pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/mail/squirrelmail Updated squirrelmail to 1.4.3anb1 (p...
details: https://anonhg.NetBSD.org/pkgsrc/rev/248da4738aa7
branches: trunk
changeset: 483633:248da4738aa7
user: martti <martti%pkgsrc.org@localhost>
date: Tue Nov 16 14:18:01 2004 +0000
description:
Updated squirrelmail to 1.4.3anb1 (pkg/28328 by IYODA Atsushi)
There is a cross site scripting issue in the decoding of encoded text
in certain headers. SquirrelMail correctly decodes the specially
crafted header, but doesn't sanitize the decoded strings.
http://article.gmane.org/gmane.mail.squirrelmail.user/21169
diffstat:
mail/squirrelmail/Makefile | 3 ++-
mail/squirrelmail/distinfo | 5 +++--
mail/squirrelmail/patches/patch-aa | 2 ++
mail/squirrelmail/patches/patch-ab | 30 ++++++++++++++++++++++++++++++
4 files changed, 37 insertions(+), 3 deletions(-)
diffs (67 lines):
diff -r 203004e69a16 -r 248da4738aa7 mail/squirrelmail/Makefile
--- a/mail/squirrelmail/Makefile Tue Nov 16 14:10:55 2004 +0000
+++ b/mail/squirrelmail/Makefile Tue Nov 16 14:18:01 2004 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.42 2004/10/31 23:47:33 jdolecek Exp $
+# $NetBSD: Makefile,v 1.43 2004/11/16 14:18:01 martti Exp $
DISTNAME= squirrelmail-1.4.3a
+PKGREVISION= 1
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
EXTRACT_SUFX= .tar.bz2
diff -r 203004e69a16 -r 248da4738aa7 mail/squirrelmail/distinfo
--- a/mail/squirrelmail/distinfo Tue Nov 16 14:10:55 2004 +0000
+++ b/mail/squirrelmail/distinfo Tue Nov 16 14:18:01 2004 +0000
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.20 2004/06/04 14:05:53 xtraeme Exp $
+$NetBSD: distinfo,v 1.21 2004/11/16 14:18:01 martti Exp $
SHA1 (squirrelmail-1.4.3a.tar.bz2) = 8cb22905ddedbe94c9a174d12074263ce84c9a27
Size (squirrelmail-1.4.3a.tar.bz2) = 2254039 bytes
-SHA1 (patch-aa) = cad816ce6e36def3f1b99ba831aa297c074d5aca
+SHA1 (patch-aa) = b850165c4ed863faca1b8786e43c2cc16abba060
+SHA1 (patch-ab) = c994d1287465f4b3ffa79d1e9c0f27c50ce27aa6
diff -r 203004e69a16 -r 248da4738aa7 mail/squirrelmail/patches/patch-aa
--- a/mail/squirrelmail/patches/patch-aa Tue Nov 16 14:10:55 2004 +0000
+++ b/mail/squirrelmail/patches/patch-aa Tue Nov 16 14:18:01 2004 +0000
@@ -1,3 +1,5 @@
+$NetBSD: patch-aa,v 1.8 2004/11/16 14:18:01 martti Exp $
+
--- config/config_default.php.orig 2004-04-21 20:21:54.000000000 +0300
+++ config/config_default.php 2004-05-31 21:32:43.000000000 +0300
@@ -383,7 +383,7 @@
diff -r 203004e69a16 -r 248da4738aa7 mail/squirrelmail/patches/patch-ab
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/squirrelmail/patches/patch-ab Tue Nov 16 14:18:01 2004 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-ab,v 1.6 2004/11/16 14:18:01 martti Exp $
+
+diff -urN functions/mime.php functions/mime.php
+--- functions/mime.php 2004-05-23 19:14:11.000000000 +0300
++++ functions/mime.php 2004-11-03 19:16:50.000000000 +0200
+@@ -602,13 +602,22 @@
+ }
+ $iLastMatch = $i;
+ $j = $i;
+- $ret .= $res[1];
++ if ($htmlsave) {
++ $ret .= htmlspecialchars($res[1]);
++ } else {
++ $ret .= $res[1];
++ }
+ $encoding = ucfirst($res[3]);
+ switch ($encoding)
+ {
+ case 'B':
+ $replace = base64_decode($res[4]);
+- $ret .= charset_decode($res[2],$replace);
++ if ($utfencode) {
++ $replace = charset_decode($res[2],$replace);
++ } elseif ($htmlsave) {
++ $replace = htmlspecialchars($replace);
++ }
++ $ret .= $replace;
+ break;
+ case 'Q':
+ $replace = str_replace('_', ' ', $res[4]);
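Review bot: In the `case 'B':` branch the `elseif` skips `htmlspecialchars()` whenever `$utfencode` is set, so in that mode the output is only safe if `charset_decode()` HTML-escapes its result for every charset named in `$res[2]`, which this hunk does not show. A comment stating that contract would help the next maintainer, e.g. `/* charset_decode() is expected to return HTML-escaped text; escape here only when it is bypassed */`. The hunk also ends on the first line of `case 'Q':`, and the enclosing function starts and ends outside it, so it is worth confirming that the quoted-printable path and any text appended after the last encoded word receive the same `$htmlsave` handling, since the commit message describes the problem as unsanitized decoded header text in general. Where the decoded value can end up inside a quoted attribute, `htmlspecialchars($replace, ENT_QUOTES)` would also cover single quotes.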