authormartti <martti@pkgsrc.org>2004-11-16 14:18:01 +0000
committermartti <martti@pkgsrc.org>2004-11-16 14:18:01 +0000
commit914bc2a8a8a2b48b8b5178bad6f673a377147df5 (patch)
tree3d802fd5bdce8c93f4de5c2091aa816c77569c01 /mail/squirrelmail
parente5549532e2cfb126e5dbd05a7a7cb5192ece2c9b (diff)
Updated squirrelmail to 1.4.3anb1 (pkg/28328 by IYODA Atsushi)
There is a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the decoded strings. http://article.gmane.org/gmane.mail.squirrelmail.user/21169
Diffstat (limited to 'mail/squirrelmail')
-rw-r--r--mail/squirrelmail/Makefile3
-rw-r--r--mail/squirrelmail/distinfo5
-rw-r--r--mail/squirrelmail/patches/patch-aa2
-rw-r--r--mail/squirrelmail/patches/patch-ab30
4 files changed, 37 insertions, 3 deletions
diff --git a/mail/squirrelmail/Makefile b/mail/squirrelmail/Makefile
index 66a845969aa..8a8f2fe5379 100644
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.42 2004/10/31 23:47:33 jdolecek Exp $
+# $NetBSD: Makefile,v 1.43 2004/11/16 14:18:01 martti Exp $
DISTNAME= squirrelmail-1.4.3a
+PKGREVISION= 1
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
EXTRACT_SUFX= .tar.bz2
diff --git a/mail/squirrelmail/distinfo b/mail/squirrelmail/distinfo
index 2534320c6c8..aca5bdeede4 100644
--- a/mail/squirrelmail/distinfo
+++ b/mail/squirrelmail/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.20 2004/06/04 14:05:53 xtraeme Exp $
+$NetBSD: distinfo,v 1.21 2004/11/16 14:18:01 martti Exp $
SHA1 (squirrelmail-1.4.3a.tar.bz2) = 8cb22905ddedbe94c9a174d12074263ce84c9a27
Size (squirrelmail-1.4.3a.tar.bz2) = 2254039 bytes
-SHA1 (patch-aa) = cad816ce6e36def3f1b99ba831aa297c074d5aca
+SHA1 (patch-aa) = b850165c4ed863faca1b8786e43c2cc16abba060
+SHA1 (patch-ab) = c994d1287465f4b3ffa79d1e9c0f27c50ce27aa6
diff --git a/mail/squirrelmail/patches/patch-aa b/mail/squirrelmail/patches/patch-aa
index 1934fe2b5d8..2cd801f7e71 100644
--- a/mail/squirrelmail/patches/patch-aa
+++ b/mail/squirrelmail/patches/patch-aa
@@ -1,3 +1,5 @@
+$NetBSD: patch-aa,v 1.8 2004/11/16 14:18:01 martti Exp $
+
--- config/config_default.php.orig 2004-04-21 20:21:54.000000000 +0300
+++ config/config_default.php 2004-05-31 21:32:43.000000000 +0300
@@ -383,7 +383,7 @@
diff --git a/mail/squirrelmail/patches/patch-ab b/mail/squirrelmail/patches/patch-ab
new file mode 100644
index 00000000000..b1de49d39b0
--- /dev/null
+++ b/mail/squirrelmail/patches/patch-ab
@@ -0,0 +1,30 @@
+$NetBSD: patch-ab,v 1.6 2004/11/16 14:18:01 martti Exp $
+
+diff -urN functions/mime.php functions/mime.php
+--- functions/mime.php 2004-05-23 19:14:11.000000000 +0300
++++ functions/mime.php 2004-11-03 19:16:50.000000000 +0200
+@@ -602,13 +602,22 @@
+ }
+ $iLastMatch = $i;
+ $j = $i;
+- $ret .= $res[1];
++ if ($htmlsave) {
++ $ret .= htmlspecialchars($res[1]);
++ } else {
++ $ret .= $res[1];
++ }
+ $encoding = ucfirst($res[3]);
+ switch ($encoding)
+ {
+ case 'B':
+ $replace = base64_decode($res[4]);
+- $ret .= charset_decode($res[2],$replace);
++ if ($utfencode) {
++ $replace = charset_decode($res[2],$replace);
++ } elseif ($htmlsave) {
++ $replace = htmlspecialchars($replace);
++ }
++ $ret .= $replace;
+ break;
+ case 'Q':
+ $replace = str_replace('_', ' ', $res[4]);
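Review bot: The escaping added here is visible only for the literal text before an encoded word and for the 'B' (base64) case; the 'Q' case at the end of the hunk is unchanged context and its body continues outside the hunk, so it should be confirmed that quoted-printable encoded words get the same `$utfencode` / `$htmlsave` handling before they are appended to `$ret`. In the 'B' case, when `$utfencode` is true the result of `charset_decode()` is appended without `htmlspecialchars()`, so that path presumably relies on `charset_decode()` returning HTML-safe text, and when both flags are false the raw decoded bytes are appended unchanged. A comment above the `switch` such as `// $utfencode: charset_decode() must return HTML-safe text; $htmlsave: escaped here; neither: caller must escape before output` would make that contract explicit for later maintainers. The enclosing function and the definitions of both flags are outside the hunk.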