Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/mail-client/squirrelmail/files
diff options
context:
space:
mode:
authorJeremy Huddleston <eradicator@gentoo.org>2007-05-19 14:26:22 +0000
committerJeremy Huddleston <eradicator@gentoo.org>2007-05-19 14:26:22 +0000
commit60b2b847e0158c1deecc709a6c8f4207480a6b29 (patch)
tree44141eed7dad13a32b31fc9494464c5a98aac313 /mail-client/squirrelmail/files
parentVersion bumped. (diff)
downloadgentoo-2-60b2b847e0158c1deecc709a6c8f4207480a6b29.tar.gz
gentoo-2-60b2b847e0158c1deecc709a6c8f4207480a6b29.tar.bz2
gentoo-2-60b2b847e0158c1deecc709a6c8f4207480a6b29.zip
Added patch to fix security issue in 1.5.1.
(Portage version: 2.1.2.7)
Diffstat (limited to 'mail-client/squirrelmail/files')
-rw-r--r--mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r3 (renamed from mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r2)0
-rw-r--r--mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch354
2 files changed, 354 insertions, 0 deletions
diff --git a/mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r2 b/mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r3
index a508701ccbf1..a508701ccbf1 100644
--- a/mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r2
+++ b/mail-client/squirrelmail/files/digest-squirrelmail-1.5.1-r3
diff --git a/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch
new file mode 100644
index 000000000000..36f0680eeb3a
--- /dev/null
+++ b/mail-client/squirrelmail/files/squirrelmail-1.5.1-CVE-2007-1262.patch
@@ -0,0 +1,354 @@
+Index: src/view_text.php
+===================================================================
+--- src/view_text.php (revision 12419)
++++ src/view_text.php (working copy)
+@@ -70,10 +70,10 @@
+ }
+
+ if ($type1 == 'html' || (isset($override_type1) && $override_type1 == 'html')) {
+- $body = MagicHTML( $body, $passed_id, $message, $mailbox);
+ // html attachment with character set information
+ if (! empty($charset))
+ $body = charset_decode($charset,$body,false,true);
++ $body = MagicHTML( $body, $passed_id, $message, $mailbox);
+ } else {
+ translateText($body, $wrap_at, $charset);
+ }
+Index: src/compose.php
+===================================================================
+--- src/compose.php (revision 12419)
++++ src/compose.php (working copy)
+@@ -55,32 +55,42 @@
+ }
+
+ /** SESSION/POST/GET VARS */
+-sqgetGlobalVar('session',$session);
+-sqgetGlobalVar('mailbox',$mailbox);
+-if(!sqgetGlobalVar('identity',$identity)) {
++sqgetGlobalVar('send', $send, SQ_POST);
++// Send can only be achieved by setting $_POST var. If Send = true then
++// retrieve other form fields from $_POST
++if (isset($send) && $send) {
++ $SQ_GLOBAL = SQ_POST;
++} else {
++ $SQ_GLOBAL = SQ_FORM;
++}
++sqgetGlobalVar('session',$session, $SQ_GLOBAL);
++sqgetGlobalVar('mailbox',$mailbox, $SQ_GLOBAL);
++if(!sqgetGlobalVar('identity',$identity, $SQ_GLOBAL)) {
+ $identity=0;
+ }
+-sqgetGlobalVar('send_to',$send_to);
+-sqgetGlobalVar('send_to_cc',$send_to_cc);
+-sqgetGlobalVar('send_to_bcc',$send_to_bcc);
+-sqgetGlobalVar('subject',$subject);
+-sqgetGlobalVar('body',$body);
+-sqgetGlobalVar('mailprio',$mailprio);
+-sqgetGlobalVar('request_mdn',$request_mdn);
+-sqgetGlobalVar('request_dr',$request_dr);
+-sqgetGlobalVar('html_addr_search',$html_addr_search);
+-sqgetGlobalVar('mail_sent',$mail_sent);
+-sqgetGlobalVar('passed_id',$passed_id);
+-sqgetGlobalVar('passed_ent_id',$passed_ent_id);
+-sqgetGlobalVar('send',$send);
++sqgetGlobalVar('send_to',$send_to, $SQ_GLOBAL);
++sqgetGlobalVar('send_to_cc',$send_to_cc, $SQ_GLOBAL);
++sqgetGlobalVar('send_to_bcc',$send_to_bcc, $SQ_GLOBAL);
++sqgetGlobalVar('subject',$subject, $SQ_GLOBAL);
++sqgetGlobalVar('body',$body, $SQ_GLOBAL);
++sqgetGlobalVar('mailprio',$mailprio, $SQ_GLOBAL);
++sqgetGlobalVar('request_mdn',$request_mdn, $SQ_GLOBAL);
