ports/73667: Maintainer port update: mail/squirrelmail

Simon Dick simond at home.irrelevant.org
Mon Nov 8 10:40:30 UTC 2004 

>Number:         73667
>Category:       ports
>Synopsis:       Maintainer port update: mail/squirrelmail
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 08 10:40:29 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Simon Dick
>Release:        FreeBSD 4.9-RELEASE-p1 i386
>Organization:
>Environment:
System: FreeBSD nelly.internal.irrelevant.org 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #5: Sat Feb 7 07:48:58 GMT 2004 root at nelly.internal.irrelevant.org:/usr/obj/usr/src/sys/ELEPHANT i386


>Description:

Fix for XSS scripting flaw

>How-To-Repeat:
	
>Fix:

diff -ruN /usr/ports/mail/squirrelmail/Makefile squirrelmail/Makefile
--- /usr/ports/mail/squirrelmail/Makefile	Wed Nov  3 09:04:51 2004
+++ squirrelmail/Makefile	Mon Nov  8 10:29:56 2004
@@ -7,7 +7,7 @@
 
 PORTNAME=	squirrelmail
 PORTVERSION?=	1.4.3a
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES?=	mail www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	squirrelmail
diff -ruN /usr/ports/mail/squirrelmail/files/patch-sm143a-xss.diff squirrelmail/files/patch-sm143a-xss.diff
--- /usr/ports/mail/squirrelmail/files/patch-sm143a-xss.diff	Thu Jan  1 01:00:00 1970
+++ squirrelmail/files/patch-sm143a-xss.diff	Mon Nov  8 10:29:15 2004
@@ -0,0 +1,28 @@
+diff -urN functions/mime.php functions/mime.php
+--- functions/mime.php	2004-05-23 19:14:11.000000000 +0300
++++ functions/mime.php	2004-11-03 19:16:50.000000000 +0200
+@@ -602,13 +602,22 @@
+             }
+             $iLastMatch = $i;
+             $j = $i;
+-            $ret .= $res[1];
++            if ($htmlsave) {
++                $ret .= htmlspecialchars($res[1]);
++            } else {
++                $ret .= $res[1];
++            }
+             $encoding = ucfirst($res[3]);
+             switch ($encoding)
+             {
+             case 'B':
+                 $replace = base64_decode($res[4]);
+-                $ret .= charset_decode($res[2],$replace);
++                if ($utfencode) {
++                    $replace = charset_decode($res[2],$replace);
++                } elseif ($htmlsave) {
++                    $replace = htmlspecialchars($replace);
++                }
++                $ret .= $replace;
+                 break;
+             case 'Q':
+                 $replace = str_replace('_', ' ', $res[4]);
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list