pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/mail Add fix for security issue 2006-06-01 from Squirr...
details: https://anonhg.NetBSD.org/pkgsrc/rev/33d76e54adc8
branches: trunk
changeset: 513831:33d76e54adc8
user: tron <tron%pkgsrc.org@localhost>
date: Sun Jun 04 12:31:31 2006 +0000
description:
Add fix for security issue 2006-06-01 from SquirrelMail CVS repository.
Bump package revision.
diffstat:
mail/ja-squirrelmail/Makefile | 4 +-
mail/ja-squirrelmail/distinfo | 3 +-
mail/ja-squirrelmail/patches/patch-ac | 59 +++++++++++++++++++++++++++++++++++
mail/squirrelmail/Makefile | 4 +-
mail/squirrelmail/distinfo | 3 +-
mail/squirrelmail/patches/patch-ac | 59 +++++++++++++++++++++++++++++++++++
6 files changed, 126 insertions(+), 6 deletions(-)
diffs (180 lines):
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/ja-squirrelmail/Makefile
--- a/mail/ja-squirrelmail/Makefile Sun Jun 04 12:21:24 2006 +0000
+++ b/mail/ja-squirrelmail/Makefile Sun Jun 04 12:31:31 2006 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2006/06/02 18:27:56 joerg Exp $
+# $NetBSD: Makefile,v 1.30 2006/06/04 12:31:31 tron Exp $
DISTNAME= squirrelmail-1.4.6
PKGNAME= ja-${DISTNAME}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
EXTRACT_SUFX= .tar.bz2
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/ja-squirrelmail/distinfo
--- a/mail/ja-squirrelmail/distinfo Sun Jun 04 12:21:24 2006 +0000
+++ b/mail/ja-squirrelmail/distinfo Sun Jun 04 12:31:31 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2006/05/05 05:32:36 martti Exp $
+$NetBSD: distinfo,v 1.11 2006/06/04 12:31:31 tron Exp $
SHA1 (squirrelmail-1.4.6.tar.bz2) = b813aa9f736b4b6c41d1afd35bcbd01604e85cf7
RMD160 (squirrelmail-1.4.6.tar.bz2) = 3cee894b392620af3e35ef1d00e35775559dd4f7
@@ -8,3 +8,4 @@
Size (squirrelmail-1.4.6-ja-20060504-patch) = 29808 bytes
SHA1 (patch-aa) = c96e85a28464c414bef744f9d1398fc9dd49549a
SHA1 (patch-ab) = a7648438c9764e432e5d040e8e3aebb0ab48730e
+SHA1 (patch-ac) = 393579f9276169d2c765726fb1249160a270e983
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/ja-squirrelmail/patches/patch-ac
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/ja-squirrelmail/patches/patch-ac Sun Jun 04 12:31:31 2006 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-ac,v 1.3 2006/06/04 12:31:31 tron Exp $
+
+--- functions/global.php.orig 2006-02-03 22:27:47.000000000 +0000
++++ functions/global.php 2006-06-04 13:22:14.000000000 +0100
+@@ -62,6 +62,47 @@
+ sqstripslashes($_POST);
+ }
+
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++ strtolower(ini_get('register_globals'))!='off') {
++ /**
++ * Remove all globals from $_GET, $_POST, and $_COOKIE.
++ */
++ foreach ($_REQUEST as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized $_FILES variables
++ * Before 4.3.0 $_FILES are included in $_REQUEST.
++ * Unglobalize them in separate call in order to remove dependency
++ * on PHP version.
++ */
++ foreach ($_FILES as $key => $value) {
++ unset($GLOBALS[$key]);
++ // there are three undocumented $_FILES globals.
++ unset($GLOBALS[$key.'_type']);
++ unset($GLOBALS[$key.'_name']);
++ unset($GLOBALS[$key.'_size']);
++ }
++ /**
++ * Remove globalized environment variables.
++ */
++ foreach ($_ENV as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized server variables.
++ */
++ foreach ($_SERVER as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+ This fixes hand crafted url XXS expoits for any
+ page that uses PHP_SELF as the FORM action */
+@@ -336,4 +377,4 @@
+ }
+
+ // vim: et ts=4
+-?>
+\ No newline at end of file
++?>
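Review bot: The four `foreach` loops in the added `register_globals` block call `unset($GLOBALS[$key])` for every key taken from `$_REQUEST`, `$_FILES`, `$_ENV` and `$_SERVER` without excluding names that PHP itself reserves. A request parameter named like a superglobal (for example `_SERVER`, `_SESSION` or `GLOBALS`) may therefore remove state that the rest of global.php relies on, not just the injected copy. I would skip reserved names before each `unset`, e.g. `if (in_array($key, $reserved_names)) continue;`, where `$reserved_names` is a placeholder for a list of the superglobal and `HTTP_*_VARS` array names. Smaller points: the second `ini_get('register_globals')` call lacks the `@` used on the first, and `$key`/`$value` stay in global scope after the loops, which `unset($key, $value);` after the block would clear. The identical patch-ac added under mail/squirrelmail later in this changeset has the same gaps.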
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/squirrelmail/Makefile
--- a/mail/squirrelmail/Makefile Sun Jun 04 12:21:24 2006 +0000
+++ b/mail/squirrelmail/Makefile Sun Jun 04 12:31:31 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.72 2006/06/02 18:27:56 joerg Exp $
+# $NetBSD: Makefile,v 1.73 2006/06/04 12:31:31 tron Exp $
DISTNAME= squirrelmail-1.4.6
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
EXTRACT_SUFX= .tar.bz2
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/squirrelmail/distinfo
--- a/mail/squirrelmail/distinfo Sun Jun 04 12:21:24 2006 +0000
+++ b/mail/squirrelmail/distinfo Sun Jun 04 12:31:31 2006 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.31 2006/04/11 05:24:20 martti Exp $
+$NetBSD: distinfo,v 1.32 2006/06/04 12:31:31 tron Exp $
SHA1 (squirrelmail-1.4.6.tar.bz2) = b813aa9f736b4b6c41d1afd35bcbd01604e85cf7
RMD160 (squirrelmail-1.4.6.tar.bz2) = 3cee894b392620af3e35ef1d00e35775559dd4f7
Size (squirrelmail-1.4.6.tar.bz2) = 484099 bytes
SHA1 (patch-aa) = cafc171ab1de5e2e1e83caff39f3bfb810fe2ab5
SHA1 (patch-ab) = a7648438c9764e432e5d040e8e3aebb0ab48730e
+SHA1 (patch-ac) = 393579f9276169d2c765726fb1249160a270e983
diff -r 0ea7caa3932c -r 33d76e54adc8 mail/squirrelmail/patches/patch-ac
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/squirrelmail/patches/patch-ac Sun Jun 04 12:31:31 2006 +0000
@@ -0,0 +1,59 @@
+$NetBSD: patch-ac,v 1.3 2006/06/04 12:31:31 tron Exp $
+
+--- functions/global.php.orig 2006-02-03 22:27:47.000000000 +0000
++++ functions/global.php 2006-06-04 13:22:14.000000000 +0100
+@@ -62,6 +62,47 @@
+ sqstripslashes($_POST);
+ }
+
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++ strtolower(ini_get('register_globals'))!='off') {
++ /**
++ * Remove all globals from $_GET, $_POST, and $_COOKIE.
++ */
++ foreach ($_REQUEST as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized $_FILES variables
++ * Before 4.3.0 $_FILES are included in $_REQUEST.
++ * Unglobalize them in separate call in order to remove dependency
++ * on PHP version.
++ */
++ foreach ($_FILES as $key => $value) {
++ unset($GLOBALS[$key]);
++ // there are three undocumented $_FILES globals.
++ unset($GLOBALS[$key.'_type']);
++ unset($GLOBALS[$key.'_name']);
++ unset($GLOBALS[$key.'_size']);
++ }
++ /**
++ * Remove globalized environment variables.
++ */
++ foreach ($_ENV as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized server variables.
++ */
++ foreach ($_SERVER as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+ This fixes hand crafted url XXS expoits for any
+ page that uses PHP_SELF as the FORM action */
+@@ -336,4 +377,4 @@
+ }
+
+ // vim: et ts=4
+-?>
+\ No newline at end of file
++?>