author: martti <martti> 2007-05-10 06:48:28 +0000
committer: martti <martti> 2007-05-10 06:48:28 +0000
commit: cf303410f850f4f01d838b8e0686ab021ecd70c2
tree: 0ec2a25d13591da4b89cf3f126ae31d7d871b1b7 /mail/squirrelmail
parent: 77a3d721744f3413d42ab3fcbb37a5ef0b4886d9
Updated mail/squirrelmail to 1.4.10
This version, 1.4.10 is a maintenance release, addressing the following problems since 1.4.9a:

- Some security fixes (see below)
- Small enhancements
- A collection of bugfixes and stability enhancements (see ChangeLog for a full list)

Security issues
===============

This release addresses security issues found since the release of 1.4.9a:

There's an ongoing battle to further secure the HTML filter against malicious HTML mail and the browsers that accept almost any malformed piece of HTML. This release contains fixes for the following:

- HTML attachments containing "data:" URLs;
- Internet Explorer in various versions accepts many permutations of HTML and JavaScript in many charsets. We now properly canonicalize the incoming HTML to us-ascii before applying further filters. IE only.
- Request forgery through images. It was possible to include "images" in HTML mails which were in fact GET requests for the compose.php page sending mail. These images are now properly detected, and the compose form will only send mail through a POST request.

Thanks to Mikhail Markin, Tomas Kuliavas and Michael Jordon for reporting (parts of) these issues and working with us to get them resolved.

These are known as CVE-2007-1262.

Further details on SquirrelMail vulnerabilities can be found at the following address: http://www.squirrelmail.org/security/
Diffstat (limited to 'mail/squirrelmail')
-rw-r--r-- mail/squirrelmail/Makefile 4
-rw-r--r-- mail/squirrelmail/PLIST 5
-rw-r--r-- mail/squirrelmail/distinfo 10
-rw-r--r-- mail/squirrelmail/patches/patch-aa 18
4 files changed, 18 insertions, 19 deletions
diff --git a/mail/squirrelmail/Makefile b/mail/squirrelmail/Makefile
index c070470e9ea..d35baff93eb 100644
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.82 2007/03/24 19:21:27 joerg Exp $
+# $NetBSD: Makefile,v 1.83 2007/05/10 06:48:28 martti Exp $
-DISTNAME= squirrelmail-1.4.9a
+DISTNAME= squirrelmail-1.4.10
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
EXTRACT_SUFX= .tar.bz2
diff --git a/mail/squirrelmail/PLIST b/mail/squirrelmail/PLIST
index 27154d839e1..f7456d69ac5 100644
--- a/mail/squirrelmail/PLIST
+++ b/mail/squirrelmail/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.20 2006/12/04 13:06:01 obache Exp $
+@comment $NetBSD: PLIST,v 1.21 2007/05/10 06:48:28 martti Exp $
man/man8/squirrelmail-conf.pl.8
share/examples/squirrelmail/squirrelmail.conf
share/squirrelmail/AUTHORS
@@ -64,14 +64,13 @@ share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.6.txt
share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.7.txt
share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.8.txt
share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.9.txt
+share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.9a.txt
share/squirrelmail/doc/authentication.txt
-share/squirrelmail/doc/db-backend.txt
share/squirrelmail/doc/ie_ssl.txt
share/squirrelmail/doc/index.html
share/squirrelmail/doc/presets.txt
share/squirrelmail/doc/russian_apache.txt
share/squirrelmail/doc/security.txt
-share/squirrelmail/doc/themes.txt
share/squirrelmail/doc/translating.txt
share/squirrelmail/doc/translating_help.txt
share/squirrelmail/functions/abook_database.php
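Review bot: The only release-notes entry added here is share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.9a.txt, although the package is being bumped to 1.4.10 and no Notes-1.4.10.txt line appears in this hunk. Please check the extracted 1.4.10 tree: if it ships release notes for 1.4.10, the PLIST needs that line too, otherwise the installed files and the packing list disagree. The same check applies to the two removals, doc/db-backend.txt and doc/themes.txt: confirm they are gone upstream and have not moved to a path that now needs its own entry.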
diff --git a/mail/squirrelmail/distinfo b/mail/squirrelmail/distinfo
index 07a75b05af7..b6d9079341e 100644
--- a/mail/squirrelmail/distinfo
+++ b/mail/squirrelmail/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.35 2006/12/04 13:06:01 obache Exp $
+$NetBSD: distinfo,v 1.36 2007/05/10 06:48:28 martti Exp $
-SHA1 (squirrelmail-1.4.9a.tar.bz2) = c9fc139c331cc99aa9bb54886106d2beccdd390a
-RMD160 (squirrelmail-1.4.9a.tar.bz2) = ccb4c0b4d74341862fecc4abe7f1fa63a4535984
-Size (squirrelmail-1.4.9a.tar.bz2) = 481601 bytes
-SHA1 (patch-aa) = 8b2f277985e2b7a723e10c3a1c60bd7bde69086f
+SHA1 (squirrelmail-1.4.10.tar.bz2) = 049d48aebd0adad991e09a2d7ae3509323aeb922
+RMD160 (squirrelmail-1.4.10.tar.bz2) = 550d8a6f9bc67f6c15d97e7af7a6cf62e207bfde
+Size (squirrelmail-1.4.10.tar.bz2) = 484389 bytes
+SHA1 (patch-aa) = 17f0957068ab2dc54871aa3746f58babe46d85cc
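Review bot: The new SHA1 and RMD160 lines for squirrelmail-1.4.10.tar.bz2 carry no indication of how they were obtained, and for a security release fetched through MASTER_SITE_SOURCEFORGE they are the only integrity anchor the package has. Please state in the commit message that the SHA1 was compared against a value published by upstream, so that it is not just the hash of whatever a mirror served at update time. The changed "SHA1 (patch-aa)" line is expected, since patch-aa is modified in the same commit.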
diff --git a/mail/squirrelmail/patches/patch-aa b/mail/squirrelmail/patches/patch-aa
index 99cb8079fe3..e8340430c6b 100644
--- a/mail/squirrelmail/patches/patch-aa
+++ b/mail/squirrelmail/patches/patch-aa
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.12 2006/12/04 13:06:01 obache Exp $
+$NetBSD: patch-aa,v 1.13 2007/05/10 06:48:28 martti Exp $
---- config/config_default.php.orig 2006-10-07 11:58:42.000000000 +0000
-+++ config/config_default.php
-@@ -414,7 +414,7 @@ $default_sub_of_inbox = true;
+--- config/config_default.php.orig 2007-03-04 04:07:59.000000000 +0200
++++ config/config_default.php 2007-05-10 09:21:01.000000000 +0300
+@@ -414,7 +414,7 @@
* false. (Cyrus works fine whether it's true OR false).
* @global bool $show_contain_subfolders_option
*/
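Review bot: The regenerated patch header changes format for no functional reason. The "+++ config/config_default.php" line now carries a timestamp with a local zone offset (2007-05-10 09:21:01 +0300), where revision 1.12 had none, and the "@@ -414,7 +414,7 @@" line has lost its "$default_sub_of_inbox = true;" context label. Both make later regenerations of patch-aa produce header-only churn and make the real change harder to spot in review. Suggest regenerating the patch with the same diff options as the previous revision so that only genuine offset and content changes show up.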
@@ -11,20 +11,20 @@ $NetBSD: patch-aa,v 1.12 2006/12/04 13:06:01 obache Exp $
/**
* These next two options set the defaults for the way that the
-@@ -459,7 +459,7 @@ $noselect_fix_enable = false;
- * $data_dir = SM_PATH . 'data/';
+@@ -464,7 +464,7 @@
+ *
* @global string $data_dir
*/
--$data_dir = SM_PATH . 'data/';
+-$data_dir = '/var/local/squirrelmail/data/';
+$data_dir = '@USER_PREFS_DIR@/';
/**
* Attachments directory
-@@ -477,7 +477,7 @@ $data_dir = SM_PATH . 'data/';
+@@ -482,7 +482,7 @@
* + It should probably be another directory than data_dir.
* @global string $attachment_dir
*/
--$attachment_dir = $data_dir;
+-$attachment_dir = '/var/local/squirrelmail/attach/';
+$attachment_dir = '@ATTACHMENTS_DIR@/';
/**
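Review bot: The replacement lines "$data_dir = '@USER_PREFS_DIR@/';" and "$attachment_dir = '@ATTACHMENTS_DIR@/';" depend on the two @...@ tokens being substituted elsewhere, and nothing in this commit shows that step. Please confirm that it still runs against the 1.4.10 config_default.php, so that no literal token reaches an installed file. The removed lines show upstream's defaults changing from SM_PATH . 'data/' and $data_dir to '/var/local/squirrelmail/data/' and '/var/local/squirrelmail/attach/', so it is also worth confirming that the substituted values keep the same property: two distinct directories, in line with the context comment "It should probably be another directory than data_dir", and both outside the web-served tree, since they hold user preferences and attachments.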