Date: Sun, 19 Jun 2005 12:06:13 +0200 (CEST) From: Thomas <thomas@bsdunix.ch> To: FreeBSD-gnats-submit@FreeBSD.org Cc: simond@irrelevant.org Subject: ports/82410: security fix form mail/squirrelmail Message-ID: <200506191006.j5JA6D5p021848@conversation.bsdunix.ch> Resent-Message-ID: <200506191010.j5JAAJBn020563@freefall.freebsd.org>
>Number: 82410 >Category: ports >Synopsis: security fix form mail/squirrelmail >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Jun 19 10:10:19 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Thomas >Release: FreeBSD 4.11-RELEASE-p10 i386 >Organization: >Environment: System: FreeBSD conversation.bsdunix.ch 4.11-RELEASE-p10 FreeBSD 4.11-RELEASE-p10 #3: Fri Jun 17 15:54:34 CEST 2005 root@conversation.bsdunix.ch:/usr/obj/usr/src/sys/CONVERSATION i386 >Description: XSS security hole in Squirrelmail <=1.4.4 http://www.squirrelmail.org/security/issue/2005-06-15 >How-To-Repeat: >Fix: copy this file to port/mail/squirrelmail/files. The patch is from squirrelmail url above. Only the path was so modified to apply cleanly. --- functions/addressbook.php.orig Mon Dec 27 16:03:42 2004 +++ functions/addressbook.php Wed Jun 15 23:50:03 2005 @@ -108,7 +108,7 @@ if (!$r && $showerr) { printf( ' ' . _("Error initializing LDAP server %s:") . "<br />\n", $param['host']); - echo ' ' . $abook->error; + echo ' ' . htmlspecialchars($abook->error); exit; } } @@ -239,7 +239,7 @@ if (is_array($res)) { $ret = array_merge($ret, $res); } else { - $this->error .= "<br />\n" . $backend->error; + $this->error .= "\n" . $backend->error; $failed++; } } @@ -255,7 +255,7 @@ $ret = $this->backends[$bnum]->search($expression); if (!is_array($ret)) { - $this->error .= "<br />\n" . $this->backends[$bnum]->error; + $this->error .= "\n" . $this->backends[$bnum]->error; $ret = FALSE; } } --- functions/mime.php.orig Mon Jan 10 19:52:48 2005 +++ functions/mime.php Wed Jun 15 23:50:03 2005 
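Review bot: Switching the separator in `$this->error .= "\n" . $backend->error;` from `<br />` to `"\n"` is what lets the display sites escape `$abook->error` safely, but those sites (the src/addressbook.php hunks further down wrap it in `<font>`) render the newline as a single space, so several backend errors now run together on one line; `nl2br(htmlspecialchars($abook->error))` at the echo would keep both the escaping and the line breaks. The same separator change is in the @@ -255 hunk. In the @@ -108 hunk the `$param['host']` passed to `printf` two lines above the new `htmlspecialchars` is still emitted raw — presumably it comes from the LDAP configuration rather than from a request, so the risk is low, but `htmlspecialchars($param['host'])` would make that error path consistent with the line being fixed.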
@@ -1388,12 +1388,33 @@ } } } + + /** + * Replace empty src tags with the blank image. src is only used + * for frames, images, and image inputs. Doing a replace should + * not affect them working as should be, however it will stop + * IE from being kicked off when src for img tags are not set + */ + if (($attname == 'src') && ($attvalue == '""')) { + $attary{$attname} = '"' . SM_PATH . 'images/blank.png"'; + } + /** * Turn cid: urls into http-friendly ones. */ if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){ $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); } + + /** + * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags. + * One day MS might actually make it match something useful, for now, falling + * back to using cid2http, so we can grab the blank.png. + */ + if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) { + $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox); + } + } /** * See if we need to append any attributes to this tag. @@ -1408,7 +1429,7 @@ /** * This function edits the style definition to make them friendly and - * usable in squirrelmail. + * usable in SquirrelMail. * * @param $message the message object * @param $id the message id 
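Review bot: The empty-src check `($attvalue == '""')` only recognises the double-quoted form, while the `cid:` and `outbind://` tests a few lines below accept either quote character (`^[\'\"]\s*`), so `src=''` still reaches the browser unchanged; `if (($attname == 'src') && ($attvalue == '""' || $attvalue == "''"))` covers both spellings. Whether an unquoted or whitespace-only value can arrive here depends on the attribute parser above, which is outside the hunk, as are the start and end of the enclosing function.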
@@ -1436,27 +1457,54 @@ /** * Fix url('blah') declarations. */ - $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", - "url(\\1$secremoveimg\\2)", $content); + // $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si", + // "url(\\1$secremoveimg\\2)", $content); + // remove NUL + $content = str_replace("\0", "", $content); + // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop. + while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { + $sProto = strtolower($matches[1]); + switch ($sProto) { /** * Fix url('https*://.*) declarations but only if $view_unsafe_images * is false. */ + case 'https': + case 'http': if (!$view_unsafe_images){ - $content = preg_replace("|url\s*\(\s*([\'\"])\s*https*:.*?([\'\"])\s*\)|si", - "url(\\1$secremoveimg\\2)", $content); + $sExpr = "/url\s*\(\s*([\'\"])\s*$sProto*:.*?([\'\"])\s*\)/si"; + $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content); } - + break; /** * Fix urls that refer to cid: */ - while (preg_match("|url\s*\(\s*([\'\"]\s*cid:.*?[\'\"])\s*\)|si", - $content, $matches)){ - $cidurl = $matches{1}; + case 'cid': + $cidurl = 'cid:'. $matches[2]; $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox); $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si", - "url($httpurl)", $content); + "u\0r\0l($httpurl)", $content); + break; + default: + /** + * replace url with protocol other then the white list + * http,https and cid by an empty string. + */ + $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", + "", $content); + break; } + break; + } + // remove NUL + $content = str_replace("\0", "", $content); + + /** + * Remove any backslashes, entities, and extraneous whitespace. + */ + $contentTemp = $content; + sq_defang($contentTemp); + sq_unspace($contentTemp); /** * Fix stupid css declarations which lead to vulnerabilities 
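Review bot: The `break;` placed directly after the `switch` (the `+ break;` line just before the closing `+ }`) leaves the `while` after its first iteration, so only the first `url()` declaration's scheme is handled and any later declaration with a different scheme is left as it is — with `$view_unsafe_images` false, an `https:` background following an `http:` one would still be fetched. Dropping that break is only safe if every branch consumes the match it found: the http/https branch leaves `$content` untouched when `$view_unsafe_images` is true and would then loop forever, so it should NUL-mark the allowed url the way the other branches do, and a no-progress guard is cheap insurance. Separately, `$cidurl` is interpolated into the `preg_replace` pattern unescaped; `preg_quote($cidurl, '|')` keeps metacharacters in a message's CSS from altering the pattern (an uncompilable pattern makes `preg_replace` return null and wipes `$content`), and the `$sProto*` in `$sExpr` repeats the scheme's last letter rather than matching the scheme. As far as I can read the outer pattern, `[\'\"]?` also swallows the opening quote, so the rebuilt `cid:` pattern never matches a quoted `url('cid:…')` — please verify with a quoted sample. sq_fixstyle begins and ends outside this hunk.
```php
    // NB every branch must consume the url( it matched (NUL-mark or remove it),
    //    otherwise the loop never advances; the NULs are stripped after the loop.
    while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
        $contentBefore = $content;
        $sProto = strtolower($matches[1]);
        switch ($sProto) {
            case 'https':
            case 'http':
                if (!$view_unsafe_images) {
                    $sExpr = "/url\s*\(\s*([\'\"])\s*$sProto\s*:.*?([\'\"])\s*\)/si";
                    $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content);
                } else {
                    // keep the url, but rename the token so it is not matched again
                    $content = preg_replace("/url(\s*\(\s*[\'\"]?\s*$sProto\s*:)/si", "u\0r\0l\\1", $content);
                }
                break;
            case 'cid':
                $cidurl  = 'cid:' . $matches[2];
                $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
                $content = preg_replace('|url\s*\(\s*' . preg_quote($cidurl, '|') . '\s*\)|si',
                                        "u\0r\0l($httpurl)", $content);
                break;
            default:
                // … unchanged: drop url() with a scheme outside the http/https/cid whitelist …
                break;
        }
        if ($content === $contentBefore) {
            // nothing was consumed (or preg_replace failed): stop rather than spin
            break;
        }
    }
    // … unchanged: strip the NUL markers, sq_defang / sq_unspace …
```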
@@ -1467,10 +1515,16 @@ '/binding/i', '/include-source/i'); $replace = Array('idiocy', 'idiocy', 'idiocy', 'idiocy'); - $content = preg_replace($match, $replace, $content); + $contentNew = preg_replace($match, $replace, $contentTemp); + if ($contentNew !== $contentTemp) { + // insecure css declarations are used. From now on we don't care + // anymore if the css is destroyed by sq_deent, sq_unspace or sq_unbackslash + $content = $contentNew; + } return array($content, $newpos); } + /** * This function converts cid: url's into the ones that can be viewed in * the browser. @@ -1492,15 +1546,46 @@ $quotchar = ''; } $cidurl = substr(trim($cidurl), 4); + + $match_str = '/\{.*?\}\//'; + $str_rep = ''; + $cidurl = preg_replace($match_str, $str_rep, $cidurl); + $linkurl = find_ent_id($cidurl, $message); /* in case of non-save cid links $httpurl should be replaced by a sort of unsave link image */ $httpurl = ''; - if ($linkurl) { + + /** + * This is part of a fix for Outlook Express 6.x generating + * cid URLs without creating content-id headers. These images are + * not part of the multipart/related html mail. The html contains + * <img src="cid:{some_id}/image_filename.ext"> references to + * attached images with as goal to render them inline although + * the attachment disposition property is not inline. + */ + + if (empty($linkurl)) { + if (preg_match('/{.*}\//', $cidurl)) { + $cidurl = preg_replace('/{.*}\//','', $cidurl); + if (!empty($cidurl)) { + $linkurl = find_ent_id($cidurl, $message); + } + } + } + + if (!empty($linkurl)) { $httpurl = $quotchar . SM_PATH . 'src/download.php?absolute_dl=true&' . "passed_id=$id&mailbox=" . urlencode($mailbox) . '&ent_id=' . $linkurl . $quotchar; + } else { + /** + * If we couldn't generate a proper img url, drop in a blank image + * instead of sending back empty, otherwise it causes unusual behaviour + */ + $httpurl = $quotchar . SM_PATH . 'images/blank.png'; } + return $httpurl; } 
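Review bot: In the @@ -1492 hunk the fallback branch builds `$httpurl = $quotchar . SM_PATH . 'images/blank.png';` without the closing `$quotchar`, while the branch above it ends with `. $quotchar`, so whenever the cid url was quoted the blank-image replacement comes back with an unbalanced quote, which is then substituted into the `url(...)` or `src=` it is meant to repair. It should read `$httpurl = $quotchar . SM_PATH . 'images/blank.png' . $quotchar;`. The `'&ent_id=' . $linkurl` value from find_ent_id() is concatenated raw whereas `$mailbox` is urlencode()d — presumably an entity id is only digits and dots, but `urlencode($linkurl)` would make that explicit. sq_cid2http starts above this hunk.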
@@ -1526,8 +1611,7 @@ $attvalue = str_replace($quotchar, "", $attvalue); switch ($attname){ case 'background': - $attvalue = sq_cid2http($message, $id, - $attvalue, $mailbox); + $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox); $styledef .= "background-image: url('$attvalue'); "; break; case 'bgcolor': @@ -1754,6 +1838,7 @@ "embed", "title", "frameset", + "xmp", "xml" ); @@ -1761,7 +1846,8 @@ "img", "br", "hr", - "input" + "input", + "outbind" ); $force_tag_closing = true; @@ -1816,6 +1902,7 @@ "/binding/i", "/behaviou*r/i", "/include-source/i", + "/position\s*:\s*absolute/i", "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si", @@ -1826,6 +1913,7 @@ "idiocy", "idiocy", "idiocy", + "", "url(\\1#\\1)", "url(\\1#\\1)", "url(\\1#\\1)", @@ -1856,7 +1944,7 @@ $add_attr_to_tag = Array( "/^a$/i" => - Array('target'=>'"_new"', + Array('target'=>'"_blank"', 'title'=>'"'._("This external link will open in a new window").'"' ) ); --- functions/page_header.php.orig Mon Dec 27 22:08:58 2004 +++ functions/page_header.php Wed Jun 15 23:50:03 2005 @@ -275,6 +275,7 @@ : html_tag( 'td', '', 'left' ) ) . "\n"; $urlMailbox = urlencode($mailbox); + $startMessage = (int)$startMessage; echo makeComposeLink('src/compose.php?mailbox='.$urlMailbox.'&startMessage='.$startMessage); echo " \n"; displayInternalLink ('src/addressbook.php', _("Addresses")); --- plugins/calendar/calendar.php.orig Mon Dec 27 16:03:49 2004 +++ plugins/calendar/calendar.php Wed Jun 15 23:51:15 2005 
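Review bot: In the @@ -1816 hunk the new `/position\s*:\s*absolute/i` pattern blanks absolute positioning but leaves `position: fixed`, which lets message CSS overlay the client UI just as well; `"/position\s*:\s*(absolute|fixed)/i"` covers both with the same empty replacement added in the @@ -1826 hunk. Only the inserted line and three neighbours of each array are visible, so please check that the two inserts land at the same index in `$match` and `$replace`.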
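Review bot: In the @@ -1856 hunk `target="_blank"` opens the external link in a window that keeps a `window.opener` reference to the webmail page, so the linked site can navigate the opener; adding `'rel'=>'"noopener noreferrer"'` to the same `/^a$/i` entry of `$add_attr_to_tag` removes that handle, and `noreferrer` also keeps the mailbox URL out of the Referer header. The move from `_new` to `_blank` is itself right — `_new` is not a reserved target name, so all such links shared one named window.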
@@ -28,17 +28,17 @@ require_once(SM_PATH . 'functions/html.php'); /* get globals */ - -if (isset($_GET['month'])) { +unset($month, $year); +if (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -if (isset($_GET['year'])) { +if (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -if (isset($_POST['year'])) { +if (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -if (isset($_POST['month'])) { +if (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } /* got 'em */ --- plugins/calendar/day.php,orig Mon Dec 27 16:03:49 2004 +++ plugins/calendar/day.php Wed Jun 15 23:51:52 2005 @@ -29,22 +29,23 @@ require_once(SM_PATH . 'functions/html.php'); /* get globals */ -if (isset($_GET['year'])) { +unset($year, $month, $day); +if (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -elseif (isset($_POST['year'])) { +elseif (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -if (isset($_GET['month'])) { +if (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -elseif (isset($_POST['month'])) { +elseif (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } -if (isset($_GET['day'])) { +if (isset($_GET['day']) && is_numeric($_GET['day'])) { $day = $_GET['day']; } -elseif (isset($_POST['day'])) { +elseif (isset($_POST['day']) && is_numeric($_POST['day'])) { $day = $_POST['day']; } --- plugins/calendar/event_create.php.orig Mon Dec 27 16:03:49 2004 +++ plugins/calendar/event_create.php Wed Jun 15 23:52:34 2005 
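Review bot: `is_numeric()` is a looser test than these parameters need: it accepts leading whitespace, signs, decimals and exponent forms (`" 1e3"`, `"-2.5"`, and on the PHP 5 of the day hex strings such as `"0x1A"`), so `$month` and `$year` still are not guaranteed to be integers when the calendar code uses them; casting after the check, e.g. `$month = (int)$_GET['month'];`, or testing `ctype_digit($_GET['month'])` instead would pin the type. The same applies to the day.php hunk on this line and to the event_create.php and event_edit.php hunks below. The added `unset()` lines are presumably there to clear any register_globals value that would otherwise survive when no request parameter is supplied, and should stay.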
@@ -28,41 +28,42 @@ require_once(SM_PATH . 'functions/html.php'); /* get globals */ - -if (isset($_POST['year'])) { +unset($year, $month, $day, $hour, $event_hour, $event_minute, + $event_length, $event_priority); +if (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -elseif (isset($_GET['year'])) { +elseif (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -if (isset($_POST['month'])) { +if (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } -elseif (isset($_GET['month'])) { +elseif (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -if (isset($_POST['day'])) { +if (isset($_POST['day']) && is_numeric($_POST['day'])) { $day = $_POST['day']; } -elseif (isset($_GET['day'])) { +elseif (isset($_GET['day']) && is_numeric($_GET['day'])) { $day = $_GET['day']; } -if (isset($_POST['hour'])) { +if (isset($_POST['hour']) && is_numeric($_POST['hour'])) { $hour = $_POST['hour']; } -elseif (isset($_GET['hour'])) { +elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) { $hour = $_GET['hour']; } -if (isset($_POST['event_hour'])) { +if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) { $event_hour = $_POST['event_hour']; } -if (isset($_POST['event_minute'])) { +if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) { $event_minute = $_POST['event_minute']; } -if (isset($_POST['event_length'])) { +if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) { $event_length = $_POST['event_length']; } -if (isset($_POST['event_priority'])) { +if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) { $event_priority = $_POST['event_priority']; } if (isset($_POST['event_title'])) { --- plugins/calendar/event_edit.php.orig Mon Dec 27 16:03:49 2004 +++ plugins/calendar/event_edit.php Wed Jun 15 23:53:22 2005 
@@ -29,26 +29,27 @@ /* get globals */ - +unset($event_year, $event_month, $event_day, $event_hour, $event_minute, + $event_length, $event_priority, $year, $month, $day, $hour, $minute); if (isset($_POST['updated'])) { $updated = $_POST['updated']; } -if (isset($_POST['event_year'])) { +if (isset($_POST['event_year']) && is_numeric($_POST['event_year'])) { $event_year = $_POST['event_year']; } -if (isset($_POST['event_month'])) { +if (isset($_POST['event_month']) && is_numeric($_POST['event_month'])) { $event_month = $_POST['event_month']; } -if (isset($_POST['event_day'])) { +if (isset($_POST['event_day']) && is_numeric($_POST['event_day'])) { $event_day = $_POST['event_day']; } -if (isset($_POST['event_hour'])) { +if (isset($_POST['event_hour']) && is_numeric($_POST['event_hour'])) { $event_hour = $_POST['event_hour']; } -if (isset($_POST['event_minute'])) { +if (isset($_POST['event_minute']) && is_numeric($_POST['event_minute'])) { $event_minute = $_POST['event_minute']; } -if (isset($_POST['event_length'])) { +if (isset($_POST['event_length']) && is_numeric($_POST['event_length'])) { $event_length = $_POST['event_length']; } if (isset($_POST['event_title'])) { 
@@ -60,40 +61,40 @@ if (isset($_POST['send'])) { $send = $_POST['send']; } -if (isset($_POST['event_priority'])) { +if (isset($_POST['event_priority']) && is_numeric($_POST['event_priority'])) { $event_priority = $_POST['event_priority']; } if (isset($_POST['confirmed'])) { $confirmed = $_POST['confirmed']; } -if (isset($_POST['year'])) { +if (isset($_POST['year']) && is_numeric($_POST['year'])) { $year = $_POST['year']; } -elseif (isset($_GET['year'])) { +elseif (isset($_GET['year']) && is_numeric($_GET['year'])) { $year = $_GET['year']; } -if (isset($_POST['month'])) { +if (isset($_POST['month']) && is_numeric($_POST['month'])) { $month = $_POST['month']; } -elseif (isset($_GET['month'])) { +elseif (isset($_GET['month']) && is_numeric($_GET['month'])) { $month = $_GET['month']; } -if (isset($_POST['day'])) { +if (isset($_POST['day']) && is_numeric($_POST['day'])) { $day = $_POST['day']; } -elseif (isset($_GET['day'])) { +elseif (isset($_GET['day']) && is_numeric($_GET['day'])) { $day = $_GET['day']; } -if (isset($_POST['hour'])) { +if (isset($_POST['hour']) && is_numeric($_POST['hour'])) { $hour = $_POST['hour']; } -elseif (isset($_GET['hour'])) { +elseif (isset($_GET['hour']) && is_numeric($_GET['hour'])) { $hour = $_GET['hour']; } -if (isset($_POST['minute'])) { +if (isset($_POST['minute']) && is_numeric($_POST['minute'])) { $minute = $_POST['minute']; } -elseif (isset($_GET['minute'])) { +elseif (isset($_GET['minute']) && is_numeric($_GET['minute'])) { $minute = $_GET['minute']; } /* got 'em */ --- plugins/filters/options.php.orig Mon Dec 27 16:03:57 2004 +++ plugins/filters/options.php Wed Jun 15 23:50:03 2005 
@@ -189,7 +189,7 @@ html_tag( 'td', '', 'left' ) . '<input type="text" size="32" name="filter_what" value="'; if (isset($filters[$theid]['what'])) { - echo $filters[$theid]['what']; + echo htmlspecialchars($filters[$theid]['what']); } echo '" />'. '</td>'. --- plugins/filters/spamoptions.php.orig Mon Dec 27 16:03:57 2004 +++ plugins/filters/spamoptions.php Wed Jun 15 23:50:03 2005 @@ -199,7 +199,7 @@ echo html_tag( 'p', '', 'center' ) . '[<a href="spamoptions.php?action=spam">' . _("Edit") . '</a>]' . ' - [<a href="../../src/options.php">' . _("Done") . '</a>]</center><br /><br />'; - printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.imap_utf7_decode_local($filters_spam_folder).'</b>':'[<i>'._("not set yet").'</i>]' ) ); + printf( _("Spam is sent to %s."), ($filters_spam_folder?'<b>'.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'</b>':'[<i>'._("not set yet").'</i>]' ) ); echo '<br />'; printf( _("Spam scan is limited to %s."), '<b>' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '</b>' ); echo '</p>'. --- plugins/listcommands/mailout.php,orig Mon Dec 27 16:03:58 2004 +++ plugins/listcommands/mailout.php Wed Jun 15 23:50:03 2005 @@ -25,14 +25,6 @@ sqgetGlobalVar('body', $body, SQ_GET); sqgetGlobalVar('action', $action, SQ_GET); -echo html_tag('p', '', 'left' ) . -html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" . - html_tag( 'tr', - html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] ) - ) . - html_tag( 'tr' ) . - html_tag( 'td', '', 'left' ); - switch ( $action ) { case 'help': $out_string = _("This will send a message to %s requesting help for this list. You will receive an emailed response at the address below."); 
@@ -42,7 +34,19 @@ break; case 'unsubscribe': $out_string = _("This will send a message to %s requesting that you will be unsubscribed from this list. It will try to unsubscribe the adress below."); +default: + error_box(sprintf(_("Unknown action: %s"),htmlspecialchars($action)), $color); + exit; } + +echo html_tag('p', '', 'left' ) . +html_tag( 'table', '', 'center', $color[0], 'border="0" width="75%"' ) . "\n" . + html_tag( 'tr', + html_tag( 'th', _("Mailinglist") . ' ' . _($action), '', $color[9] ) + ) . + html_tag( 'tr' ) . + html_tag( 'td', '', 'left' ); + printf( $out_string, htmlspecialchars($send_to) ); --- plugins/newmail/newmail.php.orig Mon Dec 27 16:03:58 2004 +++ plugins/newmail/newmail.php Wed Jun 15 23:50:03 2005 @@ -22,6 +22,7 @@ require_once(SM_PATH . 'functions/page_header.php'); sqGetGlobalVar('numnew', $numnew, SQ_GET); +$numnew = (int)$numnew; displayHtmlHeader( _("New Mail"), '', FALSE ); --- plugins/spamcop/setup.php.orig Mon Dec 27 16:03:58 2004 +++ plugins/spamcop/setup.php Wed Jun 15 23:50:03 2005 @@ -75,6 +75,9 @@ sqgetGlobalVar('passed_ent_id',$passed_ent_id,SQ_FORM); sqgetGlobalVar('mailbox', $mailbox, SQ_FORM); sqgetGlobalVar('startMessage', $startMessage, SQ_FORM); + if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) { + $startMessage = (int)$startMessage; + } /* END GLOBALS */ // catch unset passed_ent_id --- plugins/squirrelspell/modules/lang_change.mod,orig Sat Jun 12 18:39:48 2004 +++ plugins/squirrelspell/modules/lang_change.mod Wed Jun 15 23:50:03 2005 
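Review bot: The new `default:` label follows the `case 'unsubscribe':` assignment with no `break;` in between, so an unsubscribe request falls through into `error_box(sprintf(_("Unknown action: %s"), ...))` and `exit`s before anything is sent; a `break;` is needed after the `$out_string = ...` line of the unsubscribe case. The hunk header's counts (7 old, 19 new lines) agree with the lines shown, so the missing break does not look like an artefact of the flattened patch text. Rejecting unknown `$action` values before the moved header echo reaches `_($action)` is the right shape — just keep the break.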
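Review bot: In the spamcop/setup.php hunk `sqgetGlobalVar('startMessage', $startMessage, SQ_FORM)` is now called twice in a row — the pre-existing unconditional call and the new one inside the `if`; the first can be dropped and the guarded form kept, `if ( sqgetGlobalVar('startMessage', $startMessage, SQ_FORM) ) { $startMessage = (int)$startMessage; }`. The src/compose.php hunk further down repeats the same pattern with its `sqgetGlobalVar('startMessage',$startMessage)` line.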
@@ -69,11 +69,11 @@ $lang_array = explode( ',', $lang_string ); $dsp_string = ''; foreach( $lang_array as $a) { - $dsp_string .= _(trim($a)) . ', '; + $dsp_string .= _(htmlspecialchars(trim($a))) . ', '; } $dsp_string = substr( $dsp_string, 0, -2 ); $msg = '<p>' - . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._($lang_default).'</strong>') + . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), '<strong>'.$dsp_string.'</strong>', '<strong>'._(htmlspecialchars($lang_default)).'</strong>') . '</p>'; } else { /** --- src/addressbook.php.orig Mon Dec 27 16:03:59 2004 +++ src/addressbook.php Wed Jun 15 23:50:03 2005 @@ -279,7 +279,7 @@ html_tag( 'tr', html_tag( 'td', "\n". '<strong><font color="' . $color[2] . - '">' . _("ERROR") . ': ' . $abook->error . '</font></strong>' ."\n", + '">' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '</font></strong>' ."\n", 'center' ) ), 'center', '', 'width="100%"' ); @@ -331,7 +331,7 @@ html_tag( 'tr', html_tag( 'td', "\n". '<br /><strong><font color="' . $color[2] . - '">' . _("ERROR") . ': ' . $formerror . '</font></strong>' ."\n", + '">' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '</font></strong>' ."\n", 'center' ) ), 'center', '', 'width="100%"' ); @@ -343,6 +343,7 @@ /* Get and sort address list */ $alist = $abook->list_addr(); if(!is_array($alist)) { + $abook->error = htmlspecialchars($abook->error); plain_error_message($abook->error, $color); exit; } --- src/compose.php,orig Mon Jan 3 16:06:28 2005 +++ src/compose.php Wed Jun 15 23:50:03 2005 
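Review bot: `_(htmlspecialchars(trim($a)))` escapes before the gettext lookup, so a dictionary name containing `&`, `<`, `>` or `"` is looked up under its escaped spelling and misses its translation; escaping the result, `htmlspecialchars(_(trim($a)))`, keeps the lookup key intact and still escapes whatever is echoed — the same applies to the `_(htmlspecialchars($lang_default))` expression in this hunk. That ordering assumes the translation catalogue is trusted not to carry markup, which is how `_()` output is already used elsewhere on this page (the `_("ERROR")` strings are concatenated raw).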
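Review bot: In the src/addressbook.php @@ -343 hunk, `$abook->error = htmlspecialchars($abook->error);` writes the escaped text back into the object instead of escaping at output, so any later reader of `$abook->error` (the @@ -279 hunk escapes it again at its echo) would double-encode it; `plain_error_message(htmlspecialchars($abook->error), $color);` gives the same output without mutating the object. The `exit;` that follows makes this harmless today, but it is the only hunk on the page that escapes in place rather than at the output site.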
@@ -76,6 +76,11 @@ sqgetGlobalVar('saved_draft',$saved_draft); sqgetGlobalVar('delete_draft',$delete_draft); sqgetGlobalVar('startMessage',$startMessage); +if ( sqgetGlobalVar('startMessage',$startMessage) ) { + $startMessage = (int)$startMessage; +} else { + $startMessage = 1; +} /** POST VARS */ sqgetGlobalVar('sigappend', $sigappend, SQ_POST); --- src/printer_friendly_bottom.php.orig Tue Dec 28 14:02:49 2004 +++ src/printer_friendly_bottom.php Wed Jun 15 23:50:03 2005 @@ -33,7 +33,8 @@ sqgetGlobalVar('passed_id', $passed_id, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_GET); -if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) ) { +if (! sqgetGlobalVar('passed_ent_id', $passed_ent_id, SQ_GET) || + ! preg_match('/^\d+(\.\d+)*$/', $passed_ent_id) ) { $passed_ent_id = ''; } /* end globals */ --- src/right_main.php.orig Mon Dec 27 16:04:00 2004 +++ src/right_main.php Wed Jun 15 23:50:03 2005 @@ -165,7 +165,7 @@ do_hook('right_main_after_header'); if (isset($note)) { - echo html_tag( 'div', '<b>' . $note .'</b>', 'center' ) . "<br />\n"; + echo html_tag( 'div', '<b>' . htmlspecialchars($note) .'</b>', 'center' ) . "<br />\n"; } if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) { Updated Portrevision: --- Makefile.orig Sun Jun 19 11:57:58 2005 +++ Makefile Sun Jun 19 11:58:09 2005 @@ -7,7 +7,7 @@ PORTNAME= squirrelmail PORTVERSION?= 1.4.4 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES?= mail www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= squirrelmail >Release-Note: >Audit-Trail: >Unformatted:
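Review bot: In the printer_friendly_bottom.php hunk, `preg_match('/^\d+(\.\d+)*$/', $passed_ent_id)` lets a trailing newline through, because `$` also matches just before a final newline, so `"1.2\n"` passes the check; `'/^\d+(\.\d+)*\z/'` (or the `D` modifier) makes the end anchor strict. Falling back to `$passed_ent_id = ''` is a sensible reject path; the code that consumes the value is outside the hunk.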