Thread: SF.net SVN: postfixadmin:[1673] branches/postfixadmin-2.3 (Page 3)
Brought to you by:
christian_boltz,
gingerdog
Menu
▾
▴
postfixadmin-svn
|
From: <chr...@us...> - 2014-05-18 19:52:54
|
Revision: 1673
http://sourceforge.net/p/postfixadmin/code/1673
Author: christian_boltz
Date: 2014-05-18 19:52:51 +0000 (Sun, 18 May 2014)
Log Message:
-----------
edit-mailbox.php:
- fix query to enable/disable alias in edit-mailbox for PostgreSQL
https://sourceforge.net/p/postfixadmin/bugs/311/
CHANGELOG.TXT:
- update for the above fix
- add CVE number for the show_gen_status() SQL injection fixed in 2.3.7
Modified Paths:
--------------
branches/postfixadmin-2.3/CHANGELOG.TXT
branches/postfixadmin-2.3/edit-mailbox.php
Modified: branches/postfixadmin-2.3/CHANGELOG.TXT
===================================================================
--- branches/postfixadmin-2.3/CHANGELOG.TXT 2014-05-11 23:09:18 UTC (rev 1672)
+++ branches/postfixadmin-2.3/CHANGELOG.TXT 2014-05-18 19:52:51 UTC (rev 1673)
@@ -10,9 +10,12 @@
# Last update:
# $Id$
+Changes since the 2.3.7 release:
+ - fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311)
+
Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch)
----------------------------------------------------------------
- - SECURITY: fix SQL injection in show_gen_status()
+ - SECURITY: fix SQL injection in show_gen_status() (CVE-2014-2655)
- lt.lang, da.lang translation update
- when enabling/disabling a mailbox, also update the corresponding alias
- fix creating superadmin in setup.php with MariaDB (more strict SQL)
Modified: branches/postfixadmin-2.3/edit-mailbox.php
===================================================================
--- branches/postfixadmin-2.3/edit-mailbox.php 2014-05-11 23:09:18 UTC (rev 1672)
+++ branches/postfixadmin-2.3/edit-mailbox.php 2014-05-18 19:52:51 UTC (rev 1673)
@@ -162,7 +162,7 @@
else {
db_log ($SESSID_USERNAME, $fDomain, 'edit_mailbox', $fUsername);
- $result = db_query ("UPDATE $table_alias SET active=$sqlActive WHERE address='$fUsername' AND domain='$fDomain'");
+ $result = db_query ("UPDATE $table_alias SET active='$sqlActive' WHERE address='$fUsername' AND domain='$fDomain'");
if ($result['rows'] != 1)
{
$error = 1;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <chr...@us...> - 2015-09-28 20:37:55
|
Revision: 1806
http://sourceforge.net/p/postfixadmin/code/1806
Author: christian_boltz
Date: 2015-09-28 20:37:53 +0000 (Mon, 28 Sep 2015)
Log Message:
-----------
templates/users_login.php:
- don't prefill username in users/ login on failed logins - fixes (probably
harmless) XSS.
Thanks to Juan Rossi for reporting this!
