--- openwebmail-shared.pl.orig Sat Aug 24 15:59:00 2002
+++ openwebmail-shared.pl Thu Dec 19 17:55:22 2002
@@ -223,6 +223,9 @@
 sub readconf {
 my ($r_config, $r_config_raw, $configfile)=@_;
+ if ($configfile=~/\.\./) { # .. in path is not allowed for higher security
+ openwebmailerror("Invalid config file path $configfile");
+ }
 # read config
 open(CONFIG, $configfile) or openwebmailerror("Couldn't open config file $configfile");
@@ -331,6 +334,11 @@
 }
 }
+ # remove / and .. from variables that will be used in require statement for security
+ foreach $key ( 'default_language', 'auth_module') {
+ ${$r_config}{$key} =~ s|/||g;
+ ${$r_config}{$key} =~ s|\.\.||g;
+ }
 # untaint pathname variable defined in openwebmail.conf
 foreach $key ( 'smtpserver', 'auth_module', 'virtusertable', 'mailspooldir', 'homedirspoolname', 'homedirfolderdirname',
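Review bot: The new `..` guard on `$configfile` still hands the value to the 2-arg `open(CONFIG, $configfile)` on the line that follows it, and 2-arg open interprets leading mode characters in the filename, so the guard alone does not make the path safe to open; the three-arg form, `open(CONFIG, '<', $configfile) or openwebmailerror("Couldn't open config file $configfile");`, fixes that without touching the rest of readconf. The guard also rejects any legitimate filename that merely contains two consecutive dots and says nothing about absolute paths; an anchored allowlist on the expected path shape would be more precise, but what callers pass as $configfile is outside this hunk, so that is a point to confirm. A short comment on the guard, `# reject traversal in a caller-supplied path; the open below still needs the 3-arg form`, would record the intent. readconf's body continues outside the hunk.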
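Review bot: Stripping `/` and `..` out of `default_language` and `auth_module` silently turns a bad value into a different, possibly unintended module name rather than refusing it, so a misconfiguration or injected value is loaded as something else instead of producing an error; a rejecting check is the safer shape, e.g. `openwebmailerror("Invalid $key value") if ${$r_config}{$key} =~ m{/|\.\.};`, with an anchored allowlist added once the set of valid identifiers for these two keys is known (the require sites that consume them are outside the hunk). The loop also leaves `$key` undeclared, so it is a package global shared with the untaint loop below; that matches the existing code's style but `foreach my $key (...)` would scope it. If a key is absent from the config, the substitutions run on undef and only warn, which is worth a comment or an explicit default. The enclosing function starts and ends outside the hunk.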