diff options
| author | Yen-Ming Lee <leeym@FreeBSD.org> | 2006-09-28 13:15:41 +0000 |
|---|---|---|
| committer | Yen-Ming Lee <leeym@FreeBSD.org> | 2006-09-28 13:15:41 +0000 |
| commit | 89d3dc0029dd21b30db146f646da2b50452cde0f (patch) | |
| tree | 677cb4eed7d47e592ec8d3a9536e61345dad1e7c /mail/openwebmail | |
| parent | b9ce1a484e3d491939b4e94f61a29570a5d6b5e3 (diff) | |
| download | ports-89d3dc0029dd21b30db146f646da2b50452cde0f.tar.gz ports-89d3dc0029dd21b30db146f646da2b50452cde0f.zip | |
- fix cross-site scripting (XSS) vulnerability in openwebmail-read.pl
- bump PORTREVISION
Submitted by: rafan
Security: CVE-2006-3233
Notes
Notes:
svn path=/head/; revision=174033
Diffstat (limited to 'mail/openwebmail')
| -rw-r--r-- | mail/openwebmail/Makefile | 2 | ||||
| -rw-r--r-- | mail/openwebmail/files/patch-CVE-2006-3233 | 29 |
2 files changed, 30 insertions, 1 deletions
diff --git a/mail/openwebmail/Makefile b/mail/openwebmail/Makefile index 3a561b6f9351..2ef4c77b0f59 100644 --- a/mail/openwebmail/Makefile +++ b/mail/openwebmail/Makefile @@ -7,7 +7,7 @@ PORTNAME= openwebmail PORTVERSION?= 2.52 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= mail MASTER_SITES= http://openwebmail.acatysmoof.com/download/%SUBDIR%/ \ http://openwebmail.org/openwebmail/download/%SUBDIR%/ diff --git a/mail/openwebmail/files/patch-CVE-2006-3233 b/mail/openwebmail/files/patch-CVE-2006-3233 new file mode 100644 index 000000000000..9773ce24004c --- /dev/null +++ b/mail/openwebmail/files/patch-CVE-2006-3233 @@ -0,0 +1,29 @@ +--- openwebmail-read.pl.orig Sun May 1 20:00:00 2005 ++++ openwebmail-read.pl Thu Sep 28 16:36:55 2006 +@@ -755,7 +755,8 @@ + $temphtml .= "<BR>\n"; + + my ($ename, $eaddr)=ow::tool::email2nameaddr($message{from}); +- $temphtml .= qq|<B>$lang_text{'from'}:</B> <a href="http://www.google.com/search?q=$eaddr" title="google $lang_text{'search'}..." target="_blank">$from</a> \n|; ++ my $jseaddr = $eaddr; $jseaddr=~ s/'/\\'/g; # escape ' with \' ++ $temphtml .= qq|<B>$lang_text{'from'}:</B> <a href="http://www.google.com/search?q=|.ow::tool::escapeURL($eaddr).qq|" title="google $lang_text{'search'}..." target="_blank">$from</a> \n|; + if ($printfriendly ne "yes") { + if ($config{'enable_addressbook'}) { + my $is_writableabook_found=0; +@@ -774,13 +775,13 @@ + if ($is_writableabook_found) { + my $fullname=(iconv($message{charset}, $prefs{charset}, $ename))[0]; + my ($firstname, $lastname) = split(/\s+/, $fullname, 2); +- $temphtml .= qq| |. iconlink("import.s.gif", "$lang_text{'importadd'} $eaddr", qq|href="$config{'ow_cgiurl'}/openwebmail-abook.pl?action=addreditform&sessionid=$thissession&sort=$sort&msgdatetype=$msgdatetype&page=$page&folder=$escapedfolder&message_id=$escapedmessageid&N.0.VALUE.GIVENNAME=|.ow::tool::escapeURL($firstname).qq|&N.0.VALUE.FAMILYNAME=|.ow::tool::escapeURL($lastname).qq|&FN.0.VALUE=|.ow::tool::escapeURL($fullname).qq|&EMAIL.0.VALUE=|.ow::tool::escapeURL($eaddr).qq|&formchange=1" onclick="return confirm('$lang_text{importadd} $eaddr ?');"|) . qq|\n|; ++ $temphtml .