author | Jeremy Huddleston <eradicator@gentoo.org> | 2007-05-21 17:11:33 +0000 |
---|---|---|
committer | Jeremy Huddleston <eradicator@gentoo.org> | 2007-05-21 17:11:33 +0000 |
commit | 996e06a4f9f19f5a730fb3041d692f2f25bf9650 (patch) | |
tree | b07d116513294a678b05c569216ce3085e49c55e /mail-client/squirrelmail | |
parent | Stable for HPPA (bug #178510). (diff) | |
Added patches to fix CVE-2006-4019, and CVE-2006-6142 in 1.5.1. Removed unused patches.
(Portage version: 2.1.2.7)
Diffstat (limited to 'mail-client/squirrelmail')
-rw-r--r-- | mail-client/squirrelmail/ChangeLog | 16 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r4 (renamed from mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r3) | 0 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/sec-135921.patch | 75 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-4019.patch | 133 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-draft_composesess.patch | 25 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-mailto.patch | 157 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-mime.patch | 145 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch | 339 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/squirrelmail-1.5.1-ie-mime.patch | 33 | ||||
-rw-r--r-- | mail-client/squirrelmail/files/squirrelmail-fortune.patch | 12 | ||||
-rw-r--r-- | mail-client/squirrelmail/squirrelmail-1.5.1-r4.ebuild (renamed from mail-client/squirrelmail/squirrelmail-1.5.1-r3.ebuild) | 7 |
11 files changed, 723 insertions, 219 deletions
diff --git a/mail-client/squirrelmail/ChangeLog b/mail-client/squirrelmail/ChangeLog index 35a64675270f..c10a8ce68e70 100644 --- a/mail-client/squirrelmail/ChangeLog +++ b/mail-client/squirrelmail/ChangeLog @@ -1,6 +1,20 @@ # ChangeLog for mail-client/squirrelmail # Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/mail-client/squirrelmail/ChangeLog,v 1.90 2007/05/21 14:20:25 gustavoz Exp $ +# $Header: /var/cvsroot/gentoo-x86/mail-client/squirrelmail/ChangeLog,v 1.91 2007/05/21 17:11:33 eradicator Exp $ + +*squirrelmail-1.5.1-r4 (21 May 2007) + + 21 May 2007; Jeremy Huddleston <eradicator@gentoo.org> + +files/squirrelmail-1.5.1-CVE-2006-4019.patch, + +files/squirrelmail-1.5.1-CVE-2006-6142-draft_composesess.patch, + +files/squirrelmail-1.5.1-CVE-2006-6142-mailto.patch, + +files/squirrelmail-1.5.1-CVE-2006-6142-mime.patch, + files/squirrelmail-1.5.1-CVE-2007-1262.patch, + +files/squirrelmail-1.5.1-ie-mime.patch, -files/sec-135921.patch, + -files/squirrelmail-fortune.patch, -squirrelmail-1.5.1-r3.ebuild, + +squirrelmail-1.5.1-r4.ebuild: + Added patches to fix CVE-2006-4019, and CVE-2006-6142 in 1.5.1. Removed + unused patches. 21 May 2007; Gustavo Zacarias <gustavoz@gentoo.org> squirrelmail-1.4.10a.ebuild: diff --git a/mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r3 b/mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r4 index a508701ccbf1..a508701ccbf1 100644 --- a/mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r3 +++ b/mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r4 diff --git a/mail-client/squirrelmail/files/sec-135921.patch b/mail-client/squirrelmail/files/sec-135921.patch deleted file mode 100644 index 88c4387c28b8..000000000000 --- a/mail-client/squirrelmail/files/sec-135921.patch +++ /dev/null 
@@ -1,75 +0,0 @@ ---- functions/global.php 2006-02-03 14:27:47.000000000 -0800 -+++ functions/global.php.new 2006-06-13 12:28:12.000000000 -0700 -@@ -3,14 +3,13 @@ - /** - * global.php - * -- * Copyright (c) 1999-2006 The SquirrelMail Project Team -- * Licensed under the GNU GPL. For full terms see the file COPYING. -- * - * This includes code to update < 4.1.0 globals to the newer format - * It also has some session register functions that work across various - * php versions. - * -- * @version $Id: global.php,v 1.27.2.15 2006/02/03 22:27:47 jervfors Exp $ -+ * @copyright © 1999-2006 The SquirrelMail Project Team -+ * @license http://opensource.org/licenses/gpl-license.php GNU Public License -+ * @version $Id: global.php,v 1.27.2.17 2006/06/02 02:52:15 jangliss Exp $ - * @package squirrelmail - */ - -@@ -62,6 +61,47 @@ - sqstripslashes($_POST); - } - -+/** -+ * If register_globals are on, unregister globals. -+ * Code requires PHP 4.1.0 or newer. -+ * Second test covers boolean set as string (php_value register_globals off). -+ */ -+if ((bool) @ini_get('register_globals') && -+ strtolower(ini_get('register_globals'))!='off') { -+ /** -+ * Remove all globals from $_GET, $_POST, and $_COOKIE. -+ */ -+ foreach ($_REQUEST as $key => $value) { -+ unset($GLOBALS[$key]); -+ } -+ /** -+ * Remove globalized $_FILES variables -+ * Before 4.3.0 $_FILES are included in $_REQUEST. -+ * Unglobalize them in separate call in order to remove dependency -+ * on PHP version. -+ */ -+ foreach ($_FILES as $key => $value) { -+ unset($GLOBALS[$key]); -+ // there are three undocumented $_FILES globals. -+ unset($GLOBALS[$key.'_type']); -+ unset($GLOBALS[$key.'_name']); -+ unset($GLOBALS[$key.'_size']); -+ } -+ /** -+ * Remove globalized environment variables. -+ */ -+ foreach ($_ENV as $key => $value) { -+ unset($GLOBALS[$key]); -+ } -+ /** -+ * Remove globalized server variables. 
-+ */ -+ foreach ($_SERVER as $key => $value) { -+ unset($GLOBALS[$key]); -+ } -+} -+ -+ - /* strip any tags added to the url from PHP_SELF. - This fixes hand crafted url XXS expoits for any - page that uses PHP_SELF as the FORM action */ -@@ -336,4 +376,4 @@ - } - - // vim: et ts=4 --?> -\ No newline at end of file -+?> diff --git a/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-4019.patch b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-4019.patch new file mode 100644 index 000000000000..c944bf30a1a0 --- /dev/null +++ b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-4019.patch 
@@ -0,0 +1,133 @@ +diff -Naurp squirrelmail-1.5.1.orig/functions/auth.php squirrelmail-1.5.1/functions/auth.php +--- squirrelmail-1.5.1.orig/functions/auth.php 2006-01-23 10:39:32.000000000 -0800 ++++ squirrelmail-1.5.1/functions/auth.php 2007-05-21 09:09:30.000000000 -0700 +@@ -59,6 +59,8 @@ function is_logged_in() { + sqsession_register($session_expired_location,'session_expired_location'); + } + ++ session_write_close(); ++ + // signout page will deal with users who aren't logged + // in on its own; don't show error here + // +@@ -330,4 +332,4 @@ function get_smtp_user(&$user, &$pass) { + } + } + +-?> +\ No newline at end of file ++?> +diff -Naurp squirrelmail-1.5.1.orig/src/compose.php squirrelmail-1.5.1/src/compose.php +--- squirrelmail-1.5.1.orig/src/compose.php 2006-02-11 07:14:31.000000000 -0800 ++++ squirrelmail-1.5.1/src/compose.php 2007-05-21 09:02:11.000000000 -0700 +@@ -299,13 +299,19 @@ if (sqsession_is_registered('session_exp + sqsession_unregister('session_expired_post'); + session_write_close(); + } else { +- foreach ($session_expired_post as $postvar => $val) { +- if (isset($val)) { +- $$postvar = $val; +- } else { +- $$postvar = ''; ++ // these are the vars that we can set from the expired composed session ++ $compo_var_list = array ( 'send_to', 'send_to_cc','body','startMessage', ++ 'passed_body','use_signature','signature','attachments','subject','newmail', ++ 'send_to_bcc', 'passed_id', 'mailbox', 'from_htmladdr_search', 'identity', ++ 'draft_id', 'delete_draft', 'mailprio', 'edit_as_new', 'compose_messsages', ++ 'composesession', 'request_mdn', 'request_dr'); ++ ++ foreach ($compo_var_list as $var) { ++ if ( isset($session_expired_post[$var]) && !isset($$var) ) { ++ $$var = $session_expired_post[$var]; + } + } ++ + $compose_messages = unserialize(urldecode($restoremessages)); + sqsession_register($compose_messages,'compose_messages'); + sqsession_register($composesession,'composesession'); +diff -Naurp squirrelmail-1.5.1.orig/src/login.php 
squirrelmail-1.5.1/src/login.php +--- squirrelmail-1.5.1.orig/src/login.php 2006-02-12 01:03:11.000000000 -0800 ++++ squirrelmail-1.5.1/src/login.php 2007-05-21 09:11:11.000000000 -0700 +@@ -44,12 +44,24 @@ if (!function_exists('sqm_baseuri')){ + } + $base_uri = sqm_baseuri(); + +-/* ++/** + * In case the last session was not terminated properly, make sure +- * we get a new one. ++ * we get a new one, but make sure we preserve session_expired_* + */ + +-sqsession_destroy(); ++if ( !empty($_SESSION['session_expired_post']) && !empty($_SESSION['session_expired_location']) ) { ++ $sep = $_SESSION['session_expired_post']; ++ $sel = $_SESSION['session_expired_location']; ++ ++ sqsession_destroy(); ++ ++ sqsession_is_active(); ++ sqsession_register($sep, 'session_expired_post'); ++ sqsession_register($sel, 'session_expired_location'); ++} else { ++ sqsession_destroy(); ++} ++ + /** + * PHP bug. http://bugs.php.net/11643 (warning, spammed bug tracker) and + * http://bugs.php.net/13834 +@@ -195,4 +207,4 @@ $oTemplate->assign('password_field', $pa + $oTemplate->assign('submit_field', addSubmit(_("Login"))); + + $oTemplate->display('login.tpl'); +-?> +\ No newline at end of file ++?> +diff -Naurp squirrelmail-1.5.1.orig/src/redirect.php squirrelmail-1.5.1/src/redirect.php +--- squirrelmail-1.5.1.orig/src/redirect.php 2006-02-07 23:58:18.000000000 -0800 ++++ squirrelmail-1.5.1/src/redirect.php 2007-05-21 09:12:45.000000000 -0700 +@@ -140,13 +140,17 @@ $redirect_url = $location . 
'/webmail.ph + + if ( sqgetGlobalVar('session_expired_location', $session_expired_location, SQ_SESSION) ) { + sqsession_unregister('session_expired_location'); +- $compose_new_win = getPref($data_dir, $username, 'compose_new_win', 0); +- if ($compose_new_win) { +- // do not prefix $location here because $session_expired_location is set to PHP_SELF +- // of the last page +- $redirect_url = $session_expired_location; +- } elseif ( strpos($session_expired_location, 'webmail.php') === FALSE ) { +- $redirect_url = $location.'/webmail.php?right_frame='.urldecode($session_expired_location); ++ if ( strpos($session_expired_location, 'compose.php') !== FALSE ) { ++ $compose_new_win = getPref($data_dir, $username, 'compose_new_win', 0); ++ if ($compose_new_win) { ++ // do not prefix $location here because $session_expired_location is set to PHP_SELF ++ // of the last page ++ $redirect_url = $session_expired_location; ++ } elseif ( strpos($session_expired_location, 'webmail.php') === FALSE ) { ++ $redirect_url = 'webmail.php?right_frame=compose.php'; ++ } ++ } else { ++ $redirect_url = 'webmail.php?right_frame=' . urldecode($session_expired_location); + } + unset($session_expired_location); + } +@@ -187,4 +191,4 @@ function attachment_common_parse($str, $ + sqsession_register($attachment_common_types, 'attachment_common_types'); + } + +-?> +\ No newline at end of file ++?> +diff -Naurp squirrelmail-1.5.1.orig/src/webmail.php squirrelmail-1.5.1/src/webmail.php +--- squirrelmail-1.5.1.orig/src/webmail.php 2006-02-13 10:20:06.000000000 -0800 ++++ squirrelmail-1.5.1/src/webmail.php 2007-05-21 09:13:29.000000000 -0700 +@@ -54,9 +54,6 @@ if (!sqgetGlobalVar('mailbox', $mailbox) + + sqgetGlobalVar('right_frame', $right_frame, SQ_GET); + +-if ( isset($_SESSION['session_expired_post']) ) { +- sqsession_unregister('session_expired_post'); +-} + if(!sqgetGlobalVar('mailto', $mailto)) { + $mailto = ''; + } 
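Review bot: In the redirect.php part of this patch, the new `else` branch builds `$redirect_url = 'webmail.php?right_frame=' . urldecode($session_expired_location);`, so a session-stored request path is decoded rather than encoded before it goes into the redirect URL, and the `$location` prefix the old code used is dropped. Encoding the value keeps `&`, `#` and control characters in it from changing the redirect: `$redirect_url = $location . '/webmail.php?right_frame=' . urlencode($session_expired_location);` (webmail.php reads `right_frame` with `SQ_GET`, which PHP has already decoded). Separately, the allow-list in the compose.php part spells one entry `'compose_messsages'`, which matches no variable in the visible code. `$restoremessages`, which feeds `unserialize()` right after the loop, is not in the list either, so where it is populated after this change should be confirmed outside the hunk.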
diff --git a/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-draft_composesess.patch b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-draft_composesess.patch new file mode 100644 index 000000000000..096aa202f251 --- /dev/null +++ b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-draft_composesess.patch @@ -0,0 +1,25 @@ +diff -Naurp squirrelmail-1.5.1.orig/src/compose.php squirrelmail-1.5.1/src/compose.php +--- squirrelmail-1.5.1.orig/src/compose.php 2007-05-21 09:54:44.000000000 -0700 ++++ squirrelmail-1.5.1/src/compose.php 2007-05-21 09:55:35.000000000 -0700 +@@ -80,7 +80,11 @@ sqgetGlobalVar('draft',$draft); + sqgetGlobalVar('draft_id',$draft_id); + sqgetGlobalVar('ent_num',$ent_num); + sqgetGlobalVar('saved_draft',$saved_draft); +-sqgetGlobalVar('delete_draft',$delete_draft); ++ ++if ( sqgetGlobalVar('delete_draft',$delete_draft) ) { ++ $delete_draft = (int)$delete_draft; ++} ++ + if ( sqgetGlobalVar('startMessage',$startMessage) ) { + $startMessage = (int)$startMessage; + } else { +@@ -343,6 +347,8 @@ if (sqsession_is_registered('session_exp + if (!isset($composesession)) { + $composesession = 0; + sqsession_register(0,'composesession'); ++} else { ++ $composesession = (int)$composesession; + } + + if (!isset($session) || (isset($newmessage) && $newmessage)) { diff --git a/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-mailto.patch b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-mailto.patch new file mode 100644 index 000000000000..a9ff6dced42c --- /dev/null +++ b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-mailto.patch 
@@ -0,0 +1,157 @@ +diff -Naurp squirrelmail-1.5.1.orig/src/compose.php squirrelmail-1.5.1/src/compose.php +--- squirrelmail-1.5.1.orig/src/compose.php 2007-05-21 09:14:13.000000000 -0700 ++++ squirrelmail-1.5.1/src/compose.php 2007-05-21 09:20:16.000000000 -0700 +@@ -120,6 +120,25 @@ if ( !sqgetGlobalVar('smaction',$action) + if ( sqgetGlobalVar('smaction_edit_new',$tmp) ) $action = 'edit_as_new'; + } + ++/** ++ * Here we decode the data passed in from mailto.php. ++ */ ++if ( sqgetGlobalVar('mailtodata', $mailtodata, SQ_GET) ) { ++ $trtable = array('to' => 'send_to', ++ 'cc' => 'send_to_cc', ++ 'bcc' => 'send_to_bcc', ++ 'body' => 'body', ++ 'subject' => 'subject'); ++ $mtdata = unserialize($mailtodata); ++ ++ foreach ($trtable as $f => $t) { ++ if ( !empty($mtdata[$f]) ) { ++ $$t = $mtdata[$f]; ++ } ++ } ++ unset($mailtodata,$mtdata, $trtable); ++} ++ + /* Location (For HTTP 1.1 Header("Location: ...") redirects) */ + $location = get_location(); + /* Identities (fetch only once) */ +diff -Naurp squirrelmail-1.5.1.orig/src/login.php squirrelmail-1.5.1/src/login.php +--- squirrelmail-1.5.1.orig/src/login.php 2007-05-21 09:14:13.000000000 -0700 ++++ squirrelmail-1.5.1/src/login.php 2007-05-21 09:21:42.000000000 -0700 +@@ -187,15 +187,15 @@ if (isset($hide_sm_attributions) && !$hi + $username_form_name = 'login_username'; + $password_form_name = 'secretkey'; + +-if(sqgetGlobalVar('mailto', $mailto)) { +- $rcptaddress = addHidden('mailto', $mailto); ++if(sqgetGlobalVar('mailtodata', $mailtodata)) { ++ $mailtofield = addHidden('mailtodata', $mailtodata); + } else { +- $rcptaddress = ''; ++ $mailtofield = ''; + } + + $password_field = addPwField($password_form_name). + addHidden('js_autodetect_results', SMPREF_JS_OFF). +- $rcptaddress . ++ $mailtofield . 
+ addHidden('just_logged_in', '1'); + + $oTemplate->assign('color', $color); +diff -Naurp squirrelmail-1.5.1.orig/src/mailto.php squirrelmail-1.5.1/src/mailto.php +--- squirrelmail-1.5.1.orig/src/mailto.php 2006-01-23 10:43:28.000000000 -0800 ++++ squirrelmail-1.5.1/src/mailto.php 2007-05-21 09:24:07.000000000 -0700 +@@ -41,6 +41,8 @@ $trtable = array('cc' => 'send + 'subject' => 'subject'); + $url = ''; + ++$data = array(); ++ + if(sqgetGlobalVar('emailaddress', $emailaddress)) { + $emailaddress = trim($emailaddress); + if(stristr($emailaddress, 'mailto:')) { +@@ -50,34 +52,33 @@ if(sqgetGlobalVar('emailaddress', $email + list($emailaddress, $a) = explode('?', $emailaddress, 2); + if(strlen(trim($a)) > 0) { + $a = explode('=', $a, 2); +- $url .= $trtable[strtolower($a[0])] . '=' . urlencode($a[1]) . '&'; ++ $data[strtolower($a[0])] = $a[1]; + } + } +- $url = 'send_to=' . urlencode($emailaddress) . '&' . $url; ++ $data['to'] = $emailaddress; + + /* CC, BCC, etc could be any case, so we'll fix them here */ + foreach($_GET as $k=>$g) { + $k = strtolower($k); + if(isset($trtable[$k])) { + $k = $trtable[$k]; +- $url .= $k . '=' . urlencode($g) . '&'; ++ $data[$k] = $g; + } + } +- $url = substr($url, 0, -1); + } + sqsession_is_active(); + + if($force_login == false && sqsession_is_registered('user_is_logged_in')) { + if($compose_only == true) { +- $redirect = 'compose.php?' . $url; ++ $redirect = 'compose.php?mailtodata=' . urlencode(serialize($data)); + } else { +- $redirect = 'webmail.php?right_frame=compose.php?' . urlencode($url); ++ $redirect = 'webmail.php?mailtodata=' . urlencode(serialize($data)); + } + } else { +- $redirect = 'login.php?mailto=' . urlencode($url); ++ $redirect = 'login.php?mailtodata=' . urlencode(serialize($data)); + } + + session_write_close(); + header('Location: ' . get_location() . '/' . 
$redirect); + +-?> +\ No newline at end of file ++?> +diff -Naurp squirrelmail-1.5.1.orig/src/redirect.php squirrelmail-1.5.1/src/redirect.php +--- squirrelmail-1.5.1.orig/src/redirect.php 2007-05-21 09:14:13.000000000 -0700 ++++ squirrelmail-1.5.1/src/redirect.php 2007-05-21 09:25:34.000000000 -0700 +@@ -50,7 +50,7 @@ sqGetGlobalVar('secretkey', $secretkey); + if(!sqGetGlobalVar('squirrelmail_language', $squirrelmail_language) || $squirrelmail_language == '') { + $squirrelmail_language = $squirrelmail_default_language; + } +-if (!sqgetGlobalVar('mailto', $mailto)) { ++if (!sqgetGlobalVar('mailtodata', $mailtodata)) { + $mailto = ''; + } + +@@ -154,9 +154,9 @@ if ( sqgetGlobalVar('session_expired_loc + } + unset($session_expired_location); + } +-if($mailto != '') { +- $redirect_url = $location . '/webmail.php?right_frame=compose.php&mailto='; +- $redirect_url .= urlencode($mailto); ++if($mailtodata != '') { ++ $redirect_url = $location . '/webmail.php?right_frame=compose.php&mailtodata='; ++ $redirect_url .= urlencode($mailtodata); + } + + /* Write session data and send them off to the appropriate page. */ +diff -Naurp squirrelmail-1.5.1.orig/src/webmail.php squirrelmail-1.5.1/src/webmail.php +--- squirrelmail-1.5.1.orig/src/webmail.php 2007-05-21 09:14:13.000000000 -0700 ++++ squirrelmail-1.5.1/src/webmail.php 2007-05-21 09:26:37.000000000 -0700 +@@ -54,8 +54,10 @@ if (!sqgetGlobalVar('mailbox', $mailbox) + + sqgetGlobalVar('right_frame', $right_frame, SQ_GET); + +-if(!sqgetGlobalVar('mailto', $mailto)) { +- $mailto = ''; ++if(sqgetGlobalVar('mailtodata', $mailtodata)) { ++ $mailtourl = 'mailtodata='.urlencode($mailtodata); ++} else { ++ $mailtourl = ''; + } + + is_logged_in(); +@@ -166,7 +168,7 @@ switch($right_frame) { + $right_frame_url = 'folders.php'; + break; + case 'compose.php': +- $right_frame_url = 'compose.php?' . $mailto; ++ $right_frame_url = 'compose.php?' . $mailtourl; + break; + case '': + $right_frame_url = 'right_main.php'; 
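Review bot: The compose.php part calls `unserialize($mailtodata)` on a value read with `SQ_GET`, so the serialized string is fully client-controlled and PHP builds whatever it describes before the `$trtable` loop inspects it. The five fields are plain strings, so they could travel as ordinary url-encoded parameters or in another encoding that cannot create objects. If serialization stays, at least require `is_array($mtdata)` and `is_string($mtdata[$f])` before `$$t = $mtdata[$f];`. In the redirect.php part the fallback still assigns `$mailto = ''` after testing `mailtodata`, which leaves `$mailtodata` undefined when the parameter is absent although `if($mailtodata != '')` reads it later; that line should be `$mailtodata = '';`.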
diff --git a/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-mime.patch b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-mime.patch new file mode 100644 index 000000000000..ff1aa74a1020 --- /dev/null +++ b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2006-6142-mime.patch 
@@ -0,0 +1,145 @@ +diff -Naurp squirrelmail-1.5.1.orig/functions/mime.php squirrelmail-1.5.1/functions/mime.php +--- squirrelmail-1.5.1.orig/functions/mime.php 2006-02-11 03:13:05.000000000 -0800 ++++ squirrelmail-1.5.1/functions/mime.php 2007-05-21 09:32:19.000000000 -0700 +@@ -1132,6 +1132,75 @@ function sq_unspace(&$attvalue){ + } + + /** ++ * Translate all dangerous Unicode or Shift_JIS characters which are acepted by ++ * IE as regular characters. ++ * ++ * @param attvalue The attribute value before dangerous characters are translated. ++ * @return attvalue Nothing, modifies a reference value. ++ * @author Marc Groot Koerkamp. ++ */ ++function sq_fixIE_idiocy(&$attvalue) { ++ // remove NUL ++ $attvalue = str_replace("\0", "", $attvalue); ++ // remove comments ++ $attvalue = preg_replace("/(\/\*.*?\*\/)/","",$attvalue); ++ ++ // IE has the evil habit of excepting every possible value for the attribute expression ++ // The table below contain characters which are valid in IE if they are used in the "expression" ++ // attribute value. 
++ $aDangerousCharsReplacementTable = array( ++ array('ʟ', 'ʟ' ,/* L UNICODE IPA Extension */ ++ 'ʀ', 'ʀ' ,/* R UNICODE IPA Extension */ ++ 'ɴ', 'ɴ' ,/* N UNICODE IPA Extension */ ++ 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */ ++ 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */ ++ 'X', 'X',/* Unicode FULLWIDTH LATIN CAPITAL LETTER X */ ++ 'x', 'x',/* Unicode FULLWIDTH LATIN SMALL LETTER X */ ++ 'P', 'P',/* Unicode FULLWIDTH LATIN CAPITAL LETTER P */ ++ 'p', 'p',/* Unicode FULLWIDTH LATIN SMALL LETTER P */ ++ 'R', 'R',/* Unicode FULLWIDTH LATIN CAPITAL LETTER R */ ++ 'r', 'r',/* Unicode FULLWIDTH LATIN SMALL LETTER R */ ++ 'S', 'S',/* Unicode FULLWIDTH LATIN CAPITAL LETTER S */ ++ 's', 's',/* Unicode FULLWIDTH LATIN SMALL LETTER S */ ++ 'I', 'I',/* Unicode FULLWIDTH LATIN CAPITAL LETTER I */ ++ 'i', 'i',/* Unicode FULLWIDTH LATIN SMALL LETTER I */ ++ 'O', 'O',/* Unicode FULLWIDTH LATIN CAPITAL LETTER O */ ++ 'o', 'o',/* Unicode FULLWIDTH LATIN SMALL LETTER O */ ++ 'N', 'N',/* Unicode FULLWIDTH LATIN CAPITAL LETTER N */ ++ 'n', 'n',/* Unicode FULLWIDTH LATIN SMALL LETTER N */ ++ 'L', 'L',/* Unicode FULLWIDTH LATIN CAPITAL LETTER L */ ++ 'l', 'l',/* Unicode FULLWIDTH LATIN SMALL LETTER L */ ++ 'U', 'U',/* Unicode FULLWIDTH LATIN CAPITAL LETTER U */ ++ 'u', 'u',/* Unicode FULLWIDTH LATIN SMALL LETTER U */ ++ 'ⁿ', 'ⁿ' ,/* Unicode SUPERSCRIPT LATIN SMALL LETTER N */ ++ '艤', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ // in unicode this is some chinese char range ++ '芅', /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */ ++ '艷', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */ ++ '芘', /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */ ++ '良', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */ ++ '芐', /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */ ++ '艱', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */ ++ '芒', /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */ ++ '色', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */ ++ '芓', /* Shift JIS FULLWIDTH LATIN SMALL 
LETTER S */ ++ '艨', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */ ++ '芉', /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */ ++ '艮', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */ ++ '芏', /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */ ++ '艭', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */ ++ '芎'), /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */ ++ array('l', 'l', 'r','r','n','n', ++ 'E','E','e','e','X','X','x','x','P','P','p','p','S','S','s','s','I','I', ++ 'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n', ++ 'E','e','X','x','P','p','S','s','I','i','O','o','N','n')); ++ $attvalue = str_replace($aDangerousCharsReplacementTable[0],$aDangerousCharsReplacementTable[1],$attvalue); ++ ++ // Escapes are usefull for special characters like "{}[]()'&. In other cases they are ++ // used for XSS ++ $attvalue = preg_replace("/(\\\\)([a-zA-Z]{1})/",'$2',$attvalue); ++} ++ ++/** + * This function returns the final tag out of the tag name, an array + * of attributes, and the type of the tag. This function is called by + * sq_sanitize internally. +@@ -1597,10 +1666,23 @@ function sq_fixatts($tagname, + } + } + } ++ ++ /** ++ * Workaround for IE quirks ++ */ ++ sq_fixIE_idiocy($attvalue); ++ + /** + * Remove any backslashes, entities, and extraneous whitespace. + */ ++ $oldattvalue = $attvalue; + sq_defang($attvalue); ++ if ($attname == 'style' && $attvalue !== $oldattvalue) { ++ // entities are used in the attribute value. In 99% of the cases it's there as XSS ++ // i.e.<div style="{ left:expʀessioɴ( alert('XSS') ) }"> ++ $attvalue = "idiocy"; ++ $attary{$attname} = $attvalue; ++ } + sq_unspace($attvalue); + + /** +@@ -1694,14 +1776,18 @@ function sq_fixstyle($body, $pos, $messa + */ + $content = preg_replace("|body(\s*\{.*?\})|si", ".bodyclass\\1", $content); + $secremoveimg = '../images/' . _("sec_remove_eng.png"); ++ ++ // IE Sucks hard. We have a special function for it. 
++ sq_fixIE_idiocy($content); ++ ++ // remove @import line ++ $content = preg_replace("/^\s*(@import.*)$/mi","\n<!-- @import rules forbidden -->\n",$content); ++ + /** + * Fix url('blah') declarations. + */ + // $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", + // "url(\\1$secremoveimg\\2)", $content); +- // remove NUL +- $content = str_replace("\0", "", $content); +- + // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop. + while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { + $sProto = strtolower($matches[1]); +@@ -1759,8 +1845,10 @@ function sq_fixstyle($body, $pos, $messa + '/expression/i', + '/behaviou*r/i', + '/binding/i', +- '/include-source/i'); +- $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy'); ++ '/include-source/i', ++ '/javascript/i', ++ '/script/i'); ++ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy'); + $contentNew = preg_replace($match, $replace, $contentTemp); + if ($contentNew !== $contentTemp) { + // insecure css declarations are used. From now on we don't care +@@ -2387,4 +2475,4 @@ function SendDownloadHeaders($type0, $ty + + } // end fn SendDownloadHeaders + +-?> +\ No newline at end of file ++?> diff --git a/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch index 36f0680eeb3a..d5accd6c8eb2 100644 --- a/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch +++ b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch 
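Review bot: The comment-stripping call in `sq_fixIE_idiocy()`, `preg_replace("/(\/\*.*?\*\/)/","",$attvalue)`, has no `s` modifier, so `.` stops at a newline and a `/* ... */` comment that spans lines is left in place. `sq_fixstyle()` now passes the whole style content through this function, and that content is normally multi-line. The keyword list further down (`/expression/i`, `/script/i`, ...) appears to run afterwards, so a surviving comment can keep a listed word from matching. Use `preg_replace("/(\/\*.*?\*\/)/s","",$attvalue)`. The body of `sq_fixstyle()` continues outside the inner hunks shown here.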
@@ -1,93 +1,7 @@ -Index: src/view_text.php -=================================================================== ---- src/view_text.php (revision 12419) -+++ src/view_text.php (working copy) -@@ -70,10 +70,10 @@ - } - - if ($type1 == 'html' || (isset($override_type1) && $override_type1 == 'html')) { -- $body = MagicHTML( $body, $passed_id, $message, $mailbox); - // html attachment with character set information - if (! empty($charset)) - $body = charset_decode($charset,$body,false,true); -+ $body = MagicHTML( $body, $passed_id, $message, $mailbox); - } else { - translateText($body, $wrap_at, $charset); - } -Index: src/compose.php -=================================================================== ---- src/compose.php (revision 12419) -+++ src/compose.php (working copy) -@@ -55,32 +55,42 @@ - } - - /** SESSION/POST/GET VARS */ --sqgetGlobalVar('session',$session); --sqgetGlobalVar('mailbox',$mailbox); --if(!sqgetGlobalVar('identity',$identity)) { -+sqgetGlobalVar('send', $send, SQ_POST); -+// Send can only be achieved by setting $_POST var. 
If Send = true then -+// retrieve other form fields from $_POST -+if (isset($send) && $send) { -+ $SQ_GLOBAL = SQ_POST; -+} else { -+ $SQ_GLOBAL = SQ_FORM; -+} -+sqgetGlobalVar('session',$session, $SQ_GLOBAL); -+sqgetGlobalVar('mailbox',$mailbox, $SQ_GLOBAL); -+if(!sqgetGlobalVar('identity',$identity, $SQ_GLOBAL)) { - $identity=0; - } --sqgetGlobalVar('send_to',$send_to); --sqgetGlobalVar('send_to_cc',$send_to_cc); --sqgetGlobalVar('send_to_bcc',$send_to_bcc); --sqgetGlobalVar('subject',$subject); --sqgetGlobalVar('body',$body); --sqgetGlobalVar('mailprio',$mailprio); --sqgetGlobalVar('request_mdn',$request_mdn); --sqgetGlobalVar('request_dr',$request_dr); --sqgetGlobalVar('html_addr_search',$html_addr_search); --sqgetGlobalVar('mail_sent',$mail_sent); --sqgetGlobalVar('passed_id',$passed_id); --sqgetGlobalVar('passed_ent_id',$passed_ent_id); --sqgetGlobalVar('send',$send); -+sqgetGlobalVar('send_to',$send_to, $SQ_GLOBAL); -+sqgetGlobalVar('send_to_cc',$send_to_cc, $SQ_GLOBAL); -+sqgetGlobalVar('send_to_bcc',$send_to_bcc, $SQ_GLOBAL); -+sqgetGlobalVar('subject',$subject, $SQ_GLOBAL); -+sqgetGlobalVar('body',$body, $SQ_GLOBAL); -+sqgetGlobalVar('mailprio',$mailprio, $SQ_GLOBAL); -+sqgetGlobalVar('request_mdn',$request_mdn, $SQ_GLOBAL); -+sqgetGlobalVar('request_dr',$request_dr, $SQ_GLOBAL); -+sqgetGlobalVar('html_addr_search',$html_addr_search, $SQ_GLOBAL); -+sqgetGlobalVar('mail_sent',$mail_sent, $SQ_GLOBAL); -+sqgetGlobalVar('passed_id',$passed_id, $SQ_GLOBAL); -+sqgetGlobalVar('passed_ent_id',$passed_ent_id, $SQ_GLOBAL); - --sqgetGlobalVar('attach',$attach); -+sqgetGlobalVar('attach',$attach, SQ_POST); -+sqgetGlobalVar('draft',$draft, SQ_POST); -+sqgetGlobalVar('draft_id',$draft_id, $SQ_GLOBAL); -+sqgetGlobalVar('ent_num',$ent_num, $SQ_GLOBAL); -+sqgetGlobalVar('saved_draft',$saved_draft, SQ_FORM); - --sqgetGlobalVar('draft',$draft); --sqgetGlobalVar('draft_id',$draft_id); --sqgetGlobalVar('ent_num',$ent_num); --sqgetGlobalVar('saved_draft',$saved_draft); 
--sqgetGlobalVar('delete_draft',$delete_draft); -+if ( sqgetGlobalVar('delete_draft',$delete_draft) ) { -+ $delete_draft = (int)$delete_draft; -+} -+ - if ( sqgetGlobalVar('startMessage',$startMessage) ) { - $startMessage = (int)$startMessage; - } else { -Index: functions/mime.php -=================================================================== ---- functions/mime.php (revision 12419) -+++ functions/mime.php (working copy) -@@ -428,13 +428,16 @@ +diff -Naurp squirrelmail-1.5.1.orig/functions/mime.php squirrelmail-1.5.1/functions/mime.php +--- squirrelmail-1.5.1.orig/functions/mime.php 2007-05-21 09:57:36.000000000 -0700 ++++ squirrelmail-1.5.1/functions/mime.php 2007-05-21 09:58:36.000000000 -0700 +@@ -428,13 +428,16 @@ function formatBody($imap_stream, $messa $body.="</iframe></div>\n"; } else { // old way of html rendering 
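Review bot: This revision of the CVE-2007-1262 patch drops the `src/view_text.php` section (running `charset_decode()` before `MagicHTML()`) and the `src/compose.php` section that restricted `sqgetGlobalVar()` to `SQ_POST`/`SQ_FORM`. Of the other patches on this page, only the `delete_draft` cast from that compose.php section is re-added, in the draft_composesess patch. If the two sections were removed because they do not apply to the 1.5.1 tree, a ChangeLog line saying so would help; otherwise 1.5.1-r4 ships without those parts of the fix. Whether the ebuild covers them some other way is not visible here.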
@@ -106,7 +20,72 @@ Index: functions/mime.php } } else { translateText($body, $wrap_at, -@@ -1623,38 +1626,34 @@ +@@ -1156,8 +1159,8 @@ function sq_fixIE_idiocy(&$attvalue) { + array('ʟ', 'ʟ' ,/* L UNICODE IPA Extension */ + 'ʀ', 'ʀ' ,/* R UNICODE IPA Extension */ + 'ɴ', 'ɴ' ,/* N UNICODE IPA Extension */ +- 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */ +- 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */ ++ 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */ ++ 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */ + 'X', 'X',/* Unicode FULLWIDTH LATIN CAPITAL LETTER X */ + 'x', 'x',/* Unicode FULLWIDTH LATIN SMALL LETTER X */ + 'P', 'P',/* Unicode FULLWIDTH LATIN CAPITAL LETTER P */ +@@ -1177,26 +1180,34 @@ function sq_fixIE_idiocy(&$attvalue) { + 'U', 'U',/* Unicode FULLWIDTH LATIN CAPITAL LETTER U */ + 'u', 'u',/* Unicode FULLWIDTH LATIN SMALL LETTER U */ + 'ⁿ', 'ⁿ' ,/* Unicode SUPERSCRIPT LATIN SMALL LETTER N */ +- '艤', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ // in unicode this is some chinese char range +- '芅', /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */ +- '艷', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */ +- '芘', /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */ +- '良', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */ +- '芐', /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */ +- '艱', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */ +- '芒', /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */ +- '色', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */ +- '芓', /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */ +- '艨', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */ +- '芉', /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */ +- '艮', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */ +- '芏', /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */ +- '艭', /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */ +- '芎'), /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */ ++ "\xEF\xBC\xA5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ // in unicode this is some Chinese 
char range ++ "\xEF\xBD\x85", /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */ ++ "\xEF\xBC\xB8", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */ ++ "\xEF\xBD\x98", /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */ ++ "\xEF\xBC\xB0", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */ ++ "\xEF\xBD\x90", /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */ ++ "\xEF\xBC\xB2", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */ ++ "\xEF\xBD\x92", /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */ ++ "\xEF\xBC\xB3", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */ ++ "\xEF\xBD\x93", /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */ ++ "\xEF\xBC\xA9", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */ ++ "\xEF\xBD\x89", /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */ ++ "\xEF\xBC\xAF", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */ ++ "\xEF\xBD\x8F", /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */ ++ "\xEF\xBC\xAE", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */ ++ "\xEF\xBD\x8E", /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */ ++ "\xEF\xBC\xAC", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER L */ ++ "\xEF\xBD\x8C", /* Shift JIS FULLWIDTH LATIN SMALL LETTER L */ ++ "\xEF\xBC\xB5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER U */ ++ "\xEF\xBD\x95", /* Shift JIS FULLWIDTH LATIN SMALL LETTER U */ ++ "\xE2\x81\xBF", /* Shift JIS FULLWIDTH SUPERSCRIPT N */ ++ "\xCA\x9F", /* L UNICODE IPA Extension */ ++ "\xCA\x80", /* R UNICODE IPA Extension */ ++ "\xC9\xB4"), /* N UNICODE IPA Extension */ + array('l', 'l', 'r','r','n','n', +- 'E','E','e','e','X','X','x','x','P','P','p','p','S','S','s','s','I','I', +- 'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n', +- 'E','e','X','x','P','p','S','s','I','i','O','o','N','n')); ++ 'E','E','e','e','X','X','x','x','P','P','p','p','R','R','r','r','S','S','s','s','I','I', ++ 'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n','n', ++ 
'E','e','X','x','P','p','R','r','S','s','I','i','O','o','N','n','L','l','U','u','n','l','r','n')); + $attvalue = str_replace($aDangerousCharsReplacementTable[0],$aDangerousCharsReplacementTable[1],$attvalue); + + // Escapes are usefull for special characters like "{}[]()'&. In other cases they are +@@ -1709,38 +1720,34 @@ function sq_fixatts($tagname, preg_replace($valmatch, $valrepl, $attvalue); if ($newvalue != $attvalue){ $attary{$attname} = $newvalue; @@ -125,6 +104,13 @@ Index: functions/mime.php - */ - if (($attname == 'src') && ($attvalue == '""')) { - $attary{$attname} = '"' . SM_PATH . 'images/blank.png"'; +- } +- +- /** +- * Turn cid: urls into http-friendly ones. +- */ +- if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){ +- $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); + if ($attname == 'style') { + if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) { + // 8bit and control characters in style attribute values can be used for XSS, remove them 
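Review bot: The comments on the added byte-string entries in the sq_fixIE_idiocy table label them "Shift JIS", but sequences such as `"\xEF\xBC\xA5"` are the UTF-8 encodings of U+FF25 and its neighbours, so the label misstates which input encoding the table covers. I would reword them along the lines of `"\xEF\xBC\xA5", /* UTF-8 bytes of FULLWIDTH LATIN CAPITAL LETTER E (U+FF25) */` and note above the table whether Shift_JIS mail is expected to be converted before this function runs. The search and replacement arrays are paired purely by position; the visible entries line up, but a one-line comment saying that every new search entry needs a replacement at the same index would protect the next edit. The function starts and ends outside the hunk.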
@@ -142,29 +128,22 @@ Index: functions/mime.php } - /** -- * Turn cid: urls into http-friendly ones. +- * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags. +- * One day MS might actually make it match something useful, for now, falling +- * back to using cid2http, so we can grab the blank.png. + * Use white list based filtering on attributes which can contain url's */ -- if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){ +- if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) { - $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); + else if ($attname == 'href' || $attname == 'src' || $attname == 'background') { + sq_fix_url($attname, $attvalue, $message, $id, $mailbox); + $attary{$attname} = $attvalue; } - -- /** -- * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags. -- * One day MS might actually make it match something useful, for now, falling -- * back to using cid2http, so we can grab the blank.png. -- */ -- if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) { -- $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); -- } -- } /** * See if we need to append any attributes to this tag. -@@ -1668,6 +1667,98 @@ +@@ -1754,6 +1761,98 @@ function sq_fixatts($tagname, } /** 
@@ -263,20 +242,21 @@ Index: functions/mime.php * This function edits the style definition to make them friendly and * usable in SquirrelMail. * -@@ -1699,51 +1790,30 @@ +@@ -1781,59 +1880,40 @@ function sq_fixstyle($body, $pos, $messa + $content = preg_replace("|body(\s*\{.*?\})|si", ".bodyclass\\1", $content); + $secremoveimg = '../images/' . _("sec_remove_eng.png"); + +- // IE Sucks hard. We have a special function for it. +- sq_fixIE_idiocy($content); +- +- // remove @import line +- $content = preg_replace("/^\s*(@import.*)$/mi","\n<!-- @import rules forbidden -->\n",$content); +- + /** + * Fix url('blah') declarations. */ // $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", // "url(\\1$secremoveimg\\2)", $content); -+ -+ // first check for 8bit sequences and disallowed control characters -+ if (preg_match('/[\16-\37\200-\377]+/',$content)) { -+ $content = '<!-- style block removed by html filter due to presence of 8bit characters -->'; -+ return array($content, $newpos); -+ } -+ - // remove NUL - $content = str_replace("\0", "", $content); - - // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop. - while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { - $sProto = strtolower($matches[1]); 
@@ -288,21 +268,14 @@ Index: functions/mime.php - case 'https': - case 'http': - if (!$view_unsafe_images){ -+ preg_match_all("/url\s*\((.+)\)/si",$content,$aMatch); -+ if (count($aMatch)) { -+ $aValue = $aReplace = array(); -+ foreach($aMatch[1] as $sMatch) { -+ // url value -+ $urlvalue = $sMatch; -+ sq_fix_url('style',$urlvalue, $message, $id, $mailbox,"'"); -+ $aValue[] = $sMatch; -+ $aReplace[] = $urlvalue; -+ } -+ $content = str_replace($aValue,$aReplace,$content); -+ } ++ // first check for 8bit sequences and disallowed control characters ++ if (preg_match('/[\16-\37\200-\377]+/',$content)) { ++ $content = '<!-- style block removed by html filter due to presence of 8bit characters -->'; - $sExpr = "/url\s*\(\s*[\'\"]?\s*$sProto*:.*[\'\"]?\s*\)/si"; - $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content); ++ return array($content, $newpos); ++ } - } else { - $content = preg_replace('/url/i',"u\0r\0l",$content); 
@@ -327,14 +300,34 @@ Index: functions/mime.php - $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", - "", $content); - break; -- } -- } ++ // IE Sucks hard. We have a special function for it. ++ sq_fixIE_idiocy($content); ++ ++ // remove @import line ++ $content = preg_replace("/^\s*(@import.*)$/mi","\n<!-- @import rules forbidden -->\n",$content); ++ ++ // translate ur\l and variations (IE parses that) ++ // TODO check if the sq_fixIE_idiocy function already handles this. ++ $content = preg_replace("/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i", 'url', $content); ++ preg_match_all("/url\s*\((.+)\)/si",$content,$aMatch); ++ if (count($aMatch)) { ++ $aValue = $aReplace = array(); ++ foreach($aMatch[1] as $sMatch) { ++ // url value ++ $urlvalue = $sMatch; ++ sq_fix_url('style',$urlvalue, $message, $id, $mailbox,"'"); ++ $aValue[] = $sMatch; ++ $aReplace[] = $urlvalue; + } ++ $content = str_replace($aValue,$aReplace,$content); + } - // remove NUL - $content = str_replace("\0", "", $content); ++ /** * Remove any backslashes, entities, and extraneous whitespace. */ -@@ -2175,7 +2245,7 @@ +@@ -2267,7 +2347,7 @@ function magicHTML($body, $id, $message, "idiocy", "idiocy", "idiocy", @@ -343,7 +336,7 @@ Index: functions/mime.php "url(\\1#\\1)", "url(\\1#\\1)", "url(\\1#\\1)", -@@ -2220,7 +2290,7 @@ +@@ -2312,7 +2392,7 @@ function magicHTML($body, $id, $message, $id, $mailbox ); 
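Review bot: In the sq_fixstyle lines added here, `preg_match_all("/url\s*\((.+)\)/si",$content,$aMatch)` uses a greedy `.+` together with `/s`, so a style block holding several url() declarations produces one match running from the first `(` to the last `)`, and sq_fix_url receives everything in between as a single value. Whether that fails safe depends on sq_fix_url, which is not part of this hunk; a bounded capture such as `/url\s*\(([^)]+)\)/si` would hand it one URL at a time and is worth checking against the filter's test mails. The guard `if (count($aMatch))` is always true, because preg_match_all fills both result slots even when nothing matches; `if (!empty($aMatch[1]))` states the intent. The function body continues outside the hunk.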
@@ -352,3 +345,89 @@ Index: functions/mime.php $has_unsafe_images = true; } +diff -Naurp squirrelmail-1.5.1.orig/src/compose.php squirrelmail-1.5.1/src/compose.php +--- squirrelmail-1.5.1.orig/src/compose.php 2007-05-21 09:57:36.000000000 -0700 ++++ squirrelmail-1.5.1/src/compose.php 2007-05-21 10:00:07.000000000 -0700 +@@ -55,31 +55,37 @@ if (is_array($delayed_errors)) { + } + + /** SESSION/POST/GET VARS */ +-sqgetGlobalVar('session',$session); +-sqgetGlobalVar('mailbox',$mailbox); +-if(!sqgetGlobalVar('identity',$identity)) { ++sqgetGlobalVar('send', $send, SQ_POST); ++// Send can only be achieved by setting $_POST var. If Send = true then ++// retrieve other form fields from $_POST ++if (isset($send) && $send) { ++ $SQ_GLOBAL = SQ_POST; ++} else { ++ $SQ_GLOBAL = SQ_FORM; ++} ++sqgetGlobalVar('session',$session, $SQ_GLOBAL); ++sqgetGlobalVar('mailbox',$mailbox, $SQ_GLOBAL); ++if(!sqgetGlobalVar('identity',$identity, $SQ_GLOBAL)) { + $identity=0; + } +-sqgetGlobalVar('send_to',$send_to); +-sqgetGlobalVar('send_to_cc',$send_to_cc); +-sqgetGlobalVar('send_to_bcc',$send_to_bcc); +-sqgetGlobalVar('subject',$subject); +-sqgetGlobalVar('body',$body); +-sqgetGlobalVar('mailprio',$mailprio); +-sqgetGlobalVar('request_mdn',$request_mdn); +-sqgetGlobalVar('request_dr',$request_dr); +-sqgetGlobalVar('html_addr_search',$html_addr_search); +-sqgetGlobalVar('mail_sent',$mail_sent); +-sqgetGlobalVar('passed_id',$passed_id); +-sqgetGlobalVar('passed_ent_id',$passed_ent_id); +-sqgetGlobalVar('send',$send); +- +-sqgetGlobalVar('attach',$attach); +- +-sqgetGlobalVar('draft',$draft); +-sqgetGlobalVar('draft_id',$draft_id); +-sqgetGlobalVar('ent_num',$ent_num); +-sqgetGlobalVar('saved_draft',$saved_draft); ++sqgetGlobalVar('send_to',$send_to, $SQ_GLOBAL); ++sqgetGlobalVar('send_to_cc',$send_to_cc, $SQ_GLOBAL); ++sqgetGlobalVar('send_to_bcc',$send_to_bcc, $SQ_GLOBAL); ++sqgetGlobalVar('subject',$subject, $SQ_GLOBAL); ++sqgetGlobalVar('body',$body, $SQ_GLOBAL); 
++sqgetGlobalVar('mailprio',$mailprio, $SQ_GLOBAL); ++sqgetGlobalVar('request_mdn',$request_mdn, $SQ_GLOBAL); ++sqgetGlobalVar('request_dr',$request_dr, $SQ_GLOBAL); ++sqgetGlobalVar('html_addr_search',$html_addr_search, $SQ_GLOBAL); ++sqgetGlobalVar('mail_sent',$mail_sent, $SQ_GLOBAL); ++sqgetGlobalVar('passed_id',$passed_id, $SQ_GLOBAL); ++sqgetGlobalVar('passed_ent_id',$passed_ent_id, $SQ_GLOBAL); ++ ++sqgetGlobalVar('attach',$attach, SQ_POST); ++sqgetGlobalVar('draft',$draft, SQ_POST); ++sqgetGlobalVar('draft_id',$draft_id, $SQ_GLOBAL); ++sqgetGlobalVar('ent_num',$ent_num, $SQ_GLOBAL); ++sqgetGlobalVar('saved_draft',$saved_draft, SQ_FORM); + + if ( sqgetGlobalVar('delete_draft',$delete_draft) ) { + $delete_draft = (int)$delete_draft; +@@ -1765,4 +1771,4 @@ function deliverMessage($composeMessage, + return $success; + } + +-?> +\ No newline at end of file ++?> +diff -Naurp squirrelmail-1.5.1.orig/src/view_text.php squirrelmail-1.5.1/src/view_text.php +--- squirrelmail-1.5.1.orig/src/view_text.php 2006-02-05 03:18:50.000000000 -0800 ++++ squirrelmail-1.5.1/src/view_text.php 2007-05-21 09:58:36.000000000 -0700 +@@ -70,10 +70,10 @@ if (isset($languages[$squirrelmail_langu + } + + if ($type1 == 'html' || (isset($override_type1) && $override_type1 == 'html')) { +- $body = MagicHTML( $body, $passed_id, $message, $mailbox); + // html attachment with character set information + if (! empty($charset)) + $body = charset_decode($charset,$body,false,true); ++ $body = MagicHTML( $body, $passed_id, $message, $mailbox); + } else { + translateText($body, $wrap_at, $charset); + } diff --git a/mail-client/squirrelmail/files/squirrelmail-1.5.1-ie-mime.patch b/mail-client/squirrelmail/files/squirrelmail-1.5.1-ie-mime.patch new file mode 100644 index 000000000000..1b7eac318f06 --- /dev/null +++ b/mail-client/squirrelmail/files/squirrelmail-1.5.1-ie-mime.patch 
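Review bot: `delete_draft` is still read with `sqgetGlobalVar('delete_draft',$delete_draft)` and no source argument, while every other compose.php field in this hunk is now pinned to `$SQ_GLOBAL`, `SQ_POST` or `SQ_FORM`. If the default search order of that call is wider than the form data (it is defined outside this hunk), a state-changing parameter keeps the looser lookup that the patch removes everywhere else; `sqgetGlobalVar('delete_draft',$delete_draft, $SQ_GLOBAL)` would make it consistent. A short comment next to the `attach` and `draft` lines saying why they are POST-only would also help. In the view_text.php part, the moved `$body = MagicHTML(...)` now follows a brace-less `if (! empty($charset))`; adding braces to that `if` keeps the sanitizer call from sliding under the condition in a later edit.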
@@ -0,0 +1,33 @@
+diff -u -r1.265.2.69 mime.php
+--- functions/mime.php 2 Dec 2006 09:57:21 -0000 1.265.2.69
++++ functions/mime.php 2 Dec 2006 14:30:29 -0000
+@@ -477,7 +477,11 @@
+ if ($where && $what) {
+ $defaultlink .= '&where='. urlencode($where).'&what='.urlencode($what);
+ }
+-
++ // IE does make use of mime content sniffing. Forcing a download
++ // prohibit execution of XSS inside an application/octet-stream attachment
++ if ($type0 == 'application' && $type1 == 'octet-stream') {
++ $defaultlink .= '&absolute_dl=true';
++ }
+ /* This executes the attachment hook with a specific MIME-type.
+ * If that doesn't have results, it tries if there's a rule
+ * for a more generic type. Finally, a hook for ALL attachment
+@@ -2195,11 +2253,15 @@
+
+ // This works for most types, but doesn't work with Word files
+ header ("Content-Type: application/download; name=\"$filename\"");
+-
++ // This is to prevent IE for MIME sniffing and auto open a file in IE
++ header ("Content-Type: application/force-download; name=\"$filename\"");
+ // These are spares, just in case. :-)
+ //header("Content-Type: $type0/$type1; name=\"$filename\"");
+ //header("Content-Type: application/x-msdownload; name=\"$filename\"");
+ //header("Content-Type: application/octet-stream; name=\"$filename\"");
++ } else if ($isIE) {
++ // This is to prevent IE for MIME sniffing and auto open a file in IE
++ header ("Content-Type: application/force-download; name=\"$filename\"");
+ } else {
+ // another application/octet-stream forces download for Netscape
+ header ("Content-Type: application/octet-stream; name=\"$filename\"");
diff --git a/mail-client/squirrelmail/files/squirrelmail-fortune.patch b/mail-client/squirrelmail/files/squirrelmail-fortune.patch
deleted file mode 100644
index 49932d9ac481..000000000000
--- a/mail-client/squirrelmail/files/squirrelmail-fortune.patch
+++ /dev/null
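Review bot: In the second hunk of squirrelmail-1.5.1-ie-mime.patch the added `header ("Content-Type: application/force-download; ...")` comes directly after the existing `application/download` call; PHP's header() replaces an earlier header of the same name by default, so the first call is now dead and the "works for most types" comment above it no longer describes what is sent. I would drop the superseded call or move it down among the commented-out "spares". A Content-Type value on its own is a weak defence against content sniffing, and the hunk does not show whether `Content-Disposition: attachment` is also sent on this path, so that should be confirmed in the enclosing function, which lies outside the hunk. `$filename` is interpolated between double quotes in the header value, so it is also worth confirming that quotes and line breaks are stripped from it before this point.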
@@ -1,12 +0,0 @@ -diff -ru plugins/fortune/setup.php.org plugins/fortune/setup.php ---- plugins/fortune/setup.php.org 2004-04-26 15:20:10.000000000 -0700 -+++ plugins/fortune/setup.php 2004-05-11 11:00:43.910401166 -0700 -@@ -30,7 +30,7 @@ - return; - } - -- $fortune_location = '/usr/games/fortune'; -+ $fortune_location = '/usr/bin/fortune'; - $exist = file_exists($fortune_location); - echo "<center><table cellpadding=0 cellspacing=0 border=0 bgcolor=$color[10]><tr><td><table width=100% cellpadding=2 cellspacing=1 border=0 bgcolor=\"$color[5]\"><tr><td align=center>"; - echo '<table><tr><td>'; diff --git a/mail-client/squirrelmail/squirrelmail-1.5.1-r3.ebuild b/mail-client/squirrelmail/squirrelmail-1.5.1-r4.ebuild index dda25d107c32..383b619c0d18 100644 --- a/mail-client/squirrelmail/squirrelmail-1.5.1-r3.ebuild +++ b/mail-client/squirrelmail/squirrelmail-1.5.1-r4.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2007 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/mail-client/squirrelmail/squirrelmail-1.5.1-r3.ebuild,v 1.1 2007/05/19 14:26:22 eradicator Exp $ +# $Header: /var/cvsroot/gentoo-x86/mail-client/squirrelmail/squirrelmail-1.5.1-r4.ebuild,v 1.1 2007/05/21 17:11:33 eradicator Exp $ IUSE="crypt ldap spell ssl filter mysql postgres nls" @@ -54,6 +54,11 @@ src_unpack() { unpack ${MY_P}.tar.bz2 cd ${S} + epatch ${FILESDIR}/squirrelmail-1.5.1-CVE-2006-4019.patch + epatch ${FILESDIR}/squirrelmail-1.5.1-CVE-2006-6142-draft_composesess.patch + epatch ${FILESDIR}/squirrelmail-1.5.1-CVE-2006-6142-mailto.patch + epatch ${FILESDIR}/squirrelmail-1.5.1-CVE-2006-6142-mime.patch + epatch ${FILESDIR}/squirrelmail-1.5.1-ie-mime.patch epatch ${FILESDIR}/squirrelmail-1.5.1-CVE-2007-1262.patch mv config/config_default.php config/config.php |
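Review bot: The five `epatch` lines added to src_unpack() sit before the existing CVE-2007-1262 patch, and that patch is regenerated in this same commit with shifted mime.php offsets, so it appears to apply only on top of the earlier ones; nothing in the ebuild records that the order is load-bearing. A comment such as `# Order matters: CVE-2007-1262.patch is diffed against the tree with the patches above applied` would keep a later cleanup from reordering or dropping one of them. `${FILESDIR}` and `${S}` are unquoted here as in the surrounding lines; `epatch "${FILESDIR}/squirrelmail-1.5.1-CVE-2006-4019.patch"` is the safer form. src_unpack() continues outside the hunk.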