Additional config not parsed, resulted in exposed admin with default password

[muhlemmer]

RainLoop version, browser, OS:
rainloop-community-1.12.1, N/A, Docker image php:7.2-apache

Part of the Mailu mail distribution.

Expected behavior and actual behavior:

Configuration file defined in __get_additional_configuration_name() in include.php is not parsed when application.ini is not present. application.ini only gets generated when any setting is changed in the admin interface.

Using the above, we used to include a .ini file which specified:

[security]
allow_admin_panel = Off

I'm relatively new to that project, but this way of configuring was introduced around 3 years ago. I assume it worked back then and got broken somewhere between then and now. This resulted in a security bug: Mailu/Mailu#947. Which basically exposed the admin interface with the default password for many of our users!

Steps to reproduce the problem:

/var/www/html/include.php:

<?php
// Rename this file to "include.php" to enable it.
/**
 * @return string
 */
function __get_custom_data_full_path()
{
	return '/data/'; // custom data folder path
}
/**
 * @return string
 */
function __get_additional_configuration_name()
{
	return 'config.ini';
}

/data/_data_/_default_/configs/config.ini:

; RainLoop Webmail configuration file

[webmail]
attachment_size_limit = {{ MAX_FILESIZE }}

[security]
allow_admin_panel = Off

[labs]
allow_gravatar = Off

Logs or screenshots:
No logs found explaining a faulty config or exposed admin.

[rolfen]

I feel it is better that application.ini would be part of the installation.
And also that allow_admin_panel should default to Off.

[teknopaul]

Just found this the hard way too, I think it would be better to distribute a complete application.ini with sensible secure defaults and a random user or password when its first started.

[teknopaul]

A mechanism to encrypt a secret password on the cli before booting for the first time would be useful too.