From: Tom C. <to...@to...> - 2004-11-15 19:21:01

http://qmailadmin.sf.net/

Release Notes:

Due to the widespread changes, this release should not be used for production systems until it has been more thoroughly tested.

The most significant change relates to how QmailAdmin inserts certain strings into the pages it generates. It will now properly escape strings so it is impossible to embed HTML tags in user-supplied data. This prevents cross site scripting attacks. It also properly encodes these strings when inserting them as "GET" parameters to further qmailadmin calls. This solves problems related to working with email addresses containing characters such as "+" and "&".

In the process of making the changes, some possible buffer overflows were fixed, and we fixed a bug in the routine that extracts form values from posted data.

ChangeLog:

Tom Collins
- Modify contrib/alias2forward.pl to work with '/Maildir' or '/.maildir' directory names.
- Add #define to qmailadmin.h for globally setting Maildir directory name (defaults to "/Maildir" but Gentoo can use ".maildir").
- Better detect .qmail-alias files that are tied to mailing lists. (Aliases that end in "-owner" but aren't tied to ezmlm lists will now display properly.)
- Add printh.c, new routines for generating HTML-safe and CGI-safe strings.
- Convert sprintf calls to snprintf to avoid buffer overflow.
- Changes to almost all .c and .html files to make use of printh routines. QmailAdmin should now properly handle email addresses that contain special characters (like '+' and '&'), including domain admin addresses. It now also escapes user-supplied text to avoid possible HTML-insertion and cross site scripting attacks.