authormartti <martti>2006-02-27 07:12:13 +0000
committermartti <martti>2006-02-27 07:12:13 +0000
commit1cc0467f0d3f02a2c670f2ed0a6a20e1ae727afb (patch)
tree6dc6f10d3fd5117f905c07cde5becb650ce46816 /mail/squirrelmail
parent74485f1ffe36769109fc7224c8ae0529277bd07f (diff)
downloadpkgsrc-1cc0467f0d3f02a2c670f2ed0a6a20e1ae727afb.tar.gz
Updated squirrelmail to 1.4.6
This release is very important, and we strongly advise everybody to update to the latest release.

Security Update
===============

This version contains a number of security updates that were brought to our attention via a number of sources.

- In webmail.php, the right_frame parameter was not properly sanitized to deal with very lenient browsers, which allowed for cross site scripting or frame replacing. [CVE-2006-0188]
- In the MagicHTML function, some very obscure constructs were discovered to be exploitable: 'u\rl' was interpreted as 'url' (privacy concern), and comments could be inside keywords (allows for cross site scripting). Both only affect Internet Explorer users. Found by Martijn Brinkers and Scott Hughes. [CVE-2006-0195]
- The function sqimap_mailbox_select did not strip newlines from the mailbox parameter, and thereby allowed for IMAP command injection. Found by Vicente Aguilera. [CVE-2006-0377]
Diffstat (limited to 'mail/squirrelmail')
-rw-r--r--mail/squirrelmail/Makefile6
-rw-r--r--mail/squirrelmail/PLIST19
-rw-r--r--mail/squirrelmail/buildlink3.mk6
-rw-r--r--mail/squirrelmail/distinfo15
-rw-r--r--mail/squirrelmail/patches/patch-ab16
-rw-r--r--mail/squirrelmail/patches/patch-ac23
-rw-r--r--mail/squirrelmail/patches/patch-ad16
-rw-r--r--mail/squirrelmail/patches/patch-ae32
-rw-r--r--mail/squirrelmail/patches/patch-af17
-rw-r--r--mail/squirrelmail/patches/patch-ag13
-rw-r--r--mail/squirrelmail/patches/patch-ah13
11 files changed, 28 insertions, 148 deletions
diff --git a/mail/squirrelmail/Makefile b/mail/squirrelmail/Makefile
index 08781915a96..aa66630cea3 100644
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.68 2006/02/17 07:04:25 martti Exp $
+# $NetBSD: Makefile,v 1.69 2006/02/27 07:12:13 martti Exp $
-DISTNAME= squirrelmail-1.4.5
-PKGREVISION= 5
+DISTNAME= squirrelmail-1.4.6
+#PKGREVISION= 1
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=squirrelmail/}
EXTRACT_SUFX= .tar.bz2
diff --git a/mail/squirrelmail/PLIST b/mail/squirrelmail/PLIST
index 874e9ed4642..9d9f341971f 100644
--- a/mail/squirrelmail/PLIST
+++ b/mail/squirrelmail/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.16 2005/07/18 07:04:27 martti Exp $
+@comment $NetBSD: PLIST,v 1.17 2006/02/27 07:12:13 martti Exp $
share/examples/squirrelmail/squirrelmail.conf
share/squirrelmail/AUTHORS
share/squirrelmail/COPYING
@@ -13,6 +13,7 @@ share/squirrelmail/class/deliver/Deliver_SMTP.class.php
share/squirrelmail/class/deliver/Deliver_SendMail.class.php
share/squirrelmail/class/deliver/index.php
share/squirrelmail/class/helper/VCard.class.php
+share/squirrelmail/class/helper/index.php
share/squirrelmail/class/html.class.php
share/squirrelmail/class/index.php
share/squirrelmail/class/mime.class.php
@@ -63,12 +64,14 @@ share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.2.txt
share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.3.txt
share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.3a.txt
share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.4.txt
+share/squirrelmail/doc/ReleaseNotes/1.4/Notes-1.4.5.txt
share/squirrelmail/doc/authentication.txt
share/squirrelmail/doc/db-backend.txt
share/squirrelmail/doc/ie_ssl.txt
share/squirrelmail/doc/index.html
share/squirrelmail/doc/presets.txt
share/squirrelmail/doc/russian_apache.txt
+share/squirrelmail/doc/security.txt
share/squirrelmail/doc/themes.txt
share/squirrelmail/doc/translating.txt
share/squirrelmail/doc/translating_help.txt
@@ -92,6 +95,7 @@ share/squirrelmail/functions/decode/cp1257.php
share/squirrelmail/functions/decode/cp1258.php
share/squirrelmail/functions/decode/cp855.php
share/squirrelmail/functions/decode/cp866.php
+share/squirrelmail/functions/decode/index.php
share/squirrelmail/functions/decode/iso_8859_1.php
share/squirrelmail/functions/decode/iso_8859_10.php
share/squirrelmail/functions/decode/iso_8859_11.php
@@ -118,6 +122,7 @@ share/squirrelmail/functions/display_messages.php
share/squirrelmail/functions/encode/cp1251.php
share/squirrelmail/functions/encode/cp1255.php
share/squirrelmail/functions/encode/cp1256.php
+share/squirrelmail/functions/encode/index.php
share/squirrelmail/functions/encode/iso_8859_1.php
share/squirrelmail/functions/encode/iso_8859_15.php
share/squirrelmail/functions/encode/iso_8859_2.php
@@ -188,6 +193,7 @@ share/squirrelmail/locale/index.php
share/squirrelmail/locale/timezones.cfg
share/squirrelmail/plugins/README.plugins
share/squirrelmail/plugins/abook_take/README
+share/squirrelmail/plugins/abook_take/index.php
share/squirrelmail/plugins/abook_take/setup.php
share/squirrelmail/plugins/abook_take/take.php
share/squirrelmail/plugins/administrator/INSTALL
@@ -222,12 +228,14 @@ share/squirrelmail/plugins/filters/bulkquery/README
share/squirrelmail/plugins/filters/bulkquery/bq.in
share/squirrelmail/plugins/filters/bulkquery/bq.out
share/squirrelmail/plugins/filters/bulkquery/bulkquery.c
+share/squirrelmail/plugins/filters/bulkquery/index.php
share/squirrelmail/plugins/filters/filters.php
share/squirrelmail/plugins/filters/index.php
share/squirrelmail/plugins/filters/options.php
share/squirrelmail/plugins/filters/setup.php
share/squirrelmail/plugins/filters/spamoptions.php
share/squirrelmail/plugins/fortune/INSTALL
+share/squirrelmail/plugins/fortune/index.php
share/squirrelmail/plugins/fortune/setup.php
share/squirrelmail/plugins/index.php
share/squirrelmail/plugins/info/README
@@ -247,6 +255,7 @@ share/squirrelmail/plugins/mail_fetch/index.php
share/squirrelmail/plugins/mail_fetch/options.php
share/squirrelmail/plugins/mail_fetch/setup.php
share/squirrelmail/plugins/make_archive.pl
+share/squirrelmail/plugins/message_details/index.php
share/squirrelmail/plugins/message_details/message_details_bottom.php
share/squirrelmail/plugins/message_details/message_details_main.php
share/squirrelmail/plugins/message_details/message_details_top.php
@@ -261,6 +270,7 @@ share/squirrelmail/plugins/newmail/sounds/FanFair.wav
share/squirrelmail/plugins/newmail/sounds/Friends.wav
share/squirrelmail/plugins/newmail/sounds/MontyPython.wav
share/squirrelmail/plugins/newmail/sounds/Notify.wav
+share/squirrelmail/plugins/newmail/sounds/index.php
share/squirrelmail/plugins/newmail/testsound.php
share/squirrelmail/plugins/sent_subfolders/index.php
share/squirrelmail/plugins/sent_subfolders/setup.php
@@ -357,11 +367,13 @@ share/squirrelmail/themes/alien_glow.php
share/squirrelmail/themes/black_bean_burrito_theme.php
share/squirrelmail/themes/blue_grey_theme.php
share/squirrelmail/themes/bluesnews_theme.php
+share/squirrelmail/themes/bluesome.php
share/squirrelmail/themes/bluesteel_theme.php
share/squirrelmail/themes/christmas.php
share/squirrelmail/themes/css/comic-sans-08.css
share/squirrelmail/themes/css/comic-sans-10.css
share/squirrelmail/themes/css/comic-sans-12.css
+share/squirrelmail/themes/css/index.php
share/squirrelmail/themes/css/sans-08.css
share/squirrelmail/themes/css/sans-10.css
share/squirrelmail/themes/css/sans-12.css
@@ -402,10 +414,15 @@ share/squirrelmail/themes/sandstorm_theme.php
share/squirrelmail/themes/seaspray_theme.php
share/squirrelmail/themes/servery_theme.php
share/squirrelmail/themes/shades_of_grey.php
+share/squirrelmail/themes/silver_steel_theme.php
+share/squirrelmail/themes/simple_green2.php
+share/squirrelmail/themes/simple_green_theme.php
+share/squirrelmail/themes/simple_purple.php
share/squirrelmail/themes/slashdot_theme.php
share/squirrelmail/themes/spice_of_life.php
share/squirrelmail/themes/spice_of_life_dark.php
share/squirrelmail/themes/spice_of_life_lite.php
+share/squirrelmail/themes/wood_theme.php
@dirrm share/squirrelmail/themes/css
@dirrm share/squirrelmail/themes
@dirrm share/squirrelmail/src
diff --git a/mail/squirrelmail/buildlink3.mk b/mail/squirrelmail/buildlink3.mk
index 01d47124448..156d5f8a9f8 100644
--- a/mail/squirrelmail/buildlink3.mk
+++ b/mail/squirrelmail/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.6 2006/02/17 07:04:25 martti Exp $
+# $NetBSD: buildlink3.mk,v 1.7 2006/02/27 07:12:13 martti Exp $
BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
SQUIRRELMAIL_BUILDLINK3_MK:= ${SQUIRRELMAIL_BUILDLINK3_MK}+
@@ -11,8 +11,8 @@ BUILDLINK_PACKAGES:= ${BUILDLINK_PACKAGES:Nsquirrelmail}
BUILDLINK_PACKAGES+= squirrelmail
.if !empty(SQUIRRELMAIL_BUILDLINK3_MK:M+)
-BUILDLINK_DEPENDS.squirrelmail+= {ja-,}squirrelmail>=1.4.5
-BUILDLINK_RECOMMENDED.squirrelmail?= squirrelmail>=1.4.5nb5
+BUILDLINK_DEPENDS.squirrelmail+= {ja-,}squirrelmail>=1.4.6
+BUILDLINK_RECOMMENDED.squirrelmail?= squirrelmail>=1.4.6
BUILDLINK_PKGSRCDIR.squirrelmail?= ../../mail/squirrelmail
.endif # SQUIRRELMAIL_BUILDLINK3_MK
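Review bot: The new `BUILDLINK_RECOMMENDED.squirrelmail?= squirrelmail>=1.4.6` line omits the `{ja-,}` alternation that the `BUILDLINK_DEPENDS.squirrelmail` line directly above it carries, so the two floors match different package names. If ja-squirrelmail is meant to satisfy this dependency, the recommended pattern should read `BUILDLINK_RECOMMENDED.squirrelmail?= {ja-,}squirrelmail>=1.4.6`; the mismatch is already present on the old side and is carried over unchanged. Because the commit message gives three CVE fixes as the reason for moving to 1.4.6, a comment above the two assignments such as `# floor raised for the security fixes in 1.4.6 (CVE-2006-0188, CVE-2006-0195, CVE-2006-0377)` would record why the floor should not be lowered later.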
diff --git a/mail/squirrelmail/distinfo b/mail/squirrelmail/distinfo
index 52a572fb7dc..83c8c0570c2 100644
--- a/mail/squirrelmail/distinfo
+++ b/mail/squirrelmail/distinfo
@@ -1,13 +1,6 @@
-$NetBSD: distinfo,v 1.29 2005/12/05 20:13:38 martti Exp $
+$NetBSD: distinfo,v 1.30 2006/02/27 07:12:13 martti Exp $
-SHA1 (squirrelmail-1.4.5.tar.bz2) = 48c93dd99b72b73a3ea48311152bcbc40af5cabb
-RMD160 (squirrelmail-1.4.5.tar.bz2) = 6f748e483ea1c3c94eeb849ce11a3afd90c499a0
-Size (squirrelmail-1.4.5.tar.bz2) = 480226 bytes
+SHA1 (squirrelmail-1.4.6.tar.bz2) = b813aa9f736b4b6c41d1afd35bcbd01604e85cf7
+RMD160 (squirrelmail-1.4.6.tar.bz2) = 3cee894b392620af3e35ef1d00e35775559dd4f7
+Size (squirrelmail-1.4.6.tar.bz2) = 484099 bytes
SHA1 (patch-aa) = cafc171ab1de5e2e1e83caff39f3bfb810fe2ab5
-SHA1 (patch-ab) = c101e77938a3c2c6cf62b62a79a63125d44dda32
-SHA1 (patch-ac) = 7d3c742e8694fb051ada1d11d1624b199d61cf5b
-SHA1 (patch-ad) = 1db2f3d91e059a26ba41e638b7fba134fb7fa1ca
-SHA1 (patch-ae) = 45578c696d9e0ff48928e81228982e5d40c86919
-SHA1 (patch-af) = 96bb58143a83b6bbeb5477fdcd470895ccae202b
-SHA1 (patch-ag) = a9cd5b779468ca7f1361c72207bbb550cd9748e3
-SHA1 (patch-ah) = 073dfa9544b8dd9ec91c4a8cba5e5b6c710e284f
diff --git a/mail/squirrelmail/patches/patch-ab b/mail/squirrelmail/patches/patch-ab
deleted file mode 100644
index 6f2fe5ad7e5..00000000000
--- a/mail/squirrelmail/patches/patch-ab
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-ab,v 1.10 2005/09/20 13:19:05 schmonz Exp $
-
---- class/mime/Rfc822Header.class.php.orig 2005-02-06 19:33:29.000000000 -0500
-+++ class/mime/Rfc822Header.class.php
-@@ -505,8 +505,9 @@ class Rfc822Header {
- * functions/imap_messages. I'm not sure if it's ok here to call
- * that function?
- */
-- function parsePriority($value) {
-- $value = strtolower(array_shift(split('/\w/',trim($value))));
-+ function parsePriority($sValue) {
-+ $aValue = split('/\w/',trim($sValue));
-+ $value = strtolower(array_shift($aValue));
- if ( is_numeric($value) ) {
- return $value;
- }
diff --git a/mail/squirrelmail/patches/patch-ac b/mail/squirrelmail/patches/patch-ac
deleted file mode 100644
index 1604c342a92..00000000000
--- a/mail/squirrelmail/patches/patch-ac
+++ /dev/null
@@ -1,23 +0,0 @@
-$NetBSD: patch-ac,v 1.1 2005/09/20 13:19:05 schmonz Exp $
-
---- functions/imap_messages.php.orig 2005-04-16 13:45:38.000000000 -0400
-+++ functions/imap_messages.php
-@@ -476,8 +476,9 @@ function parseArray($read,&$i) {
- * NOTE: this is actually a duplicate from the function in
- * class/mime/Rfc822Header.php.
- */
--function parsePriority($value) {
-- $value = strtolower(array_shift(split('/\w/',trim($value))));
-+function parsePriority($sValue) {
-+ $aValue=split('/\w/',trim($sValue));
-+ $value = strtolower(array_shift($aValue));
- if ( is_numeric($value) ) {
- return $value;
- }
-@@ -915,4 +916,4 @@ function sqimap_get_small_header($imap_s
- return $res[0];
- }
-
--?>
-\ No newline at end of file
-+?>
diff --git a/mail/squirrelmail/patches/patch-ad b/mail/squirrelmail/patches/patch-ad
deleted file mode 100644
index 4375d023f5b..00000000000
--- a/mail/squirrelmail/patches/patch-ad
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-ad,v 1.1 2005/09/20 13:19:05 schmonz Exp $
-
---- plugins/listcommands/setup.php.orig 2005-02-28 05:20:12.000000000 -0500
-+++ plugins/listcommands/setup.php
-@@ -51,8 +51,9 @@ function plugin_listcommands_menu() {
- }
-
- /* proto = {mailto,href} */
-- $proto = array_shift(array_keys($actions));
-- $act = array_shift($actions);
-+ $aActionKeys = array_keys($actions);
-+ $proto = array_shift($aActionKeys);
-+ $act = array_shift($aActionKeys);
-
- if ($proto == 'mailto') {
-
diff --git a/mail/squirrelmail/patches/patch-ae b/mail/squirrelmail/patches/patch-ae
deleted file mode 100644
index 493cc0a5adb..00000000000
--- a/mail/squirrelmail/patches/patch-ae
+++ /dev/null
@@ -1,32 +0,0 @@
-$NetBSD: patch-ae,v 1.1 2005/09/20 13:19:05 schmonz Exp $
-
---- src/configtest.php.orig 2005-05-20 14:43:39.000000000 -0400
-+++ src/configtest.php
-@@ -314,7 +314,7 @@ if (function_exists('recode')) {
- echo "$IND iconv - ";
- if (function_exists('iconv')) {
- echo "Iconv functions are available.<br />\n";
--} elseif ($use_php_iconv) {
-+} elseif (isset($use_php_iconv) && $use_php_iconv) {
- echo "Iconv functions are unavailable.<br />\n";
- do_err('Your configuration requires iconv support, but iconv support is missing.');
- } else {
-@@ -365,7 +365,8 @@ if(!empty($addrbook_dsn) || !empty($pref
- }
-
- foreach($dsns as $type => $dsn) {
-- $dbtype = array_shift(explode(':', $dsn));
-+ $aDsn = explode(':', $dsn);
-+ $dbtype = array_shift($aDsn);
- if(isset($db_functions[$dbtype]) && function_exists($db_functions[$dbtype])) {
- echo "$IND$dbtype database support present.<br />\n";
-
-@@ -380,7 +381,7 @@ if(!empty($addrbook_dsn) || !empty($pref
- echo "$IND$type database connect successful.<br />\n";
-
- } else {
-- do_err($db.' database support not present!');
-+ do_err($dbtype.' database support not present!');
- }
- }
- } else {
diff --git a/mail/squirrelmail/patches/patch-af b/mail/squirrelmail/patches/patch-af
deleted file mode 100644
index e6c96a30235..00000000000
--- a/mail/squirrelmail/patches/patch-af
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-af,v 1.1 2005/09/20 13:19:05 schmonz Exp $
-
---- src/search.php.orig 2005-06-22 03:05:59.000000000 -0400
-+++ src/search.php
-@@ -297,7 +297,11 @@ echo html_tag( 'table',
- /* update the recent and saved searches from the pref files */
- $attributes = get_recent($username, $data_dir);
- $saved_attributes = get_saved($username, $data_dir);
--$saved_count = count($saved_attributes['saved_what']);
-+if (isset($saved_attributes['saved_what'])) {
-+ $saved_count = count($saved_attributes['saved_what']);
-+} else {
-+ $saved_count = 0;
-+}
- $count_all = 0;
-
- /* Saved Search Table */
diff --git a/mail/squirrelmail/patches/patch-ag b/mail/squirrelmail/patches/patch-ag
deleted file mode 100644
index 6a5e07056eb..00000000000
--- a/mail/squirrelmail/patches/patch-ag
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-ag,v 1.1 2005/12/05 09:18:44 martti Exp $
-
---- src/download.php.orig 2004-12-27 17:03:59.000000000 +0200
-+++ src/download.php 2005-12-05 11:08:51.000000000 +0200
-@@ -55,7 +55,7 @@
- }
- $subject = $message->rfc822_header->subject;
- if ($ent_id) {
-- $message = &$message->getEntity($ent_id);
-+ $message = $message->getEntity($ent_id);
- $header = $message->header;
-
- if ($message->rfc822_header) {
diff --git a/mail/squirrelmail/patches/patch-ah b/mail/squirrelmail/patches/patch-ah
deleted file mode 100644
index d3b3ff16e91..00000000000
--- a/mail/squirrelmail/patches/patch-ah
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-ah,v 1.1 2005/12/05 20:13:38 martti Exp $
-
---- functions/imap_general.php.orig 2005-05-20 13:37:34.000000000 +0300
-+++ functions/imap_general.php 2005-12-05 22:08:12.000000000 +0200
-@@ -888,7 +888,7 @@
- * Saves a message to a given folder -- used for saving sent messages
- */
- function sqimap_append ($imap_stream, $sent_folder, $length) {
-- fputs ($imap_stream, sqimap_session_id() . " APPEND \"$sent_folder\" (\\Seen) \{$length}\r\n");
-+ fputs ($imap_stream, sqimap_session_id() . " APPEND \"$sent_folder\" (\\Seen) {".$length."}\r\n");
- $tmp = fgets ($imap_stream, 1024);
- sqimap_append_checkresponse($tmp, $sent_folder);
- }