author | tron <tron@pkgsrc.org> | 2006-06-04 12:31:31 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2006-06-04 12:31:31 +0000 |
commit | d431f8a51b36b25b02cc550552448fab0b78ef32 (patch) | |
tree | 4882851b5c60126e6daacda1802b8a570928f2ab /mail | |
parent | 0c0a60eab1ec8139b316b1bc6813a1a6efc4eeb0 (diff) | |
download | pkgsrc-d431f8a51b36b25b02cc550552448fab0b78ef32.tar.gz |
Add fix for security issue 2006-06-01 from SquirrelMail CVS repository.
Bump package revision.
Diffstat (limited to 'mail')
-rw-r--r-- | mail/ja-squirrelmail/Makefile | 4 | ||||
-rw-r--r-- | mail/ja-squirrelmail/distinfo | 3 | ||||
-rw-r--r-- | mail/ja-squirrelmail/patches/patch-ac | 59 | ||||
-rw-r--r-- | mail/squirrelmail/Makefile | 4 | ||||
-rw-r--r-- | mail/squirrelmail/distinfo | 3 | ||||
-rw-r--r-- | mail/squirrelmail/patches/patch-ac | 59 |
6 files changed, 126 insertions, 6 deletions
diff --git a/mail/ja-squirrelmail/Makefile b/mail/ja-squirrelmail/Makefile
index 1edd25d23a7..6ae9dcac5b7 100644
--- a/mail/ja-squirrelmail/Makefile
+++ b/mail/ja-squirrelmail/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2006/06/02 18:27:56 joerg Exp $
+# $NetBSD: Makefile,v 1.30 2006/06/04 12:31:31 tron Exp $
 DISTNAME= squirrelmail-1.4.6
 PKGNAME= ja-${DISTNAME}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= mail www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/mail/ja-squirrelmail/distinfo b/mail/ja-squirrelmail/distinfo
index 6d4e4f2b5cb..aa2fe9cc254 100644
--- a/mail/ja-squirrelmail/distinfo
+++ b/mail/ja-squirrelmail/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.10 2006/05/05 05:32:36 martti Exp $
+$NetBSD: distinfo,v 1.11 2006/06/04 12:31:31 tron Exp $
 SHA1 (squirrelmail-1.4.6.tar.bz2) = b813aa9f736b4b6c41d1afd35bcbd01604e85cf7
 RMD160 (squirrelmail-1.4.6.tar.bz2) = 3cee894b392620af3e35ef1d00e35775559dd4f7
@@ -8,3 +8,4 @@ RMD160 (squirrelmail-1.4.6-ja-20060504-patch) = 7cb0a584afaffe73176edd75886fe753
 Size (squirrelmail-1.4.6-ja-20060504-patch) = 29808 bytes
 SHA1 (patch-aa) = c96e85a28464c414bef744f9d1398fc9dd49549a
 SHA1 (patch-ab) = a7648438c9764e432e5d040e8e3aebb0ab48730e
+SHA1 (patch-ac) = 393579f9276169d2c765726fb1249160a270e983
diff --git a/mail/ja-squirrelmail/patches/patch-ac b/mail/ja-squirrelmail/patches/patch-ac
new file mode 100644
index 00000000000..d02c29b17d7
--- /dev/null
+++ b/mail/ja-squirrelmail/patches/patch-ac
@@ -0,0 +1,59 @@
+$NetBSD: patch-ac,v 1.3 2006/06/04 12:31:31 tron Exp $
+
+--- functions/global.php.orig 2006-02-03 22:27:47.000000000 +0000
++++ functions/global.php 2006-06-04 13:22:14.000000000 +0100
+@@ -62,6 +62,47 @@
+ sqstripslashes($_POST);
+ }
+
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++ strtolower(ini_get('register_globals'))!='off') {
++ /**
++ * Remove all globals from $_GET, $_POST, and $_COOKIE.
++ */
++ foreach ($_REQUEST as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized $_FILES variables
++ * Before 4.3.0 $_FILES are included in $_REQUEST.
++ * Unglobalize them in separate call in order to remove dependency
++ * on PHP version.
++ */
++ foreach ($_FILES as $key => $value) {
++ unset($GLOBALS[$key]);
++ // there are three undocumented $_FILES globals.
++ unset($GLOBALS[$key.'_type']);
++ unset($GLOBALS[$key.'_name']);
++ unset($GLOBALS[$key.'_size']);
++ }
++ /**
++ * Remove globalized environment variables.
++ */
++ foreach ($_ENV as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized server variables.
++ */
++ foreach ($_SERVER as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+ This fixes hand crafted url XXS expoits for any
+ page that uses PHP_SELF as the FORM action */
+@@ -336,4 +377,4 @@
+ }
+
+ // vim: et ts=4
+-?>
+\ No newline at end of file
++?>
diff --git a/mail/squirrelmail/Makefile b/mail/squirrelmail/Makefile
index 49836355e42..0ed7d566406 100644
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
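Review bot: The four unregister loops added to `functions/global.php` call `unset($GLOBALS[$key])` for every key found in `$_REQUEST`, `$_FILES`, `$_ENV` and `$_SERVER` without excluding PHP's reserved names, so with register_globals on a request key that matches one of them (for example `_SESSION` or `_SERVER`) would presumably have that array removed from global scope too. I would skip an explicit list of reserved names before each unset, `if (in_array((string) $key, $reserved)) continue;`, with `$reserved` holding `GLOBALS`, `_GET`, `_POST`, `_COOKIE`, `_FILES`, `_ENV`, `_SERVER`, `_SESSION` and `_REQUEST`. The loop variables also stay in global scope after the block, so it should end with `unset($key, $value);`. The same patch is added unchanged as `mail/squirrelmail/patches/patch-ac` (same blob d02c29b17d7), and the code around this block in `global.php` lies outside the hunk.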
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.72 2006/06/02 18:27:56 joerg Exp $
+# $NetBSD: Makefile,v 1.73 2006/06/04 12:31:31 tron Exp $
 DISTNAME= squirrelmail-1.4.6
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= mail www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/mail/squirrelmail/distinfo b/mail/squirrelmail/distinfo
index f8358554fe8..646004b6f70 100644
--- a/mail/squirrelmail/distinfo
+++ b/mail/squirrelmail/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.31 2006/04/11 05:24:20 martti Exp $
+$NetBSD: distinfo,v 1.32 2006/06/04 12:31:31 tron Exp $
 SHA1 (squirrelmail-1.4.6.tar.bz2) = b813aa9f736b4b6c41d1afd35bcbd01604e85cf7
 RMD160 (squirrelmail-1.4.6.tar.bz2) = 3cee894b392620af3e35ef1d00e35775559dd4f7
 Size (squirrelmail-1.4.6.tar.bz2) = 484099 bytes
 SHA1 (patch-aa) = cafc171ab1de5e2e1e83caff39f3bfb810fe2ab5
 SHA1 (patch-ab) = a7648438c9764e432e5d040e8e3aebb0ab48730e
+SHA1 (patch-ac) = 393579f9276169d2c765726fb1249160a270e983
diff --git a/mail/squirrelmail/patches/patch-ac b/mail/squirrelmail/patches/patch-ac
new file mode 100644
index 00000000000..d02c29b17d7
--- /dev/null
+++ b/mail/squirrelmail/patches/patch-ac
@@ -0,0 +1,59 @@
+$NetBSD: patch-ac,v 1.3 2006/06/04 12:31:31 tron Exp $
+
+--- functions/global.php.orig 2006-02-03 22:27:47.000000000 +0000
++++ functions/global.php 2006-06-04 13:22:14.000000000 +0100
+@@ -62,6 +62,47 @@
+ sqstripslashes($_POST);
+ }
+
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++ strtolower(ini_get('register_globals'))!='off') {
++ /**
++ * Remove all globals from $_GET, $_POST, and $_COOKIE.
++ */
++ foreach ($_REQUEST as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized $_FILES variables
++ * Before 4.3.0 $_FILES are included in $_REQUEST.
++ * Unglobalize them in separate call in order to remove dependency
++ * on PHP version.
++ */
++ foreach ($_FILES as $key => $value) {
++ unset($GLOBALS[$key]);
++ // there are three undocumented $_FILES globals.
++ unset($GLOBALS[$key.'_type']);
++ unset($GLOBALS[$key.'_name']);
++ unset($GLOBALS[$key.'_size']);
++ }
++ /**
++ * Remove globalized environment variables.
++ */
++ foreach ($_ENV as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized server variables.
++ */
++ foreach ($_SERVER as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+ This fixes hand crafted url XXS expoits for any
+ page that uses PHP_SELF as the FORM action */
+@@ -336,4 +377,4 @@
+ }
+
+ // vim: et ts=4
+-?>
+\ No newline at end of file
++?> |