Bug 240328 - mail/squirrelmail: session_set_cookie_params() (version 1.4.23 [SVN])
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Zsolt Udvari
Reported: 2019-09-04 11:30 UTC by Aleks
Modified: 2019-09-13 14:14 UTC
w.schwarzenfeld: maintainer-feedback?


Attachments
Update to 20190904 (1.44 KB, patch)
2019-09-04 14:38 UTC, Zsolt Udvari
uzsolt: maintainer-approval+

Description Aleks 2019-09-04 11:30:12 UTC
squirrelmail

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/squirrelmail/functions/global.php:476) in /usr/local/www/squirrelmail/functions/i18n.php on line 470

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/squirrelmail/functions/global.php:476) in /usr/local/www/squirrelmail/functions/global.php on line 569

Warning: session_regenerate_id(): Cannot regenerate session id - headers already sent in /usr/local/www/squirrelmail/src/redirect.php on line 86

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/squirrelmail/functions/global.php:476) in /usr/local/www/squirrelmail/functions/page_header.php on line 69

SquirrelMail version 1.4.23 [SVN]

php.ini

session.gc_maxlifetime = 86400
session.cookie_lifetime = 0
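
The ordering constraint behind these warnings, as an added example (not SquirrelMail's code and not the fix in the attached patch): since PHP 7.2, session_set_cookie_params() is refused while a session is active, and the warning text it prints becomes the output that blocks the later header and session_regenerate_id() calls. The function names and cookie values are hypothetical.

```php
<?php
// Added illustration; not SquirrelMail code. Names and values are hypothetical.

/**
 * Apply cookie parameters and (re)start the session in an order PHP >= 7.2 accepts.
 */
function start_session_with_cookie_params(array $p): bool
{
    // Changing parameters on an active session only raises a warning, so
    // flush and close the running session first; its id and data are kept.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    // Once any byte of output has been sent, no Set-Cookie header can follow.
    if (headers_sent($file, $line)) {
        error_log("session cookie not configured: output started at $file:$line");
        return false;
    }
    session_set_cookie_params(
        $p['lifetime'], $p['path'], $p['domain'], $p['secure'], $p['httponly']
    );
    return session_start();
}

/**
 * Rotate the session id after login; report failure instead of silently
 * continuing with the pre-login id.
 */
function rotate_session_id(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE || headers_sent()) {
        return false;
    }
    return session_regenerate_id(true); // true: delete the old session data
}

// Constructed sample values.
$params = ['lifetime' => 0, 'path' => '/squirrelmail/', 'domain' => '',
           'secure' => true, 'httponly' => true];

if (!start_session_with_cookie_params($params) || !rotate_session_id()) {
    error_log('session could not be initialised; refusing to continue');
    exit('Session could not be initialised');
}
```
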
Comment 1 Aleks 2019-09-04 12:29:22 UTC
Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/squirrelmail/functions/global.php:476) in /usr/local/www/squirrelmail/functions/i18n.php on line 470

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/squirrelmail/functions/global.php:476) in /usr/local/www/squirrelmail/functions/global.php on line 569

Warning: session_regenerate_id(): Cannot regenerate session id - headers already sent in /usr/local/www/squirrelmail/src/redirect.php on line 86

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/squirrelmail/functions/global.php:476) in /usr/local/www/squirrelmail/functions/global.php on line 569

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in /usr/local/www/squirrelmail/functions/global.php on line 476

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/www/squirrelmail/functions/global.php:476) in /usr/local/www/squirrelmail/src/redirect.php on line 194
Comment 2 Aleks 2019-09-04 12:30:02 UTC
php -v
PHP 7.2.21 (cli) (built: Aug  8 2019 01:31:12) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.21, Copyright (c) 1999-2018, by Zend Technologies
Segmentation fault
Comment 3 Aleks 2019-09-04 12:31:22 UTC
 php -m
[PHP Modules]
Core
ctype
curl
date
dom
filter
gettext
hash
iconv
imap
intl
json
libxml
mbstring
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
Phar
posix
Reflection
session
SimpleXML
soap
SPL
sqlite3
standard
tokenizer
xml
xmlreader
xmlwriter
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache
Comment 4 Zsolt Udvari 2019-09-04 14:38:36 UTC
Created attachment 207185
Update to 20190904

Changelog based on
svn log -r 'HEAD:{20180405}' https://svn.code.sf.net/p/squirrelmail/code/branches/SM-1_4-STABLE/squirrelmail

Fix broken anchor links
Document CVE-2019-12970 fix
Add handling for RCDATA and RAWTEXT elements in HTML sanitizer (CVE-2019-12970)
PHP7.2 fix (#2848)
Some browsers were not putting cursor at beginning of message body after focus
Don't wrap headers right after the name (configurable)
Allow some plugins to run "normal" code that happens to switch text domain
Correct mistaken use of rfc822_header->date field that was being treated as a date string when it is only ever a timestamp
Last change needs to be made across all attachment common hooks
Fix view links for messages with same subject
Fix PHP7 warning (#2847)
Add IMAP ID command (RFC2971), sent after every login - use by setting $imap_id_command_args in config/config_local.php (see notes in functions/imap_general.php for more details)
Layout fixes for saved search and search history
Updated SVG handling, closing several related vulnerabilities reported in #2831 and CVE-2018-14950, CVE-2018-14951, CVE-2018-14952, CVE-2018-14953, CVE-2018-14954, CVE-2018-14955
Add new options for SVG handling and broken base64-encoded messages
Disable SVG display by default
Updated SVG handling, gracefully fix broken base64-encoded messages, also close XSS reported in #2831 and CVE-2018-14950, CVE-2018-14951, CVE-2018-14952, CVE-2018-14953, CVE-2018-14954, CVE-2018-14955
When message being replied to has no Reply-To header, we use the From header to fill in the reply To address, so we have to account for that situation when building the Cc header
Happy New Year
Allow unsent compose sessions to stay around, but remove them after successful send
Minor cleanup
Make globalized hook return values unique - prevents clashes between hooks and offers plugins more power to control each hook
put an ID on move button
PAGE_NAME needed in more scripts
Alter hook types "do_hook_function" and "concat_hook_function" such that the ultimate hook return value (in its current state, as computed (or not) by the plugins that have executed previously) is both globalized and passed as an additional argument to each plugin.  This allows plugins to cooperate better and not overwrite each others return values.
Make sure link tags are proper XHTML
Note favicon addition
Add favicon and ability for admins to use their own by setting $head_tag_extra in config_local.php (see documented comments in, for example, src/webmail.php)
Add view_header_bottom hook
Add generic bottom hook for miscellaneous option pages
removing pointless show_more=0
removing pointless show_more=0
Need to load the default - user may never have changed their sent folder settings!
Fix broken mailto links created by some (Microsoft?) clients
Add better spam header handling; also cache raw headers
Change anti-CSRF security token lifetime to be session-based
Add session-based security token functionality (enabled by default)
Unify DEVEL and STABLE
Fix PHP notice. Thanks to Hanno Böck
Minor fix for plugin usage
Allow more advanced element focusing
Also needed IMAP TLS update
Better handling for empty identities
Update use_smtp_tls setting to reflect availability of STARTTLS
Allow plugins better control of sqfixidentities
Bug fixes for reordering and better sanity checks
Allow users who cannot edit their email address but who have multiple identities to edit all their identities
Comment 5 Zsolt Udvari 2019-09-04 14:40:36 UTC
Could you please test this patch? Or temporarily use the svn version (http://squirrelmail.org/download.php)?
If it works well, I think it's done. If not, we should backport the changes from the development version.

(I don't have time to check it right now.)

Thanks for your report!
Comment 6 Aleks 2019-09-05 17:32:36 UTC
????

version 1.4.23 [SVN]
Comment 7 Zsolt Udvari 2019-09-05 17:35:18 UTC
(In reply to Aleks from comment #6)
Yes.
"Stable version snapshots (1.4.23-svn)"
Comment 8 Aleks 2019-09-05 17:44:56 UTC
I have such a version (((
Comment 9 Zsolt Udvari 2019-09-05 17:49:32 UTC
(In reply to Aleks from comment #8)
Please check the date!
http://squirrelmail.org/download.php
squirrelmail-20190905_0200-SVN.stable.tar.bz2

Its date is 2019-09-05 (today). Tomorrow it will be 2019-09-06, but it will be the same, because it is created automatically every day.
Comment 11 Zsolt Udvari 2019-09-05 18:21:53 UTC
(In reply to Aleks from comment #10)
It's 20180404 - a version more than one year old.
Comment 12 Aleks 2019-09-09 09:24:28 UTC
svn checkout https://svn.code.sf.net/p/squirrelmail/code/branches/SM-1_4-STABLE/squirrelmail


what version will it be

????
Comment 14 Zsolt Udvari 2019-09-13 14:13:06 UTC
The patch works well, the warning messages are gone.
Comment 15 Zsolt Udvari 2019-09-13 14:14:01 UTC
@Aleks please add "patch" and "patch-ready" keywords to this report (you're the reporter so only you can do it).