Pullup ticket #3948 - requested by taca

mail/roundcube: security patch

Revisions pulled up:
- mail/roundcube/Makefile                                       1.47-1.48
- mail/roundcube/distinfo                                       1.26
- mail/roundcube/patches/patch-program_steps_utils_error.inc    1.1

---
   Module Name:	pkgsrc
   Committed By:	asau
   Date:		Mon Oct  8 12:19:35 UTC 2012

   Modified Files:
   	pkgsrc/mail/roundcube: Makefile

   Log Message:
   Drop PKG_DESTDIR_SUPPORT setting, "user-destdir" is default these days.

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon Oct 15 03:33:23 UTC 2012

   Modified Files:
   	pkgsrc/mail/roundcube: Makefile distinfo
   Added Files:
   	pkgsrc/mail/roundcube/patches: patch-program_steps_utils_error.inc

   Log Message:
   Add minimum fix for XSS with HTTP_USER_AGENT from the repository.

   Bump PKGREVISION.

3 files changed, 19 insertions, 4 deletions

diff --git a/mail/roundcube/Makefile b/mail/roundcube/Makefile
index a0c49fc67a0..7196c0d9a9d 100644
--- a/mail/roundcube/Makefile
+++ b/mail/roundcube/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.46 2012/08/21 15:26:31 taca Exp $
+# $NetBSD: Makefile,v 1.46.2.1 2012/10/16 18:45:01 tron Exp $
 
 DISTNAME=	roundcubemail-0.8.1-dep
 PKGNAME=	${DISTNAME:S/mail-/-/:S/-dep//}
+PKGREVISION=	1
 CATEGORIES=	mail
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=roundcubemail/}
 
@@ -10,8 +11,6 @@ HOMEPAGE=	http://roundcube.net/
 COMMENT=	Browser-based multilingual IMAP client
 LICENSE=	gnu-gpl-v3
 
-PKG_DESTDIR_SUPPORT=	user-destdir
-
 DEPENDS+=	${PHP_PKG_PREFIX}-pear-Net_SMTP>=1.4.2:../../net/pear-Net_SMTP
 DEPENDS+=	${PHP_PKG_PREFIX}-pear-Mail_Mime>=1.8.1:../../mail/pear-Mail_Mime
 DEPENDS+=	${PHP_PKG_PREFIX}-pear-MDB2>=2.5.0:../../databases/pear-MDB2
diff --git a/mail/roundcube/distinfo b/mail/roundcube/distinfo
index bed71d089c3..0687fb41dcf 100644
--- a/mail/roundcube/distinfo
+++ b/mail/roundcube/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2012/08/21 15:26:31 taca Exp $
+$NetBSD: distinfo,v 1.25.2.1 2012/10/16 18:45:01 tron Exp $
 
 SHA1 (roundcubemail-0.8.1-dep.tar.gz) = 3e9642800e7e5226057b54c61baba17f5ba75680
 RMD160 (roundcubemail-0.8.1-dep.tar.gz) = 92430f23b5241ef9cf8942d75455d2aba84fdc72
@@ -7,3 +7,4 @@ SHA1 (patch-aa) = 4946fab1dd1a809d32de7fa16b9eb1075eb8424a
 SHA1 (patch-ab) = ac9f7ac488f9c309fd1b30a8ecec73e52b245c11
 SHA1 (patch-ac) = c25fc1c662bbdbde388165fe835e8af9b5665c5b
 SHA1 (patch-af) = e2bae396f049b2c5030f24e539b7f418a3d09d78
+SHA1 (patch-program_steps_utils_error.inc) = d2062e13762d33bcd8426c7c2db1f49e910b9d50
diff --git a/mail/roundcube/patches/patch-program_steps_utils_error.inc b/mail/roundcube/patches/patch-program_steps_utils_error.inc
new file mode 100644
index 00000000000..69e77279741
--- /dev/null
+++ b/mail/roundcube/patches/patch-program_steps_utils_error.inc
@@ -0,0 +1,15 @@
+$NetBSD: patch-program_steps_utils_error.inc,v 1.1.2.2 2012/10/16 18:45:01 tron Exp $
+
+Minimum fix for XSS with HTTP_USER_AGENT from the repository.
+
+--- program/steps/utils/error.inc.orig	2012-08-17 19:34:07.000000000 +0000
++++ program/steps/utils/error.inc
+@@ -25,7 +25,7 @@
+ 
+ // browser is not compatible with this application
+ if ($ERROR_CODE==409) {
+-  $user_agent = $_SERVER['HTTP_USER_AGENT'];
++  $user_agent = htmlentities($_SERVER['HTTP_USER_AGENT']);
+   $__error_title = 'Your browser does not suit the requirements for this application';
+   $__error_text = <<<EOF
+ <i>Supported browsers:</i><br />