++sqgetGlobalVar('request_dr',$request_dr, $SQ_GLOBAL);
++sqgetGlobalVar('html_addr_search',$html_addr_search, $SQ_GLOBAL);
++sqgetGlobalVar('mail_sent',$mail_sent, $SQ_GLOBAL);
++sqgetGlobalVar('passed_id',$passed_id, $SQ_GLOBAL);
++sqgetGlobalVar('passed_ent_id',$passed_ent_id, $SQ_GLOBAL);
+
+-sqgetGlobalVar('attach',$attach);
++sqgetGlobalVar('attach',$attach, SQ_POST);
++sqgetGlobalVar('draft',$draft, SQ_POST);
++sqgetGlobalVar('draft_id',$draft_id, $SQ_GLOBAL);
++sqgetGlobalVar('ent_num',$ent_num, $SQ_GLOBAL);
++sqgetGlobalVar('saved_draft',$saved_draft, SQ_FORM);
+
+-sqgetGlobalVar('draft',$draft);
+-sqgetGlobalVar('draft_id',$draft_id);
+-sqgetGlobalVar('ent_num',$ent_num);
+-sqgetGlobalVar('saved_draft',$saved_draft);
+-sqgetGlobalVar('delete_draft',$delete_draft);
++if ( sqgetGlobalVar('delete_draft',$delete_draft) ) {
++ $delete_draft = (int)$delete_draft;
++}
++
+ if ( sqgetGlobalVar('startMessage',$startMessage) ) {
+ $startMessage = (int)$startMessage;
+ } else {
+Index: functions/mime.php
+===================================================================
+--- functions/mime.php (revision 12419)
++++ functions/mime.php (working copy)
+@@ -428,13 +428,16 @@
+ $body.="</iframe></div>\n";
+ } else {
+ // old way of html rendering
+- $body = magicHTML($body, $id, $message, $mailbox);
+ /**
+ * convert character set. charset_decode does not remove html special chars
+ * applied by magicHTML functions and does not sanitize them second time if
+ * fourth argument is true.
+ */
+- $body = charset_decode($body_message->header->getParameter('charset'),$body,false,true);
++ $charset = $body_message->header->getParameter('charset');
++ if (!empty($charset)) {
++ $body = charset_decode($charset,$body,false,true);
++ }
++ $body = magicHTML($body, $id, $message, $mailbox);
+ }
+ } else {
+ translateText($body, $wrap_at,
+@@ -1623,38 +1626,34 @@
+ preg_replace($valmatch, $valrepl, $attvalue);
+ if ($newvalue != $attvalue){
+ $attary{$attname} = $newvalue;
++ $attvalue = $newvalue;
+ }
+ }
+ }
+ }
+ }
+-
+- /**
+- * Replace empty src tags with the blank image. src is only used
+- * for frames, images, and image inputs. Doing a replace should
+- * not affect them working as should be, however it will stop
+- * IE from being kicked off when src for img tags are not set
+- */
+- if (($attname == 'src') && ($attvalue == '""')) {
+- $attary{$attname} = '"' . SM_PATH . 'images/blank.png"';
++ if ($attname == 'style') {
++ if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) {
++ // 8bit and control characters in style attribute values can be used for XSS, remove them
++ $attary{$attname} = '"disallowed character"';
++ }
++ preg_match_all("/url\s*\((.+)\)/si",$attvalue,$aMatch);
++ if (count($aMatch)) {
++ foreach($aMatch[1] as $sMatch) {
++ // url value
++ $urlvalue = $sMatch;
++ sq_fix_url($attname, $urlvalue, $message, $id, $mailbox,"'");
++ $attary{$attname} = str_replace($sMatch,$urlvalue,$attvalue);
++ }
++ }
+ }
+-
+ /**
+- * Turn cid: urls into http-friendly ones.
++ * Use white list based filtering on attributes which can contain url's
+ */
+- if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){
+- $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
++ else if ($attname == 'href' || $attname == 'src' || $attname == 'background') {
++ sq_fix_url($attname, $attvalue, $message, $id, $mailbox);
++ $attary{$attname} = $attvalue;
+ }
+-
+- /**
+- * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags.
+- * One day MS might actually make it match something useful, for now, falling
+- * back to using cid2http, so we can grab the blank.png.
+- */
+- if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) {
+- $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
+- }
+-
+ }
+ /**
+ * See if we need to append any attributes to this tag.
