_values[$var_name] = $$var_name;
+        return $$var_name;
+    }
+
+    // else we return what we got from the config file
+    //
+    $return_values[$var_name] = $$var_name;
+    return $$var_name;
+
+}
+
 /**
  * Deletes an existing session, more advanced than the standard PHP
  * session_destroy(), it explicitly deletes the cookies and global vars.