============================================================================
2003/06/20 (2.6.4)
* Bug Fixes:
+ Official:
Bug ID Summary
------ ------------------------------------------------------------
3478 Quoted-Printable decoding should also work with
lowercase hex numbers
------ ------------------------------------------------------------
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.4&chunksz=50>
+ Unofficial:
- It appears that the UTF8 mapping table for cp1252,
MHonArc::UTF8::CP1252, had bad data. This has been
fixed.
* Management of character mapping tables has been changed. The
various .pm module tables are now auto-generated by ucm, and
similar, map files. For the end-user, the change should be
transparent. The change only affects how developers maintain
the tables, and the change should make it much easier to make
fixes to any mappings.
============================================================================
2003/04/05 (2.6.3)
* Bug Fixes:
Bug ID Summary
------ --------------------------------------------------------------
3020 Trailing \ in regex
3128 XSS Vulnerabilities
2971 spammode option interferes with iso-2022-jp
------ --------------------------------------------------------------
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.3&chunksz=50>
============================================================================
2003/03/11 (2.6.2)
* Bug Fixes:
Bug ID  Resolution  Fixed Release  Summary
------  ----------  -------------  ---------------------------------------
2738    Fixed       2.6.2          An illegal From: address can cause
                                   MHonArc to hang
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.2&chunksz=50>
============================================================================
2003/02/22 (2.6.1)
* Bug Fixes: See
<http://savannah.nongnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.1&chunksz=50>
* Corrected character mapping tables for VISCII based on a
message to the perl-unicode mailing list.
* Added FASTTEMPFILES resource which causes MHonArc to use
non-random temporary files. This is less secure, but provides
a little bit of speed improvement.
============================================================================
2003/02/10 (2.6.0)
* Bug Fixes: See
<http://savannah.gnu.org/bugs/index.php?group_id=1968
&set=custom&advsrch=0&msort=0&report_id=105&go_report=Go
&fix_release=2.6.0&chunksz=50>
* New resources:
DEFCHARSET Default character set of message text data.
CHARSETALIASES Define aliases for base charset names.
DBFILEPERMS File permissions for DBFILE.
FIELDSTORE Message header fields to store in database.
FILEPERMS File permissions for archive files.
ICONURLPREFIX URL string to prepend to ICONS URLs.
MODIFYBODYADDRESSES Apply ADDRESSMODIFYCODE to text message bodies.
RECONVERT Reconvert existing messages.
TENDBUTTON Button to last message in thread.
TENDBUTTONIA Inactive button to last message in thread.
TENDLINKIA Inactive link to last message in thread.
TENDLINK Link to last message in thread.
TEXTENCODE Encode message text to given character encoding.
TTOPBUTTON Button to first message in thread.
TTOPBUTTONIA Inactive button to first message in thread.
TTOPLINKIA Inactive link to first message in thread.
TTOPLINK Link to first message in thread.
* New resource variables:
$ICONURLPREFIX$ Value of ICONURLPREFIX resource.
$MSGHFIELD$ Retrieve header field value stored via
FIELDSTORE.
* MHonArc::CharEnt:
+ Several charset mappings added to MHonArc::CharEnt with the
default value for CHARSETCONVERTERS updated to reflect the new
mappings. New charsets supported include UTF-8, various Cyrillic
sets, VISCII, Chinese sets, Japanese (iso-2022-jp and euc-jp),
Korean, Apple-based charsets, etc. See the documentation for
the CHARSETCONVERTERS and CHARSETALIASES for the complete list of
character sets supported.
Note: Sets that have bidirectional rendering (Hebrew, Arabic)
exist, but automatic directional re-ordering for rendering is
currently not supported.
. Some existing mappings have been updated to use Unicode numeric
character entity references (&#xHHHH;) instead of standard SGML
character entity references (eg. &Aelig;). Most, if not all,
web browsers only support the set of SGML entity references
defined in the HTML 4.0 specification.
All existing tables should now generate entity references
recognized by all HTML 4.0 compliant browsers.
* MHonArc::UTF8:
. Module completely redone to support various versions of Perl.
utf8 support code added to allow conversion to utf8 with perl
installations that do not have utf8 support, but to also
leverage perl installations with utf8-related modules.
* Default filter for iso-8859-1 and iso-2022-jp changed to
MHonArc::CharEnt::str2sgml. This helps keep MHonArc locale
neutral in its default configuration. Special note added
to release notes for Japanese users about the change.
* m2h_text_plain::filter (mhtxtplain.pl):
+ Added more robust handling of format=flowed data. By default,
all text is rendered in a monospaced font to provide visual
consistency between flowed and fixed text. Proportional spaced
font can be generated using the "nonfixed" option (where
"keepspace" option should also be used to help preserve the
formatting characteristics of the data).
+ Added "fancyquote" option to provide highlight of quoted text
similar to text/plain;format=flowed data.
+ Added "disableflowed" option to disable the flowed data
conversion. Data will be converted as regular text/plain.
This option is useful for archives that cater to text-based
browsers.
+ Added "quoteclass=<classname>" option to specify a CSS classname
to assign to BLOCKQUOTE elements added when processing flowed
data or when "fancyquote" is active. This suppresses inline
style generation.
+ Added "subdir" option for use when "uudecode" is enabled.
- Reduced set of quote characters to just '>'. Other characters
are used by some people (eg. '}', '|', '+'), especially on the
USENET, but supporting them tends to produce undesirable
results, especially when using fancyquote.
(Maybe make it configurable?)
+ If uudecode and usename specified, check if file ends in
.s?html?, and if so, pass data to HTML filter.
. Make sure to return a non-empty string for an empty body
when in uudecode mode. Avoids bogus warning message that
data could not be converted.
* MIMEEXCS automatically handles unofficial version of a media type.
For example:
<MIMEEXCS>
text/html
</MIMEEXCS>
Will exclude text/html and text/x-html data.
* m2h_text_html::filter (mhtxthtml.pl):
+ CHARSETCONVERTERS is used for converting character data.
- Removed default=charset option. This option is no longer
needed with new character encoding processing features and
CHARSETALIASES resource.
+ Convert javascript:... URLs to "_javascript_:..." when scripting
is disabled (the default). This is an extra measure on top of
element and attribute stripping.
* <a href>'s are now preserved when cid: only URLs are enabled (the
default). This prevents regular hyperlinks in HTML messages from
getting stripped, which I think most people desire. Otherwise,
the allownoncidurls option must be used, and then this opens one
up to potential XSS attacks.
Due to the javascript: URL munging, preserving <a href>'s should
be safe from auto-XSS attacks. Readers should still be careful
about any links they activate.
+ Added "subdir" option to specify that MHTML referenced data
(e.g. images) are saved in a subdirectory.
+ Added "disablerelated" to disable cid: URL resolution.
. STYLE and CLASS attributes stripped if nofont argument specified.
* m2h_text_enriched::filter (mhtxtenrich.pl):
+ CHARSETCONVERTERS is used for converting character data.
+ <lang><param>lang</param> is now mapped to <dir lang="lang">.
+ Added handling of some text/richtext tags.
. Escape unrecognized tags.
* Archive file creation modified to minimize local symlink exploits:
1. A temp file with a random name is first created and written to.
2. Temp file is compressed if GZIPFILES is active.
3. Temp file is renamed to final filename.
4. File permissions are set according to FILEPERMS/DBFILEPERMS.
Using a random temp filename makes it difficult for someone to
predict filenames to execute a symlink exploit. The rename operation
is immune to symlink exploits, hence trying to use well-known names
(e.g. maillist.html, threads.html) for exploitation will not work.
A similar technique is used for directory creation for filters
that support the "subdir" option.
Generation of temp files is done via the File::Temp module, if
installed. If not installed, a homegrown implementation is used.
Although not as secure and robust as File::Temp, it's better than
nothing and should provide a decent deterrent.
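The four-step write described above, as an added Perl example (not MHonArc's own code). The helper name write_archive_file and the sample file names are assumptions; the GZIPFILES compression step is left out, and permissions are set on the temp file before the rename rather than after it.

```perl
#!/usr/bin/perl
# Added example, not MHonArc code: write a file via a randomly named temp
# file plus rename(), then show that a symlink planted at the well-known
# name is replaced rather than followed.
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);
use File::Basename qw(dirname);

# write_archive_file() is a hypothetical helper; $perms stands in for the
# FILEPERMS value and is a number such as 0644.
sub write_archive_file {
    my ($final, $content, $perms) = @_;

    # Step 1: random name, same directory as the target so that rename()
    # never crosses a filesystem. File::Temp opens with O_CREAT|O_EXCL, so
    # an existing file or symlink with the chosen name makes that attempt
    # fail instead of being written through.
    my ($fh, $tmp) = tempfile('.mhaXXXXXXXX', DIR => dirname($final),
                              UNLINK => 0);
    my $ok = eval {
        binmode $fh;
        print {$fh} $content or die "write $tmp: $!\n";
        close $fh            or die "close $tmp: $!\n";
        # Permissions go on while the file still has its unguessable name.
        chmod $perms, $tmp   or die "chmod $tmp: $!\n";
        # Step 3: rename() replaces the directory entry for $final. If that
        # entry is a symlink, the link itself is replaced; its target is
        # not opened or modified.
        rename $tmp, $final  or die "rename $tmp -> $final: $!\n";
        1;
    };
    if (!$ok) {
        my $err = $@;
        unlink $tmp;            # leave no stray temp file behind
        die $err;
    }
    return 1;
}

# --- Constructed demonstration -------------------------------------------
my $dir    = tempdir(CLEANUP => 1);
my $victim = "$dir/victim.txt";      # file that must not be overwritten
my $index  = "$dir/maillist.html";   # well-known archive file name

open my $out, '>', $victim or die "open $victim: $!\n";
print {$out} "do not clobber\n";
close $out or die "close $victim: $!\n";
symlink $victim, $index or die "symlink: $!\n";   # the planted link

write_archive_file($index, "<html>index</html>\n", 0644);

open my $in, '<', $victim or die "open $victim: $!\n";
my $after = do { local $/; <$in> };
close $in;

printf "victim unchanged : %s\n", $after eq "do not clobber\n" ? 'yes' : 'no';
printf "index is symlink : %s\n", (-l $index) ? 'yes' : 'no';
printf "index mode       : %04o\n", (stat $index)[2] & 07777;
```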
* Setuid/setgid execution causes mhonarc to terminate with an error.
Mhonarc does not pass taint checks, so we abort with an error that
setuid/setgid execution is not supported. MHonArc is too insecure
for setuid operation and trying to make it setuid-safe would require
a lot of work and potentially limit a large amount of functionality.
* More robust parsing used for determining $FROMNAME$ and $FROMADDR*$
resource variables.
* rfc822.pl library removed and replaced with MHonArc::RFC822 module.
* Warning message, "Unable to process data..." removed from message
page when unable to convert any part of a message (usually due to
user-defined MIMEFILTERS settings). Instead, a warning message
is generated to standard error (like other mhonarc warnings) and
the resulting message page will have a blank message body.
* m2h_msg_extbody::filter: (mhmsgextbody.pl)
+ Added support for http/x-http access type. This appears to
be an experimental access type since the general URI type can be
used instead.
. Properly sanitize parameter data.
. Some minor cosmetic changes in the HTML generated.
* m2h_text_tsv::filter (mhtxttsv.pl):
. Sanitize field data.
* m2h_text_setext::filter (mhtxtsetext.pl) has been removed. It
appears this media-type is part of document history.
Changes since 2.4.9 (the last pkgsrc version):
* Added 'use locale' pragmas to be applied when sorting messages.
This is considered experimental, but it appears to give better
results when sorting text that contains 8-bit-non-English
characters. This is far from any real locale support, but
hopefully it is better than nothing.
* Beefed up HTML filtering in mhtxthtml.pl to eliminate some
security exploits.
CAUTION: If you are worried about security, it is recommended
that you disable support of text/html messages in
your mail archives. There is no guarantee that
the mhtxthtml.pl library is robust enough to
eliminate all possible exploits that can occur with
HTML data.
Thanks go to Jason Molenda and Hiromitsu Takagi for spotting
more exploit cases.
* mhtxtplain.pl checks MIMEEXCS if text/html data is excluded
when the htmlcheck option is specified. Seems unnecessary
because someone who excludes HTML data will probably not use
the htmlcheck option to m2h_text_plain::filter.
* Modified mail address extraction for $FROMADDR$ resource
variable to help deal with malformed From: header fields.
Thanks to Eugene Eric Kim for the recommendation.
* Fixed uudecoding support in mhtxtplain.pl to handle spaces
in filenames and \r\n EOLs. Thanks to Jordan Russell for
spotting this.
* Added ISO-8859-15 mappings. Thanks go to Jan Kraeber for the
contribution.
* Removed GIF images from distribution. All GIF images
have been converted to PNG format. Transparency of PNG
images may only be supported in the latest versions of various
graphical web browsers.
See <http://www.gnu.org/philosophy/gif.html> for reasons
why GIF images should not be used.
* Source code imported into CVS. CVS repository is currently
not available publicly. Still wondering if a site like
savannah.gnu.org should be used or if the repository should
be hosted independently, like at www.mhonarc.org.
* Fixed regex patterns in readmail.pl to avoid Perl warning
messages.
* Created a contrib/ directory to contain any contributed
programs imported into the MHonArc distribution. Moved
prsfrom.pl from extras/ to contrib/.
* Added Security section to FAQ. Provided more information to
question, "Why does a message get split into multiple messages
with no headers?", mainly information contributed by users.
============================================================================
2001/11/24 (2.5.2)
(See BUGS for the list of bugs reported and fixed)
o mha-dbrecover new options:
-dbr-startnum #
The starting message number to recover data from. This
option is useful if you have many message files in a
directory, but you only want to recover a subset of the
files. If this option is not specified, the starting
number is 0.
-dbr-endnum #
The ending message number to recover data from. This
option is useful if you have many message files in a
directory, but you only want to recover a subset of the
files. If this option is not specified, all messages
starting from -dbr-startnum will be recovered.
o MSGPGBEGIN default value changed where $SUBJECTNA:72$ has
been replaced with $SUBJECTNA$. This is so default values
do not have any possible conflicts with variable-width
character sets.
============================================================================
2001/11/13 (2.5.1)
(See BUGS for the list of bugs reported and fixed)
o Added special note within the release notes about
downgrading.
o Some documentation corrections.
============================================================================
2001/10/14 (2.5.0)
[This is the non-beta release of 2.5.0. See the change notes
below and for the various beta releases for a complete list of
changes from the last v2.4 release.]
(See BUGS for the list of bugs reported and fixed)
o The ICONS resource has been updated to support the association
of icons at the base type level (e.g. text/*) and to specify
width and height hints. The example icon resource file
listed in an appendix of the documentation updated
to use changes to ICONS resource.
o Formatting of attachment links within the m2hexternal.pl
filter has been updated to provide more verbose information.
Description of the format provided in the MIMEFILTERS
documentation. Also, a 'frame' filter argument is now
supported to instruct the filter to draw a frame around
the link.
o Default value for MIMEArgs has been changed to the following:
<MIMEArgs>
m2h_external::filter; inline
</MIMEArgs>
This is more concise than the previous default value.
From a resource file maintenance standpoint, it is generally
best to specify filter arguments at the filter level and
not at the content-type level.
o Value of Perl's $^O variable printed with version information
for -V, -v, -help command-line options.
o The count of new messages added to the archive is now printed
along with the total message count when QUIET is not active.
============================================================================
2001/09/05 (2.5.0b2)
(See BUGS for the list of bugs fixed)
o Long overdue update of ACKNOWLG file.
o New resources:
TSLICELEVELS -- Maximum depth for thread slices.
o New resource variables:
$TLEVEL$ -- Numeric level of message in thread.
o Added recognition of windows-1250 and windows-1252 charsets
into MHonArc::CharEnt and to default value of CHARSETCONVERTERS
resource. To apply to existing archives, use mha-dbedit
with examples/def-mime.mrc resource file.
o SUBJECTREPLYRXP now used to determine if "Re: " is added
when $SUBJECT$ is used within MAILTOURL.
o Code cleanup to eliminate perl -w warnings. Cleanup not
required for running MHonArc, but convenient for those that
use MHonArc with perl's -w option.
============================================================================
2001/08/26 (2.5.0b)
(See BUGS for the list of bugs fixed)
o API for MIMEFILTERS has been changed. Content filters are
now called as follows:
($html, @files) =
&filter($fields_hash_ref, $body_data_ref, $is_decoded,
$filter_args);
Parameters:
$fields_hash_ref
A reference to hash of message/part header
fields. Keys are field names in lowercase
and values are array references containing the
field values. For example, to obtain the
content-type, if defined, you would do:
$fields_hash_ref->{'content-type'}[0]
Values for a field are stored in arrays since
duplication of fields is possible. For example,
the Received: header field is typically repeated
multiple times. For fields that only occur once,
the array for the field will only contain one
item.
$body_data_ref
Reference to body data. It is okay for the
filter to modify the text in-place.
$is_decoded
Boolean flag if body data has been decoded.
This is normally true unless some non-standard
content-transfer-encoding is used.
$filter_args
String containing filter args as defined by
MIMEARGS resource.
Return:
The return value is still treated in the same manner as
previous releases. The first item in the return list is
the text that should be printed to the message page. Any
other items in the return list are derived filenames created
by the filter. If undef, or the empty string, is returned,
readmail.pl assumes the filter was unable to filter the
data.
All the filters provided in the MHonArc distribution have
been modified to use the new calling convention.
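A filter written against the calling convention described above, as an added example that is not part of the MHonArc distribution. The package name m2h_example_tsv, the 'border' argument and the sample message part are assumptions; it escapes tab-separated field data in the spirit of the "Sanitize field data" change noted for mhtxttsv.pl under 2.6.0.

```perl
#!/usr/bin/perl
# Added example, not part of MHonArc: a content filter using the calling
# convention described above. Package name, 'border' argument and sample
# data are hypothetical.
use strict;
use warnings;

package m2h_example_tsv;

# Escape the characters that are significant in HTML text and attributes.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

sub filter {
    my ($fields, $data, $isdecoded, $args) = @_;
    $args = '' unless defined $args;

    # Undecoded body (non-standard content-transfer-encoding): return
    # nothing, which the caller treats as "unable to filter".
    return unless $isdecoded;

    # Header values are array refs keyed by lowercase field name.
    my $ctype = ($fields->{'content-type'} || [])->[0] || '';
    return unless $ctype =~ m{^\s*text/tab-separated-values\b}i;

    my $border = ($args =~ /\bborder\b/i) ? 1 : 0;
    my $html   = qq{<table border="$border">\n};
    for my $row (split /\r?\n/, $$data) {
        next unless length $row;
        # Limit of -1 keeps trailing empty fields; every field is escaped
        # before it reaches the message page.
        my @cells = map { html_escape($_) } split /\t/, $row, -1;
        $html .= '<tr><td>' . join('</td><td>', @cells) . "</td></tr>\n";
    }
    $html .= "</table>\n";

    # First item is the markup for the message page; this filter writes no
    # derived files, so nothing follows it.
    return ($html);
}

package main;

# Constructed message part: headers in the documented hash-of-arrays shape
# and a body whose second row carries markup in a field.
my %fields = ('content-type' => ['text/tab-separated-values; charset=us-ascii']);
my $body   = "name\tnote\nmallory\t<script>alert(1)</script>\n";

my ($html, @files) = m2h_example_tsv::filter(\%fields, \$body, 1, 'border');
print $html;

# An undecoded body yields no markup, signalling failure to the caller.
my ($none) = m2h_example_tsv::filter(\%fields, \$body, 0, '');
print "undecoded part: ", (defined $none ? 'converted' : 'not converted'), "\n";
```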
o The HEADER and FOOTER resources are no longer supported.
o The default value of DEFRCNAME is now ".mhonarc.mrc"
("mhonarc.mrc" for Win/DOS).
o ISO8859 character set data processing now defaults to using
the MHonArc::CharEnt module. The old iso8859.pl library
is still provided for compatibility with older archives.
To update archives to use the new settings, you can run
the following command,
mha-dbedit -rcfile examples/def-mime.mrc \
-outdir /path/to/archive
where "examples/def-mime.mrc" represents the default MIME
processing resources for MHonArc provided within the MHonArc
distribution.
The new module is more efficient in memory usage by only
loading mappings for character sets actually processed. The
old iso8859.pl library preloads all mappings. Also, the
module is designed to be easily extensible for processing
any 8-bit-based character sets.
o Reference, follow-up, and derived file information of a
message is now stored in a different format in the database
(and internally). MHonArc will auto-update older archives
to the new format. The newer format should provide some
performance improvement.
o Messages with no subjects are now stored with no subjects.
In previous releases, the text "No Subject" was automatically
added as a message was parsed, hence there was no real
indicator that a message had no real subject.
A related change is that messages without subject text
are skipped in subject-based thread detection. Therefore,
a no-subject message will never be a possible follow-up,
but it is still possible for it to be an explicit follow-up
if it includes reference message-ids.
NOTE: This functionality does not apply to messages
processed by earlier versions where the text "No Subject"
was auto-applied to messages when parsed. A recreation
of an archive from the original message data would
have to be done to have new behavior applied to messages
processed by earlier releases.
A message with no subject will now have the string
"[no subject]" displayed any time the $SUBJECT$ resource
variable is used for the message.
o New resources:
FIRSTPGLINK Link markup for first page of main index.
LASTPGLINK Link markup for last page of main index.
TFIRSTPGLINK Link markup for first page of thread index.
TLASTPGLINK Link markup for last page of thread index.
TNEXTINBUTTON Button markup for next message
within a thread.
TNEXTINBUTTONIA Inactive button markup for next
message within a thread.
TNEXTINLINK Link markup for next message within
a thread.
TNEXTINLINKIA Inactive link markup for next
message within a thread.
TNEXTTOPBUTTON Button markup for first message in
the next thread.
TNEXTTOPBUTTONIA Inactive button markup for first
message in the next thread.
TPREVINBUTTON Button markup for previous message
within a thread.
TPREVINBUTTONIA Inactive button markup for previous
message within a thread.
TPREVINLINK Link markup for previous message
within a thread.
TPREVINLINKIA Inactive link markup for previous
message within a thread.
TPREVTOPBUTTON Button markup for first message in the
previous thread.
TPREVTOPBUTTONIA Inactive button markup for first
message in the previous thread.
TSLICECONTBEGIN Thread slice markup before the
continuation of a broken thread.
TSLICECONTEND Thread slice markup after the
continuation of a broken thread.
TSLICEINDENTBEGIN Thread slice markup for opening a level
when continuing a broken thread.
TSLICEINDENTEND Thread slice markup for closing a level
when continuing a broken thread.
TSLICELIEND Ending markup for a thread slice
message listing.
TSLICELIENDCUR Ending markup for a thread slice
message listing.
TSLICELINONE Thread slice markup for a missing
message in thread slice.
TSLICELINONEEND Ending markup for a missing message in
thread slice.
TSLICELITXT Markup for a thread slice message
listing.
TSLICELITXTCUR Markup for a thread slice message
listing if current message.
TSLICESINGLETXT Markup for a thread slice listing with
no follow-ups.
TSLICESINGLETXTCUR Markup for a thread slice listing with
no follow-ups if current message.
TSLICESUBJECTBEG Markup before a subject based thread
slice listing.
TSLICESUBJECTEND Markup after a subject based thread
slice listing.
TSLICESUBLISTBEG Thread slice markup for starting a
sub-thread.
TSLICESUBLISTEND Thread slice markup for ending a
sub-thread.
TSLICETOPBEGIN Thread slice markup for the root/start
of a thread.
TSLICETOPBEGINCUR Thread slice markup for the root/start
of a thread.
TSLICETOPEND Thread slice markup for the end of a
thread.
TSLICETOPENDCUR Thread slice markup for the end of a
thread if current message.
o $TSLICE$ resource variable can now take up to three arguments:
$TSLICE(<before>;<after>;<inclusive>)$
where,
<before> : Number indicating the maximum number of
messages to print before the current message.
If empty, the before value specified in
TSLICE resource will be used.
<after> : Number indicating the maximum number of
messages to print after the current message.
If empty, the after value specified in
TSLICE resource will be used.
<inclusive> : If `1', only messages within the current
thread will be printed. If `0', messages
from the previous and next threads can
be printed if the values for <before> and
<after> would go beyond the current thread.
o TSLICE resource updated to allow specification of default
value of inclusive flag.
o The following new message specifications can be used for
message data-related resource variables:
TNEXTIN Next message within current thread.
TNEXTTOP Start of next thread.
TPREVIN Next message within current thread.
TPREVTOP Start of previous thread.
When used as arguments to the $BUTTON$ and $LINK$ resource
variables, the TNEXTINBUTTON(IA), TNEXTTOPBUTTON(IA),
TPREVINBUTTON(IA), TPREVTOPBUTTON(IA), TNEXTINLINK(IA),
TNEXTTOPLINK(IA), TPREVINLINK(IA), TPREVTOPLINK(IA) resources
are respectively applied.
o The use of TNEXT, TPREV (and new TNEXTTOP and TPREVTOP)
message specifications in resource variables behave more
intuitively when TREVERSE is active. If at the boundaries
of a thread, TNEXT and TPREV will reference the first
message of the next thread by date and the first message
of the previous thread by date, respectively.
o Version of MHonArc and Perl are printed when MHonArc starts
unless QUIET is active.
o mhtxtplain.pl (text/plain) filter changes:
. If the htmlcheck option is set and it is detected that
the data is HTML, an attempt is first made to use the
registered text/html filter via MIMEFILTERS. If none
is defined, mhtxthtml.pl will be used.
. When uudecode option is set, an attempt is made to use
the registered decoder for uuencode via MIMEDECODERS.
If not defined, then base64::uudecode is used from
base64.pl.
o mhtxthtml.pl (text/html) filter changes:
. Elements that have URL attributes that auto-load data --
IMG, BODY, IFRAME, FRAME, OBJECT, SCRIPT, INPUT -- have the
attributes converted to 'javascript:void(0);' URLs. See new
'allownoncidurls' filter argument below for more details.
. The following filter arguments have been added:
allownoncidurls Preserve URL-based attributes that are not
cid: URLs. Normally, any URL-based
attribute -- href, src, background,
classid, data, longdesc -- will be
converted to 'javascript:void(0);'
if it is not a cid: URL. This is to
prevent malicious URLs that verify mail
addresses for spam purposes, secretly set
cookies, or gather some statistical data
automatically with the use of elements
that cause browsers to automatically
fetch data: IMG, BODY, IFRAME, FRAME,
OBJECT, SCRIPT, INPUT.
notitle Do not print title.
o Searching for OTHERINDEXES resource files has been modified.
The following lists the search order for an OTHERINDEXES
resource file:
1. Current working directory.
2. Same directory that the first resource file was read as
specified by the RCFILE resource.
3. User's home directory.
4. Archive directory.
5. Perl's @INC.
o FIRST, LAST, TFIRST, and TLAST idx_page_spec arguments to
$PGLINK$ are now supported via the FIRSTPGLINK, LASTPGLINK,
TFIRSTPGLINK, and TLASTPGLINK resources.
o $PGLINKLIST$ resource variable changed to print entire
list of page links if no arguments are provided. To get
the entire list for thread indexes, use: $PGLINKLIST(T)$.
o Date parsing routine updated to recognize dates in the
following format: Weekday, Month DD, YYYY HH:MM Zone.
Apparently, this is useful if converting mail saved to
a file in text format from MS Outlook.
o Support for defining Perl function callbacks when a
new message header is read and just after a message body
has been converted. Documentation about the callbacks is
provided in a new API appendix section in the documentation
and is provided in comments in the example mhasiteinit.pl
provided in the examples/ directory.
o Various internal changes have been made to try to eradicate
Perl 4-based conventions. For example, the use of typeglobs to
pass by "reference" has been replaced by using real references.
Assuming nothing was screwed up, this change should be
transparent to most users (with the notable exception of the
API changes to MIMEFILTERS registered routines). However,
if you have mucked with MHonArc internals, or created custom
modifications, you may need to be aware that changes have
been made.