Modified Paths:
--------------
branches/postfixadmin-2.3/CHANGELOG.TXT
branches/postfixadmin-2.3/templates/users_login.php
Modified: branches/postfixadmin-2.3/CHANGELOG.TXT
===================================================================
--- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-26 18:54:50 UTC (rev 1805)
+++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:37:53 UTC (rev 1806)
@@ -12,6 +12,8 @@
Changes since the 2.3.7 release:
- fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311)
+ - don't prefill username in users/ login on failed logins - fixes (probably
+ harmless) XSS
Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch)
----------------------------------------------------------------
Modified: branches/postfixadmin-2.3/templates/users_login.php
===================================================================
--- branches/postfixadmin-2.3/templates/users_login.php 2015-09-26 18:54:50 UTC (rev 1805)
+++ branches/postfixadmin-2.3/templates/users_login.php 2015-09-28 20:37:53 UTC (rev 1806)
@@ -7,7 +7,7 @@
</tr>
<tr>
<td><?php print $PALANG['pUsersLogin_username'] . ":"; ?></td>
- <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" /></td>
+ <td><input class="flat" type="text" name="fUsername" /></td>
</tr>
<tr>
<td><?php print $PALANG['pUsersLogin_password'] . ":"; ?></td>
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <chr...@us...> - 2015-09-28 20:40:19
|
Revision: 1807
http://sourceforge.net/p/postfixadmin/code/1807
Author: christian_boltz
Date: 2015-09-28 20:40:17 +0000 (Mon, 28 Sep 2015)
Log Message:
-----------
debian/control:
- allow MariaDB in Debian package dependencies
Modified Paths:
--------------
branches/postfixadmin-2.3/CHANGELOG.TXT
branches/postfixadmin-2.3/debian/control
Modified: branches/postfixadmin-2.3/CHANGELOG.TXT
===================================================================
--- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:37:53 UTC (rev 1806)
+++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:40:17 UTC (rev 1807)
@@ -14,6 +14,7 @@
- fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311)
- don't prefill username in users/ login on failed logins - fixes (probably
harmless) XSS
+ - allow MariaDB in Debian package dependencies
Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch)
----------------------------------------------------------------
Modified: branches/postfixadmin-2.3/debian/control
===================================================================
--- branches/postfixadmin-2.3/debian/control 2015-09-28 20:37:53 UTC (rev 1806)
+++ branches/postfixadmin-2.3/debian/control 2015-09-28 20:40:17 UTC (rev 1807)
@@ -8,11 +8,11 @@
Package: postfixadmin
Architecture: all
-Depends: debconf (>= 0.5), dbconfig-common, wwwconfig-common, apache2 | lighttpd | httpd, libapache2-mod-php5 | php5-cgi | php5, php5-imap, php5-mysql | php5-pgsql, mysql-client | postgresql-client, ${misc:Depends}
-Recommends: postfix-mysql | postfix-pgsql, mysql-server | postgresql-server | postgresql
+Depends: debconf (>= 0.5), dbconfig-common, wwwconfig-common, apache2 | lighttpd | httpd, libapache2-mod-php5 | php5-cgi | php5, php5-imap, php5-mysql | php5-mysqlnd | php5-pgsql, mysql-client | postgresql-client | mariadb-client, ${misc:Depends}
+Recommends: postfix-mysql | postfix-pgsql, mysql-server | postgresql-server | mariadb-server | postgresql
Suggests: squirrelmail-postfixadmin, dovecot-common | courier-authlib-mysql | courier-authlib-postgresql
Description: Virtual mail hosting interface for Postfix
- Postfixadmin is a web interface to managing virtual users and domains
+ Postfixadmin is a web interface to manage virtual users and domains
for a Postfix mail transport agent. The web interface is written in PHP.
It supports Virtual mailboxes, aliases, forwarders and vacation.
.
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <chr...@us...> - 2015-09-28 20:46:01
|
Revision: 1808
http://sourceforge.net/p/postfixadmin/code/1808
Author: christian_boltz
Date: 2015-09-28 20:45:58 +0000 (Mon, 28 Sep 2015)
Log Message:
-----------
2.3.8 release - update version number and changelog
Modified Paths:
--------------
branches/postfixadmin-2.3/CHANGELOG.TXT
branches/postfixadmin-2.3/debian/changelog
branches/postfixadmin-2.3/functions.inc.php
Modified: branches/postfixadmin-2.3/CHANGELOG.TXT
===================================================================
--- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:40:17 UTC (rev 1807)
+++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-09-28 20:45:58 UTC (rev 1808)
@@ -10,7 +10,8 @@
# Last update:
# $Id$
-Changes since the 2.3.7 release:
+Version 2.3.8 - 2015/09/29 - SVN r1808 (postfixadmin-2.3 branch)
+----------------------------------------------------------------
- fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311)
- don't prefill username in users/ login on failed logins - fixes (probably
harmless) XSS
Modified: branches/postfixadmin-2.3/debian/changelog
===================================================================
--- branches/postfixadmin-2.3/debian/changelog 2015-09-28 20:40:17 UTC (rev 1807)
+++ branches/postfixadmin-2.3/debian/changelog 2015-09-28 20:45:58 UTC (rev 1808)
@@ -1,3 +1,10 @@
+postfixadmin (2.3.8-1) unstable; urgency=low
+
+ * New upstream release (v2.3.8)
+ * update dependencies to allow mariadb as database
+
+ -- David Goodwin (PalePurple) <da...@pa...> Tue, 29 Sep 2015 09:30:00 +0100
+
postfixadmin (2.3.7-1) unstable; urgency=low
* New upstream release (v2.3.7)
Modified: branches/postfixadmin-2.3/functions.inc.php
===================================================================
--- branches/postfixadmin-2.3/functions.inc.php 2015-09-28 20:40:17 UTC (rev 1807)
+++ branches/postfixadmin-2.3/functions.inc.php 2015-09-28 20:45:58 UTC (rev 1808)
@@ -16,7 +16,7 @@
* Contains re-usable code.