= qq| |. iconlink("import.s.gif", qq|$lang_text{'importadd'} |.ow::htmltext::str2html($eaddr), qq|href="$config{'ow_cgiurl'}/openwebmail-abook.pl?action=addreditform&sessionid=$thissession&sort=$sort&msgdatetype=$msgdatetype&page=$page&folder=$escapedfolder&message_id=$escapedmessageid&N.0.VALUE.GIVENNAME=|.ow::tool::escapeURL($firstname).qq|&N.0.VALUE.FAMILYNAME=|.ow::tool::escapeURL($lastname).qq|&FN.0.VALUE=|.ow::tool::escapeURL($fullname).qq|&EMAIL.0.VALUE=|.ow::tool::escapeURL($eaddr).qq|&formchange=1" onclick="return confirm('$lang_text{importadd} |.ow::htmltext::str2html($jseaddr).qq| ?');"|) . qq|\n|; + } else { +- $temphtml .= qq| |. iconlink("import.s.gif", "$lang_text{'importadd'} $eaddr", qq|href="$config{'ow_cgiurl'}/openwebmail-abook.pl?action=addrbookedit&sessionid=$thissession&sort=$sort&msgdatetype=$msgdatetype&page=$page&folder=$escapedfolder&message_id=$escapedmessageid" onclick="return confirm('$lang_err{abook_all_readonly}');"|) . qq|\n|; ++ $temphtml .= qq| |. iconlink("import.s.gif", qq|$lang_text{'importadd'} |.ow::htmltext::str2html($eaddr), qq|href="$config{'ow_cgiurl'}/openwebmail-abook.pl?action=addrbookedit&sessionid=$thissession&sort=$sort&msgdatetype=$msgdatetype&page=$page&folder=$escapedfolder&message_id=$escapedmessageid" onclick="return confirm('$lang_err{abook_all_readonly}');"|) . qq|\n|; + } + } + if ($config{'enable_userfilter'}) { +- $temphtml .= qq| |. iconlink("blockemail.gif", "$lang_text{'blockemail'} $eaddr", qq|href="$config{'ow_cgiurl'}/openwebmail-prefs.pl?action=addfilter&sessionid=$thissession&sort=$sort&msgdatetype=$msgdatetype&page=$page&folder=$escapedfolder&message_id=$escapedmessageid&priority=20&ruletype=from&include=include&text=$eaddr&destination=mail-trash&enable=1" onclick="return confirm('$lang_text{blockemail} $eaddr ?');"|) . qq|\n|; ++ $temphtml .= qq| |. iconlink("blockemail.gif", qq|$lang_text{'blockemail'} |.ow::htmltext::str2html($eaddr), qq|href="$config{'ow_cgiurl'}/openwebmail-prefs.pl?action=addfilter&sessionid=$thissession&sort=$sort&msgdatetype=$msgdatetype&page=$page&folder=$escapedfolder&message_id=$escapedmessageid&priority=20&ruletype=from&include=include&text=|.ow::tool::escapeURL($eaddr).qq|&destination=mail-trash&enable=1" onclick="return confirm('$lang_text{blockemail} |.ow::htmltext::str2html($jseaddr).qq| ?');"|) . qq|\n|; + if ($message{smtprelay} !~ /^\s*$/) { + $temphtml .= qq| |.iconlink("blockrelay.gif", "$lang_text{'blockrelay'} $message{smtprelay}", qq|href="$config{'ow_cgiurl'}/openwebmail-prefs.pl?action=addfilter&sessionid=$thissession&sort=$sort&msgdatetype=$msgdatetype&page=$page&folder=$escapedfolder&message_id=$escapedmessageid&priority=20&ruletype=smtprelay&include=include&text=$message{smtprelay}&destination=mail-trash&enable=1" onclick="return confirm('$lang_text{blockrelay} $message{smtprelay} ?');"|) . qq|\n|; + } |