$OpenBSD: patch-cgi-bin_openwebmail_ow-shared_pl,v 1.1 2003/01/30 07:57:26 kevlo Exp $
--- cgi-bin/openwebmail/ow-shared.pl.orig	Tue Nov 26 12:20:51 2002
+++ cgi-bin/openwebmail/ow-shared.pl	Thu Jan 30 14:45:08 2003
@@ -125,8 +125,8 @@ use vars qw($_OFFSET $_FROM $_TO $_DATE 
 ###################### OPENWEBMAIL_INIT ###################
 # init routine to set globals, switch euid
 sub openwebmail_init {
-   readconf(\%config, \%config_raw, "$SCRIPT_DIR/etc/openwebmail.conf.default");
-   readconf(\%config, \%config_raw, "$SCRIPT_DIR/etc/openwebmail.conf") if (-f "$SCRIPT_DIR/etc/openwebmail.conf");
+   readconf(\%config, \%config_raw, "/var/www/conf/openwebmail/openwebmail.conf.default");
+   readconf(\%config, \%config_raw, "/var/www/conf/openwebmail/openwebmail.conf") if (-f "/var/www/conf/openwebmail/openwebmail.conf");
    # setuid is required if mails is located in user's dir
    if ( $>!=0 && ($config{'use_homedirspools'}||$config{'use_homedirfolders'}) ) {
       print "Content-type: text/html\n\n'$0' must setuid to root"; exit 0;
@@ -231,6 +231,9 @@ sub openwebmail_init {
 sub readconf {
    my ($r_config, $r_config_raw, $configfile)=@_;
 
+   if ($configfile=~/\.\./) {  # .. in path is not allowed for higher security
+      openwebmailerror("Invalid config file path $configfile");
+   }
    # read config
    open(CONFIG, $configfile) or
       openwebmailerror("Couldn't open config file $configfile");
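Review bot: The added `..` test in readconf does not make the `open(CONFIG, $configfile)` that follows it safe, because two-argument open still treats a leading `<` or `>` and a leading or trailing `|` in the name as a mode or a pipe. Use the three-argument form so the name is only ever a file to read: `open(CONFIG, '<', $configfile) or`. The new check also relies on openwebmailerror() never returning; its definition is outside this hunk, so confirm that or add an explicit `return` after the call. Both error messages echo `$configfile` back to the client, so if openwebmailerror() renders HTML (not visible here) the value should be escaped first. readconf's body continues outside the hunk.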
@@ -340,6 +343,12 @@ sub readconf {
       }
    }
 
+   # remove / and .. from variables that will be used in require statement for security
+   foreach $key ( 'default_language', 'auth_module') {
+       ${$r_config}{$key} =~ s|/||g;
+       ${$r_config}{$key} =~ s|\.\.||g;
+    
+   }
    # untaint pathname variable defined in openwebmail.conf
    foreach $key ( 'smtpserver', 'auth_module', 'virtusertable',
                   'mailspooldir', 'homedirspoolname', 'homedirfolderdirname',
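Review bot: The added loop over `default_language` and `auth_module` is a denylist that silently rewrites the value instead of rejecting it. A mistyped or hostile setting is turned into some other name and still reaches the `require` the comment mentions (the `require` itself is outside this hunk). Everything other than `/` and `..` passes through, including a NUL byte, and the result can be empty. Rejecting anything outside an allowlist is stricter and easier to audit: `openwebmailerror("Invalid value for $key") if ${$r_config}{$key} !~ /\A[A-Za-z0-9_.\-]+\z/ || ${$r_config}{$key} =~ /\.\./;`. The whitespace-only line left before the closing brace of the loop can be dropped as well.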