*/
-$version = '2.3.7';
+$version = '2.3.8';
/**
* check_session
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <chr...@us...> - 2015-10-03 09:40:40
|
Revision: 1813
http://sourceforge.net/p/postfixadmin/code/1813
Author: christian_boltz
Date: 2015-10-03 09:40:37 +0000 (Sat, 03 Oct 2015)
Log Message:
-----------
create-mailbox.php
- fix escaping in username and name field
(again reported by Juan Rossi)
admin_create-admin.php
- fix escaping in username input field
fetchmail.php
- fix escaping in input and textarea fields
- don't echo back the password to the browser
This fixes some harmless XSS which is POST-only and can only be used
by authentificated admins to attack themself.
Modified Paths:
--------------
branches/postfixadmin-2.3/CHANGELOG.TXT
branches/postfixadmin-2.3/templates/admin_create-admin.php
branches/postfixadmin-2.3/templates/create-mailbox.php
branches/postfixadmin-2.3/templates/fetchmail.php
Modified: branches/postfixadmin-2.3/CHANGELOG.TXT
===================================================================
--- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-03 08:58:21 UTC (rev 1812)
+++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-03 09:40:37 UTC (rev 1813)
@@ -16,6 +16,9 @@
- don't prefill username in users/ login on failed logins - fixes (probably
harmless) XSS
- fix show_gen_status() to properly escape mail addresses in query (#356)
+ - fix escaping in create-admin, create-mailbox and fetchmail templates -
+ fixes (harmless) XSS on form validation errors
+ - don't echo the password back to the browser in the fetchmail form
- allow MariaDB in Debian package dependencies
Version 2.3.7 - 2014/02/20 - SVN r1651 (postfixadmin-2.3 branch)
Modified: branches/postfixadmin-2.3/templates/admin_create-admin.php
===================================================================
--- branches/postfixadmin-2.3/templates/admin_create-admin.php 2015-10-03 08:58:21 UTC (rev 1812)
+++ branches/postfixadmin-2.3/templates/admin_create-admin.php 2015-10-03 09:40:37 UTC (rev 1813)
@@ -7,7 +7,7 @@
</tr>
<tr>
<td><?php print $PALANG['pAdminCreate_admin_username'] . ":"; ?></td>
- <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" /></td>
+ <td><input class="flat" type="text" name="fUsername" value="<?php print htmlentities($tUsername); ?>" /></td>
<td><?php print $pAdminCreate_admin_username_text; ?></td>
</tr>
<tr>
Modified: branches/postfixadmin-2.3/templates/create-mailbox.php
===================================================================
--- branches/postfixadmin-2.3/templates/create-mailbox.php 2015-10-03 08:58:21 UTC (rev 1812)
+++ branches/postfixadmin-2.3/templates/create-mailbox.php 2015-10-03 09:40:37 UTC (rev 1813)
@@ -12,7 +12,7 @@
</tr>
<tr>
<td><?php print $PALANG['pCreate_mailbox_username'] . ":"; ?></td>
- <td><input class="flat" type="text" name="fUsername" value="<?php print $tUsername; ?>" autocomplete="off"/></td>
+ <td><input class="flat" type="text" name="fUsername" value="<?php print htmlentities($tUsername); ?>" autocomplete="off"/></td>
<td>@
<select name="fDomain">
<?php
@@ -44,7 +44,7 @@
</tr>
<tr>
<td><?php print $PALANG['pCreate_mailbox_name'] . ":"; ?></td>
- <td><input class="flat" type="text" name="fName" value="<?php print $tName; ?>" /></td>
