ports/98588: Maintainer port update: mail/squirrelmail
Simon Dick
simond at irrelevant.org
Tue Jun 6 09:30:37 UTC 2006
>Number: 98588
>Category: ports
>Synopsis: Maintainer port update: mail/squirrelmail
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Jun 06 09:30:22 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Simon Dick
>Release: FreeBSD 6.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD amd64.irrelevant.org 6.1-RELEASE FreeBSD 6.1-RELEASE #3: Tue May 9 10:53:21 BST 2006 root at amd64.irrelevant.org:/usr/obj/usr/src/sys/HOME amd64
>Description:
Apply a security fix to mail/squirrelmail
>How-To-Repeat:
>Fix:
diff -ruN /usr/ports/mail/squirrelmail/Makefile squirrelmail/Makefile
--- /usr/ports/mail/squirrelmail/Makefile Mon Mar 20 16:24:33 2006
+++ squirrelmail/Makefile Tue Jun 6 10:19:01 2006
@@ -7,6 +7,7 @@
PORTNAME= squirrelmail
PORTVERSION= 1.4.6
+PORTREVISION= 1
CATEGORIES= mail www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
@@ -57,7 +58,7 @@
post-patch:
.ifndef PATCH_DEBUG
- @${RM} -f ${WRKSRC}/config/config_default.php.orig
+ @${RM} -f ${WRKSRC}/config/config_default.php.orig ${WRKSRC}/functions/global.php.orig
.endif
@${REINPLACE_CMD} -e 's|ispell|${LOCALBASE}/bin/ispell|g' \
${WRKSRC}/plugins/squirrelspell/sqspell_config.php
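Review bot: the explicit list of .orig files in the PATCH_DEBUG-guarded post-patch cleanup now has to be kept in sync with every patch in files/; the added `${WRKSRC}/functions/global.php.orig` is required because the new patch-functions-global.php leaves that backup behind, but a glob-based cleanup such as `@${FIND} ${WRKSRC} -name '*.orig' -delete` would cover future patches without further Makefile edits. The change itself is consistent with the new patch file.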
diff -ruN /usr/ports/mail/squirrelmail/files/patch-functions-global.php squirrelmail/files/patch-functions-global.php
--- /usr/ports/mail/squirrelmail/files/patch-functions-global.php Thu Jan 1 01:00:00 1970
+++ squirrelmail/files/patch-functions-global.php Tue Jun 6 10:13:04 2006
@@ -0,0 +1,50 @@
+--- functions/global.php.orig Fri Feb 3 22:27:47 2006
++++ functions/global.php Tue Jun 6 10:12:22 2006
+@@ -62,6 +62,47 @@
+ sqstripslashes($_POST);
+ }
+
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++ strtolower(ini_get('register_globals'))!='off') {
++ /**
++ * Remove all globals from $_GET, $_POST, and $_COOKIE.
++ */
++ foreach ($_REQUEST as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized $_FILES variables
++ * Before 4.3.0 $_FILES are included in $_REQUEST.
++ * Unglobalize them in separate call in order to remove dependency
++ * on PHP version.
++ */
++ foreach ($_FILES as $key => $value) {
++ unset($GLOBALS[$key]);
++ // there are three undocumented $_FILES globals.
++ unset($GLOBALS[$key.'_type']);
++ unset($GLOBALS[$key.'_name']);
++ unset($GLOBALS[$key.'_size']);
++ }
++ /**
++ * Remove globalized environment variables.
++ */
++ foreach ($_ENV as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized server variables.
++ */
++ foreach ($_SERVER as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+ This fixes hand crafted url XXS expoits for any
+ page that uses PHP_SELF as the FORM action */
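Review bot: the unregistration loops apply `unset($GLOBALS[$key])` to every key of $_REQUEST, $_FILES, $_ENV and $_SERVER without excluding the names of the superglobal arrays themselves (GLOBALS, _GET, _POST, _COOKIE, _REQUEST, _FILES, _ENV, _SERVER, _SESSION), so a key with one of those names would remove the array from $GLOBALS instead of a registered global; skipping an explicit list of those names before the unset (e.g. `if (in_array($key, $superglobals)) continue;`) keeps the cleanup from touching them. The header comment "Remove all globals from $_GET, $_POST, and $_COOKIE" should also say that the loop iterates $_REQUEST, whose contents follow variables_order, since that is what the code actually does.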
>Release-Note:
>Audit-Trail:
>Unformatted: