pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mail/squirrelmail Updated squirrelmail to 1.4.4nb1



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1ffcb3eb924c
branches:  trunk
changeset: 495635:1ffcb3eb924c
user:      martti <martti%pkgsrc.org@localhost>
date:      Thu Jun 16 07:30:40 2005 +0000

description:
Updated squirrelmail to 1.4.4nb1

* Fix several cross site scripting vulnerabilities

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0337

diffstat:

 mail/squirrelmail/Makefile         |    4 +-
 mail/squirrelmail/buildlink3.mk    |    4 +-
 mail/squirrelmail/distinfo         |    3 +-
 mail/squirrelmail/patches/patch-ab |  651 +++++++++++++++++++++++++++++++++++++
 4 files changed, 657 insertions(+), 5 deletions(-)

diffs (truncated from 698 to 300 lines):

diff -r 35bc0242031b -r 1ffcb3eb924c mail/squirrelmail/Makefile
--- a/mail/squirrelmail/Makefile        Thu Jun 16 06:57:37 2005 +0000
+++ b/mail/squirrelmail/Makefile        Thu Jun 16 07:30:40 2005 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.51 2005/04/11 21:46:27 tv Exp $
+# $NetBSD: Makefile,v 1.52 2005/06/16 07:30:40 martti Exp $
 
 DISTNAME=      squirrelmail-1.4.4
-#PKGREVISION=  1
+PKGREVISION=   1
 CATEGORIES=    mail www
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
 EXTRACT_SUFX=  .tar.bz2
diff -r 35bc0242031b -r 1ffcb3eb924c mail/squirrelmail/buildlink3.mk
--- a/mail/squirrelmail/buildlink3.mk   Thu Jun 16 06:57:37 2005 +0000
+++ b/mail/squirrelmail/buildlink3.mk   Thu Jun 16 07:30:40 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.1 2005/01/24 19:03:35 martti Exp $
+# $NetBSD: buildlink3.mk,v 1.2 2005/06/16 07:30:40 martti Exp $
 
 BUILDLINK_DEPTH:=              ${BUILDLINK_DEPTH}+
 SQUIRRELMAIL_BUILDLINK3_MK:=   ${SQUIRRELMAIL_BUILDLINK3_MK}+
@@ -11,7 +11,7 @@
 BUILDLINK_PACKAGES+=   squirrelmail
 
 .if !empty(SQUIRRELMAIL_BUILDLINK3_MK:M+)
-BUILDLINK_DEPENDS.squirrelmail+=       squirrelmail>=1.4.4
+BUILDLINK_DEPENDS.squirrelmail+=       squirrelmail>=1.4.4nb1
 BUILDLINK_PKGSRCDIR.squirrelmail?=     ../../mail/squirrelmail
 .endif # SQUIRRELMAIL_BUILDLINK3_MK
 
diff -r 35bc0242031b -r 1ffcb3eb924c mail/squirrelmail/distinfo
--- a/mail/squirrelmail/distinfo        Thu Jun 16 06:57:37 2005 +0000
+++ b/mail/squirrelmail/distinfo        Thu Jun 16 07:30:40 2005 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.24 2005/02/24 09:59:29 agc Exp $
+$NetBSD: distinfo,v 1.25 2005/06/16 07:30:40 martti Exp $
 
 SHA1 (squirrelmail-1.4.4.tar.bz2) = 52bdb31e826e845464d7d53e0745c50ead9ba6fe
 RMD160 (squirrelmail-1.4.4.tar.bz2) = d1e3f46b665a1bdf9d074eb805682f66f068221c
 Size (squirrelmail-1.4.4.tar.bz2) = 468790 bytes
 SHA1 (patch-aa) = 9e66fdf7697379cc66266b7aa0c599db68750284
+SHA1 (patch-ab) = 3ae096450e7397475e043abc6c3ec993bb6f80f8
diff -r 35bc0242031b -r 1ffcb3eb924c mail/squirrelmail/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/squirrelmail/patches/patch-ab        Thu Jun 16 07:30:40 2005 +0000
@@ -0,0 +1,651 @@
+$NetBSD: patch-ab,v 1.8 2005/06/16 07:30:40 martti Exp $
+
+--- functions/addressbook.php  Mon Dec 27 16:03:42 2004
++++ functions/addressbook.php  Wed Jun 15 23:50:03 2005
+@@ -108,7 +108,7 @@
+                 if (!$r && $showerr) {
+                     printf( '&nbsp;' . _("Error initializing LDAP server %s:") .
+                             "<br />\n", $param['host']);
+-                    echo '&nbsp;' . $abook->error;
++                    echo '&nbsp;' . htmlspecialchars($abook->error);
+                     exit;
+                 }
+             }
+@@ -239,7 +239,7 @@
+                 if (is_array($res)) {
+                     $ret = array_merge($ret, $res);
+                 } else {
+-                    $this->error .= "<br />\n" . $backend->error;
++                    $this->error .= "\n" . $backend->error;
+                     $failed++;
+                 }
+             }
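Review bot: With the `<br />` prefix removed here and in the `@@ -255,7` hunk below, `$this->error` becomes plain text carrying backend-supplied strings, so it is only safe if every place that prints it escapes it. The one output site this patch touches is the `echo` in the first hunk; any other page that echoes the address book error is not visible here and should be checked for the same `htmlspecialchars()` call. Because the separator is now a bare newline, `nl2br(htmlspecialchars($abook->error))` at the output sites would keep multiple backend errors on separate lines. The enclosing search function starts and ends outside this hunk.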
+@@ -255,7 +255,7 @@
+ 
+             $ret = $this->backends[$bnum]->search($expression);
+             if (!is_array($ret)) {
+-                $this->error .= "<br />\n" . $this->backends[$bnum]->error;
++                $this->error .= "\n" . $this->backends[$bnum]->error;
+                 $ret = FALSE;
+             }
+         }
+diff -urw squirrelmail-1.4.4.orig/functions/mime.php squirrelmail-1.4.4/functions/mime.php
+--- functions/mime.php Mon Jan 10 19:52:48 2005
++++ functions/mime.php Wed Jun 15 23:50:03 2005
+@@ -1388,12 +1388,33 @@
+                 }
+             }
+         }
++
++        /**
++         * Replace empty src tags with the blank image.  src is only used
++         * for frames, images, and image inputs.  Doing a replace should
++         * not affect them working as should be, however it will stop
++         * IE from being kicked off when src for img tags are not set
++         */
++        if (($attname == 'src') && ($attvalue == '""')) {
++            $attary{$attname} = '"' . SM_PATH . 'images/blank.png"';
++        }
++
+         /**
+          * Turn cid: urls into http-friendly ones.
+          */
+         if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){
+             $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
+         }
++
++        /**
++         * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags.
++         * One day MS might actually make it match something useful, for now, falling
++         * back to using cid2http, so we can grab the blank.png.
++         */
++        if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) {
++            $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
++        }
++
+     }
+     /**
+      * See if we need to append any attributes to this tag.
+@@ -1408,7 +1429,7 @@
+ 
+ /**
+  * This function edits the style definition to make them friendly and
+- * usable in squirrelmail.
++ * usable in SquirrelMail.
+  *
+  * @param  $message  the message object
+  * @param  $id       the message id
+@@ -1436,27 +1457,54 @@
+     /**
+      * Fix url('blah') declarations.
+      */
+-    $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
+-                            "url(\\1$secremoveimg\\2)", $content);
++    //   $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
++    //                           "url(\\1$secremoveimg\\2)", $content);
++    // remove NUL
++    $content = str_replace("\0", "", $content);
++    // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
++    while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
++        $sProto = strtolower($matches[1]);
++        switch ($sProto) {
+     /**
+      * Fix url('https*://.*) declarations but only if $view_unsafe_images
+      * is false.
+      */
++          case 'https':
++          case 'http':
+     if (!$view_unsafe_images){
+-        $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si",
+-                                "url(\\1$secremoveimg\\2)", $content);
++                $sExpr = "/url\s*\(\s*([\'\"])\s*$sProto*:.*?([\'\"])\s*\)/si";
++                $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content);
+     }
+-
++            break;
+     /**
+      * Fix urls that refer to cid:
+      */
+-    while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si",
+-                      $content, $matches)){
+-        $cidurl = $matches{1};
++          case 'cid':
++            $cidurl = 'cid:'. $matches[2];
+         $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
+         $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
+-                                "url($httpurl)", $content);
++                                "u\0r\0l($httpurl)", $content);
++            break;
++          default:
++            /**
++             * replace url with protocol other then the white list
++             * http,https and cid by an empty string.
++             */
++            $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si",
++                                "", $content);
++            break;
+     }
++        break;
++    }
++    // remove NUL
++    $content = str_replace("\0", "", $content);
++
++   /**
++    * Remove any backslashes, entities, and extraneous whitespace.
++    */
++    $contentTemp = $content;
++    sq_defang($contentTemp);
++    sq_unspace($contentTemp);
+ 
+     /**
+      * Fix stupid css declarations which lead to vulnerabilities
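Review bot: The `break;` placed after the closing brace of the `switch` leaves the `while` on its first iteration, so only the first `url(...)` in the style block is classified by scheme and the NUL markers never do the loop-guarding the comment describes. When that first match is http, https or cid, a later declaration with any other scheme is not sent through the `default` branch. Since the old `\S+script\s*:` replacement is commented out in this same hunk, the allowlist should cover every declaration: either classify each match in one pass (for example with `preg_replace_callback`) or keep looping and NUL-mark the match in every branch, including http/https when `$view_unsafe_images` is true. Separately, `$cidurl` now comes from the greedy `(.*)` capture and is interpolated into the pattern unescaped; `preg_quote($cidurl, '|')` would keep message text from being read as regex syntax. The function body starts and ends outside this hunk.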
+@@ -1467,10 +1515,16 @@
+                      '/binding/i',
+                      '/include-source/i');
+     $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy');
+-    $content = preg_replace($match, $replace, $content);
++    $contentNew = preg_replace($match, $replace, $contentTemp);
++    if ($contentNew !== $contentTemp) {
++        // insecure css declarations are used. From now on we don't care
++        // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash
++        $content = $contentNew;
++    }
+     return array($content, $newpos);
+ }
+ 
++
+ /**
+  * This function converts cid: url's into the ones that can be viewed in
+  * the browser.
+@@ -1492,15 +1546,46 @@
+         $quotchar = '';
+     }
+     $cidurl = substr(trim($cidurl), 4);
++
++    $match_str = '/\{.*?\}\//';
++    $str_rep = '';
++    $cidurl = preg_replace($match_str, $str_rep, $cidurl);
++
+     $linkurl = find_ent_id($cidurl, $message);
+     /* in case of non-save cid links $httpurl should be replaced by a sort of
+        unsave link image */
+     $httpurl = '';
+-    if ($linkurl) {
++
++    /**
++     * This is part of a fix for Outlook Express 6.x generating
++     * cid URLs without creating content-id headers. These images are
++     * not part of the multipart/related html mail. The html contains
++     * <img src="cid:{some_id}/image_filename.ext"> references to
++     * attached images with as goal to render them inline although
++     * the attachment disposition property is not inline.
++     */
++
++    if (empty($linkurl)) {
++        if (preg_match('/{.*}\//', $cidurl)) {
++            $cidurl = preg_replace('/{.*}\//','', $cidurl);
++            if (!empty($cidurl)) {
++                $linkurl = find_ent_id($cidurl, $message);
++            }
++        }
++    }
++
++    if (!empty($linkurl)) {
+         $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&amp;' .
+                    "passed_id=$id&amp;mailbox=" . urlencode($mailbox) .
+                    '&amp;ent_id=' . $linkurl . $quotchar;
++    } else {
++        /**
++         * If we couldn't generate a proper img url, drop in a blank image
++         * instead of sending back empty, otherwise it causes unusual behaviour
++         */
++        $httpurl = $quotchar . SM_PATH . 'images/blank.png';
+     }
++
+     return $httpurl;
+ }
+ 
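Review bot: The new fallback `$httpurl = $quotchar . SM_PATH . 'images/blank.png';` omits the closing `$quotchar` that the success branch appends, so a failed lookup returns a value with an opening quote and no closing one. That return value is assigned straight to the attribute in the `cid:` and `outbind://` branches added earlier in this patch, which would leave the rewritten tag with an unbalanced attribute quote; `$httpurl = $quotchar . SM_PATH . 'images/blank.png' . $quotchar;` matches the other branch. The `{...}/` retry inside `if (empty($linkurl))` also looks unreachable in effect, since the same prefix is already stripped unconditionally before the first `find_ent_id()` call. The function's opening lines are outside the hunk.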
+@@ -1526,8 +1611,7 @@
+             $attvalue = str_replace($quotchar, "", $attvalue);
+             switch ($attname){
+                 case 'background':
+-                    $attvalue = sq_cid2http($message, $id,
+-                                            $attvalue, $mailbox);
++                    $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+                     $styledef .= "background-image: url('$attvalue'); ";
+                     break;
+                 case 'bgcolor':
+@@ -1754,6 +1838,7 @@
+                                   "embed",
+                                   "title",
+                                   "frameset",
++            "xmp",
+                                   "xml"
+                                   );
+ 
+@@ -1761,7 +1846,8 @@
+                                 "img",
+                                 "br",
+                                 "hr",
+-                                "input"
++            "input",
++            "outbind"
+                                 );
+ 
+     $force_tag_closing = true;
+@@ -1816,6 +1902,7 @@
+                                 "/binding/i",
+                                 "/behaviou*r/i",
+                                 "/include-source/i",
++                    "/position\s*:\s*absolute/i",
+                                 "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si",
+                                 "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si",
+                                 "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si",
+@@ -1826,6 +1913,7 @@
+                                 "idiocy",
+                                 "idiocy",
+                                 "idiocy",
++                    "",
+                                 "url(\\1#\\1)",
+                                 "url(\\1#\\1)",
+                                 "url(\\1#\\1)",
+@@ -1856,7 +1944,7 @@
+ 