+ <td><input class="flat" type="text" name="fName" value="<?php print htmlentities($tName); ?>" /></td>
<td><?php print $pCreate_mailbox_name_text; ?></td>
</tr>
<?php if ($CONF['quota'] == 'YES') { ?>
Modified: branches/postfixadmin-2.3/templates/fetchmail.php
===================================================================
--- branches/postfixadmin-2.3/templates/fetchmail.php 2015-10-03 08:58:21 UTC (rev 1812)
+++ branches/postfixadmin-2.3/templates/fetchmail.php 2015-10-03 09:40:37 UTC (rev 1813)
@@ -120,12 +120,12 @@
function _edit_text($id,$key,$def_vals,$val=""){
$val=htmlspecialchars($val);
- return "<input type=text name=${key} id=${id} value='${val}'>";
+ return "<input type=text name=${key} id=${id} value='" . htmlentities($val, ENT_QUOTES) . "'>";
}
function _edit_password($id,$key,$def_vals,$val=""){
$val=preg_replace("{.}","*",$val);
- return "<input type=password name=${key} id=${id} value='${val}'>";
+ return "<input type=password name=${key} id=${id} value=''>";
}
function _edit_num($id,$key,$def_vals,$val=""){
@@ -143,7 +143,7 @@
function _edit_longtext($id,$key,$def_vals,$val=""){
$val=htmlspecialchars($val);
- return "<textarea name=${key} id=${id} rows=2 style='width:20em;'>${val}</textarea>";
+ return "<textarea name=${key} id=${id} rows=2 style='width:20em;'>" . htmlentities($val, ENT_QUOTES) . "</textarea>";
}
function _edit_enum($id,$key,$def_vals,$val=""){
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <chr...@us...> - 2015-10-11 19:38:01
|
Revision: 1819
http://sourceforge.net/p/postfixadmin/code/1819
Author: christian_boltz
Date: 2015-10-11 19:37:59 +0000 (Sun, 11 Oct 2015)
Log Message:
-----------
create-mailbox.php:
- enforce $CONF[min_password_length]
reported by voytek eymont in
https://sourceforge.net/p/postfixadmin/discussion/676076/thread/914cf02e/
Modified Paths:
--------------
branches/postfixadmin-2.3/CHANGELOG.TXT
branches/postfixadmin-2.3/create-mailbox.php
Modified: branches/postfixadmin-2.3/CHANGELOG.TXT
===================================================================
--- branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-07 19:44:38 UTC (rev 1818)
+++ branches/postfixadmin-2.3/CHANGELOG.TXT 2015-10-11 19:37:59 UTC (rev 1819)
@@ -10,6 +10,10 @@
# Last update:
# $Id$
+Changes since the 2.3.8 release
+-------------------------------
+ - enforce $CONF[min_password_length] in create-mailbox
+
Version 2.3.8 - 2015/10/07 - SVN r1814 (postfixadmin-2.3 branch)
----------------------------------------------------------------
- fix query to enable/disable alias in edit-mailbox for PostgreSQL (#311)
Modified: branches/postfixadmin-2.3/create-mailbox.php
===================================================================
--- branches/postfixadmin-2.3/create-mailbox.php 2015-10-07 19:44:38 UTC (rev 1818)
+++ branches/postfixadmin-2.3/create-mailbox.php 2015-10-11 19:37:59 UTC (rev 1819)
@@ -129,6 +129,12 @@
$tDomain = $fDomain;
$pCreate_mailbox_password_text = $PALANG['pCreate_mailbox_password_text_error'];
}
+ } else {
+ $min_length = $CONF['min_password_length'];
+ if($min_length > 0 && strlen($fPassword) < $min_length) {
+ flash_error(sprintf($PALANG['pPasswordTooShort'], $CONF['min_password_length']));
+ $error = 1;
+ }
}
if ($CONF['quota'] == "YES")
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X