Fix for XSS scripting flaw.

PR: ports/73667 Submitted by: Simon Dick <simond@home.irrelevant.org> (maintainer)
svn path=/head/; revision=121144
2004-11-08 17:17:43 +00:00 · 2004-11-08 17:17:43 +00:00 · 6d37a26663 · 2021-03-31 03:12:20 +00:00
commit 6d37a26663
parent 4896daab2c
2 changed files with 29 additions and 1 deletions
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	squirrelmail
 PORTVERSION?=	1.4.3a
-PORTREVISION?=	2
+PORTREVISION?=	3
 CATEGORIES?=	mail www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	squirrelmail
--- a/mail/squirrelmail/files/patch-sm143a-xss.diff
+++ b/mail/squirrelmail/files/patch-sm143a-xss.diff
@ -0,0 +1,28 @@
+diff -urN functions/mime.php functions/mime.php
+--- functions/mime.php	2004-05-23 19:14:11.000000000 +0300
+++ functions/mime.php	2004-11-03 19:16:50.000000000 +0200
+@@ -602,13 +602,22 @@
+             }
+             $iLastMatch = $i;
+             $j = $i;
+-            $ret .= $res[1];
+            if ($htmlsave) {
+                $ret .= htmlspecialchars($res[1]);
+            } else {
+                $ret .= $res[1];
+            }
+             $encoding = ucfirst($res[3]);
+             switch ($encoding)
+             {
+             case 'B':
+                 $replace = base64_decode($res[4]);
+-                $ret .= charset_decode($res[2],$replace);
+                if ($utfencode) {
+                    $replace = charset_decode($res[2],$replace);
+                } elseif ($htmlsave) {
+                    $replace = htmlspecialchars($replace);
+                }
+                $ret .= $replace;
+                 break;
+             case 'Q':
+                 $replace = str_replace('_', ' ', $res[4]);