backport a security fix from claws-mail 3.3.1 to "Forbid attaching anything

containing "../" or ".ssh/" in mailto: URIs." backporting (we're in freeze) adviced by sthen@, update noticed by MAINTAINER ok espie@ naddy@
2008-02-25 17:14:18 +00:00 · 2008-02-25 17:14:18 +00:00 · 2954e4cc7b
commit 2954e4cc7b
parent 0d235ec1c5
2 changed files with 14 additions and 2 deletions
--- a/mail/claws-mail/Makefile
+++ b/mail/claws-mail/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.15 2008/02/13 13:17:26 landry Exp $
+# $OpenBSD: Makefile,v 1.16 2008/02/25 17:14:18 landry Exp $

 COMMENT-main=		mail and news client
 COMMENT-docs=		documentation
@ -10,7 +10,7 @@ COMMENT-spamassassin=	spamassassin plugin
 V=			3.3.0
 DISTNAME=		claws-mail-${V}

-PKGNAME-main=			${DISTNAME}
+PKGNAME-main=			${DISTNAME}p0
 FULLPKGNAME-docs=		claws-mail-docs-${V}
 FULLPKGNAME-bogofilter=		claws-mail-bogofilter-${V}
 FULLPKGNAME-dillo=		claws-mail-dillo-${V}
--- a/mail/claws-mail/patches/patch-src_common_utils_c
+++ b/mail/claws-mail/patches/patch-src_common_utils_c
@ -0,0 +1,12 @@
+$OpenBSD: patch-src_common_utils_c,v 1.1 2008/02/25 17:14:18 landry Exp $
+--- src/common/utils.c.orig	Mon Feb 25 13:02:36 2008
+++ src/common/utils.c	Mon Feb 25 13:03:20 2008
+@@ -1522,6 +1522,8 @@ gint scan_mailto_url(const gchar *mailto, gchar **from
+ 	const gchar *forbidden_uris[] = { ".gnupg/",
+ 					  "/etc/passwd",
+ 					  "/etc/shadow",
+					  ".ssh/",
+					  "../",
+ 					  NULL };
+ 	gint num_attach = 0;
+ 	gchar **my_att = NULL;