Hastymail2

Hastymail2 is an Open Source IMAP webmail client written in PHP. Our focus is compliance, usability, security, and speed.
     
2015-04-16 Update:

Sadly Hastymail2 is no longer being maintained. Happily this is because we are working on a new web-based E-mail client, called Cypht. If you need support your best bet is the #hastymail IRC channel at freenode. Thanks to everyone who contributed to and supported this project!

Code Updates for May 5

    It's been another slow-ish week in Hastymail development land. I have been swamped with work and had a few personal issues to take care of. I did however get some annoying bugs fixed and continued to chip away at the remaining bits of code that I want in place before we start building beta releases. One fix, making cookie-less sessions work, required quite a bit of troubleshooting to correct, and in the process revealed an interesting facet of some internal PHP behavior. Here is the detailed list of what's new this week.

- Added a require_check() function that analyzes dynamically created filenames that are then used in require() or require_once() statements (plugins and themes for example). This is an extra precaution to protect against improper file inclusion attacks. These types of weaknesses can result in a serious server compromise. I don't even think it's possible to taint the variables used in these cases but this general security check would disable any attempt to abuse the require or require_once functions.

- fixed cookie-less sessions. This was a weird one. I tracked it down to be related to output buffering, specifically our internal tag replacement system. In Hastymail we build a complete page and store it in PHP's output buffer, then just before outputting it to the browser we do some replacements and alterations. The problem specifically is that our cookie-less sessions use the PHP trans_sid functionality. However, when grabbing the output buffer's contents with ob_get_contents (or any of the ob_ functions for that matter), the trans_sid replacement is not made. Simply echoing the results after pulling them from the buffer has the result of losing the "url-rewrite" condition that trans_sid enables. The solution is to use 2 output buffers, one nested within the other, when we are running with cookie-less sessions. This trick allows the trans_sid rewrite to occur, and lets us pull the markup for the page into a string variable to then apply our own tag replacement routines to.

- fixed IMAP APPEND bug. When saving outgoing messages to the sent folder IMAP needs to know the exact (literal) size of the message, including attachments. A bug existed that was causing this to be slightly less than the actual size, resulting in the final lines of a message attachment being "clipped". The bug was not hard to track down and is now resolved.

- fixed cookie expiration on logout. There was a bug in which the session cookie was not being deleted, now fixed. 

- autosave on the compose page. More work on auto-save but it is still incomplete (sort of works). One problem with using an IMAP message as the storage mechanism for auto-saved messages is that the IMAP DELETE -> EXPUNGE model does not, without the use of an IMAP extension, allow selective expunging within a folder. 

- Updates to a few of the source docs and added some missing default user settings to the hastymail.conf.example file.
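
One way a check like require_check() could be written, as an added example that is not Hastymail2's own code: the function name safe_require_path(), the plugins directory layout and the demo files are assumptions. It validates the dynamic name, resolves the path with realpath(), and accepts only regular files that stay inside an allowed base directory.

```php
<?php
// Added illustration, not Hastymail2 source. safe_require_path() and the
// directory layout used below are hypothetical.

// Return the resolved path of a plugin/theme file if it is a regular .php
// file inside one of $allowed_bases, or false if any check fails.
function safe_require_path(string $name, string $subpath, array $allowed_bases)
{
    // The component name is limited to a conservative character set, which
    // rejects "../", NUL bytes and stream wrappers such as "php://".
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    // No dots are allowed before the extension, so ".." cannot appear.
    if (!preg_match('#^[A-Za-z0-9_/-]{1,128}\.php$#', $subpath)) {
        return false;
    }
    foreach ($allowed_bases as $base) {
        $base_real = realpath($base);
        if ($base_real === false) {
            continue;
        }
        // realpath() collapses "." and ".." and follows symlinks, so the
        // prefix comparison is made against the file that would be opened.
        $candidate = realpath($base_real . DIRECTORY_SEPARATOR . $name
            . DIRECTORY_SEPARATOR . $subpath);
        if ($candidate === false || !is_file($candidate)) {
            continue;
        }
        $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($candidate, $prefix, strlen($prefix)) === 0) {
            return $candidate;
        }
    }
    return false;
}

// Constructed demo tree: one plugin file inside the base, one file outside.
$root = sys_get_temp_dir() . '/rc_demo_' . getmypid();
mkdir("$root/plugins/calendar", 0700, true);
file_put_contents("$root/plugins/calendar/config.php", "<?php return true;\n");
file_put_contents("$root/secret.php", "<?php return 'outside';\n");
$bases = ["$root/plugins"];

var_dump(safe_require_path('calendar', 'config.php', $bases));       // file inside the base
var_dump(safe_require_path('..', 'secret.php', $bases));             // traversal in the name
var_dump(safe_require_path('calendar', '../../secret.php', $bases)); // traversal in the subpath
```

The caller passes the returned path to require_once() only when the result is not false; the realpath() containment test also covers a symlink inside the plugin directory that points outside it.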


Comments
KKXRtHGVnr
Posted by Rida 2 years, 26 days ago
Dad who is that fan I have seen some more comments than 1 and my friend likes ur site that makes 2 fans me and her. We r both writing stories. Her username is karatestar2 I showed her the site. is that ur fan?