+@@ -1668,6 +1667,98 @@
+ }
+
+ /**
++ * This function filters url's
++ *
++ * @param $attvalue String with attribute value to filter
++ * @param $message message object
++ * @param $id message id
++ * @param $mailbox mailbox
++ * @param $sQuote quoting characters around url's
++ */
++function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"') {
++ $attvalue = trim($attvalue);
++ if ($attvalue && ($attvalue[0] =='"'|| $attvalue[0] == "'")) {
++ // remove the double quotes
++ $sQuote = $attvalue[0];
++ $attvalue = trim(substr($attvalue,1,-1));
++ }
++
++ if( !sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET) ) {
++ $view_unsafe_images = false;
++ }
++ $secremoveimg = '../images/' . _("sec_remove_eng.png");
++
++ /**
++ * Replace empty src tags with the blank image. src is only used
++ * for frames, images, and image inputs. Doing a replace should
++ * not affect them working as should be, however it will stop
++ * IE from being kicked off when src for img tags are not set
++ */
++ if ($attvalue == '') {
++ $attvalue = '"' . SM_PATH . 'images/blank.png"';
++ } else {
++ // first, disallow 8 bit characters and control characters
++ if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) {
++ switch ($attname) {
++ case 'href':
++ $attvalue = $sQuote . 'http://invalid-stuff-detected.example.com' . $sQuote;
++ break;
++ default:
++ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
++ break;
++ }
++ } else {
++ $aUrl = parse_url($attvalue);
++ if (isset($aUrl['scheme'])) {
++ switch(strtolower($aUrl['scheme'])) {
++ case 'http':
++ case 'https':
++ case 'ftp':
++ if ($attname != 'href') {
++ if ($view_unsafe_images == false) {
++ $attvalue = $sQuote . $secremoveimg . $sQuote;
++ } else {
++ if (isset($aUrl['path'])) {
++ // validate image extension.
++ $ext = strtolower(substr($aUrl['path'],strrpos($aUrl['path'],'.')));
++ if (!in_array($ext,array('.jpeg','.jpg','xjpeg','.gif','.bmp','.jpe','.png','.xbm'))) {
++ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
++ }
++ } else {
++ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
++ }
++ }
++ }
++ break;
++ case 'outbind':
++ /**
++ * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags.
++ * One day MS might actually make it match something useful, for now, falling
++ * back to using cid2http, so we can grab the blank.png.
++ */
++ $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
++ break;
++ case 'cid':
++ /**
++ * Turn cid: urls into http-friendly ones.
++ */
++ $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
++ break;
++ default:
++ $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
++ break;
++ }
++ } else {
++ if (!(isset($aUrl['path']) && $aUrl['path'] == $secremoveimg)) {
++ // parse_url did not lead to satisfying result
++ $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
++ }
++ }
++ }
++ }
++}
++
++/**
+ * This function edits the style definition to make them friendly and
+ * usable in SquirrelMail.
+ *
+@@ -1699,51 +1790,30 @@
+ */
+ // $content = preg_replace("|url\s*\(\s*([\'\"])\s*\S+script\s*:.*?([\'\"])\s*\)|si",
+ // "url(\\1$secremoveimg\\2)", $content);
++
++ // first check for 8bit sequences and disallowed control characters
++ if (preg_match('/[\16-\37\200-\377]+/',$content)) {
++ $content = '<!-- style block removed by html filter due to presence of 8bit characters -->';
++ return array($content, $newpos);
++ }
++
+ // remove NUL
+ $content = str_replace("\0", "", $content);
+
+- // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop.
+- while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) {
+- $sProto = strtolower($matches[1]);
+- switch ($sProto) {
+- /**
+- * Fix url('https*://.*) declarations but only if $view_unsafe_images
+- * is false.
+- */
+- case 'https':
+- case 'http':
+- if (!$view_unsafe_images){
++ preg_match_all("/url\s*\((.+)\)/si",$content,$aMatch);
++ if (count($aMatch)) {
++ $aValue = $aReplace = array();
++ foreach($aMatch[1] as $sMatch) {
++ // url value
++ $urlvalue = $sMatch;
++ sq_fix_url('style',$urlvalue, $message, $id, $mailbox,"'");
++ $aValue[] = $sMatch;
++ $aReplace[] = $urlvalue;
++ }
++ $content = str_replace($aValue,$aReplace,$content);
++ }
+
+- $sExpr = "/url\s*\(\s*[\'\"]?\s*$sProto*:.*[\'\"]?\s*\)/si";
+- $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content);
+
+- } else {
+- $content = preg_replace('/url/i',"u\0r\0l",$content);
+- }
+- break;
+- /**
+- * Fix urls that refer to cid:
+- */
+- case 'cid':
+- $cidurl = 'cid:'. $matches[2];
+- $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox);
+- // escape parentheses that can modify the regular expression
+- $cidurl = str_replace(array('(',')'),array('\\(','\\)'),$cidurl);
+- $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si",
+- "u\0r\0l($httpurl)", $content);
+- break;
+- default:
+- /**
+- * replace url with protocol other then the white list
+- * http,https and cid by an empty string.
+- */
+- $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si",
+- "", $content);
+- break;
+- }
+- }
+- // remove NUL
+- $content = str_replace("\0", "", $content);
+ /**
+ * Remove any backslashes, entities, and extraneous whitespace.
+ */
+@@ -2175,7 +2245,7 @@
+ "idiocy",
+ "idiocy",
+ "idiocy",
+- "",
++ "idiocy",
+ "url(\\1#\\1)",
+ "url(\\1#\\1)",
+ "url(\\1#\\1)",
+@@ -2220,7 +2290,7 @@
+ $id,
+ $mailbox
+ );
+- if (preg_match("|$secremoveimg|i", $trusted)){
++ if (strpos($trusted,$secremoveimg)){
+ $has_unsafe_images = true;
+ }
+