head 1.16; access; symbols pkgsrc-2026Q2:1.16.0.132 pkgsrc-2026Q2-base:1.16 pkgsrc-2026Q1:1.16.0.130 pkgsrc-2026Q1-base:1.16 pkgsrc-2025Q4:1.16.0.128 pkgsrc-2025Q4-base:1.16 pkgsrc-2025Q3:1.16.0.126 pkgsrc-2025Q3-base:1.16 pkgsrc-2025Q2:1.16.0.124 pkgsrc-2025Q2-base:1.16 pkgsrc-2025Q1:1.16.0.122 pkgsrc-2025Q1-base:1.16 pkgsrc-2024Q4:1.16.0.120 pkgsrc-2024Q4-base:1.16 pkgsrc-2024Q3:1.16.0.118 pkgsrc-2024Q3-base:1.16 pkgsrc-2024Q2:1.16.0.116 pkgsrc-2024Q2-base:1.16 pkgsrc-2024Q1:1.16.0.114 pkgsrc-2024Q1-base:1.16 pkgsrc-2023Q4:1.16.0.112 pkgsrc-2023Q4-base:1.16 pkgsrc-2023Q3:1.16.0.110 pkgsrc-2023Q3-base:1.16 pkgsrc-2023Q2:1.16.0.108 pkgsrc-2023Q2-base:1.16 pkgsrc-2023Q1:1.16.0.106 pkgsrc-2023Q1-base:1.16 pkgsrc-2022Q4:1.16.0.104 pkgsrc-2022Q4-base:1.16 pkgsrc-2022Q3:1.16.0.102 pkgsrc-2022Q3-base:1.16 pkgsrc-2022Q2:1.16.0.100 pkgsrc-2022Q2-base:1.16 pkgsrc-2022Q1:1.16.0.98 pkgsrc-2022Q1-base:1.16 pkgsrc-2021Q4:1.16.0.96 pkgsrc-2021Q4-base:1.16 pkgsrc-2021Q3:1.16.0.94 pkgsrc-2021Q3-base:1.16 pkgsrc-2021Q2:1.16.0.92 pkgsrc-2021Q2-base:1.16 pkgsrc-2021Q1:1.16.0.90 pkgsrc-2021Q1-base:1.16 pkgsrc-2020Q4:1.16.0.88 pkgsrc-2020Q4-base:1.16 pkgsrc-2020Q3:1.16.0.86 pkgsrc-2020Q3-base:1.16 pkgsrc-2020Q2:1.16.0.82 pkgsrc-2020Q2-base:1.16 pkgsrc-2020Q1:1.16.0.62 pkgsrc-2020Q1-base:1.16 pkgsrc-2019Q4:1.16.0.84 pkgsrc-2019Q4-base:1.16 pkgsrc-2019Q3:1.16.0.80 pkgsrc-2019Q3-base:1.16 pkgsrc-2019Q2:1.16.0.78 pkgsrc-2019Q2-base:1.16 pkgsrc-2019Q1:1.16.0.76 pkgsrc-2019Q1-base:1.16 pkgsrc-2018Q4:1.16.0.74 pkgsrc-2018Q4-base:1.16 pkgsrc-2018Q3:1.16.0.72 pkgsrc-2018Q3-base:1.16 pkgsrc-2018Q2:1.16.0.70 pkgsrc-2018Q2-base:1.16 pkgsrc-2018Q1:1.16.0.68 pkgsrc-2018Q1-base:1.16 pkgsrc-2017Q4:1.16.0.66 pkgsrc-2017Q4-base:1.16 pkgsrc-2017Q3:1.16.0.64 pkgsrc-2017Q3-base:1.16 pkgsrc-2017Q2:1.16.0.60 pkgsrc-2017Q2-base:1.16 pkgsrc-2017Q1:1.16.0.58 pkgsrc-2017Q1-base:1.16 pkgsrc-2016Q4:1.16.0.56 pkgsrc-2016Q4-base:1.16 pkgsrc-2016Q3:1.16.0.54 pkgsrc-2016Q3-base:1.16 pkgsrc-2016Q2:1.16.0.52 
pkgsrc-2016Q2-base:1.16 pkgsrc-2016Q1:1.16.0.50 pkgsrc-2016Q1-base:1.16 pkgsrc-2015Q4:1.16.0.48 pkgsrc-2015Q4-base:1.16 pkgsrc-2015Q3:1.16.0.46 pkgsrc-2015Q3-base:1.16 pkgsrc-2015Q2:1.16.0.44 pkgsrc-2015Q2-base:1.16 pkgsrc-2015Q1:1.16.0.42 pkgsrc-2015Q1-base:1.16 pkgsrc-2014Q4:1.16.0.40 pkgsrc-2014Q4-base:1.16 pkgsrc-2014Q3:1.16.0.38 pkgsrc-2014Q3-base:1.16 pkgsrc-2014Q2:1.16.0.36 pkgsrc-2014Q2-base:1.16 pkgsrc-2014Q1:1.16.0.34 pkgsrc-2014Q1-base:1.16 pkgsrc-2013Q4:1.16.0.32 pkgsrc-2013Q4-base:1.16 pkgsrc-2013Q3:1.16.0.30 pkgsrc-2013Q3-base:1.16 pkgsrc-2013Q2:1.16.0.28 pkgsrc-2013Q2-base:1.16 pkgsrc-2013Q1:1.16.0.26 pkgsrc-2013Q1-base:1.16 pkgsrc-2012Q4:1.16.0.24 pkgsrc-2012Q4-base:1.16 pkgsrc-2012Q3:1.16.0.22 pkgsrc-2012Q3-base:1.16 pkgsrc-2012Q2:1.16.0.20 pkgsrc-2012Q2-base:1.16 pkgsrc-2012Q1:1.16.0.18 pkgsrc-2012Q1-base:1.16 pkgsrc-2011Q4:1.16.0.16 pkgsrc-2011Q4-base:1.16 pkgsrc-2011Q3:1.16.0.14 pkgsrc-2011Q3-base:1.16 pkgsrc-2011Q2:1.16.0.12 pkgsrc-2011Q2-base:1.16 pkgsrc-2011Q1:1.16.0.10 pkgsrc-2011Q1-base:1.16 pkgsrc-2010Q4:1.16.0.8 pkgsrc-2010Q4-base:1.16 pkgsrc-2010Q3:1.16.0.6 pkgsrc-2010Q3-base:1.16 pkgsrc-2010Q2:1.16.0.4 pkgsrc-2010Q2-base:1.16 pkgsrc-2010Q1:1.16.0.2 pkgsrc-2010Q1-base:1.16 pkgsrc-2009Q4:1.14.0.4 pkgsrc-2009Q4-base:1.14 pkgsrc-2009Q3:1.14.0.2 pkgsrc-2009Q3-base:1.14 pkgsrc-2008Q4:1.13.0.22 pkgsrc-2008Q4-base:1.13 pkgsrc-2008Q3:1.13.0.20 pkgsrc-2008Q3-base:1.13 cube-native-xorg:1.13.0.18 cube-native-xorg-base:1.13 pkgsrc-2008Q2:1.13.0.16 pkgsrc-2008Q2-base:1.13 pkgsrc-2008Q1:1.13.0.14 pkgsrc-2008Q1-base:1.13 pkgsrc-2007Q4:1.13.0.12 pkgsrc-2007Q4-base:1.13 pkgsrc-2007Q3:1.13.0.10 pkgsrc-2007Q3-base:1.13 pkgsrc-2007Q2:1.13.0.8 pkgsrc-2007Q2-base:1.13 pkgsrc-2007Q1:1.13.0.6 pkgsrc-2007Q1-base:1.13 pkgsrc-2006Q4:1.13.0.4 pkgsrc-2006Q4-base:1.13 pkgsrc-2006Q3:1.13.0.2 pkgsrc-2006Q3-base:1.13 pkgsrc-2006Q2:1.12.0.2 pkgsrc-2006Q2-base:1.12 pkgsrc-2006Q1:1.11.0.2 pkgsrc-2006Q1-base:1.11 pkgsrc-2005Q4:1.10.0.4 pkgsrc-2005Q4-base:1.10 
pkgsrc-2005Q3:1.10.0.2 pkgsrc-2005Q3-base:1.10 pkgsrc-2005Q2:1.8.0.2 pkgsrc-2005Q2-base:1.8 pkgsrc-2005Q1:1.7.0.2 pkgsrc-2005Q1-base:1.7 pkgsrc-2004Q4:1.6.0.2 pkgsrc-2004Q4-base:1.6 pkgsrc-2004Q3:1.5.0.4 pkgsrc-2004Q3-base:1.5 pkgsrc-2004Q2:1.5.0.2 pkgsrc-2004Q2-base:1.5 pkgsrc-2004Q1:1.2.0.4 pkgsrc-2004Q1-base:1.2 pkgsrc-2003Q4:1.2.0.2 pkgsrc-2003Q4-base:1.2 buildlink2-base:1.2; locks; strict; comment @# @; 1.16 date 2010.03.07.03.41.49; author taca; state Exp; branches; next 1.15; 1.15 date 2010.03.04.16.00.37; author taca; state Exp; branches; next 1.14; 1.14 date 2009.10.04.01.27.15; author taca; state Exp; branches; next 1.13; 1.13 date 2006.07.13.07.59.34; author martti; state dead; branches; next 1.12; 1.12 date 2006.04.11.05.24.20; author martti; state Exp; branches 1.12.2.1; next 1.11; 1.11 date 2006.02.27.07.12.14; author martti; state dead; branches 1.11.2.1; next 1.10; 1.10 date 2005.09.20.13.19.05; author schmonz; state Exp; branches 1.10.4.1; next 1.9; 1.9 date 2005.07.18.07.04.27; author martti; state dead; branches; next 1.8; 1.8 date 2005.06.16.07.30.40; author martti; state Exp; branches 1.8.2.1; next 1.7; 1.7 date 2005.01.23.07.02.04; author martti; state dead; branches; next 1.6; 1.6 date 2004.11.16.14.18.01; author martti; state Exp; branches; next 1.5; 1.5 date 2004.06.04.14.07.13; author xtraeme; state dead; branches; next 1.4; 1.4 date 2004.06.02.20.02.18; author bouyer; state Exp; branches; next 1.3; 1.3 date 2004.06.02.18.50.27; author bouyer; state Exp; branches; next 1.2; 1.2 date 2001.04.30.05.03.25; author jlam; state dead; branches; next 1.1; 1.1 date 2001.03.29.16.13.08; author bouyer; state Exp; branches; next ; 1.12.2.1 date 2006.07.13.12.30.41; author salo; state dead; branches; next ; 1.11.2.1 date 2006.06.04.13.55.57; author salo; state Exp; branches; next ; 1.10.4.1 date 2006.03.15.12.07.55; author salo; state dead; branches; next ; 1.8.2.1 date 2005.08.24.13.06.03; author salo; state dead; branches; next ; desc @@ 1.16 log 
@Update squirrelmail package to 1.4.20. Version 1.4.20 - 06 Mar 2010 --------------------------- - Fixed issue with search not using literals correctly (#2846511). - Fixed issue with returning to search results due to new security token code. - Fixed issue with multi-part related messages not showing all attachments (#2830140). - Fixed for security token missing in newmail plugin (#2919418). - Fixed sort in Sent folder to sort by "To" field instead of "From" field (#2907412). - Fixed mailto: urls containing + characters. Thanks to Michael Puls II for the patch. - Made base URL autodetection more robust; fixes some lighttpd issues (probably #1741469). - Encoded From headers are now properly quoted (#2830141). - Multibyte strings (notably subjects) are now handled correctly (#2824813, #2925731). - X-DNS-Prefetch-Control: off header is now sent to browsers to prevent information leakage when Firefox does DNS prefetching for URLs contained in emails. - Added unread links in message view. - Added the ability to configure Google Mail (Gmail) as the mail server behind SquirrelMail. - Added option in display preferences that allows the signature to be stripped from the original message when replying (#2952876). Thanks to Sven Strickroth. @ text @$NetBSD: patch-ab,v 1.15 2010/03/04 16:00:37 taca Exp $ * Use case ignore match for detecting encoded word. * Fix encoding problem of attached filenames; don't convert encoding here. 
--- functions/i18n.php.orig 2010-01-25 02:47:41.000000000 +0000 +++ functions/i18n.php @@@@ -680,13 +680,6 @@@@ function japanese_charset_xtra() { $ret = @@mb_convert_encoding($ret, 'EUC-JP', 'AUTO'); break; case 'downloadfilename': - $useragent = func_get_arg(2); - if (strstr($useragent, 'Windows') !== false || - strstr($useragent, 'Mac_') !== false) { - $ret = mb_convert_encoding($ret, 'SJIS', 'AUTO'); - } else { - $ret = mb_convert_encoding($ret, 'EUC-JP', 'AUTO'); -} break; case 'wordwrap': $no_begin = "\x21\x25\x29\x2c\x2e\x3a\x3b\x3f\x5d\x7d\xa1\xf1\xa1\xeb\xa1" . @ 1.15 log @Overhaul squirrelmail package: * Add DESTDIR support. * Add more changes from squirrelmail's repositry including secure token support, hoping early release of real 1.4.20. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.14 2009/10/04 01:27:15 taca Exp $ d6 1 a6 1 --- functions/i18n.php.orig 2009-07-29 11:21:06.000000000 +0900 d8 1 a8 7 @@@@ -675,18 +675,11 @@@@ function japanese_charset_xtra() { break; case 'decodeheader': $ret = str_replace("\t", "", $ret); - if (preg_match('/=\?([^?]+)\?(q|b)\?([^?]+)\?=/', $ret)) + if (preg_match('/=\?([^?]*)\?(Q|B)\?([^?]*)\?=/i', $ret)) $ret = @@mb_decode_mimeheader($ret); @ 1.14 log @Add two small fix: * Use case ignore match for detecting encoded header. This is language independent problem. * Improve handling of file name of attachment in Japanese environment. These fixes make squirrelmail usable after remove of japaneses patch. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ d13 1 a13 1 + if (preg_match('/=\?([^?]*)\?(Q|B)\?([^?]*)\?=/Ui', $ret)) @ 1.13 log @Updated squirrelmail to 1.4.7 - Fixed URL for Read Receipts being incorrect in some cases (#1177518). - Fixed endless loop when trying to parse "From: )(" (#1517867). - Using is_file() instead of file_exists() in fortune plugin (#1499134). - Add manual page for conf.pl under contrib. - Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346). 
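Review bot: The `case 'downloadfilename':` label is left empty, falling straight into `break;`, and nothing in the code says the omitted conversion is deliberate; the only explanation lives in the pkgsrc patch header ("don't convert encoding here"), which a maintainer reading functions/i18n.php never sees. Add a why-comment on the label, e.g. `case 'downloadfilename': // intentionally no charset conversion here (pkgsrc patch-ab); converting the attachment file name at this point caused the encoding problem the patch fixes`. The removed branch also consumed a third argument via `func_get_arg(2)`; whether callers still pass the user agent, and whether that argument can now be dropped, cannot be seen from here. `japanese_charset_xtra()` starts and ends outside the hunk.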
@ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.12 2006/04/11 05:24:20 martti Exp $ d3 25 a27 17 --- functions/i18n.php.orig 2006-02-10 22:30:31.000000000 +0200 +++ functions/i18n.php 2006-04-11 08:15:24.000000000 +0300 @@@@ -834,11 +834,11 @@@@ $languages['zh_CN']['LOCALE'] = 'zh_CN.GB2312'; $languages['cn']['ALIAS'] = 'zh_CN'; -/* $languages['uk_UA']['NAME'] = 'Ukrainian'; -$languages['uk_UA']['CHARSET'] = 'koi8-u'; +$languages['uk_UA']['CHARSET'] = 'utf-8'; +$languages['uk_UA']['LOCALE'] = array('uk_UA.UTF-8','uk_UA','uk'); $languages['uk']['ALIAS'] = 'uk_UA'; -*/ + /* $languages['vi_VN']['NAME'] = 'Vietnamese'; $languages['vi_VN']['CHARSET'] = 'utf-8'; @ 1.12 log @Updated mail/squirrelmail to 1.4.6nb1 * added patch for Ukrainian translation (needed by the new squirrelmail-locales) @ text @d1 1 a1 1 $NetBSD$ @ 1.12.2.1 log @Pullup ticket 1738 - requested by martti security update for squirrelmail Revisions pulled up: - pkgsrc/mail/squirrelmail/Makefile 1.74 - pkgsrc/mail/squirrelmail/PLIST 1.18 - pkgsrc/mail/squirrelmail/buildlink3.mk 1.12 - pkgsrc/mail/squirrelmail/distinfo 1.33 - pkgsrc/mail/squirrelmail/patches/patch-aa 1.11 - pkgsrc/mail/squirrelmail/patches/patch-ab removed - pkgsrc/mail/squirrelmail/patches/patch-ac removed Module Name: pkgsrc Committed By: martti Date: Thu Jul 13 07:59:34 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail: Makefile PLIST buildlink3.mk distinfo pkgsrc/mail/squirrelmail/patches: patch-aa Removed Files: pkgsrc/mail/squirrelmail/patches: patch-ab patch-ac Log Message: Updated squirrelmail to 1.4.7 - Fixed URL for Read Receipts being incorrect in some cases (#1177518). - Fixed endless loop when trying to parse "From: )(" (#1517867). - Using is_file() instead of file_exists() in fortune plugin (#1499134). - Add manual page for conf.pl under contrib. - Don't allow selecting INBOX as Sent, Draft or Trash folder (#1242346). 
@ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.12 2006/04/11 05:24:20 martti Exp $ @ 1.11 log @Updated squirrelmail to 1.4.6 This release is very important, and we strongly advise everybody to update to the latest release. Security Update =============== This version contains a number of security updates that were brought to our attention via a number of sources. - In webmail.php, the right_frame parameter was not properly sanitized to deal with very lenient browsers, which allowed for cross site scripting or frame replacing. [CVE-2006-0188] - In the MagicHTML function, some very obscure constructs were discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy concern), and comments could be inside keywords (allows for cross site scripting). Both only affect Internet Explorer users. Found by Martijn Brinkers and Scott Hughes. [CVE-2006-0195] - The function sqimap_mailbox_select did not strip newlines from the mailbox parameter, and thereby allowed for IMAP command injection. Found by Vicente Aguilera. [CVE-2006-0377] @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.10 2005/09/20 13:19:05 schmonz Exp $ d3 17 a19 14 --- class/mime/Rfc822Header.class.php.orig 2005-02-06 19:33:29.000000000 -0500 +++ class/mime/Rfc822Header.class.php @@@@ -505,8 +505,9 @@@@ class Rfc822Header { * functions/imap_messages. I'm not sure if it's ok here to call * that function? 
*/ - function parsePriority($value) { - $value = strtolower(array_shift(split('/\w/',trim($value)))); + function parsePriority($sValue) { + $aValue = split('/\w/',trim($sValue)); + $value = strtolower(array_shift($aValue)); if ( is_numeric($value) ) { return $value; } @ 1.11.2.1 log @Pullup ticket 1684 - requested by tron security fix for squirrelmail Revisions pulled up: - pkgsrc/mail/squirrelmail/Makefile 1.71, 1.73 - pkgsrc/mail/squirrelmail/distinfo 1.31, 1.32 - pkgsrc/mail/squirrelmail/patches/patch-ab 1.12 - pkgsrc/mail/squirrelmail/patches/patch-ac 1.3 - pkgsrc/mail/ja-squirrelmail/MESSAGE 1.3 - pkgsrc/mail/ja-squirrelmail/Makefile 1.27, 1.28, 1.30 - pkgsrc/mail/ja-squirrelmail/PLIST 1.4 - pkgsrc/mail/ja-squirrelmail/distinfo 1.9, 1.10, 1.11 - pkgsrc/mail/ja-squirrelmail/patches/patch-ab 1.3 - pkgsrc/mail/ja-squirrelmail/patches/patch-ac 1.3 - pkgsrc/mail/ja-squirrelmail/patches/patch-ad removed - pkgsrc/mail/ja-squirrelmail/patches/patch-ae removed - pkgsrc/mail/ja-squirrelmail/patches/patch-af removed - pkgsrc/mail/ja-squirrelmail/patches/patch-ag removed - pkgsrc/mail/ja-squirrelmail/patches/patch-ah removed Module Name: pkgsrc Committed By: martti Date: Tue Apr 11 05:24:20 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail: Makefile distinfo Added Files: pkgsrc/mail/squirrelmail/patches: patch-ab Log Message: Updated mail/squirrelmail to 1.4.6nb1 * added patch for Ukrainian translation (needed by the new * squirrelmail-locales) --- Module Name: pkgsrc Committed By: taca Date: Fri May 5 02:46:54 UTC 2006 Modified Files: pkgsrc/mail/ja-squirrelmail: MESSAGE Makefile distinfo Removed Files: pkgsrc/mail/ja-squirrelmail/patches: patch-ab patch-ac patch-ad patch-ae patch-af patch-ag patch-ah Log Message: Update ja-squirrelmail package to 1.4.6 after talking with martti@@. Prior to this release, there are security vulnerability the same as squirrelmail 1.4.5. This update made with temporary Japanese patch based on the patch for 1.4.5. 
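Review bot: The new temporary `$aValue` exists only because `array_shift()` takes its argument by reference and PHP 5.0.5 rejects a function result in that position (the reason given in the 1.10 log), but the code does not say so, and a later tidy-up could fold the two lines back into one and reintroduce the fatal error. Add a why-comment above the split, e.g. `// keep split() result in a variable: array_shift() takes a reference (fatal error on PHP 5.0.5 otherwise)`. `parsePriority()` ends outside the hunk, so how non-numeric priorities are handled cannot be reviewed here.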
--- Module Name: pkgsrc Committed By: martti Date: Fri May 5 05:32:36 UTC 2006 Modified Files: pkgsrc/mail/ja-squirrelmail: Makefile PLIST distinfo Added Files: pkgsrc/mail/ja-squirrelmail/patches: patch-ab Log Message: Updated ja-squirrelmail to 1.4.6nb1 * sync with squirrelmail-1.4.6nb1 --- Module Name: pkgsrc Committed By: tron Date: Sun Jun 4 12:31:31 UTC 2006 Modified Files: pkgsrc/mail/ja-squirrelmail: Makefile distinfo pkgsrc/mail/squirrelmail: Makefile distinfo Added Files: pkgsrc/mail/ja-squirrelmail/patches: patch-ac pkgsrc/mail/squirrelmail/patches: patch-ac Log Message: Add fix for security issue 2006-06-01 from SquirrelMail CVS repository. Bump package revision. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.12 2006/04/11 05:24:20 martti Exp $ d3 14 a16 17 --- functions/i18n.php.orig 2006-02-10 22:30:31.000000000 +0200 +++ functions/i18n.php 2006-04-11 08:15:24.000000000 +0300 @@@@ -834,11 +834,11 @@@@ $languages['zh_CN']['LOCALE'] = 'zh_CN.GB2312'; $languages['cn']['ALIAS'] = 'zh_CN'; -/* $languages['uk_UA']['NAME'] = 'Ukrainian'; -$languages['uk_UA']['CHARSET'] = 'koi8-u'; +$languages['uk_UA']['CHARSET'] = 'utf-8'; +$languages['uk_UA']['LOCALE'] = array('uk_UA.UTF-8','uk_UA','uk'); $languages['uk']['ALIAS'] = 'uk_UA'; -*/ + /* $languages['vi_VN']['NAME'] = 'Vietnamese'; $languages['vi_VN']['CHARSET'] = 'utf-8'; @ 1.10 log @Fix "Fatal error: Only variables can be passed by reference" in several files that occurs with PHP 5.0.5 by applying the small "squirrelmail-stable.diff" from the SourceForge page about the bug: http://sourceforge.net/tracker/index.php?func=detail&aid=1237160&group_id=311&atid=423679 Problem reported by Nathan Arthur in private mail. Fix OK'd by martti@@. 
@ text @d1 1 a1 1 $NetBSD$ @ 1.10.4.1 log @Pullup ticket 1186 - requested by Martti Kuparinen security update for squirrelmail Revisions pulled up: - pkgsrc/mail/squirrelmail/Makefile 1.65, 1.66, 1.68, 1.69 - pkgsrc/mail/squirrelmail/PLIST 1.17 - pkgsrc/mail/squirrelmail/buildlink3.mk 1.6, 1.7 - pkgsrc/mail/squirrelmail/distinfo 1.30 - pkgsrc/mail/squirrelmail/patches/patch-ab removed - pkgsrc/mail/squirrelmail/patches/patch-ac removed - pkgsrc/mail/squirrelmail/patches/patch-ad removed - pkgsrc/mail/squirrelmail/patches/patch-ae removed - pkgsrc/mail/squirrelmail/patches/patch-af removed - pkgsrc/mail/squirrelmail/patches/patch-ag removed - pkgsrc/mail/squirrelmail/patches/patch-ah removed - pkgsrc/mail/squirrelmail/plugin.mk 1.3 - pkgsrc/mail/squirrelmail-decode/Makefile 1.3 - pkgsrc/mail/squirrelmail-locales/Makefile 1.11, 1.12, 1.13, 1.14 - pkgsrc/mail/squirrelmail-locales/PLIST 1.5, 1.6, 1.7 - pkgsrc/mail/squirrelmail-locales/distinfo 1.4 - pkgsrc/mail/ja-squirrelmail/Makefile 1.23, 1.24, 1.26 Module Name: pkgsrc Committed By: joerg Date: Fri Jan 20 23:56:59 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail: Makefile Log Message: Use SUBST framework. Replace some "find foo | xargs bar" with "find foo -exec bar {} \;" while here, the former is faster, but can't cope with all quoting issues and is also more likely to hit argument length limits. CONFLICT to ja-squirrelmail. --- Module Name: pkgsrc Committed By: joerg Date: Fri Jan 20 23:57:26 UTC 2006 Modified Files: pkgsrc/mail/ja-squirrelmail: Makefile Log Message: Use SUBST. Use find foo -exec bar {} \; instead of find foo | xargs bar. --- Module Name: pkgsrc Committed By: martti Date: Fri Feb 3 10:26:17 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail: Makefile Log Message: s/SMDIRDIR/SMDIR/ and bump PKGREVISION. --- Module Name: pkgsrc Committed By: martti Date: Fri Feb 3 10:26:44 UTC 2006 Modified Files: pkgsrc/mail/ja-squirrelmail: Makefile Log Message: s/SMDIRDIR/SMDIR/ and bump PKGREVISION. 
--- Module Name: pkgsrc Committed By: martti Date: Fri Feb 17 07:04:25 UTC 2006 Modified Files: pkgsrc/mail/ja-squirrelmail: Makefile pkgsrc/mail/squirrelmail: Makefile buildlink3.mk plugin.mk pkgsrc/mail/squirrelmail-locales: Makefile Log Message: Fixed warnings found by pkglint -Wall. --- Module Name: pkgsrc Committed By: martti Date: Mon Feb 27 07:12:14 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail: Makefile PLIST buildlink3.mk distinfo Removed Files: pkgsrc/mail/squirrelmail/patches: patch-ab patch-ac patch-ad patch-ae patch-af patch-ag patch-ah Log Message: Updated squirrelmail to 1.4.6 This release is very important, and we strongly advise everybody to update to the latest release. Security Update =============== This version contains a number of security updates that were brought to our attention via a number of sources. - In webmail.php, the right_frame parameter was not properly sanitized to deal with very lenient browsers, which allowed for cross site scripting or frame replacing. [CVE-2006-0188] - In the MagicHTML function, some very obscure constructs were discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy concern), and comments could be inside keywords (allows for cross site scripting). Both only affect Internet Explorer users. Found by Martijn Brinkers and Scott Hughes. [CVE-2006-0195] - The function sqimap_mailbox_select did not strip newlines from the mailbox parameter, and thereby allowed for IMAP command injection. Found by Vicente Aguilera. [CVE-2006-0377] --- Module Name: pkgsrc Committed By: martti Date: Mon Feb 27 07:13:00 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail-locales: Makefile PLIST distinfo Log Message: Updated squirrelmail-locales to 1.4.6 * sync with squirrelmail 1.4.6 --- Module Name: pkgsrc Committed By: cube Date: Wed Mar 1 06:39:52 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail-locales: Makefile PLIST Log Message: Fix PLIST. 
--- Module Name: pkgsrc Committed By: martti Date: Thu Mar 2 07:41:44 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail-decode: Makefile Log Message: Fix pkglint -Wall warnings. --- Module Name: pkgsrc Committed By: salo Date: Wed Mar 15 11:48:29 UTC 2006 Modified Files: pkgsrc/mail/squirrelmail-locales: Makefile PLIST Log Message: Fix PLIST. (hi cube and martti!) @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.10 2005/09/20 13:19:05 schmonz Exp $ @ 1.9 log @Updated mail/squirrelmail to 1.4.5 * lots of bug fixes * translation updates @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.8 2005/06/16 07:30:40 martti Exp $ d3 5 a7 105 --- functions/addressbook.php Mon Dec 27 16:03:42 2004 +++ functions/addressbook.php Wed Jun 15 23:50:03 2005 @@@@ -108,7 +108,7 @@@@ if (!$r && $showerr) { printf( ' ' . _("Error initializing LDAP server %s:") . "
\n", $param['host']); - echo ' ' . $abook->error; + echo ' ' . htmlspecialchars($abook->error); exit; } } @@@@ -239,7 +239,7 @@@@ if (is_array($res)) { $ret = array_merge($ret, $res); } else { - $this->error .= "
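Review bot: The new `echo ' ' . htmlspecialchars($abook->error);` escapes the backend error text, but the `printf()` on the context line just above still interpolates `$param['host']` raw into the same HTML error output. The host comes from the address-book configuration rather than from a request, so the exposure is small, but it is the same output path and the consistent fix is to pass `htmlspecialchars($param['host'])` as the `printf()` argument. The enclosing function starts and ends outside the hunk.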
\n" . $backend->error; + $this->error .= "\n" . $backend->error; $failed++; } } @@@@ -255,7 +255,7 @@@@ $ret = $this->backends[$bnum]->search($expression); if (!is_array($ret)) { - $this->error .= "
\n" . $this->backends[$bnum]->error; + $this->error .= "\n" . $this->backends[$bnum]->error; $ret = FALSE; } } diff -urw squirrelmail-1.4.4.orig/functions/mime.php squirrelmail-1.4.4/functions/mime.php --- functions/mime.php Mon Jan 10 19:52:48 2005 +++ functions/mime.php Wed Jun 15 23:50:03 2005 @@@@ -1388,12 +1388,33 @@@@ } } } + + /** + * Replace empty src tags with the blank image. src is only used + * for frames, images, and image inputs. Doing a replace should + * not affect them working as should be, however it will stop + * IE from being kicked off when src for img tags are not set + */ + if (($attname == 'src') && ($attvalue == '""')) { + $attary{$attname} = '"' . SM_PATH . 'images/blank.png"'; + } + /** * Turn cid: urls into http-friendly ones. */ if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){ $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); } + + /** + * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags. + * One day MS might actually make it match something useful, for now, falling + * back to using cid2http, so we can grab the blank.png. + */ + if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) { + $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); + } + } /** * See if we need to append any attributes to this tag. @@@@ -1408,7 +1429,7 @@@@ /** * This function edits the style definition to make them friendly and - * usable in squirrelmail. + * usable in SquirrelMail. * * @@param $message the message object * @@param $id the message id @@@@ -1436,27 +1457,54 @@@@ /** * Fix url('blah') declarations. */ - $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", - "url(\\1$secremoveimg\\2)", $content); + // $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", + // "url(\\1$secremoveimg\\2)", $content); + // remove NUL + $content = str_replace("\0", "", $content); + // NB I insert NUL characters to keep to avoid an infinite loop. 
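Review bot: The blank-`src` replacement compares `$attvalue` against the literal `'""'`, and since the `cid:` test a few lines below matches `^['"]`, the value evidently still carries its quote characters; only `src=""` is therefore caught, while `src=''` passes through unchanged (and so would an unquoted empty value, if the tokenizer produces one — not visible here). A quote-agnostic test such as `if ($attname == 'src' && preg_match('/^[\'"]\s*[\'"]$/', $attvalue))` covers both quoting styles. The `outbind://` branch relies on `sq_cid2http()`, which strips four leading characters meant for `cid:` and falls back to blank.png when no entity is found; that it works only by that fallback is worth stating in the comment rather than calling it a hack. The enclosing function starts and ends outside the hunk.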
They are removed after the loop. + while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { + $sProto = strtolower($matches[1]); + switch ($sProto) { /** * Fix url('https*://.*) declarations but only if $view_unsafe_images * is false. */ + case 'https': + case 'http': if (!$view_unsafe_images){ - $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si", - "url(\\1$secremoveimg\\2)", $content); + $sExpr = "/url\s*\(\s*([\'\"])\s*$sProto*:.*?([\'\"])\s*\)/si"; + $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content); } - + break; /** * Fix urls that refer to cid: d9 7 a15 380 - while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si", - $content, $matches)){ - $cidurl = $matches{1}; + case 'cid': + $cidurl = 'cid:'. $matches[2]; $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox); $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si", - "url($httpurl)", $content); + "u\0r\0l($httpurl)", $content); + break; + default: + /** + * replace url with protocol other then the white list + * http,https and cid by an empty string. + */ + $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", + "", $content); + break; } + break; + } + // remove NUL + $content = str_replace("\0", "", $content); + + /** + * Remove any backslashes, entities, and extraneous whitespace. + */ + $contentTemp = $content; + sq_defang($contentTemp); + sq_unspace($contentTemp); /** * Fix stupid css declarations which lead to vulnerabilities @@@@ -1467,10 +1515,16 @@@@ '/binding/i', '/include-source/i'); $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy'); - $content = preg_replace($match, $replace, $content); + $contentNew = preg_replace($match, $replace, $contentTemp); + if ($contentNew !== $contentTemp) { + // insecure css declarations are used. 
From now on we don't care + // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash + $content = $contentNew; + } return array($content, $newpos); } + /** * This function converts cid: url's into the ones that can be viewed in * the browser. @@@@ -1492,15 +1546,46 @@@@ $quotchar = ''; } $cidurl = substr(trim($cidurl), 4); + + $match_str = '/\{.*?\}\//'; + $str_rep = ''; + $cidurl = preg_replace($match_str, $str_rep, $cidurl); + $linkurl = find_ent_id($cidurl, $message); /* in case of non-save cid links $httpurl should be replaced by a sort of unsave link image */ $httpurl = ''; - if ($linkurl) { + + /** + * This is part of a fix for Outlook Express 6.x generating + * cid URLs without creating content-id headers. These images are + * not part of the multipart/related html mail. The html contains + * references to + * attached images with as goal to render them inline although + * the attachment disposition property is not inline. + */ + + if (empty($linkurl)) { + if (preg_match('/{.*}\//', $cidurl)) { + $cidurl = preg_replace('/{.*}\//','', $cidurl); + if (!empty($cidurl)) { + $linkurl = find_ent_id($cidurl, $message); + } + } + } + + if (!empty($linkurl)) { $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&' . "passed_id=$id&mailbox=" . urlencode($mailbox) . '&ent_id=' . $linkurl . $quotchar; + } else { + /** + * If we couldn't generate a proper img url, drop in a blank image + * instead of sending back empty, otherwise it causes unusual behaviour + */ + $httpurl = $quotchar . SM_PATH . 
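Review bot: In the new `case 'cid':` branch `$cidurl` is built from `$matches[2]`, text taken straight from the message's style sheet, and is then interpolated unescaped into the pattern `"|url\s*\(\s*$cidurl\s*\)|si"`; a `|`, `)` or `$` in the captured text alters the pattern or makes it fail to compile, and `preg_replace()` returns NULL on a bad pattern, so the whole style block is lost. Because the capture is greedy (`(.*)?` under the `s` flag) `$matches[2]` runs to the last `)` in the block, so any style sheet with a `cid:` url followed by a second `url(...)` hits this. Escape the interpolated text for the delimiter in use: `$content = preg_replace("|url\s*\(\s*" . preg_quote($cidurl, '|') . "\s*\)|si", "u\0r\0l($httpurl)", $content);`. Separately, the `break;` added after the switch's closing brace leaves the `while` after its first match, so only the first `url(...)` in the block is classified and a non-whitelisted scheme appearing after a `cid:` or `http:` one is left alone as far as this function goes; since the NUL-splitting already prevents a re-match, the trailing `break;` can be dropped once the `$view_unsafe_images` branch also NUL-splits the `url` keyword it keeps. The enclosing function starts outside the hunk.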
'images/blank.png'; } + return $httpurl; } @@@@ -1526,8 +1611,7 @@@@ $attvalue = str_replace($quotchar, "", $attvalue); switch ($attname){ case 'background': - $attvalue = sq_cid2http($message, $id, - $attvalue, $mailbox); + $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox); $styledef .= "background-image: url('$attvalue'); "; break; case 'bgcolor': @@@@ -1754,6 +1838,7 @@@@ "embed", "title", "frameset", + "xmp", "xml" ); @@@@ -1761,7 +1846,8 @@@@ "img", "br", "hr", - "input" + "input", + "outbind" ); $force_tag_closing = true; @@@@ -1816,6 +1902,7 @@@@ "/binding/i", "/behaviou*r/i", "/include-source/i", + "/position\s*:\s*absolute/i", "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si", @@@@ -1826,6 +1913,7 @@@@ "idiocy", "idiocy", "idiocy", + "", "url(\\1#\\1)", "url(\\1#\\1)", "url(\\1#\\1)", @@@@ -1856,7 +1944,7 @@@@ $add_attr_to_tag = Array( "/^a$/i" => - Array('target'=>'"_new"', + Array('target'=>'"_blank"', 'title'=>'"'._("This external link will open in a new window").'"' ) ); diff -urw squirrelmail-1.4.4.orig/functions/page_header.php squirrelmail-1.4.4/functions/page_header.php --- functions/page_header.php Mon Dec 27 22:08:58 2004 +++ functions/page_header.php Wed Jun 15 23:50:03 2005 @@@@ -275,6 +275,7 @@@@ : html_tag( 'td', '', 'left' ) ) . "\n"; $urlMailbox = urlencode($mailbox); + $startMessage = (int)$startMessage; echo makeComposeLink('src/compose.php?mailbox='.$urlMailbox.'&startMessage='.$startMessage); echo "  \n"; displayInternalLink ('src/addressbook.php', _("Addresses")); diff -urw squirrelmail-1.4.4.orig/plugins/calendar/calendar.php squirrelmail-1.4.4/plugins/calendar/calendar.php --- plugins/calendar/calendar.php Mon Dec 27 16:03:49 2004 +++ plugins/calendar/calendar.php Wed Jun 15 23:51:15 2005 @@@@ -28,17 +28,17 @@@@ require_once(SM_PATH . 
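Review bot: In the rewritten `$httpurl` assembly `$mailbox` is `urlencode()`d but `$id` and `$linkurl` are concatenated raw; `$linkurl` is whatever `find_ent_id()` returns for a cid string that originates in the message and `$id` arrives from the caller, so unless both are guaranteed to be plain dotted numbers (not visible here) they should be encoded the same way, i.e. `"passed_id=" . urlencode($id) . "&mailbox="` and `'&ent_id=' . urlencode($linkurl)`. Also, the Outlook Express fallback block re-applies a `{...}/` strip that the `$match_str` replacement a few lines earlier has already performed globally, so as far as the hunk shows `preg_match('/{.*}\//', $cidurl)` can no longer succeed and the block is dead; keep one of the two. `sq_cid2http()` starts outside the hunk.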
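Review bot: The new `"/position\s*:\s*absolute/i"` entry next to `/binding/i` and `/behaviou*r/i` stops absolutely positioned mail content from being laid over the SquirrelMail interface, but `position: fixed` produces the same overlay and is not matched, so the check is trivially bypassed; widen it to `"/position\s*:\s*(absolute|fixed)/i"` (the paired `""` replacement added in the next hunk stays as is). Whether CSS-comment or whitespace tricks inside the keyword are neutralised before this list is applied depends on the defang/unspace helpers, which are outside the hunk. The array this entry belongs to starts outside the hunk.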
'functions/html.php'); /* get globals */ - -if (isset($_GET['month'])) { +unset($month, $year); +if (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -if (isset($_GET['year'])) { +if (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -if (isset($_POST['year'])) { +if (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -if (isset($_POST['month'])) { +if (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } /* got 'em */ diff -urw squirrelmail-1.4.4.orig/plugins/calendar/day.php squirrelmail-1.4.4/plugins/calendar/day.php --- plugins/calendar/day.php Mon Dec 27 16:03:49 2004 +++ plugins/calendar/day.php Wed Jun 15 23:51:52 2005 @@@@ -29,22 +29,23 @@@@ require_once(SM_PATH . 'functions/html.php'); /* get globals */ -if (isset($_GET['year'])) { +unset($year, $month, $day); +if (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -elseif (isset($_POST['year'])) { +elseif (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -if (isset($_GET['month'])) { +if (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -elseif (isset($_POST['month'])) { +elseif (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } -if (isset($_GET['day'])) { +if (isset($_GET['day']) && is_numeric($_GET['day'])) { $day = $_GET['day']; } -elseif (isset($_POST['day'])) { +elseif (isset($_POST['day']) && is_numeric($_POST['day'])) { $day = $_POST['day']; } diff -urw squirrelmail-1.4.4.orig/plugins/calendar/event_create.php squirrelmail-1.4.4/plugins/calendar/event_create.php --- plugins/calendar/event_create.php Mon Dec 27 16:03:49 2004 +++ plugins/calendar/event_create.php Wed Jun 15 23:52:34 2005 @@@@ -28,41 +28,42 @@@@ require_once(SM_PATH . 
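Review bot: The added `is_numeric()` guards are better than accepting any string for `month` and `year`, but `is_numeric()` still admits `"1e3"`, `" 7"`, `"3.5"` and negative values (and, on the PHP releases this package targeted, hex strings such as `"0x1f"`), so the variables are still not guaranteed to be the small integers a calendar presumably expects. If they are only used as integers, cast at assignment instead of guarding, e.g. `$month = (int)$_GET['month'];` plus a range check where one is needed; if they are echoed or interpolated anywhere, the cast is what actually removes the injection risk. The same pattern repeats in the day.php, event_create.php and event_edit.php hunks. The uses of `$month`/`$year` are outside the hunk, so what they feed cannot be verified here.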
'functions/html.php'); /* get globals */ - -if (isset($_POST['year'])) { +unset($year, $month, $day, $hour, $event_hour, $event_minute, + $event_length, $event_priority); +if (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -elseif (isset($_GET['year'])) { +elseif (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -if (isset($_POST['month'])) { +if (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } -elseif (isset($_GET['month'])) { +elseif (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -if (isset($_POST['day'])) { +if (isset($_POST['day']) && is_numeric($_POST['day'])) { $day = $_POST['day']; } -elseif (isset($_GET['day'])) { +elseif (isset($_GET['day']) && is_numeric($_GET['day'])) { $day = $_GET['day']; } -if (isset($_POST['hour'])) { +if (isset($_POST['hour']) && is_numeric($_POST['hour'])) { $hour = $_POST['hour']; } -elseif (isset($_GET['hour'])) { +elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) { $hour = $_GET['hour']; } -if (isset($_POST['event_hour'])) { +if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) { $event_hour = $_POST['event_hour']; } -if (isset($_POST['event_minute'])) { +if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) { $event_minute = $_POST['event_minute']; } -if (isset($_POST['event_length'])) { +if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) { $event_length = $_POST['event_length']; } -if (isset($_POST['event_priority'])) { +if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) { $event_priority = $_POST['event_priority']; } if (isset($_POST['event_title'])) { diff -urw squirrelmail-1.4.4.orig/plugins/calendar/event_edit.php squirrelmail-1.4.4/plugins/calendar/event_edit.php --- plugins/calendar/event_edit.php Mon Dec 27 16:03:49 2004 +++ plugins/calendar/event_edit.php Wed Jun 15 23:53:22 2005 @@@@ -29,26 
+29,27 @@@@
 /* get globals */
-
+unset($event_year, $event_month, $event_day, $event_hour, $event_minute,
+ $event_length, $event_priority, $year, $month, $day, $hour, $minute);
 if (isset($_POST['updated'])) {
 $updated = $_POST['updated'];
 }
-if (isset($_POST['event_year'])) {
+if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) {
 $event_year = $_POST['event_year'];
 }
-if (isset($_POST['event_month'])) {
+if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) {
 $event_month = $_POST['event_month'];
 }
-if (isset($_POST['event_day'])) {
+if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) {
 $event_day = $_POST['event_day'];
 }
-if (isset($_POST['event_hour'])) {
+if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) {
 $event_hour = $_POST['event_hour'];
 }
-if (isset($_POST['event_minute'])) {
+if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) {
 $event_minute = $_POST['event_minute'];
 }
-if (isset($_POST['event_length'])) {
+if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) {
 $event_length = $_POST['event_length'];
 }
 if (isset($_POST['event_title'])) {
@@@@ -60,40 +61,40 @@@@
 if (isset($_POST['send'])) {
 $send = $_POST['send'];
 }
-if (isset($_POST['event_priority'])) {
+if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) {
 $event_priority = $_POST['event_priority'];
 }
 if (isset($_POST['confirmed'])) {
 $confirmed = $_POST['confirmed'];
 }
-if (isset($_POST['year'])) {
+if (isset($_POST['year']) && is_numeric($_POST['year'])) {
 $year = $_POST['year'];
 }
-elseif (isset($_GET['year'])) {
+elseif (isset($_GET['year']) && is_numeric($_GET['year'])) {
 $year = $_GET['year'];
 }
-if (isset($_POST['month'])) {
+if (isset($_POST['month']) && is_numeric($_POST['month'])) {
 $month = $_POST['month'];
 }
-elseif (isset($_GET['month'])) {
+elseif (isset($_GET['month']) && is_numeric($_GET['month'])) {
 $month = $_GET['month'];
 }
-if (isset($_POST['day'])) {
+if (isset($_POST['day']) && is_numeric($_POST['day'])) {
 $day = $_POST['day'];
 }
-elseif (isset($_GET['day'])) {
+elseif (isset($_GET['day']) && is_numeric($_GET['day'])) {
 $day = $_GET['day'];
 }
-if (isset($_POST['hour'])) {
+if (isset($_POST['hour']) && is_numeric($_POST['hour'])) {
 $hour = $_POST['hour'];
 }
-elseif (isset($_GET['hour'])) {
+elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) {
 $hour = $_GET['hour'];
 }
-if (isset($_POST['minute'])) {
+if (isset($_POST['minute']) && is_numeric($_POST['minute'])) {
 $minute = $_POST['minute'];
 }
-elseif (isset($_GET['minute'])) {
+elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) {
 $minute = $_GET['minute'];
 }
 /* got 'em */
diff -urw squirrelmail-1.4.4.orig/plugins/filters/options.php squirrelmail-1.4.4/plugins/filters/options.php
--- plugins/filters/options.php Mon Dec 27 16:03:57 2004
+++ plugins/filters/options.php Wed Jun 15 23:50:03 2005
@@@@ -189,7 +189,7 @@@@
 html_tag( 'td', '', 'left' ) . ''. ''.
diff -urw squirrelmail-1.4.4.orig/plugins/filters/spamoptions.php squirrelmail-1.4.4/plugins/filters/spamoptions.php
--- plugins/filters/spamoptions.php Mon Dec 27 16:03:57 2004
+++ plugins/filters/spamoptions.php Wed Jun 15 23:50:03 2005
@@@@ -199,7 +199,7 @@@@
 echo html_tag( 'p', '', 'center' ) . '[' . _("Edit") . ']' . ' - [' . _("Done") . ']

'; - printf( _("Spam is sent to %s."), ($filters_spam_folder?''.imap_utf7_decode_local($filters_spam_folder).'':'['._("not set yet").']' ) ); + printf( _("Spam is sent to %s."), ($filters_spam_folder?''.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'':'['._("not set yet").']' ) ); echo '
'; printf( _("Spam scan is limited to %s."), '' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '' ); echo '

'.
diff -urw squirrelmail-1.4.4.orig/plugins/listcommands/mailout.php squirrelmail-1.4.4/plugins/listcommands/mailout.php
--- plugins/listcommands/mailout.php Mon Dec 27 16:03:58 2004
+++ plugins/listcommands/mailout.php Wed Jun 15 23:50:03 2005
@@@@ -25,14 +25,6 @@@@
 sqgetGlobalVar('body', $body, SQ_GET);
 sqgetGlobalVar('action', $action, SQ_GET);
-echo html_tag('p', '', 'left' ) .
-html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
- html_tag( 'tr',
- html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] )
- ) .
- html_tag( 'tr' ) .
- html_tag( 'td', '', 'left' );
-
 switch ( $action ) {
 case 'help':
 $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below.");
@@@@ -42,7 +34,19 @@@@
 break;
 case 'unsubscribe':
 $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below.");
+default:
+ error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color);
+ exit;
 }
+
+echo html_tag('p', '', 'left' ) .
+html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" .
+ html_tag( 'tr',
+ html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] )
+ ) .
+ html_tag( 'tr' ) .
+ html_tag( 'td', '', 'left' );
+
 printf( $out_string, htmlspecialchars($send_to) );
diff -urw squirrelmail-1.4.4.orig/plugins/newmail/newmail.php squirrelmail-1.4.4/plugins/newmail/newmail.php
--- plugins/newmail/newmail.php Mon Dec 27 16:03:58 2004
+++ plugins/newmail/newmail.php Wed Jun 15 23:50:03 2005
@@@@ -22,6 +22,7 @@@@
 require_once(SM_PATH . 
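Review bot: As rendered here, the new `default:` label in the second mailout.php hunk follows the `case 'unsubscribe':` assignment with no `break;` between them, so an unsubscribe request falls through into `error_box(...)` and `exit` and never reaches the `printf`. Unless a `break;` line was lost when this patch was collapsed, the hunk needs `        break;` inserted directly before `+default:`. The `default` branch itself is the right shape: it escapes `$action` before echoing and stops before the relocated `html_tag` output passes `$action` through `_()`.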
'functions/page_header.php');
 sqGetGlobalVar('numnew', $numnew, SQ_GET);
+$numnew = (int)$numnew;
 displayHtmlHeader( _("New Mail"), '', FALSE );
diff -urw squirrelmail-1.4.4.orig/plugins/spamcop/setup.php squirrelmail-1.4.4/plugins/spamcop/setup.php
--- plugins/spamcop/setup.php Mon Dec 27 16:03:58 2004
+++ plugins/spamcop/setup.php Wed Jun 15 23:50:03 2005
@@@@ -75,6 +75,9 @@@@
 sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM);
 sqgetGlobalVar('mailbox', $mailbox, SQ_FORM);
 sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);
+ if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) {
+ $startMessage = (int)$startMessage;
+ }
 /* END GLOBALS */
 // catch unset passed_ent_id
diff -urw squirrelmail-1.4.4.orig/plugins/squirrelspell/modules/lang_change.mod squirrelmail-1.4.4/plugins/squirrelspell/modules/lang_change.mod
--- plugins/squirrelspell/modules/lang_change.mod Sat Jun 12 18:39:48 2004
+++ plugins/squirrelspell/modules/lang_change.mod Wed Jun 15 23:50:03 2005
@@@@ -69,11 +69,11 @@@@
 $lang_array = explode( ',', $lang_string );
 $dsp_string = '';
 foreach( $lang_array as $a) {
- $dsp_string .= _(trim($a)) . ', ';
+ $dsp_string .= _(htmlspecialchars(trim($a))) . ', ';
 }
 $dsp_string = substr( $dsp_string, 0, -2 );
 $msg = '
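Review bot: The added `if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) )` in the spamcop/setup.php hunk repeats the unchanged `sqgetGlobalVar('startMessage', $startMessage, SQ_FORM);` call on the line above it, so the value is fetched twice; the guarded form should replace that line rather than follow it. The src/compose.php hunk later in this patch has the same duplicated `sqgetGlobalVar('startMessage',$startMessage)` pair. Note also that when the parameter is absent this hunk leaves `$startMessage` untouched while the compose.php hunk defaults it to `1`; aligning the two would be clearer, though how setup.php uses the value afterwards is outside the hunk.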

' - . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), ''.$dsp_string.'', ''._($lang_default).'') + . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), ''.$dsp_string.'', ''._(htmlspecialchars($lang_default)).'') . '

'; } else { /** diff -urw squirrelmail-1.4.4.orig/src/addressbook.php squirrelmail-1.4.4/src/addressbook.php --- src/addressbook.php Mon Dec 27 16:03:59 2004 +++ src/addressbook.php Wed Jun 15 23:50:03 2005 @@@@ -279,7 +279,7 @@@@ html_tag( 'tr', html_tag( 'td', "\n". '' . _("ERROR") . ': ' . $abook->error . '' ."\n", + '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '' ."\n", 'center' ) ), 'center', '', 'width="100%"' ); @@@@ -331,7 +331,7 @@@@ html_tag( 'tr', html_tag( 'td', "\n". '
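Review bot: Escaping before translating, `_(htmlspecialchars(trim($a)))`, performs the gettext lookup on the escaped form, so a dictionary name containing `&`, `<` or a quote no longer matches its catalogue entry, and whatever `_()` returns is emitted unescaped. The safer order is translate then escape: `$dsp_string .= htmlspecialchars(_(trim($a))) . ', ';` and likewise `htmlspecialchars(_($lang_default))` in the sprintf line. Whether any catalogue actually contains such names is not visible here, but the escape-last form is correct either way.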
' . _("ERROR") . ': ' . $formerror . '' ."\n", + '">' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '' ."\n", 'center' ) ), 'center', '', 'width="100%"' );
@@@@ -343,6 +343,7 @@@@
 /* Get and sort address list */
 $alist = $abook->list_addr();
 if(!is_array($alist)) {
+ $abook->error = htmlspecialchars($abook->error);
 plain_error_message($abook->error, $color);
 exit;
 }
diff -urw squirrelmail-1.4.4.orig/src/compose.php squirrelmail-1.4.4/src/compose.php
--- src/compose.php Mon Jan 3 16:06:28 2005
+++ src/compose.php Wed Jun 15 23:50:03 2005
@@@@ -76,6 +76,11 @@@@
 sqgetGlobalVar('saved_draft',$saved_draft);
 sqgetGlobalVar('delete_draft',$delete_draft);
 sqgetGlobalVar('startMessage',$startMessage);
+if ( sqgetGlobalVar('startMessage',$startMessage) ) {
+ $startMessage = (int)$startMessage;
+} else {
+ $startMessage = 1;
+}
 /** POST VARS */
 sqgetGlobalVar('sigappend', $sigappend, SQ_POST);
diff -urw squirrelmail-1.4.4.orig/src/printer_friendly_bottom.php squirrelmail-1.4.4/src/printer_friendly_bottom.php
--- src/printer_friendly_bottom.php Tue Dec 28 14:02:49 2004
+++ src/printer_friendly_bottom.php Wed Jun 15 23:50:03 2005
@@@@ -33,7 +33,8 @@@@
 sqgetGlobalVar('passed_id', $passed_id, SQ_GET);
 sqgetGlobalVar('mailbox', $mailbox, SQ_GET);
-if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ) {
+if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ||
+ ! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id) ) {
 $passed_ent_id = '';
 }
 /* end globals */
diff -urw squirrelmail-1.4.4.orig/src/right_main.php squirrelmail-1.4.4/src/right_main.php
--- src/right_main.php Mon Dec 27 16:04:00 2004
+++ src/right_main.php Wed Jun 15 23:50:03 2005
@@@@ -165,7 +165,7 @@@@
 do_hook('right_main_after_header');
 if (isset($note)) {
- echo html_tag( 'div', '' . $note .'', 'center' ) . "
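Review bot: In the third src/addressbook.php hunk, overwriting `$abook->error` with its escaped form mutates state that anything reading the error after this point also sees, and if `plain_error_message()` already escapes its message the text comes out double-encoded. Escaping at the call site keeps the stored value intact: `plain_error_message(htmlspecialchars($abook->error), $color);` with the added assignment dropped. Whether plain_error_message escapes its argument is not visible in this patch.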
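Review bot: In the src/printer_friendly_bottom.php hunk, `$` in `'/^\d+(\.\d+)*$/'` also matches immediately before a trailing newline, so a `passed_ent_id` of `1.2` followed by `\n` passes the new check with the newline intact; use the `D` modifier, `'/^\d+(\.\d+)*$/D'`, or end the pattern with `\z`. Apart from that the check does constrain the value to the dotted numeric form the surrounding code appears to expect.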
\n"; + echo html_tag( 'div', '' . htmlspecialchars($note) .'', 'center' ) . "
\n"; } if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) { @ 1.8 log @Updated squirrelmail to 1.4.4nb1 * Fix several cross site scripting vulnerabilities http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0337 @ text @d1 1 a1 1 $NetBSD$ @ 1.8.2.1 log @Pullup ticket 664 - requested by Manuel Bouyer security update for squirrelmail Revisions pulled up: - pkgsrc/mail/ja-squirrelmail/Makefile 1.15 - pkgsrc/mail/ja-squirrelmail/PLIST 1.3 - pkgsrc/mail/ja-squirrelmail/distinfo 1.6 - pkgsrc/mail/squirrelmail/Makefile 1.56 - pkgsrc/mail/squirrelmail/PLIST 1.16 - pkgsrc/mail/squirrelmail/buildlink3.mk 1.3 - pkgsrc/mail/squirrelmail/distinfo 1.26 - pkgsrc/mail/squirrelmail/patches/patch-aa 1.10 - pkgsrc/mail/squirrelmail/patches/patch-ab removed - pkgsrc/mail/squirrelmail-locales/Makefile 1.8 - pkgsrc/mail/squirrelmail-locales/PLIST 1.4 - pkgsrc/mail/squirrelmail-locales/distinfo 1.3 Module Name: pkgsrc Committed By: martti Date: Mon Jul 18 07:04:25 UTC 2005 Modified Files: pkgsrc/mail/ja-squirrelmail: Makefile PLIST distinfo Log Message: Updated mail/ja-squirrelmail to 1.4.5 * lots of bug fixes * translation updates --- Module Name: pkgsrc Committed By: martti Date: Mon Jul 18 07:04:27 UTC 2005 Modified Files: pkgsrc/mail/squirrelmail: Makefile PLIST buildlink3.mk distinfo pkgsrc/mail/squirrelmail/patches: patch-aa Removed Files: pkgsrc/mail/squirrelmail/patches: patch-ab Log Message: Updated mail/squirrelmail to 1.4.5 * lots of bug fixes * translation updates -- Module Name: pkgsrc Committed By: martti Date: Mon Jul 18 07:04:29 UTC 2005 Modified Files: pkgsrc/mail/squirrelmail-locales: Makefile PLIST distinfo Log Message: Updated mail/squirrelmail-locales * sync with squirrelmail 1.4.5 @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.8 2005/06/16 07:30:40 martti Exp $ @ 1.7 log @Updated squirrelmail to 1.4.4 We are pleased to announce the release of SquirrelMail 1.4.4. 
This release is a strongly recommended upgrade due to a number of security issues that have been resolved since 1.4.3a. About This Release ------------------ This release contains a number of bug fixes, and security updates. The list is very long, as this version has been hiding in the trees for a while. For a full list of the changes, you can see the changelog here: http://www.squirrelmail.org/changelog.php A general summary of updates includes a few cross site scripting issues, and two possible file inclusion issue (one remote, one local). Better IMAP handling introduced for certain IMAP servers that advertise LOGINDISABLED, folder handling, and a number of locales issues. Locales ------- Shortly after the release of 1.4.3, the locales were broken out of the main branch into their own branch. This makes the SquirrelMail package itself a lot smaller, along with allowing administrators to download just the packages they need. Details on this change can be found in the ReleaseNotes and the INSTALL files. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.6 2004/11/16 14:18:01 martti Exp $ d3 10 a12 4 diff -urN functions/mime.php functions/mime.php --- functions/mime.php 2004-05-23 19:14:11.000000000 +0300 +++ functions/mime.php 2004-11-03 19:16:50.000000000 +0200 @@@@ -602,13 +602,22 @@@@ d14 175 a188 7 $iLastMatch = $i; $j = $i; - $ret .= $res[1]; + if ($htmlsave) { + $ret .= htmlspecialchars($res[1]); + } else { + $ret .= $res[1]; d190 462 a651 15 $encoding = ucfirst($res[3]); switch ($encoding) { case 'B': $replace = base64_decode($res[4]); - $ret .= charset_decode($res[2],$replace); + if ($utfencode) { + $replace = charset_decode($res[2],$replace); + } elseif ($htmlsave) { + $replace = htmlspecialchars($replace); + } + $ret .= $replace; break; case 'Q': $replace = str_replace('_', ' ', $res[4]); @ 1.6 log @Updated squirrelmail to 1.4.3anb1 (pkg/28328 by IYODA Atsushi) There is a cross site scripting issue in the decoding of encoded text in certain headers. 
SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the decoded strings. http://article.gmane.org/gmane.mail.squirrelmail.user/21169 @ text @d1 1 a1 1 $NetBSD$ @ 1.5 log @Forgot to remove this patch in previous. @ text @d1 6 a6 13 --- src/compose.php.orig Wed Jun 2 20:38:45 2004 +++ src/compose.php Wed Jun 2 20:38:19 2004 @@@@ -757,9 +757,9 @@@@ sqWordWrap($rewrap_body[$i], ($editor_size)); if (preg_match("/^(>+)/", $rewrap_body[$i], $matches)) { $gt = $matches[1]; - $body .= $body .= '>' . str_replace("\n", "\n>$gt ", rtrim($rewrap_body[$i])) ."\n"; + $body .= '>' . str_replace("\n", "\n>$gt ", rtrim($rewrap_body[$i])) ."\n"; } else { - $body .= $body .= '> ' . str_replace("\n", "\n> ", rtrim($rewrap_body[$i])) . "\n"; + $body .= '> ' . str_replace("\n", "\n> ", rtrim($rewrap_body[$i])) . "\n"; } unset($rewrap_body[$i]); d8 23 @ 1.4 log @Ok, I know why the distinfo entry was wrong. Remove $Id: $ from the patch, and regen distinfo. @ text @@ 1.3 log @Add patch from squirrelmail repository: "Fix typo in compose.php reply/reply to all quoting (#963499)." Without this, reply/reply all won't work when quoting a message. Bump PKGREVISION. @ text @a2 9 @@@@ -14,7 +14,7 @@@@ * - Send mail * - Save As Draft * - * $Id: compose.php,v 1.319.2.34 2004/05/24 07:56:51 pdontthink Exp $ + * $Id: compose.php,v 1.319.2.35 2004/05/31 17:32:34 tokul Exp $ */ /* Path for SquirrelMail required files. */ @ 1.2 log @Update squirrelmail to 1.0.6. Pkgsrc changes include: - Respect ${APACHE_SYSCONFDIR} setting. - Install example squirrelmail.conf Apache config file fragment into ${PREFIX}/share/examples/squirrelmail. Changes from version 1.0.3 include: - Reworked validation for each page. 
It's now standardized in validate.php - Fixed login bug that resulted from 1.0.5 security updates - Fixed plugin incompatibilities that were introduced in 1.0.5 - Added more security checking to preference saving/loading - Updated German translation (thanks to Roland Bauerschmidt ) - Updated Finnish help files - MAJOR security issues addressed. Please upgrade as soon as possible. - Downloading attachments should work better due to a tip by Ray Black III. - Fixed bug with drop-down folder list not containing INBOX - Added Sweedish help files Teemu Junnila - Added Italian help files Antonetti Roberto - Fixed some bugs with folder creation - Security fix for UW IMAP server to disallow folder paths outside of $folder_pr efix - Some problems with header encoding/decoding fixed - Made subject column take up whatever width is available - Added bcc to html addressbook search @ text @d1 9 a9 13 $NetBSD: patch-ab,v 1.1 2001/03/29 16:13:08 bouyer Exp $ --- src/right_main.php.orig Thu Mar 29 17:22:25 2001 +++ src/right_main.php Thu Mar 29 17:20:01 2001 @@@@ -81,7 +81,8 @@@@ } // compensate for the UW vulnerability - if ($imap_server_type == 'uw' && strstr($mailbox, '/')) { + if ($imap_server_type == 'uw' && (strstr($mailbox, '../') || + substr($mailbox, 0, 1) == '/')) { $mailbox = 'INBOX'; } d11 13 @ 1.1 log @Patch from the squirrelmail cvs repository: Revision 1.46.2.1: * UW workaround improved, methinks (1.0 branch) Fixes a problem when used with imap-uw: 1.0.3 couldn't read folders in subdirectories. @ text @d1 1 a1 1 $NetBSD: patch-aa,v 1.2 2001/02/02 19:39:19 jlam Exp $ @