From: <pdo...@us...> - 2009-05-07 21:55:46
Revision: 13656 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13656&view=rev Author: pdontthink Date: 2009-05-07 21:55:44 +0000 (Thu, 07 May 2009) Log Message: ----------- Adding Khmer translation. Thanks to Khoem Sokhem. Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/i18n.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-07 21:55:41 UTC (rev 13655) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-07 21:55:44 UTC (rev 13656) @@ -40,9 +40,10 @@ - Outgoing attachments that have lines longer than allowed per RFC are now encoded so they are not corrupted by artificial line folds. Thanks to Kelly Fallon. (#2226470, $1473714) - - Converted Italian (it_IT) to UTF-8. - - Converted Czech (cs_CZ) to UTF-8. - - Converted Hungarian (hu_HU) to UTF-8. + - Converted Italian (it_IT) to UTF-8. + - Converted Czech (cs_CZ) to UTF-8. + - Converted Hungarian (hu_HU) to UTF-8. + - Added Khmer translation (Thanks to Khoem Sokhem). Version 1.4.17 - 03 December 2008 --------------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/i18n.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/i18n.php 2009-05-07 21:55:41 UTC (rev 13655) +++ branches/SM-1_4-STABLE/squirrelmail/functions/i18n.php 2009-05-07 21:55:44 UTC (rev 13656) 
@@ -870,6 +870,12 @@ $languages['ka']['LOCALE'] = array('ka_GE.UTF-8', 'ka_GE.UTF8', 'ka_GE', 'ka'); $languages['ka_GE']['ALIAS'] = 'ka'; +$languages['km']['NAME'] = 'Khmer'; +$languages['km']['ALTNAME'] = 'ខ្មែរ'; +$languages['km']['CHARSET'] = 'utf-8'; +$languages['km']['LOCALE'] = array('km.UTF-8', 'km.UTF8', 'km_KH.UTF-8', 'km_KH.UTF8', 'km', 'km_KH'); +$languages['km_KH']['ALIAS'] = 'km'; + $languages['ko_KR']['NAME'] = 'Korean'; $languages['ko_KR']['CHARSET'] = 'euc-KR'; // Function does not provide all needed options This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
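Review bot: the ChangeLog hunk (@@ -40,9 +40,10 @@) removes and re-adds the three "Converted ... to UTF-8" lines with no visible change in their text, so this is whitespace-only churn riding along with a translation commit, and it will show up in blame for those lines. Keep the hunk to the single added line `- Added Khmer translation (Thanks to Khoem Sokhem).`.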
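Review bot: in the i18n.php hunk (@@ -870,6 +870,12 @@) the LOCALE candidate list for 'km' tries the territory-less names 'km.UTF-8' and 'km.UTF8' before 'km_KH.UTF-8', whereas the neighbouring 'ka' entry lists the territory-qualified locale first (`'ka_GE.UTF-8', 'ka_GE.UTF8', 'ka_GE', 'ka'`). System locale databases are normally installed under the language_TERRITORY name, so putting 'km_KH.UTF-8' first keeps the fallback order consistent with the other entries and avoids a failed setlocale() attempt on most installs. The ALTNAME value is a literal UTF-8 string, so the file must stay UTF-8 encoded; the CHARSET line already says 'utf-8', which matches.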
From: <pdo...@us...> - 2009-05-11 21:17:58
Revision: 13667 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13667&view=rev Author: pdontthink Date: 2009-05-11 21:17:50 +0000 (Mon, 11 May 2009) Log Message: ----------- Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content. Thanks to Luc Beurton. (#2723196/CVE-2009-1581) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/mime.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 21:09:28 UTC (rev 13666) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 21:17:50 UTC (rev 13667) @@ -44,6 +44,8 @@ - Converted Czech (cs_CZ) to UTF-8. - Converted Hungarian (hu_HU) to UTF-8. - Added Khmer translation (Thanks to Khoem Sokhem). + - Remove ability for HTML emails to use CSS positioning to overlay + SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581] Version 1.4.17 - 03 December 2008 --------------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/mime.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/mime.php 2009-05-11 21:09:28 UTC (rev 13666) +++ branches/SM-1_4-STABLE/squirrelmail/functions/mime.php 2009-05-11 21:17:50 UTC (rev 13667) @@ -1965,6 +1965,12 @@ /** * Fix stupid css declarations which lead to vulnerabilities * in IE. + * + * Also remove "position" attribute, as it can easily be set + * to "fixed" or "absolute" with "left" and "top" attributes + * of zero, taking over the whole content frame. It can also + * be set to relative and move itself anywhere it wants to, + * displaying content in areas it shouldn't be allowed to touch. */ $match = Array('/\/\*.*\*\//', '/expression/i', 
@@ -1972,8 +1978,9 @@ '/binding/i', '/include-source/i', '/javascript/i', - '/script/i'); - $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy'); + '/script/i', + '/position/i'); + $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', ''); $contentNew = preg_replace($match, $replace, $contentTemp); if ($contentNew !== $contentTemp) { // insecure css declarations are used. From now on we don't care @@ -2366,12 +2373,28 @@ "/binding/i", "/behaviou*r/i", "/include-source/i", - "/position\s*:\s*absolute/i", + + // position:relative can also be exploited + // to put content outside of email body area + // and position:fixed is similarly exploitable + // as position:absolute, so we'll remove it + // altogether.... + // + // Does this screw up legitimate HTML messages? + // If so, the only fix I see is to allow position + // attributes (any values? I think we still have + // to block static and fixed) only if $use_iframe + // is enabled (1.5.0+) + // + // was: "/position\s*:\s*absolute/i", + // + "/position\s*:/i", + "/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i", "/url\s*\(\s*([\'\"])\s*\S+script\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*mocha\s*:.*([\'\"])\s*\)/si", "/url\s*\(\s*([\'\"])\s*about\s*:.*([\'\"])\s*\)/si", - "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si" + "/(.*)\s*:\s*url\s*\(\s*([\'\"]*)\s*\S+script\s*:.*([\'\"]*)\s*\)/si", ), Array( "", This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
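Review bot: the '/position/i' pattern added in the @@ -1972,8 +1978,9 @@ hunk is an unanchored substring match, so it also fires on `background-position`, `composition` or `disposition` anywhere in the style text, and its replacement is the empty string, which turns `background-position: top` into `background-: top`. Because the following check `if ($contentNew !== $contentTemp)` treats any replacement as "insecure css declarations are used", every message whose style block merely contains that substring is now routed down the insecure path. Anchoring the pattern on the property name, for example `/(?<![\w-])position\s*:/i`, limits it to the property the comment above actually targets.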
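Review bot: the @@ -2366,12 +2373,28 @@ hunk replaces `"/position\s*:\s*absolute/i"` with `"/position\s*:/i"`, which also matches the legitimate `background-position:` property; the in-line comment already asks whether this breaks legitimate HTML messages, and for that property it does. A negative lookbehind on the preceding character (`(?<![\w-])`) keeps the intended coverage of absolute, fixed and relative while leaving `background-position` alone. The comment also says "I think we still have to block static and fixed", but `static` is the default value and is never named as exploitable in the same comment (absolute, fixed and relative are); that should probably read "absolute and fixed".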
From: <pdo...@us...> - 2009-05-11 21:49:46
Revision: 13670 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13670&view=rev Author: pdontthink Date: 2009-05-11 21:49:37 +0000 (Mon, 11 May 2009) Log Message: ----------- Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of QUERY_STRING server environment variables. Thanks to Niels Teusink and Christian Balzer. (CVE-2009-1578) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/global.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 21:49:23 UTC (rev 13669) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 21:49:37 UTC (rev 13670) @@ -46,6 +46,9 @@ - Added Khmer translation (Thanks to Khoem Sokhem). - Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581] + - Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of + QUERY_STRING server environment variables. (Thanks to Niels Teusink + and Christian Balzer). [CVE-2009-1578] Version 1.4.17 - 03 December 2008 --------------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/global.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/global.php 2009-05-11 21:49:23 UTC (rev 13669) +++ branches/SM-1_4-STABLE/squirrelmail/functions/global.php 2009-05-11 21:49:37 UTC (rev 13670) 
@@ -64,15 +64,29 @@ unset($GLOBALS['value']); } -/* - * strip any tags added to the url from PHP_SELF. +/** + * Strip any tags added to the url from PHP_SELF. * This fixes hand crafted url XXS expoits for any - * page that uses PHP_SELF as the FORM action + * page that uses PHP_SELF as the FORM action. * Must be executed before strings.php is loaded (php_self() call in strings.php). + * Update: strip_tags() won't catch something like + * src/right_main.php?sort=0&startMessage=1&mailbox=INBOX&xxx="><script>window.open("http://example.com")</script> + * or + * contrib/decrypt_headers.php/%22%20onmouseover=%22alert(%27hello%20world%27)%22%3E + * because it doesn't bother with broken tags. + * htmlspecialchars() is the preferred method. */ if (isset($_SERVER['PHP_SELF'])) { - $_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']); + $_SERVER['PHP_SELF'] = htmlspecialchars($_SERVER['PHP_SELF']); } +/* + * same needed for QUERY_STRING because SquirrelMail + * uses it along with PHP_SELF when using location + * strings + */ +if (isset($_SERVER['QUERY_STRING'])) { + $_SERVER['QUERY_STRING'] = htmlspecialchars($_SERVER['QUERY_STRING']); +} /** * Bring in the config file @@ -526,7 +540,7 @@ * @param string $filename The full file path of the file to inspect * @param int $max_length If any lines in the file are GREATER THAN * this number, this function returns TRUE. - * + * * @return boolean TRUE as explained above, otherwise, (no long lines * found) FALSE is returned. * @@ -541,7 +555,7 @@ if (strlen($buffer) > $max_length) { fclose($FILE); return TRUE; - } + } } fclose($FILE); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
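Review bot: in the @@ -64,15 +64,29 @@ hunk htmlspecialchars() is called with its default flags, which on the PHP versions this branch targets means ENT_COMPAT: double quotes become `&quot;` but single quotes are left untouched. Any page that interpolates PHP_SELF or QUERY_STRING inside a single-quoted HTML attribute (`action='...'`) is therefore still injectable with `'`; pass ENT_QUOTES explicitly, e.g. `htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)`. A second consequence deserves a comment in the code: the encoding is applied once at ingress and mutates `$_SERVER`, so every later non-HTML consumer of these values (the "location strings" the comment mentions, `Location:` headers, re-parsing of the query string) now sees `&amp;` where it expects `&`. Escaping at the output point is the usual fix; if the global rewrite is kept, the comment should say which consumers have been checked.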
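Review bot: the @@ -526,7 +540,7 @@ and @@ -541,7 +555,7 @@ hunks change only trailing whitespace in the long-line checker and have nothing to do with CVE-2009-1578; keeping whitespace cleanups out of a security fix makes the change easier to review and to backport.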
From: <pdo...@us...> - 2009-05-11 22:04:51
Revision: 13672 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13672&view=rev Author: pdontthink Date: 2009-05-11 22:04:44 +0000 (Mon, 11 May 2009) Log Message: ----------- Sanitize decrypt_headers.php form input (base64 decoding is not the same as sanitizing), general cleanup and grammatical fixes. Thanks to Niels Teusink. (also CVE-2009-1578) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog Modified: branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php 2009-05-11 22:04:40 UTC (rev 13671) +++ branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php 2009-05-11 22:04:44 UTC (rev 13672) @@ -16,7 +16,7 @@ define('SM_PATH','../'); /** - * include SquirrelMail string functions + * include SquirrelMail string and generic functions * script needs OneTimePadDecrypt() (functions/strings.php) * and sqgetGlobalVar() (functions/global.php) */ 
@@ -59,23 +59,30 @@ ."</head><body>"; if (sqgetGlobalVar('submit',$submit,SQ_POST)) { + $continue = TRUE; if (! sqgetGlobalVar('secret',$secret,SQ_POST) || - empty($secret)) - echo "<p>You must enter encryption key.</p>\n"; + empty($secret)) { + $continue = FALSE; + echo "<p>You must enter an encryption key.</p>\n"; + } if (! sqgetGlobalVar('enc_string',$enc_string,SQ_POST) || - empty($enc_string)) - echo "<p>You must enter encrypted string.</p>\n"; + empty($enc_string)) { + $continue = FALSE; + echo "<p>You must enter an encrypted string.</p>\n"; + } - if (isset($enc_string) && ! base64_decode($enc_string)) { - echo "<p>Encrypted string should be BASE64 encoded.<br />\n" - ."Please enter all characters that are listed after header name.</p>\n"; - } elseif (isset($secret)) { - $string=OneTimePadDecrypt($enc_string,base64_encode($secret)); + if ($continue) { + if (isset($enc_string) && ! base64_decode($enc_string)) { + echo "<p>Encrypted string should be BASE64 encoded.<br />\n" + ."Please enter all characters that are listed after header name.</p>\n"; + } elseif (isset($secret)) { + $string=OneTimePadDecrypt($enc_string,base64_encode($secret)); - if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) { - $string=hex2ip($string); + if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) { + $string=hex2ip($string); + } + echo "<p>Decoded string: ".htmlspecialchars($string)."</p>\n"; } - echo "<p>Decoded string: ".$string."</p>\n"; } echo "<hr />"; } 
@@ -84,7 +91,7 @@ <p> Secret key: <input type="password" name="secret"><br /> Encrypted string: <input type="text" name="enc_string"><br /> -Check, if it is an address string: <input type="checkbox" name="ip_addr" /><br /> +<label for="ip_addr">Check here if you are decoding an address string (FromHash/ProxyHash): </label><input type="checkbox" name="ip_addr" id="ip_addr" /><br /> <button type="submit" name="submit" value="submit">Submit</button> </p> </form> Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 22:04:40 UTC (rev 13671) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 22:04:44 UTC (rev 13672) @@ -47,8 +47,11 @@ - Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581] - Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of - QUERY_STRING server environment variables. (Thanks to Niels Teusink + QUERY_STRING server environment variables (Thanks to Niels Teusink and Christian Balzer). [CVE-2009-1578] + - Fixed the lack of sanitizing of contrib/decrypt_headers.php input; + also includes general cleanup of that page (Thanks to Niels Teusink). + [also CVE-2009-1578] Version 1.4.17 - 03 December 2008 --------------------------------- This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
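Review bot: in the @@ -59,23 +59,30 @@ hunk the encoding check `! base64_decode($enc_string)` still does not do what the message text beside it claims. In its default non-strict mode base64_decode() discards characters outside the alphabet instead of failing, and it returns a string, so the test only fires when the decoded result is empty or the single character "0". On PHP 5.2.0 and later `base64_decode($enc_string, true) === false` detects malformed input properly. The variable in `sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)` is named `$is_addr` while the field is `ip_addr`; harmless because only the return value is tested, but rename it. The `htmlspecialchars($string)` around the decoded output is the right fix for the XSS, and the `$continue` flag now stops decryption when a field is missing, which the old code did not.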
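Review bot: the @@ -84,7 +91,7 @@ hunk gives the checkbox a proper `<label for="ip_addr">`, but the two inputs above it (`secret` and `enc_string`) remain unlabelled plain text; since the form is being touched anyway, label those as well.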
From: <pdo...@us...> - 2009-05-11 22:17:45
Revision: 13674 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13674&view=rev Author: pdontthink Date: 2009-05-11 22:17:35 +0000 (Mon, 11 May 2009) Log Message: ----------- OMG - unsanitized shell command. Thanks to Niels Teusink. (CVE-2009-1579) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 22:08:25 UTC (rev 13673) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 22:17:35 UTC (rev 13674) @@ -52,6 +52,8 @@ - Fixed the lack of sanitizing of contrib/decrypt_headers.php input; also includes general cleanup of that page (Thanks to Niels Teusink). [also CVE-2009-1578] + - Fixed unsanitized shell command in example IMAP username mapping + function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579] Version 1.4.17 - 03 December 2008 --------------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php 2009-05-11 22:08:25 UTC (rev 13673) +++ branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php 2009-05-11 22:17:35 UTC (rev 13674) @@ -973,7 +973,7 @@ * LDAP whatever way to find the users IMAP server. */ function map_yp_alias($username) { - $yp = `ypmatch $username aliases`; + $yp = `ypmatch ' . escapeshellarg($username) . ' aliases`; return chop(substr($yp, strlen($username)+1)); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
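Review bot: the fix in @@ -973,7 +973,7 @@ does not work. Inside PHP's backtick (shell_exec) operator the contents are a string with variable interpolation, not a PHP expression, so `' . escapeshellarg($username) . '` is never evaluated: PHP substitutes `$username` directly and hands the shell the literal text `ypmatch ' . escapeshellarg(<username>) . ' aliases`. Two results follow. The lookup is broken for every legitimate user, because ypmatch receives a literal argument that is not the username; and a username containing a single quote still terminates the shell quoting, so the command injection this commit claims to fix remains. The call has to be an expression: `$yp = shell_exec('ypmatch ' . escapeshellarg($username) . ' aliases');`. The following `chop(substr($yp, strlen($username)+1))` assumes ypmatch echoes the key back unchanged, which still holds with the corrected call.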
From: <pdo...@us...> - 2009-05-11 22:48:09
Revision: 13676 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13676&view=rev Author: pdontthink Date: 2009-05-11 22:48:03 +0000 (Mon, 11 May 2009) Log Message: ----------- Always generate $base_uri for every page request as opposed to doing it only on some pages. Always regenerate session ID at login to prevent session fixation by an attacker who has set a malicious cookie on the client browser. Try to clean up extraneous cookies, such as ones some browsers might actually obey from the src/ directory. Thanks to Tomas Hoger. (CVE-2009-1580) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/global.php branches/SM-1_4-STABLE/squirrelmail/src/login.php branches/SM-1_4-STABLE/squirrelmail/src/redirect.php branches/SM-1_4-STABLE/squirrelmail/src/signout.php branches/SM-1_4-STABLE/squirrelmail/src/webmail.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 22:17:46 UTC (rev 13675) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 22:48:03 UTC (rev 13676) 
@@ -54,6 +54,11 @@ [also CVE-2009-1578] - Fixed unsanitized shell command in example IMAP username mapping function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579] + - Fixed session fixation issues where someone who can modify a user's + cookies could gain control of their login session. The SquirrelMail + base URI is now uniformly generated, extraneous cookies are cleaned + up and session IDs are regenerated upon every login (Thanks to Tomas + Hoger). [CVE-2009-1580] Version 1.4.17 - 03 December 2008 --------------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/global.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/global.php 2009-05-11 22:17:46 UTC (rev 13675) +++ branches/SM-1_4-STABLE/squirrelmail/functions/global.php 2009-05-11 22:48:03 UTC (rev 13676) @@ -129,6 +129,13 @@ ini_set('session.use_cookies','1'); } +/** + * Make sure to have $base_uri always initialized to avoid having session + * cookie set separately for each $base_uri subdirectory that receives direct + * requests from user's browser (typically $base_uri and $base_uri/src). + */ +$base_uri = sqm_baseuri(); + sqsession_is_active(); /* if running with magic_quotes_gpc then strip the slashes 
@@ -365,9 +372,29 @@ global $base_uri; - if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri); + if (isset($_COOKIE[session_name()])) { + sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri); + + /* + * Make sure to kill /src and /src/ cookies, just in case there are + * some left-over or malicious ones set in user's browser. + * NB: Note that an attacker could try to plant a cookie for one + * of the /plugins/* directories. Such cookies can block + * access to certain plugin pages, but they do not influence + * or fixate the $base_uri cookie, so we don't worry about + * trying to delete all of them here. + */ + sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src'); + sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src/'); + } + if (isset($_COOKIE['key'])) sqsetcookie('key', 'SQMTRASH', 1, $base_uri); + /* Make sure new session id is generated on subsequent session_start() */ + unset($_COOKIE[session_name()]); + unset($_GET[session_name()]); + unset($_POST[session_name()]); + $sessid = session_id(); if (!empty( $sessid )) { $_SESSION = array(); Modified: branches/SM-1_4-STABLE/squirrelmail/src/login.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/login.php 2009-05-11 22:17:46 UTC (rev 13675) +++ branches/SM-1_4-STABLE/squirrelmail/src/login.php 2009-05-11 22:48:03 UTC (rev 13676) 
@@ -36,8 +36,6 @@ */ set_up_language($squirrelmail_language, TRUE, TRUE); -$base_uri = sqm_baseuri(); - /** * In case the last session was not terminated properly, make sure * we get a new one, but make sure we preserve session_expired_* Modified: branches/SM-1_4-STABLE/squirrelmail/src/redirect.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/redirect.php 2009-05-11 22:17:46 UTC (rev 13675) +++ branches/SM-1_4-STABLE/squirrelmail/src/redirect.php 2009-05-11 22:48:03 UTC (rev 13676) @@ -30,8 +30,6 @@ require_once(SM_PATH . 'functions/constants.php'); require_once(SM_PATH . 'functions/page_header.php'); -$base_uri = sqm_baseuri(); - header('Pragma: no-cache'); $location = get_location(); 
@@ -68,6 +66,22 @@ if (!sqsession_is_registered('user_is_logged_in')) { do_hook ('login_before'); + /** + * Regenerate session id to make sure that authenticated session uses + * different ID than one used before user authenticated. This is a + * countermeasure against session fixation attacks. + * NB: session_regenerate_id() was added in PHP 4.3.2 (and new session + * cookie is only sent out in this call as of PHP 4.3.3), but PHP 4 + * is not vulnerable to session fixation problems in SquirrelMail + * because it prioritizes $base_uri subdirectory cookies differently + * than PHP 5, which is otherwise vulnerable. If we really want to, + * we could define our own session_regenerate_id() when one does not + * exist, but there seems to be no reason to do so. + */ + if (function_exists('session_regenerate_id')) { + session_regenerate_id(); + } + $onetimepad = OneTimePadCreate(strlen($secretkey)); $key = OneTimePadEncrypt($secretkey, $onetimepad); sqsession_register($onetimepad, 'onetimepad'); Modified: branches/SM-1_4-STABLE/squirrelmail/src/signout.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/signout.php 2009-05-11 22:17:46 UTC (rev 13675) +++ branches/SM-1_4-STABLE/squirrelmail/src/signout.php 2009-05-11 22:48:03 UTC (rev 13676) @@ -42,7 +42,6 @@ * because it was deleted with the session. */ if (! sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION) ) { require_once(SM_PATH . 'functions/display_messages.php'); - $base_uri = sqm_baseuri(); } do_hook('logout'); Modified: branches/SM-1_4-STABLE/squirrelmail/src/webmail.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/webmail.php 2009-05-11 22:17:46 UTC (rev 13675) +++ branches/SM-1_4-STABLE/squirrelmail/src/webmail.php 2009-05-11 22:48:03 UTC (rev 13676) 
@@ -26,8 +26,6 @@ require_once(SM_PATH . 'include/validate.php'); require_once(SM_PATH . 'functions/imap.php'); -$base_uri = sqm_baseuri(); - sqgetGlobalVar('username', $username, SQ_SESSION); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); sqgetGlobalVar('onetimepad', $onetimepad, SQ_SESSION); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
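Review bot: the @@ -365,9 +372,29 @@ hunk unsets the session id from `$_COOKIE`, `$_GET` and `$_POST` so that the next session_start() mints a fresh id, but the file still only sets `session.use_cookies` (visible above: `ini_set('session.use_cookies','1');`). Without `session.use_only_cookies`, PHP keeps accepting an id supplied in the URL on every other request, which is the simplest fixation vector of all; add `ini_set('session.use_only_cookies', '1');` beside it. The extra deletions for `$base_uri . 'src'` and `$base_uri . 'src/'` are a reasonable belt-and-braces measure. The comment's admission that cookies planted under /plugins/* are not cleared should also appear in the ChangeLog entry, since an admin reading "extraneous cookies are cleaned up" will assume all of them are.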
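Review bot: in the redirect.php hunk (@@ -68,6 +66,22 @@) `session_regenerate_id()` is called without its `delete_old_session` argument, so the old session data stays on the server under the id an attacker may have planted. The pre-authentication session holds little of value here, but passing `true` (accepted since PHP 5.1.0) closes that gap, and the existing `function_exists('session_regenerate_id')` guard is the natural place for a version check. The placement is right: the call sits after `do_hook('login_before')` and before `OneTimePadCreate()`/`sqsession_register()`, so the key material is only ever stored under the new id.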
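Review bot: after the signout.php hunk (@@ -42,7 +42,6 @@) the conditional `if (! sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION) )` contains only `require_once(SM_PATH . 'functions/display_messages.php');`, which has nothing to do with the base URI, and the comment above it ("because it was deleted with the session") no longer describes what the block does. Either drop the condition and require display_messages.php unconditionally, or reword the comment to say that `$base_uri` now comes from global.php. Note also that when a session value is present sqgetGlobalVar() overwrites the globally computed `$base_uri` with the stored one; presumably intended, but worth a sentence in the comment.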
From: <pdo...@us...> - 2009-05-12 00:04:29
Revision: 13681 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13681&view=rev Author: pdontthink Date: 2009-05-12 00:04:23 +0000 (Tue, 12 May 2009) Log Message: ----------- 1.4.19 SVN open for business Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/strings.php Added Paths: ----------- branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.18.txt Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-11 23:46:55 UTC (rev 13680) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-12 00:04:23 UTC (rev 13681) @@ -2,6 +2,9 @@ *** SquirrelMail Stable Series 1.4 *** ************************************** +Version 1.4.19 - SVN +-------------------- + Version 1.4.18 - 11 May 2009 ---------------------------- - Fixed port detection in automatic base URL detection scheme Copied: branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.18.txt (from rev 13680, branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes) =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.18.txt (rev 0) +++ branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.18.txt 2009-05-12 00:04:23 UTC (rev 13681) 
@@ -0,0 +1,137 @@ +/***************************************************************** + * Release Notes: SquirrelMail 1.4.18 * + * The "Karate Kid" Release * + * 11 May 2009 * + *****************************************************************/ + +In this edition of SquirrelMail Release Notes: + * All about this Release! + * Locales / Translations / Charsets + * Security issues + * Major updates + * Reporting your favorite SquirrelMail bug + + +All about this release +====================== + +This release addresses some security problems in SquirrelMail, adds +several new language translations, makes some improvements to the +filters plugin and the address book system, and addresses several +other small bug fixes and improvements. + +Notable changes: + * Security fixes - see below. + * New languages: Bangladeshi Bengali, Khmer, Tamil + +For a more complete list of changes, please see the file "ChangeLog" +in the doc/ directory. + +Security issues +=============== + +Two issues were fixed that both allowed an attacker to run arbitrary +script (XSS) on most any SquirrelMail page by getting the user to +click on specially crafted SquirrelMail links. We would like to thank +Niels Teusink and Christian Balzer for reporting these issues to us. +These are tracked as CVE-2009-1578. + +An issue was fixed wherein input to the contrib/decrypt_headers.php +script was not sanitized and allowed arbitrary script execution upon +submission of certain values. We would like to thank Niels Teusink for +reporting this issue to us. This is also tracked as CVE-2009-1578. + +An issue was fixed that allowed arbitrary server-side code execution +when SquirrelMail was configured to use the example "map_yp_alias" +username mapping functionality. We would like to thank Niels Teusink +for reporting this issue to us. This is tracked as CVE-2009-1579. + +An issue was fixed that allowed an attacker to possibly steal user +data by hijacking the SquirrelMail login session. 
We would like to +thank Tomas Hoger for reporting this issue to us. This is tracked +as CVE-2009-1580. + +An issue was fixed that allowed phishing and cross-site scripting +(XSS) attacks to be run by surreptitious placement of content in +specially-crafted emails sent to SquirrelMail users. We would like to +thank Luc Beurton for reporting this issue to us. This is tracked +as CVE-2009-1581. + +Locales / Translations / Charsets +================================= + +Since the release of SquirrelMail 1.4.4, translations are no longer +a part of the main package. They are now downloaded separately; you +can obtain all languages in one package or get an individual language. +You can find these packages on our web site. They also contain +installation instructions. + +The release of SquirrelMail 1.4.4 also introduced a backport of the +new Character set decoding functions from our development code branch, +vastly increasing the decoding performance and the number of supported +character sets. + + +Major updates in 1.4 +==================== + +The 1.4.x series (as a result of 1.3 developent series) brings: + +* A complete rewrite of the way we send mail (Deliver class), + and of the way we parse mail (MIME bodystructure parsing). + This makes SquirrelMail more reliable and more efficient + at the same time! +* Support for IMAP UID which makes SquirrelMail more reliable. +* Optimizations to code and the number of IMAP calls; SquirrelMail + is now a very scalable webmail solution. +* Support for a wider range of authentication mechanisms. +* Lots of bugfixes, some new features and a couple of UI-tweaks. + + +Reporting your favorite SquirrelMail bug +======================================== + +We constantly aim to make SquirrelMail even better. So we need you to +submit any bug you come across! 
However, before you do so, please have +a look at our various support resources to make sure the issue isn't +already known or solved: + + http://squirrelmail.org/docs/admin/admin-10.html + http://squirrelmail.org/docs/admin/admin-12.html + http://squirrelmail.org/wiki/KnownBugs + http://squirrelmail.org/wiki/SolvingProblems + +You should also search existing tracker items for your issue (remember +to check for CLOSED and PENDING items as well as OPEN ones) - if you +find such an (open) item, please do add any more details you have to +it to help us fix and close the bug report. + +When reporting a new bug, please mention what SquirrelMail release(s) +it pertains to, and list as many details about your system as possible, +including your IMAP server and web server details. + + http://squirrelmail.org/bugs + +Thanks for your cooperation! This helps us to make sure nothing slips +through the cracks. + +Any questions about installing or using SquirrelMail can be directed +to our user support list: + + squ...@li... + +When posting support requests there, please carefully follow our posting +guidelines: + + http://squirrelmail.org/postingguidelines + +If you want to join us in coding SquirrelMail, or have other things to +share with the developers, join the development mailinglist: + + squ...@li... + + + Happy SquirrelMailing! + + - The SquirrelMail Project Team + Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-05-11 23:46:55 UTC (rev 13680) +++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-05-12 00:04:23 UTC (rev 13681) 
@@ -16,14 +16,14 @@ * SquirrelMail version number -- DO NOT CHANGE */ global $version; -$version = '1.4.18'; +$version = '1.4.19 [SVN]'; /** * SquirrelMail internal version number -- DO NOT CHANGE * $sm_internal_version = array (release, major, minor) */ global $SQM_INTERNAL_VERSION; -$SQM_INTERNAL_VERSION = array(1,4,18); +$SQM_INTERNAL_VERSION = array(1,4,19); /** * There can be a circular issue with includes, where the $version string is This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
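Review bot: in the release notes hunk (@@ -0,0 +1,137 @@) "developent" in "as a result of 1.3 developent series" should be "development"; that paragraph is carried over between releases, so fix it in doc/ReleaseNotes as well. The security section would also be more useful to distributors if each issue stated which versions are affected, since these notes are what gets quoted in advisories.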
From: <pdo...@us...> - 2009-05-12 07:43:57
Revision: 13685 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13685&view=rev Author: pdontthink Date: 2009-05-12 07:43:44 +0000 (Tue, 12 May 2009) Log Message: ----------- No more session_unregister() -- PHP 5.3/6 compatibility Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/global.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-12 07:42:28 UTC (rev 13684) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-12 07:43:44 UTC (rev 13685) @@ -4,6 +4,8 @@ Version 1.4.19 - SVN -------------------- + - Removed use of session_unregister() for compatibility with PHP 5.3.0 + and PHP 6 Version 1.4.18 - 11 May 2009 ---------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/global.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/global.php 2009-05-12 07:42:28 UTC (rev 13684) +++ branches/SM-1_4-STABLE/squirrelmail/functions/global.php 2009-05-12 07:43:44 UTC (rev 13685) @@ -267,7 +267,10 @@ sqsession_is_active(); unset($_SESSION[$name]); - session_unregister($name); + + // starts throwing warnings in PHP 5.3.0 and is + // removed in PHP 6 and is redundant anyway + //session_unregister($name); } /** This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
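Review bot: in the @@ -267,7 +267,10 @@ hunk the `session_unregister($name)` call is left behind as a commented-out line; the explanation in the comment above it is sufficient, so delete the dead line rather than keep it. `unset($_SESSION[$name])` is the complete replacement because `$_SESSION` is the session storage once the session is active, which the `sqsession_is_active()` call just above guarantees.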
From: <pdo...@us...> - 2009-05-19 02:02:54
Revision: 13720 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13720&view=rev Author: pdontthink Date: 2009-05-19 01:49:24 +0000 (Tue, 19 May 2009) Log Message: ----------- - Fixed the Filters plugin to allow commas in filter criteria text Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php branches/SM-1_4-STABLE/squirrelmail/plugins/filters/options.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-18 12:02:52 UTC (rev 13719) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-19 01:49:24 UTC (rev 13720) @@ -6,6 +6,7 @@ -------------------- - Removed use of session_unregister() for compatibility with PHP 5.3.0 and PHP 6 + - Fixed the Filters plugin to allow commas in filter criteria text Version 1.4.18 - 11 May 2009 ---------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php 2009-05-18 12:02:52 UTC (rev 13719) +++ branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php 2009-05-19 01:49:24 UTC (rev 13720) 
@@ -528,7 +528,7 @@ for ($i=0; $fltr = getPref($data_dir, $username, 'filter' . $i); $i++) { $ary = explode(',', $fltr); $filters[$i]['where'] = $ary[0]; - $filters[$i]['what'] = $ary[1]; + $filters[$i]['what'] = str_replace('###COMMA###', ',', $ary[1]); $filters[$i]['folder'] = $ary[2]; } return $filters; Modified: branches/SM-1_4-STABLE/squirrelmail/plugins/filters/options.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/plugins/filters/options.php 2009-05-18 12:02:52 UTC (rev 13719) +++ branches/SM-1_4-STABLE/squirrelmail/plugins/filters/options.php 2009-05-19 01:49:24 UTC (rev 13720) @@ -79,7 +79,7 @@ } if ($complete_post) { - $filter_what = str_replace(',', ' ', $filter_what); + $filter_what = str_replace(',', '###COMMA###', $filter_what); $filter_what = str_replace("\\\\", "\\", $filter_what); $filter_what = str_replace("\\\"", '"', $filter_what); $filter_what = str_replace('"', '"', $filter_what); @@ -276,4 +276,4 @@ ) , 'center', '', 'width="80%" border="0" cellpadding="2" cellspacing="0"' ); echo '</body></html>'; -?> \ No newline at end of file +?> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
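Review bot: in the plugins/filters/options.php hunk, `###COMMA###` is a visible sentinel rather than an escape. A criterion that legitimately contains the text ###COMMA### is rewritten to a comma on read-back, and only $filter_what is protected: the folder name is still stored in the same comma-joined record and split by `explode(',', $fltr)` in filters.php, so a folder named e.g. `Lists, archived` still corrupts the entry. A delimiter that cannot occur in user data, or a reversible encoding such as rawurlencode()/rawurldecode() applied to every field, fixes both cases.

Review bot: in the plugins/filters/filters.php hunk the decode of the sentinel happens after `explode(',', $fltr)`, which is the only order that works with this scheme; a one-line comment saying the field is encoded by options.php would keep the next maintainer from "simplifying" either side independently. The trailing newline added after `?>` in options.php is harmless (PHP swallows a single newline directly after the closing tag); dropping the closing tag from the file entirely is the safer convention.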
From: <ki...@us...> - 2009-05-20 15:21:32
Revision: 13724 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13724&view=rev Author: kink Date: 2009-05-20 15:21:14 +0000 (Wed, 20 May 2009) Log Message: ----------- parseFetch passed a template array not containing message objects, this caused the error message on login when spam filters were limited to new mail only: Warning: Invalid argument supplied for foreach() in /usr/share/squirrelmail/plugins/filters/filters.php on line 427 Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-20 05:16:32 UTC (rev 13723) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-20 15:21:14 UTC (rev 13724) @@ -6,7 +6,8 @@ -------------------- - Removed use of session_unregister() for compatibility with PHP 5.3.0 and PHP 6 - - Fixed the Filters plugin to allow commas in filter criteria text + - Fixed the Filters plugin to allow commas in filter criteria text and + not to error out when spam-scanning only unread mail. Version 1.4.18 - 11 May 2009 ---------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php 2009-05-20 05:16:32 UTC (rev 13723) +++ branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php 2009-05-20 15:21:14 UTC (rev 13724) @@ -412,7 +412,7 @@ return; } - $messages = parseFetch($read, $search_array); + $messages = parseFetch($read); $bulkquery = (strlen($SpamFilters_BulkQuery) > 0 ? true : false); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
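Review bot: dropping the stray second argument to parseFetch() fixes the warning quoted in the commit message, but the `foreach` in filters.php it points at still assumes parseFetch() returns an array; guard it with `if (!is_array($messages)) return;` (or check `$read` before the call) so that an IMAP error path fails quietly instead of printing a PHP warning into the login page. The quoted warning also shows why that matters: it leaks the install path (/usr/share/squirrelmail/plugins/filters/filters.php) to the user.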
From: <ki...@us...> - 2009-05-21 17:11:14
Revision: 13733 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13733&view=rev Author: kink Date: 2009-05-21 17:11:04 +0000 (Thu, 21 May 2009) Log Message: ----------- The shell escaping fix in map_yp_alias (CVE-2009-1579) was incomplete. Thanks Michal Hlavinka for noticing this. [CVE-2009-1381] Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-21 10:23:43 UTC (rev 13732) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-21 17:11:04 UTC (rev 13733) @@ -11,6 +11,8 @@ - Resend cookie to browser after session ID regeneration so it gets the right cookie parameters. - In SMTP, when we EHLO with an IP, wrap it in brackets (#2793154). + - The shell escaping fix in map_yp_alias (CVE-2009-1579) was incomplete. + Thanks Michal Hlavinka for noticing this. [CVE-2009-1381] Version 1.4.18 - 11 May 2009 ---------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php 2009-05-21 10:23:43 UTC (rev 13732) +++ branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php 2009-05-21 17:11:04 UTC (rev 13733) @@ -973,7 +973,8 @@ * LDAP whatever way to find the users IMAP server. */ function map_yp_alias($username) { - $yp = `ypmatch ' . escapeshellarg($username) . ' aliases`; + $safe_username = escapeshellarg($username); + $yp = `ypmatch $safe_username aliases`; return chop(substr($yp, strlen($username)+1)); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
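Review bot: the root cause of the incomplete 1.4.18 fix deserves a comment in the functions/imap_general.php hunk: PHP's backtick operator interpolates variables exactly like a double-quoted string, so in `ypmatch ' . escapeshellarg($username) . ' aliases` the quotes and the concatenation were literal shell text and `$username` was substituted unescaped. The assign-first form is the right fix. Two follow-ups: the function never checks that $username looks like a login name, so rejecting anything outside e.g. `/^[A-Za-z0-9._-]+$/` before the shell is reached gives defence in depth, and `substr($yp, strlen($username)+1)` assumes ypmatch's output begins with the username and one separator, an assumption worth verifying with a prefix check rather than a blind offset.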
From: <ki...@us...> - 2009-05-21 17:19:26
Revision: 13735 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13735&view=rev Author: kink Date: 2009-05-21 17:19:09 +0000 (Thu, 21 May 2009) Log Message: ----------- prepare for 1.4.19 release Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes branches/SM-1_4-STABLE/squirrelmail/functions/strings.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-21 17:11:22 UTC (rev 13734) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-21 17:19:09 UTC (rev 13735) @@ -2,8 +2,8 @@ *** SquirrelMail Stable Series 1.4 *** ************************************** -Version 1.4.19 - SVN --------------------- +Version 1.4.19 - 21 May 2009 +---------------------------- - Removed use of session_unregister() for compatibility with PHP 5.3.0 and PHP 6. - Fixed the Filters plugin to allow commas in filter criteria text and Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes 2009-05-21 17:11:22 UTC (rev 13734) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes 2009-05-21 17:19:09 UTC (rev 13735) @@ -1,7 +1,7 @@ /***************************************************************** - * Release Notes: SquirrelMail 1.4.18 * - * The "Karate Kid" Release * - * 11 May 2009 * + * Release Notes: SquirrelMail 1.4.19 * + * The "Backticking Timebomb" Release * + * 21 May 2009 * *****************************************************************/ In this edition of SquirrelMail Release Notes: 
@@ -15,48 +15,23 @@ All about this release ====================== -This release addresses some security problems in SquirrelMail, adds -several new language translations, makes some improvements to the -filters plugin and the address book system, and addresses several -other small bug fixes and improvements. +This release was made to address an incomplete fix to a security +issue, and regressions in the filters plugin introduced in the +previous release, plus some small other fixes. -Notable changes: - * Security fixes - see below. - * New languages: Bangladeshi Bengali, Khmer, Tamil - -For a more complete list of changes, please see the file "ChangeLog" +For a complete list of changes, please see the file "ChangeLog" in the doc/ directory. Security issues =============== -Two issues were fixed that both allowed an attacker to run arbitrary -script (XSS) on most any SquirrelMail page by getting the user to -click on specially crafted SquirrelMail links. We would like to thank -Niels Teusink and Christian Balzer for reporting these issues to us. -These are tracked as CVE-2009-1578. - -An issue was fixed wherein input to the contrib/decrypt_headers.php -script was not sanitized and allowed arbitrary script execution upon -submission of certain values. We would like to thank Niels Teusink for -reporting this issue to us. This is also tracked as CVE-2009-1578. - An issue was fixed that allowed arbitrary server-side code execution when SquirrelMail was configured to use the example "map_yp_alias" -username mapping functionality. We would like to thank Niels Teusink -for reporting this issue to us. This is tracked as CVE-2009-1579. +username mapping functionality. This was originally repaired in +1.4.18 but the fix turned out to be incomplete. Thanks go to Michal +Hlavinka for spotting this. The issue was originally tracked as +CVE-2009-1579, the fix being incomplete is named CVE-2009-1381. 
-An issue was fixed that allowed an attacker to possibly steal user -data by hijacking the SquirrelMail login session. We would like to -thank Tomas Hoger for reporting this issue to us. This is tracked -as CVE-2009-1580. - -An issue was fixed that allowed phishing and cross-site scripting -(XSS) attacks to be run by surreptitious placement of content in -specially-crafted emails sent to SquirrelMail users. We would like to -thank Luc Beurton for reporting this issue to us. This is tracked -as CVE-2009-1581. - Locales / Translations / Charsets ================================= Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-05-21 17:11:22 UTC (rev 13734) +++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-05-21 17:19:09 UTC (rev 13735) @@ -16,7 +16,7 @@ * SquirrelMail version number -- DO NOT CHANGE */ global $version; -$version = '1.4.19 [SVN]'; +$version = '1.4.19'; /** * SquirrelMail internal version number -- DO NOT CHANGE This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
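Review bot: the doc/ReleaseNotes hunk replaces the 1.4.18 security summary wholesale, so an administrator reading only the 1.4.19 notes no longer sees CVE-2009-1578, CVE-2009-1580 or CVE-2009-1581; one sentence pointing at the 1.4.18 notes for those issues keeps the chain of advisories intact. The CVE-2009-1381 paragraph could also say plainly that an installation running the 1.4.18 map_yp_alias change alone is still exploitable, since that is the message this release exists to deliver.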
From: <ki...@us...> - 2009-05-21 17:32:35
Revision: 13738 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13738&view=rev Author: kink Date: 2009-05-21 17:32:27 +0000 (Thu, 21 May 2009) Log Message: ----------- reopen svn for continued development Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/strings.php Added Paths: ----------- branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.19.txt Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-21 17:28:30 UTC (rev 13737) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-21 17:32:27 UTC (rev 13738) @@ -2,6 +2,9 @@ *** SquirrelMail Stable Series 1.4 *** ************************************** +Version 1.4.20 - SVN +-------------------- + Version 1.4.19 - 21 May 2009 ---------------------------- - Removed use of session_unregister() for compatibility with PHP 5.3.0 Copied: branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.19.txt (from rev 13735, branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes) =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.19.txt (rev 0) +++ branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.19.txt 2009-05-21 17:32:27 UTC (rev 13738) 
@@ -0,0 +1,112 @@ +/***************************************************************** + * Release Notes: SquirrelMail 1.4.19 * + * The "Backticking Timebomb" Release * + * 21 May 2009 * + *****************************************************************/ + +In this edition of SquirrelMail Release Notes: + * All about this Release! + * Locales / Translations / Charsets + * Security issues + * Major updates + * Reporting your favorite SquirrelMail bug + + +All about this release +====================== + +This release was made to address an incomplete fix to a security +issue, and regressions in the filters plugin introduced in the +previous release, plus some small other fixes. + +For a complete list of changes, please see the file "ChangeLog" +in the doc/ directory. + +Security issues +=============== + +An issue was fixed that allowed arbitrary server-side code execution +when SquirrelMail was configured to use the example "map_yp_alias" +username mapping functionality. This was originally repaired in +1.4.18 but the fix turned out to be incomplete. Thanks go to Michal +Hlavinka for spotting this. The issue was originally tracked as +CVE-2009-1579, the fix being incomplete is named CVE-2009-1381. + +Locales / Translations / Charsets +================================= + +Since the release of SquirrelMail 1.4.4, translations are no longer +a part of the main package. They are now downloaded separately; you +can obtain all languages in one package or get an individual language. +You can find these packages on our web site. They also contain +installation instructions. + +The release of SquirrelMail 1.4.4 also introduced a backport of the +new Character set decoding functions from our development code branch, +vastly increasing the decoding performance and the number of supported +character sets. 
+ + +Major updates in 1.4 +==================== + +The 1.4.x series (as a result of 1.3 developent series) brings: + +* A complete rewrite of the way we send mail (Deliver class), + and of the way we parse mail (MIME bodystructure parsing). + This makes SquirrelMail more reliable and more efficient + at the same time! +* Support for IMAP UID which makes SquirrelMail more reliable. +* Optimizations to code and the number of IMAP calls; SquirrelMail + is now a very scalable webmail solution. +* Support for a wider range of authentication mechanisms. +* Lots of bugfixes, some new features and a couple of UI-tweaks. + + +Reporting your favorite SquirrelMail bug +======================================== + +We constantly aim to make SquirrelMail even better. So we need you to +submit any bug you come across! However, before you do so, please have +a look at our various support resources to make sure the issue isn't +already known or solved: + + http://squirrelmail.org/docs/admin/admin-10.html + http://squirrelmail.org/docs/admin/admin-12.html + http://squirrelmail.org/wiki/KnownBugs + http://squirrelmail.org/wiki/SolvingProblems + +You should also search existing tracker items for your issue (remember +to check for CLOSED and PENDING items as well as OPEN ones) - if you +find such an (open) item, please do add any more details you have to +it to help us fix and close the bug report. + +When reporting a new bug, please mention what SquirrelMail release(s) +it pertains to, and list as many details about your system as possible, +including your IMAP server and web server details. + + http://squirrelmail.org/bugs + +Thanks for your cooperation! This helps us to make sure nothing slips +through the cracks. + +Any questions about installing or using SquirrelMail can be directed +to our user support list: + + squ...@li... 
+ +When posting support requests there, please carefully follow our posting +guidelines: + + http://squirrelmail.org/postingguidelines + +If you want to join us in coding SquirrelMail, or have other things to +share with the developers, join the development mailinglist: + + squ...@li... + + + Happy SquirrelMailing! + + - The SquirrelMail Project Team + Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-05-21 17:28:30 UTC (rev 13737) +++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-05-21 17:32:27 UTC (rev 13738) @@ -16,14 +16,14 @@ * SquirrelMail version number -- DO NOT CHANGE */ global $version; -$version = '1.4.19'; +$version = '1.4.20 [SVN]'; /** * SquirrelMail internal version number -- DO NOT CHANGE * $sm_internal_version = array (release, major, minor) */ global $SQM_INTERNAL_VERSION; -$SQM_INTERNAL_VERSION = array(1,4,19); +$SQM_INTERNAL_VERSION = array(1,4,20); /** * There can be a circular issue with includes, where the $version string is This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
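Review bot: in the copied Notes-1.4.19.txt the table of contents lists "Locales / Translations / Charsets" before "Security issues", but the body has the sections in the opposite order; and "developent" in the "Major updates in 1.4" paragraph is a typo for "development". Both are inherited from doc/ReleaseNotes, so they should be fixed there as well as in the archive copy.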
From: <jan...@us...> - 2009-06-02 03:22:23
Revision: 13777 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13777&view=rev Author: jangliss Date: 2009-06-02 02:04:46 +0000 (Tue, 02 Jun 2009) Log Message: ----------- Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). This probably needs further discussion Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog Modified: branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess 2009-05-31 10:23:20 UTC (rev 13776) +++ branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess 2009-06-02 02:04:46 UTC (rev 13777) @@ -2,4 +2,5 @@ Deny from All Allow from 127 Allow from 10 -Allow from 192 +Allow from 172.16 +Allow from 192.168 \ No newline at end of file Modified: branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess 2009-05-31 10:23:20 UTC (rev 13776) +++ branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess 2009-06-02 02:04:46 UTC (rev 13777) @@ -2,4 +2,5 @@ Deny from All Allow from 127 Allow from 10 -Allow from 192 +Allow from 172.16 +Allow from 192.168 \ No newline at end of file Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-31 10:23:20 UTC (rev 13776) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-06-02 02:04:46 UTC (rev 13777) 
@@ -5,6 +5,7 @@ Version 1.4.20 - SVN -------------------- - Removed the shut down DSBL blocklists (#2796734). + - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). Version 1.4.19 - 21 May 2009 ---------------------------- This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
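Review bot: in both .htaccess hunks `Allow from 172.16` matches only 172.16.0.0/16, but RFC 1918 reserves 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), so the "fixed" reference is still wrong for fifteen of the sixteen /16 blocks; write all three ranges in CIDR form (`Allow from 10.0.0.0/8`, `Allow from 172.16.0.0/12`, `Allow from 192.168.0.0/16`) instead of partial-octet prefixes, and restore the final newline both files now lack (`\ No newline at end of file`). The commit message's "needs further discussion" is apt: a source-address allow list in .htaccess only holds if the request reaches Apache with the client's real address; behind a reverse proxy or NAT every request arrives from a private address and doc/ and contrib/ become readable by everyone, so a line in the files saying that removing these directories from the web root is the robust option would help.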
From: <ki...@us...> - 2009-06-02 06:43:00
Revision: 13780 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13780&view=rev Author: kink Date: 2009-06-02 06:42:56 +0000 (Tue, 02 Jun 2009) Log Message: ----------- specify RFC1918 completely Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess Modified: branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess 2009-06-02 06:30:05 UTC (rev 13779) +++ branches/SM-1_4-STABLE/squirrelmail/contrib/.htaccess 2009-06-02 06:42:56 UTC (rev 13780) @@ -1,6 +1,6 @@ Order Deny,Allow Deny from All -Allow from 127 -Allow from 10 -Allow from 172.16 -Allow from 192.168 \ No newline at end of file +Allow from 10.0.0.0/8 +Allow from 127.0.0.0/8 +Allow from 172.16.0.0/12 +Allow from 192.168.0.0/16 Modified: branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess 2009-06-02 06:30:05 UTC (rev 13779) +++ branches/SM-1_4-STABLE/squirrelmail/doc/.htaccess 2009-06-02 06:42:56 UTC (rev 13780) @@ -1,6 +1,6 @@ Order Deny,Allow Deny from All -Allow from 127 -Allow from 10 -Allow from 172.16 -Allow from 192.168 \ No newline at end of file +Allow from 10.0.0.0/8 +Allow from 127.0.0.0/8 +Allow from 172.16.0.0/12 +Allow from 192.168.0.0/16 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
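Review bot: the CIDR form in both .htaccess hunks is correct now. Remaining gaps: there is no `Allow from ::1`, so an IPv6 loopback client (a local monitoring check, for instance) is denied; the Order/Deny/Allow directives only take effect where the server's AllowOverride includes Limit, so that prerequisite belongs in the accompanying documentation, along with a note that the same rules must go in the main server config where .htaccess processing is disabled (on Apache 2.4 the equivalent is `Require ip 10.0.0.0/8 ...` from mod_authz_core, the old directives needing mod_access_compat). The reverse-proxy caveat from the previous revision still stands: a proxy on 10/8 in front of Apache satisfies these rules for every Internet client.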
From: <jan...@us...> - 2009-07-27 01:40:54
Revision: 13789 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13789&view=rev Author: jangliss Date: 2009-07-27 01:40:44 +0000 (Mon, 27 Jul 2009) Log Message: ----------- - Updated INSTALL doc to remove possible bad system admin typos (#2827153). - PHP 5.3 deprecates ereg functions (#2820952). - Filters plugin uses badly formatted literals request (#2805201). Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/doc/INSTALL branches/SM-1_4-STABLE/squirrelmail/functions/abook_local_file.php branches/SM-1_4-STABLE/squirrelmail/functions/attachment_common.php branches/SM-1_4-STABLE/squirrelmail/functions/gettext.php branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php branches/SM-1_4-STABLE/squirrelmail/functions/mime.php branches/SM-1_4-STABLE/squirrelmail/functions/strings.php branches/SM-1_4-STABLE/squirrelmail/functions/url_parser.php branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/class.POP3.php branches/SM-1_4-STABLE/squirrelmail/src/compose.php branches/SM-1_4-STABLE/squirrelmail/src/left_main.php branches/SM-1_4-STABLE/squirrelmail/src/read_body.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-07-27 01:40:44 UTC (rev 13789) 
@@ -6,6 +6,9 @@ -------------------- - Removed the shut down DSBL blocklists (#2796734). - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). + - Updated INSTALL doc to remove possible bad system admin typos (#2827153). + - PHP 5.3 deprecates ereg functions (#2820952). + - Filters plugin uses badly formatted literals request (#2805201). Version 1.4.19 - 21 May 2009 ---------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/doc/INSTALL =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/INSTALL 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/doc/INSTALL 2009-07-27 01:40:44 UTC (rev 13789) @@ -145,8 +145,7 @@ deletes everything in the attachment directory. Something similar to the following will be good enough: - $ cd /var/local/squirrelmail/attach - $ rm -f * + $ cd /var/local/squirrelmail/attach && rm -f * However, this will delete attachments that are currently in use by people sending email when the cron job runs. You can either (1) make sure that @@ -159,7 +158,7 @@ attachment directory is the same as your data directory) might look like this: - $ rm `find /var/local/squirrelmail/attach -atime +2 | grep -v "\." | grep -v _` + $ find /var/local/squirrelmail/attach -type f -atime +2 -exec rm {} \; Remember to be careful with whatever method you do use, and to test out the command before it potentially wipes out everyone's preferences. Modified: branches/SM-1_4-STABLE/squirrelmail/functions/abook_local_file.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/abook_local_file.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/functions/abook_local_file.php 2009-07-27 01:40:44 UTC (rev 13789) 
@@ -295,8 +295,8 @@ die('</body></html>'); } else { $line = join(' ', $row); - // errors on eregi call are suppressed in order to prevent display of regexp compilation errors - if(@eregi($expr, $line)) { + // errors on preg_match call are suppressed in order to prevent display of regexp compilation errors + if(@preg_match('/' . $expr . '/i', $line)) { array_push($res, array('nickname' => $row[0], 'name' => $row[1] . ' ' . $row[2], 'firstname' => $row[1], @@ -418,7 +418,8 @@ $this->quotevalue((!empty($userdata['label'])?$userdata['label']:'')); /* Strip linefeeds */ - $data = ereg_replace("[\r\n]", ' ', $data); + $nl_str = array("\r","\n"); + $data = str_replace($nl_str, ' ', $data); /** * Make sure that entry fits into allocated record space. @@ -573,7 +574,7 @@ function quotevalue($value) { /* Quote the field if it contains | or ". Double quotes need to * be replaced with "" */ - if(ereg("[|\"]", $value)) { + if(stristr('"', $value) || stristr('|', $value)) { $value = '"' . str_replace('"', '""', $value) . '"'; } return $value; Modified: branches/SM-1_4-STABLE/squirrelmail/functions/attachment_common.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/attachment_common.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/functions/attachment_common.php 2009-07-27 01:40:44 UTC (rev 13789) 
@@ -201,8 +201,13 @@ do_hook('attachment_common-load_mime_types'); - ereg('\\.([^\\.]+)$', $Args[7], $Regs); + preg_match('/\.([^\.]+)$/', $Args[7], $Regs); + $Ext = ''; + if (is_array($Regs) && isset($Regs[1])) { + $Ext = $Regs[1]; + } + $Ext = strtolower($Regs[1]); if ($Ext == '' || ! isset($FileExtensionToMimeType[$Ext])) Modified: branches/SM-1_4-STABLE/squirrelmail/functions/gettext.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/gettext.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/functions/gettext.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -96,7 +96,7 @@ $SkipRead = false; } - if (ereg('^msgid "(.*)"$', $line, $match)) { + if (preg_match('/^msgid "(.*)"$/', $line, $match)) { if ($match[1] == '') { /* * Potential multi-line @@ -106,7 +106,7 @@ */ $key = ''; $line = trim(fgets($file, 4096)); - while (ereg('^[ ]*"(.*)"[ ]*$', $line, $match)) { + while (preg_match('/^[ ]*"(.*)"[ ]*$/', $line, $match)) { $key .= $match[1]; $line = trim(fgets($file, 4096)); } @@ -115,7 +115,7 @@ /* msgid "string string" */ $key = $match[1]; } - } elseif (ereg('^msgstr "(.*)"$', $line, $match)) { + } elseif (preg_match('/^msgstr "(.*)"$/', $line, $match)) { if ($match[1] == '') { /* * Potential multi-line @@ -125,7 +125,7 @@ */ $gettext_php_translateStrings[$key] = ''; $line = trim(fgets($file, 4096)); - while (ereg('^[ ]*"(.*)"[ ]*$', $line, $match)) { + while (preg_match('/^[ ]*"(.*)"[ ]*$/', $line, $match)) { $gettext_php_translateStrings[$key] .= $match[1]; $line = trim(fgets($file, 4096)); } Modified: branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php 2009-07-27 01:40:44 UTC (rev 13789) 
@@ -76,7 +76,44 @@ } } +function sqimap_run_literal_command($imap_stream, $query, $handle_errors, &$response, &$message, $unique_id = false) { + if ($imap_stream) { + $sid = sqimap_session_id($unique_id); + $command = sprintf("%s {%d}\r\n", $query['command'], strlen($query['literal_args'][0])); + fputs($imap_stream, $sid . ' ' . $command); + // TODO: Put in error handling here // + $read = sqimap_read_data($imap_stream, $sid, $handle_errors, $response, $message, $query['command']); + + $i = 0; + $cnt = count($query['literal_args']); + while( $i < $cnt ) { + if (($cnt > 1) && ($i < ($cnt - 1))) { + $command = sprintf("%s {%d}\r\n", $query['literal_args'][$i], strlen($query['literal_args'][$i+1])); + } else { + $command = sprintf("%s\r\n", $query['literal_args'][$i]); + } + + fputs($imap_stream, $command); + $read = sqimap_read_data($imap_stream, $sid, $handle_errors, $response, $message, $query['command']); + + $i++; + + } + return $read; + } else { + global $squirrelmail_language, $color; + set_up_language($squirrelmail_language); + require_once(SM_PATH . 'functions/display_messages.php'); + $string = "<b><font color=\"$color[2]\">\n" . + _("ERROR: No available IMAP stream.") . + "</b></font>\n"; + error_box($string,$color); + return false; + } +} + + /** * Custom fgets function: gets a line from the IMAP server, * no matter how big it may be. @@ -171,12 +208,17 @@ $resultlist = array(); $data = array(); $read = sqimap_fgets($imap_stream); + $i = 0; while ($read) { $char = $read{0}; switch ($char) { case '+': + { + $response = 'OK'; + break 2; + } default: $read = sqimap_fgets($imap_stream); break; 
@@ -657,8 +699,8 @@ * OS: We want to lookup all personal NAMESPACES... */ $read = sqimap_run_command($imap_stream, 'NAMESPACE', true, $a, $b); - if (eregi('\\* NAMESPACE +(\\( *\\(.+\\) *\\)|NIL) +(\\( *\\(.+\\) *\\)|NIL) +(\\( *\\(.+\\) *\\)|NIL)', $read[0], $data)) { - if (eregi('^\\( *\\((.*)\\) *\\)', $data[1], $data2)) { + if (preg_match('/\* NAMESPACE +(\( *\(.+\) *\)|NIL) +(\( *\(.+\) *\)|NIL) +(\( *\(.+\) *\)|NIL)/i', $read[0], $data)) { + if (preg_match('/^\( *\((.*)\) *\)/', $data[1], $data2)) { $pn = $data2[1]; } $pna = explode(')(', $pn); @@ -689,7 +731,7 @@ function sqimap_get_num_messages ($imap_stream, $mailbox) { $read_ary = sqimap_run_command ($imap_stream, "EXAMINE \"$mailbox\"", false, $result, $message); for ($i = 0; $i < count($read_ary); $i++) { - if (ereg("[^ ]+ +([^ ]+) +EXISTS", $read_ary[$i], $regs)) { + if (preg_match('/[^ ]+ +([^ ]+) +EXISTS/', $read_ary[$i], $regs)) { return $regs[1]; } } @@ -878,7 +920,7 @@ $i = 0; $regs = array(false, false); while (isset($read_ary[$i])) { - if (ereg("UNSEEN ([0-9]+)", $read_ary[$i], $regs)) { + if (preg_match('/UNSEEN\s+([0-9]+)/i', $read_ary[$i], $regs)) { break; } $i++; Modified: branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -39,9 +39,9 @@ function find_mailbox_name ($mailbox) { if (preg_match('/\*.+\"([^\r\n\"]*)\"[\s\r\n]*$/', $mailbox, $regs)) return $regs[1]; - if (ereg(" *\"([^\r\n\"]*)\"[ \r\n]*$", $mailbox, $regs)) + if (preg_match('/ *"([^\r\n"]*)"[ \r\n]*$/', $mailbox, $regs)) return $regs[1]; - ereg(" *([^ \r\n\"]*)[ \r\n]*$",$mailbox,$regs); + preg_match('/ *([^ \r\n"]*)[ \r\n]*$/',$mailbox,$regs); return $regs[1]; } 
@@ -447,7 +447,7 @@ $boxesall[$g]['flags'] = array(); if (isset($line[$g])) { - ereg("\(([^)]*)\)",$line[$g],$regs); + preg_match('/\(([^)]*)\)/',$line[$g],$regs); $flags = trim(strtolower(str_replace('\\', '',$regs[1]))); if ($flags) { $boxesall[$g]['flags'] = explode(' ', $flags); @@ -595,7 +595,7 @@ * (larger then fgets buffer) */ if (isset($lsub_ary[$i + 1]) && substr($lsub_ary[$i],-3) == "}\r\n") { - if (ereg("^(\\* [A-Z]+.*)\\{[0-9]+\\}([ \n\r\t]*)$", + if (preg_match('/^(\* [A-Z]+.*)\{[0-9]+\}([ \n\r\t]*)$/', $lsub_ary[$i], $regs)) { $i++; $lsub_ary[$i] = $regs[1] . '"' . addslashes(trim($lsub_ary[$i])) . '"' . $regs[2]; @@ -636,7 +636,7 @@ /* Another workaround for literals */ if (isset($read[1]) && substr($read[1],-3) == "}\r\n") { - if (ereg("^(\\* [A-Z]+.*)\\{[0-9]+\\}([ \n\r\t]*)$", + if (preg_match('/^(\* [A-Z]+.*)\{[0-9]+\}([ \n\r\t]*)$/', $read[0], $regs)) { $read[0] = $regs[1] . '"' . addslashes(trim($read[1])) . '"' . $regs[2]; } @@ -658,7 +658,7 @@ true, $response, $message); /* Another workaround for literals */ if (isset($inbox_ary[1]) && substr($inbox_ary[0],-3) == "}\r\n") { - if (ereg("^(\\* [A-Z]+.*)\\{[0-9]+\\}([ \n\r\t]*)$", + if (preg_match('/^(\* [A-Z]+.*)\{[0-9]+\}([ \n\r\t]*)$/', $inbox_ary[0], $regs)) { $inbox_ary[0] = $regs[1] . '"' . addslashes(trim($inbox_ary[1])) . '"' . $regs[2]; @@ -733,7 +733,7 @@ for ($i = 0, $cnt = count($read_ary); $i < $cnt; $i++) { /* Another workaround for EIMS */ if (isset($read_ary[$i + 1]) && - ereg("^(\\* [A-Z]+.*)\\{[0-9]+\\}([ \n\r\t]*)$", + ereg('/^(\* [A-Z]+.*)\{[0-9]+\}([ \n\r\t]*)$/', $read_ary[$i], $regs)) { $i ++; $read_ary[$i] = $regs[1] . '"' . addslashes(trim($read_ary[$i])) . '"' . $regs[2]; 
@@ -753,8 +753,9 @@ /* Format folder name, but only if it's a INBOX.* or has a parent. */ $boxesallbyname[$mailbox] = $g; $parentfolder = readMailboxParent($mailbox, $delimiter); - if((eregi('^inbox'.quotemeta($delimiter), $mailbox)) || - (ereg('^'.$folder_prefix, $mailbox)) || + /* @FIXME shouldn't use preg_match for simple string matching */ + if((preg_match('/^inbox'.quotemeta($delimiter).'/i', $mailbox)) || + (preg_match('/^'.$folder_prefix.'/', $mailbox)) || ( isset($boxesallbyname[$parentfolder]) && (strlen($parentfolder) > 0) ) ) { if ($dm_count) { $boxes[$g]['formatted'] = str_repeat(' ', $dm_count); Modified: branches/SM-1_4-STABLE/squirrelmail/functions/mime.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/mime.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/functions/mime.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -117,7 +117,7 @@ } while($topline && ($topline[0] == '*') && !preg_match('/\* [0-9]+ FETCH.*/i', $topline)) ; $wholemessage = implode('', $data); - if (ereg('\\{([^\\}]*)\\}', $topline, $regs)) { + if (preg_match('/\{([^\}]*)\}/', $topline, $regs)) { $ret = substr($wholemessage, 0, $regs[1]); /* There is some information in the content info header that could be important * in order to parse html messages. Let's get them here. 
@@ -125,7 +125,7 @@ // if ($ret{0} == '<') { // $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, $uid_support); // } - } else if (ereg('"([^"]*)"', $topline, $regs)) { + } else if (preg_match('/"([^"]*)"/', $topline, $regs)) { $ret = $regs[1]; } else if ((stristr($topline, 'nil') !== false) && (empty($wholemessage))) { $ret = $wholemessage; Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -56,7 +56,7 @@ } } - ereg("^([\t >]*)([^\t >].*)?$", $line, $regs); + preg_match('/^([\t >]*)([^\t >].*)?$/', $line, $regs); $beginning_spaces = $regs[1]; if (isset($regs[2])) { $words = explode(' ', $regs[2]); Modified: branches/SM-1_4-STABLE/squirrelmail/functions/url_parser.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/url_parser.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/functions/url_parser.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -52,7 +52,7 @@ $addresses = array(); /* Find all the email addresses in the body */ - while(eregi($Email_RegExp_Match, $sbody, $regs)) { + while(preg_match('/'.$Email_RegExp_Match.'/i', $sbody, $regs)) { $addresses[$regs[0]] = $regs[0]; $start = strpos($sbody, $regs[0]) + strlen($regs[0]); $sbody = substr($sbody, $start); 
@@ -169,7 +169,7 @@ $url = substr($body, $target_pos, $end-$target_pos); /* Needed since lines are not passed with \n or \r */ - while ( ereg("[,\.]$", $url) ) { + while ( preg_match('/[,\.]$/', $url) ) { $url = substr( $url, 0, -1 ); $end--; } Modified: branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -113,12 +113,12 @@ // Check to see if this line is the right "Received from" line // to check if (is_int(strpos($read[$i], $SpamFilters_YourHop))) { - $read[$i] = ereg_replace('[^0-9\.]', ' ', $read[$i]); + $read[$i] = preg_replace('/[^0-9\.]/', ' ', $read[$i]); $elements = explode(' ', $read[$i]); foreach ($elements as $value) { if ($value != '' && - ereg('[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}', - $value, $regs)) { + preg_match('/((\d{1,3}\.){3}\d{1,3})/', + $value)) { $Chunks = explode('.', $value); $IP = $Chunks[3] . '.' . $Chunks[2] . '.' . $Chunks[1] . '.' . $Chunks[0]; @@ -256,6 +256,12 @@ $id = array(); // For every rule for ($i=0, $num = count($filters); $i < $num; $i++) { + // Don't attempt to run filters if folder does not exist // + if (!sqimap_mailbox_exists($imap_stream, $filters[$i]['folder'])) { + continue; + } + + // If it is the "combo" rule if ($filters[$i]['where'] == 'To or Cc') { /* 
@@ -326,13 +332,17 @@ // see comments in squirrelmail sqimap_search function if ($imap_server_type == 'macosx' || $imap_server_type == 'hmailserver') { $search_str .= ' ' . $where . ' ' . $what; + $read = sqimap_run_command_list($imap, $search_str, true, $response, $message, $uid_support); } else { - $search_str .= ' ' . $where . ' {' . strlen($what) . "}\r\n" - . $what; + $lit = array(); + $lit['command'] = $search_str . ' ' . $where; + $lit['literal_args'][] = $what; + + $read = sqimap_run_literal_command($imap, $lit, true, $response, $message, $uid_support ); } /* read data back from IMAP */ - $read = sqimap_run_command($imap, $search_str, true, $response, $message, $uid_support); + // This may have problems with EIMS due to it being goofy Modified: branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/class.POP3.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/class.POP3.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/class.POP3.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -253,7 +253,7 @@ $MsgArray = array(); $line = fgets($fp,$buffer); - while ( !ereg("^\.\r\n",$line)) + while ( !preg_match('/^\.\r\n/',$line)) { $MsgArray[$count] = $line; $count++; @@ -320,7 +320,7 @@ if($msgC > $Total) { break; } $line = fgets($fp,$this->BUFFER); $line = $this->strip_clf($line); - if(ereg("^\.",$line)) + if(strpos($line, '.') === 0) { $this->ERROR = "POP3 pop_list: " . _("Premature end of list"); return false; @@ -366,7 +366,7 @@ $MsgArray = array(); $line = fgets($fp,$buffer); - while ( !ereg("^\.\r\n",$line)) + while ( !preg_match('/^\.\r\n/',$line)) { if ( $line{0} == '.' ) { $line = substr($line,1); } $MsgArray[$count] = $line; 
@@ -554,10 +554,7 @@ $line = ""; $count = 1; $line = fgets($fp,$buffer); - while ( !ereg("^\.\r\n",$line)) { - if(ereg("^\.\r\n",$line)) { - break; - } + while ( !preg_match('/^\.\r\n/',$line)) { list ($msg,$msgUidl) = preg_split('/\s+/',$line); $msgUidl = $this->strip_clf($msgUidl); if($count == $msg) { @@ -607,7 +604,7 @@ if( empty($cmd) ) return false; else - return( ereg ("^\+OK", $cmd ) ); + return( stripos('+OK', $cmd ) !== false ); } function strip_clf ($text = "") { @@ -616,8 +613,7 @@ if(empty($text)) return $text; else { - $stripped = str_replace("\r",'',$text); - $stripped = str_replace("\n",'',$stripped); + $stripped = str_replace(array("\r","\n"),'',$text); return $stripped; } } Modified: branches/SM-1_4-STABLE/squirrelmail/src/compose.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/compose.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/src/compose.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -793,7 +793,7 @@ $cnt = count($body_ary) ; $body = ''; for ($i=0; $i < $cnt; $i++) { - if (!ereg("^[>\\s]*$", $body_ary[$i]) || !$body_ary[$i]) { + if (!preg_match('/^[>\s]*$/', $body_ary[$i]) || !$body_ary[$i]) { sqWordWrap($body_ary[$i], $editor_size, $default_charset ); $body .= $body_ary[$i] . "\n"; } @@ -1473,7 +1473,7 @@ } $composeMessage->setBody($body); - if (ereg("^([^@%/]+)[@%/](.+)$", $username, $usernamedata)) { + if (preg_match('|^([^@%/]+)[@%/](.+)$|', $username, $usernamedata)) { $popuser = $usernamedata[1]; $domain = $usernamedata[2]; unset($usernamedata); Modified: branches/SM-1_4-STABLE/squirrelmail/src/left_main.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/left_main.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/src/left_main.php 2009-07-27 01:40:44 UTC (rev 13789) 
@@ -46,7 +46,7 @@ $mailboxURL = urlencode($real_box); /* Strip down the mailbox name. */ - if (ereg("^( *)([^ ]*)$", $mailbox, $regs)) { + if (preg_match('/^( *)([^ ]*)$/', $mailbox, $regs)) { $mailbox = $regs[2]; } $unseen = 0; @@ -450,7 +450,7 @@ } else { $line .= "<font color=\"$color[15]\">"; } - if (ereg("^( *)([^ ]*)", $mailbox, $regs)) { + if (preg_match('/^( *)([^ ]*)/', $mailbox, $regs)) { $mailbox = str_replace(' ','',$mailbox); $line .= str_replace(' ', ' ', $mailbox); } Modified: branches/SM-1_4-STABLE/squirrelmail/src/read_body.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/read_body.php 2009-07-16 21:33:48 UTC (rev 13788) +++ branches/SM-1_4-STABLE/squirrelmail/src/read_body.php 2009-07-27 01:40:44 UTC (rev 13789) @@ -208,7 +208,7 @@ // Patch #793504 Return Receipt Failing with <@> from Tim Craig (burny_md) // This merely comes from compose.php and only happens when there is no // email_addr specified in user's identity (which is the startup config) - if (ereg("^([^@%/]+)[@%/](.+)$", $username, $usernamedata)) { + if (preg_match('|^([^@%/]+)[@%/](.+)$|', $username, $usernamedata)) { $popuser = $usernamedata[1]; $domain = $usernamedata[2]; unset($usernamedata); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
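Review bot: the `@@ -733,7 +733,7 @@` hunk in imap_mailbox.php (the EIMS literal workaround) still calls ereg() but now hands it a PCRE pattern complete with `/` delimiters: `ereg('/^(\* [A-Z]+.*)\{[0-9]+\}([ \n\r\t]*)$/', $read_ary[$i], $regs)`. ereg() treats the leading `/` as a literal character that must precede the `^` anchor, so this expression can never match and the workaround is silently disabled (and it still triggers the PHP 5.3 deprecation this commit is meant to remove). It should be `preg_match(...)`, as in the three sibling hunks above it.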
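Review bot: in the `@@ -753,8 +753,9 @@` hunk of imap_mailbox.php both interpolated values land inside a `/`-delimited pattern without being escaped for PCRE. quotemeta() does not escape `/`, so on a server whose hierarchy delimiter is `/` the first test becomes `/^inbox//i`, which PCRE rejects with an "unknown modifier" warning and preg_match() returns false, meaning INBOX subfolders are never formatted; `$folder_prefix` in the second test is not escaped at all and has the same delimiter problem. Use `preg_quote($delimiter, '/')` and `preg_quote($folder_prefix, '/')`, or, as the added `@FIXME` already suggests, replace both with plain prefix comparisons (strncasecmp() / `strpos(...) === 0`).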
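Review bot: the is_ok() change in the `@@ -607,7 +604,7 @@` hunk of class.POP3.php has the stripos() arguments reversed and drops the anchoring of the original `^\+OK`: `return( stripos('+OK', $cmd ) !== false );` searches for the whole server reply inside the three-character string `'+OK'`, so any reply longer than a bare `+OK` (e.g. `+OK Logged in.`) is reported as a failure and mail_fetch cannot talk to any POP3 server. Unlike the original it would also accept `+ok` or `+OK` anywhere in the line. The equivalent of the old test is `strpos($cmd, '+OK') === 0` (or `strncmp($cmd, '+OK', 3) == 0`).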
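Review bot: the `@@ -52,7 +52,7 @@` hunk of url_parser.php wraps `$Email_RegExp_Match`, a pattern written for eregi(), in `/` delimiters and passes it to preg_match(): `preg_match('/'.$Email_RegExp_Match.'/i', $sbody, $regs)`. That only works if the pattern and the host/IP fragments it is assembled from contain no unescaped `/` and use only syntax PCRE accepts; the patch does not show those definitions being reviewed, and a delimiter clash turns every call into a false plus a warning, so no address in a message body would be linked. Either convert and preg_quote() the fragments where they are defined, or choose a delimiter that cannot occur in the pattern.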
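Review bot: in the `@@ -326,13 +332,17 @@` hunk of filters.php the removed `$read = sqimap_run_command(...)` line is replaced by the bare comment `// This may have problems with EIMS due to it being goofy`, which, together with the older `/* read data back from IMAP */`, now dangles at the end of the hunk with no statement following; attach both to the code they describe or drop them. The two branches also now call different helpers (sqimap_run_command_list() for `macosx`/`hmailserver`, sqimap_run_literal_command() otherwise), so please confirm both return `$read` in the shape the parsing code below the hunk expects, since the removed call was to sqimap_run_command(). Finally, the `macosx`/`hmailserver` branch still appends `$what` to the SEARCH string unquoted, so a search term containing a space, a double quote or a line break alters the IMAP command; the literal form used in the else branch (`$lit['literal_args'][] = $what;`) avoids this, and the inline branch should at least quote and escape the value.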
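Review bot: the new existence check in the `@@ -256,6 +256,12 @@` hunk of filters.php silently `continue`s when a rule's target folder is missing, so a user whose folder was renamed or deleted gets no hint that the rule stopped filtering; consider surfacing a warning. It also costs one sqimap_mailbox_exists() round trip per rule on every run, so results should be cached across rules that share a folder. The comment `// Don't attempt to run filters if folder does not exist //` has a stray trailing `//`.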
From: Paul L. <pa...@sq...> - 2009-07-29 02:37:56
|
Jon,

On 7/26/09, jan...@us... <jan...@us...> wrote:
> Revision: 13789
>
> http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13789&view=rev
> Author: jangliss
> Date: 2009-07-27 01:40:44 +0000 (Mon, 27 Jul 2009)
>
> Log Message:
> -----------
> - Updated INSTALL doc to remove possible bad system admin typos
> (#2827153).
> - PHP 5.3 deprecates ereg functions (#2820952).
> - Filters plugin uses badly formatted literals request (#2805201).

Can you please put this into 1.5.2? Even if the filters plugin works better there, the new IMAP library function you created probably should be added to the development stream.

> Modified Paths:
> --------------
> branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
> branches/SM-1_4-STABLE/squirrelmail/doc/INSTALL
> branches/SM-1_4-STABLE/squirrelmail/functions/abook_local_file.php
> branches/SM-1_4-STABLE/squirrelmail/functions/attachment_common.php
> branches/SM-1_4-STABLE/squirrelmail/functions/gettext.php
> branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php
> branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php
> branches/SM-1_4-STABLE/squirrelmail/functions/mime.php
> branches/SM-1_4-STABLE/squirrelmail/functions/strings.php
> branches/SM-1_4-STABLE/squirrelmail/functions/url_parser.php
> branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php
> branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/class.POP3.php
> branches/SM-1_4-STABLE/squirrelmail/src/compose.php
> branches/SM-1_4-STABLE/squirrelmail/src/left_main.php
> branches/SM-1_4-STABLE/squirrelmail/src/read_body.php
> <snip>
|
From: <pdo...@us...> - 2009-07-29 02:21:16
|
Revision: 13800 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13800&view=rev Author: pdontthink Date: 2009-07-29 02:21:06 +0000 (Wed, 29 Jul 2009) Log Message: ----------- More than should have been in rev.#13789 - removing use of deprecated ereg() functions (#2820952) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/functions/addressbook.php branches/SM-1_4-STABLE/squirrelmail/functions/i18n.php branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php branches/SM-1_4-STABLE/squirrelmail/functions/imap_messages.php branches/SM-1_4-STABLE/squirrelmail/functions/imap_search.php branches/SM-1_4-STABLE/squirrelmail/src/addressbook.php branches/SM-1_4-STABLE/squirrelmail/src/folders_delete.php branches/SM-1_4-STABLE/squirrelmail/src/options_order.php branches/SM-1_4-STABLE/squirrelmail/src/view_header.php Modified: branches/SM-1_4-STABLE/squirrelmail/functions/addressbook.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/addressbook.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/functions/addressbook.php 2009-07-29 02:21:06 UTC (rev 13800) @@ -519,7 +519,7 @@ $userdata['nickname'] = $userdata['email']; } - if (eregi('[ \\:\\|\\#\\"\\!]', $userdata['nickname'])) { + if (preg_match('/[ :|#"!]/', $userdata['nickname'])) { $this->error = _("Nickname contains illegal characters"); return false; } @@ -603,7 +603,7 @@ return false; } - if (eregi('[\\: \\|\\#"\\!]', $userdata['nickname'])) { + if (preg_match('/[: |#"!]/', $userdata['nickname'])) { $this->error = _("Nickname contains illegal characters"); return false; } Modified: branches/SM-1_4-STABLE/squirrelmail/functions/i18n.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/i18n.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/functions/i18n.php 2009-07-29 02:21:06 UTC (rev 13800) 
@@ -675,7 +675,7 @@ break; case 'decodeheader': $ret = str_replace("\t", "", $ret); - if (eregi('=\\?([^?]+)\\?(q|b)\\?([^?]+)\\?=', $ret)) + if (preg_match('/=\?([^?]+)\?(q|b)\?([^?]+)\?=/', $ret)) $ret = @mb_decode_mimeheader($ret); $ret = @mb_convert_encoding($ret, 'EUC-JP', 'AUTO'); break; Modified: branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/functions/imap_mailbox.php 2009-07-29 02:21:06 UTC (rev 13800) @@ -319,6 +319,8 @@ */ function sqimap_mailbox_is_subscribed($imap_stream, $folder) { $boxesall = sqimap_mailbox_list ($imap_stream); +//LEFT OFF HERE DEBUGGING +if (!is_array($boxesall)) sm_print_r('boxesall is not an array!', 'Folder: ' . $folder, 'boxesall: ' . $boxesall, debug_backtrace()); foreach ($boxesall as $ref) { if ($ref['unformatted'] == $folder) { return true; @@ -734,7 +736,7 @@ for ($i = 0, $cnt = count($read_ary); $i < $cnt; $i++) { /* Another workaround for EIMS */ if (isset($read_ary[$i + 1]) && - ereg('/^(\* [A-Z]+.*)\{[0-9]+\}([ \n\r\t]*)$/', + preg_match('/^(\* [A-Z]+.*)\{[0-9]+\}([ \n\r\t]*)$/', $read_ary[$i], $regs)) { $i ++; $read_ary[$i] = $regs[1] . '"' . addslashes(trim($read_ary[$i])) . '"' . $regs[2]; 
@@ -785,7 +787,7 @@ /* Another workaround for EIMS */ // if (isset($read_mlbx[1]) && -// ereg("^(\\* [A-Z]+.*)\\{[0-9]+\\}([ \n\r\t]*)$", $read_mlbx[0], $regs)) { +// preg_match('/^(\* [A-Z]+.*)\{[0-9]+\}([ \n\r\t]*)$/', $read_mlbx[0], $regs)) { // $read_mlbx[0] = $regs[1] . '"' . addslashes(trim($read_mlbx[1])) . '"' . $regs[2]; // } // echo $read_mlbx[0] .' raw 2 <br>'; Modified: branches/SM-1_4-STABLE/squirrelmail/functions/imap_messages.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/imap_messages.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/functions/imap_messages.php 2009-07-29 02:21:06 UTC (rev 13800) @@ -122,7 +122,7 @@ $results = array(); $references = ""; $responses = sqimap_run_command_list ($imap_stream, "FETCH $message BODY[HEADER.FIELDS (References)]", true, $response, $message, $uid_support); - if (!eregi("^\\* ([0-9]+) FETCH", $responses[0][0], $regs)) { + if (!preg_match("/^\* ([0-9]+) FETCH/i", $responses[0][0], $regs)) { $responses = array (); } return $responses; Modified: branches/SM-1_4-STABLE/squirrelmail/functions/imap_search.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/imap_search.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/functions/imap_search.php 2009-07-29 02:21:06 UTC (rev 13800) 
@@ -34,7 +34,7 @@ /* construct the search query, taking multiple search terms into account */ $multi_search = array(); $search_what = trim($search_what); - $search_what = ereg_replace('[ ]{2,}', ' ', $search_what); + $search_what = preg_replace('/[ ]{2,}/', ' ', $search_what); $multi_search = explode(' ', $search_what); $search_string = ''; Modified: branches/SM-1_4-STABLE/squirrelmail/src/addressbook.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/addressbook.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/src/addressbook.php 2009-07-29 02:21:06 UTC (rev 13800) @@ -194,7 +194,7 @@ if (!$r) { /* Remove backend name from error string */ $errstr = $abook->error; - $errstr = ereg_replace('^\[.*\] *', '', $errstr); + $errstr = preg_replace('/^\[.*\] */', '', $errstr); $formerror = $errstr; $showaddrlist = false; Modified: branches/SM-1_4-STABLE/squirrelmail/src/folders_delete.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/folders_delete.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/src/folders_delete.php 2009-07-29 02:21:06 UTC (rev 13800) @@ -100,7 +100,7 @@ /** lets see if we CAN move folders to the trash.. otherwise, ** just delete them **/ if ((isset($delete_folder) && $delete_folder) || - eregi('^'.$trash_folder.'.+', $mailbox) ) { + preg_match('/^' . $trash_folder . '.+/', $mailbox) ) { $can_move_to_trash = FALSE; } Modified: branches/SM-1_4-STABLE/squirrelmail/src/options_order.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/options_order.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/src/options_order.php 2009-07-29 02:21:06 UTC (rev 13800) 
@@ -85,7 +85,7 @@ } else if ($method == 'add' && $add) { /* User should not be able to insert PHP-code here */ $add = str_replace ('<?', '..', $add); - $add = ereg_replace ('<.*script.*language.*php.*>', '..', $add); + $add = preg_replace ('/<.*script.*language.*php.*>/', '..', $add); $add = str_replace ('<%', '..', $add); $index_order[count($index_order)+1] = $add; } @@ -155,4 +155,4 @@ </td></tr> </table> -</body></html> \ No newline at end of file +</body></html> Modified: branches/SM-1_4-STABLE/squirrelmail/src/view_header.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/view_header.php 2009-07-29 01:55:21 UTC (rev 13799) +++ branches/SM-1_4-STABLE/squirrelmail/src/view_header.php 2009-07-29 02:21:06 UTC (rev 13800) @@ -48,16 +48,17 @@ for ($i=1; $i < count($read); $i++) { $line = htmlspecialchars($read[$i]); switch (true) { - case (eregi("^>", $line)): + case (preg_match('/^>/i', $line)): $second[$i] = $line; $first[$i] = ' '; $cnum++; break; - case (eregi("^[ |\t]", $line)): +// FIXME: is the pipe character below a mistake? I think the original author might have thought it carried special meaning in the character class, which it does not... but then again, I am not currently trying to understand what this code actually does + case (preg_match('/^[ |\t]/', $line)): $second[$i] = $line; $first[$i] = ''; break; - case (eregi("^([^:]+):(.+)", $line, $regs)): + case (preg_match('/^([^:]+):(.+)/', $line, $regs)): $first[$i] = $regs[1] . ':'; $second[$i] = $regs[2]; $cnum++; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
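Review bot: the `@@ -319,6 +319,8 @@` hunk of imap_mailbox.php commits leftover debugging to the stable branch: `//LEFT OFF HERE DEBUGGING` followed by `if (!is_array($boxesall)) sm_print_r('boxesall is not an array!', 'Folder: ' . $folder, 'boxesall: ' . $boxesall, debug_backtrace());`. It is unrelated to the ereg() removal this commit is about, and it prints a full backtrace, including call arguments such as the IMAP stream and folder names, into the page of any user whose mailbox list fails to load. Remove it, or replace it with a proper error path that returns false from sqimap_mailbox_is_subscribed() when `$boxesall` is not an array.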
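Review bot: the `@@ -675,7 +675,7 @@` hunk of i18n.php turns a case-insensitive eregi() into a case-sensitive preg_match() without adding the `i` modifier: `preg_match('/=\?([^?]+)\?(q|b)\?([^?]+)\?=/', $ret)`. RFC 2047 encoded-words are usually written with upper-case `?B?` / `?Q?`, which no longer match `(q|b)`, so mb_decode_mimeheader() is skipped for exactly the headers most mailers produce. The pattern should end in `/i`.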
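Review bot: in the `@@ -100,7 +100,7 @@` hunk of folders_delete.php, `$trash_folder` is interpolated into a `/`-delimited pattern without escaping (`preg_match('/^' . $trash_folder . '.+/', $mailbox)`), and the `i` modifier of the original eregi() is dropped. A trash folder such as `INBOX/Trash` now breaks the delimiter and preg_match() returns false with a warning, while a `.` in the name keeps acting as a wildcard. Use `preg_quote($trash_folder, '/')` with `/i`, or a plain case-insensitive prefix check (strncasecmp() against `strlen($trash_folder)` plus a length test for the `.+` part).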
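Review bot: the FIXME added in the `@@ -48,16 +48,17 @@` hunk of view_header.php is correct: inside a character class `|` is a literal, so `/^[ |\t]/` classifies any header line starting with a pipe as a folded continuation line. Rather than leave the question in a comment, resolve it by dropping the `|` (the original eregi() had the same behaviour, so this is a bug fix, not a conversion change). The `i` modifier on `/^>/i` has no effect and can go as well.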
From: <pdo...@us...> - 2009-07-31 05:22:41
|
Revision: 13804 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13804&view=rev Author: pdontthink Date: 2009-07-31 05:22:35 +0000 (Fri, 31 Jul 2009) Log Message: ----------- Provide option for complete removal of usernames and user IP addresses from message headers, and remove personal data from Message ID seed. (#880029/847107) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver.class.php branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog Modified: branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver.class.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver.class.php 2009-07-29 03:35:07 UTC (rev 13803) +++ branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver.class.php 2009-07-31 05:22:35 UTC (rev 13804) @@ -586,15 +586,9 @@ /* Create a message-id */ $message_id = 'MESSAGE ID GENERATION ERROR! PLEASE CONTACT SQUIRRELMAIL DEVELOPERS'; if (empty($rfc822_header->message_id)) { - $message_id = '<'; - /* user-specifc data to decrease collision chance */ - $seed_data = $username . '.'; - $seed_data .= (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : ''); - $seed_data .= (!empty($REMOTE_ADDR) ? $REMOTE_ADDR . '.' : ''); - /* add the current time in milliseconds and randomness */ - $seed_data .= uniqid(mt_rand(),true); - /* put it through one-way hash and add it to the ID */ - $message_id .= md5($seed_data) . '.squirrel@' . $SERVER_NAME .'>'; + $message_id = '<' + . md5(GenerateRandomString(16, '', 7) . uniqid(mt_rand(),true)) + . '.squirrel@' . $SERVER_NAME .'>'; } /* Make an RFC822 Received: line */ 
@@ -619,22 +613,33 @@ * unless you understand all possible forging issues or your * webmail installation does not prevent changes in user's email address. * See SquirrelMail bug tracker #847107 for more details about it. + * + * Add hide_squirrelmail_header as a candidate for config_local.php + * (must be defined as a constant: define('hide_squirrelmail_header', 1); + * to allow completely hiding SquirrelMail participation in message + * processing; This is dangerous, especially if users can modify their + * account information, as it makes mapping a sent message back to the + * original sender almost impossible. */ + $show_sm_header = ( defined('hide_squirrelmail_header') ? ! hide_squirrelmail_header : 1 ); + // FIXME: The following headers may generate slightly differently between the message sent to the destination and that stored in the Sent folder because this code will be called before both actions. This is not necessarily a big problem, but other headers such as Message-ID and Date are preserved between both actions - if (isset($encode_header_key) && + if ( $show_sm_header ) { + if (isset($encode_header_key) && trim($encode_header_key)!='') { // use encoded headers, if encryption key is set and not empty $header[] = 'X-Squirrel-UserHash: '.OneTimePadEncrypt($username,base64_encode($encode_header_key)).$rn; $header[] = 'X-Squirrel-FromHash: '.OneTimePadEncrypt($this->ip2hex($REMOTE_ADDR),base64_encode($encode_header_key)).$rn; if (isset($HTTP_X_FORWARDED_FOR)) $header[] = 'X-Squirrel-ProxyHash:'.OneTimePadEncrypt($this->ip2hex($HTTP_X_FORWARDED_FOR),base64_encode($encode_header_key)).$rn; - } else { + } else { // use default received headers $header[] = "Received: from $received_from" . $rn; if ($edit_identity || ! isset($hide_auth_header) || ! $hide_auth_header) $header[] = " (SquirrelMail authenticated user $username)" . $rn; $header[] = " by $SERVER_NAME with HTTP;" . $rn; $header[] = " $date" . 
$rn; + } } /* Insert the rest of the header fields */ Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-07-29 03:35:07 UTC (rev 13803) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-07-31 05:22:35 UTC (rev 13804) @@ -9,6 +9,9 @@ - Updated INSTALL doc to remove possible bad system admin typos (#2827153). - PHP 5.3 deprecates ereg functions (#2820952). - Filters plugin uses badly formatted literals request (#2805201). + - Provide option for complete removal of usernames and user IP addresses + from message headers, and remove personal data from Message ID seed. + (#880029/847107) Version 1.4.19 - 21 May 2009 ---------------------------- This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
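Review bot: the `@@ -586,15 +586,9 @@` hunk of Deliver.class.php removes the comments explaining the Message-ID seed along with the username, port and address, leaving `md5(GenerateRandomString(16, '', 7) . uniqid(mt_rand(),true))` uncommented; a one-line comment stating that the seed is intentionally free of user data (#847107) and that only uniqueness, not secrecy, is required would stop a later maintainer from "improving" it by putting the identifying data back.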
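Review bot: the `@@ -619,22 +613,33 @@` hunk of Deliver.class.php introduces the `hide_squirrelmail_header` constant but documents it only inside this code comment. When set it suppresses both the `Received:` line and the `X-Squirrel-UserHash` / `X-Squirrel-FromHash` headers, so an installation that enables it loses the only link from an outgoing message back to the authenticated user, which the comment itself calls dangerous. Document the option where administrators will see it (the ChangeLog entry or a config_local.php example) together with the advice to keep a server-side log of submissions when it is on, and consider tying it to `$edit_identity` being off, since the comment already notes the risk when users can change their account data.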
From: <pdo...@us...> - 2009-08-12 08:19:24
|
Revision: 13815 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13815&view=rev Author: pdontthink Date: 2009-08-12 08:19:16 +0000 (Wed, 12 Aug 2009) Log Message: ----------- Implemented page referal verification mechanism. (Secunia Advisory SA34627) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/auth.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-10 23:19:04 UTC (rev 13814) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-12 08:19:16 UTC (rev 13815) @@ -12,6 +12,7 @@ - Provide option for complete removal of usernames and user IP addresses from message headers, and remove personal data from Message ID seed. (#880029/847107) + - Implemented page referal verification mechanism. (Secunia Advisory SA34627) Version 1.4.19 - 21 May 2009 ---------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/auth.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/auth.php 2009-08-10 23:19:04 UTC (rev 13814) +++ branches/SM-1_4-STABLE/squirrelmail/functions/auth.php 2009-08-12 08:19:16 UTC (rev 13815) 
@@ -33,21 +33,56 @@ * Check if user has previously logged in to the SquirrelMail session. If user * has not logged in, execution will stop inside this function. * + * This function optionally checks the referrer of this page request. If the + * administrator wants to impose a check that the referrer of this page request + * is another page on the same domain (otherwise, the page request is likely + * the result of a XSS or phishing attack), then they need to specify the + * acceptable referrer domain in a variable named $check_referrer in + * config/config.php (or the configuration tool) for which the value is + * usually the same as the $domain setting (for example: + * $check_referrer = 'example.com'; + * However, in some cases (where proxy servers are in use, etc.), the + * acceptable referrer might be different. If $check_referrer is set to + * "###DOMAIN###", then the current value of $domain is used (useful in + * situations where $domain might change at runtime (when using the Login + * Manager plugin to host multiple domains with one SquirrelMail installation, + * for example)): + * $check_referrer = '###DOMAIN###'; + * NOTE HOWEVER, that referrer checks are not foolproof - they can be spoofed + * by browsers, and some browsers intentionally don't send them, in which + * case SquirrelMail silently ignores referrer checks. + * * @return void This function returns ONLY if user has previously logged in * successfully (otherwise, execution terminates herein). */ function is_logged_in() { - if ( sqsession_is_registered('user_is_logged_in') ) { + // check for user login as well as referrer if needed + // + global $check_referrer, $domain; + if ($check_referrer == '###DOMAIN###') $check_referrer = $domain; + if (!empty($check_referrer)) { + $ssl_check_referrer = 'https://' . $check_referrer; + $check_referrer = 'http://' . 
$check_referrer; + } + if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = ''; + if (sqsession_is_registered('user_is_logged_in') + && (!$check_referrer || empty($referrer) + || ($check_referrer && !empty($referrer) + && (strpos(strtolower($referrer), strtolower($check_referrer)) === 0 + || strpos(strtolower($referrer), strtolower($ssl_check_referrer)) === 0)))) { return; } else { + global $session_expired_post, $session_expired_location, $squirrelmail_language; // use $message to indicate what logout text the user // will see... if 0, typical "You must be logged in" // if 1, information that the user session was saved - // and will be resumed after (re)login + // and will be resumed after (re)login, if 2, there + // seems to have been a XSS or phishing attack (bad + // referrer) // $message = 0; @@ -67,6 +102,12 @@ $message = 1; } + // was bad referrer the reason we were rejected? + // + if (sqsession_is_registered('user_is_logged_in') + && $check_referrer && !empty($referrer)) + $message = 2; + session_write_close(); // signout page will deal with users who aren't logged @@ -79,8 +120,10 @@ set_up_language($squirrelmail_language, true); if (!$message) logout_error( _("You must be logged in to access this page.") ); - else + else if ($message == 1) logout_error( _("Your session has expired, but will be resumed after logging in again.") ); + else if ($message == 2) + logout_error( _("The current page request appears to have originated from an unrecognized source.") ); exit; } } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
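Review bot: the referrer comparison in the `@@ -33,21 +33,56 @@` hunk of auth.php is a bare prefix test: `strpos(strtolower($referrer), strtolower($check_referrer)) === 0` after `$check_referrer = 'http://' . $check_referrer;`. With the documented `$check_referrer = 'example.com';` any referrer whose host merely begins with `example.com` also passes, because nothing requires the host to end after the configured name; compare the host component from parse_url($referrer) for equality (or require `/`, `:` or end of string immediately after the prefix). Two smaller points in the same hunk: the global `$check_referrer` is rewritten in place, so a second call in the same request would produce `http://http://...` and any other code reading the global sees the mutated value (use a local variable), and the docblock describes a bad referrer as "a XSS or phishing attack" while what a referrer check actually guards against is cross-site request forgery, which is also what the Secunia advisory in the log message concerns.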
From: <pdo...@us...> - 2009-08-12 08:30:02
|
Revision: 13818 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13818&view=rev Author: pdontthink Date: 2009-08-12 08:29:53 +0000 (Wed, 12 Aug 2009) Log Message: ----------- Implemented security token system. (Secunia Advisory SA34627) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/forms.php branches/SM-1_4-STABLE/squirrelmail/functions/mailbox_display.php branches/SM-1_4-STABLE/squirrelmail/functions/strings.php branches/SM-1_4-STABLE/squirrelmail/src/addrbook_search_html.php branches/SM-1_4-STABLE/squirrelmail/src/addressbook.php branches/SM-1_4-STABLE/squirrelmail/src/compose.php branches/SM-1_4-STABLE/squirrelmail/src/folders.php branches/SM-1_4-STABLE/squirrelmail/src/folders_create.php branches/SM-1_4-STABLE/squirrelmail/src/folders_delete.php branches/SM-1_4-STABLE/squirrelmail/src/folders_rename_do.php branches/SM-1_4-STABLE/squirrelmail/src/folders_rename_getname.php branches/SM-1_4-STABLE/squirrelmail/src/folders_subscribe.php branches/SM-1_4-STABLE/squirrelmail/src/move_messages.php branches/SM-1_4-STABLE/squirrelmail/src/options.php branches/SM-1_4-STABLE/squirrelmail/src/options_highlight.php branches/SM-1_4-STABLE/squirrelmail/src/options_identities.php branches/SM-1_4-STABLE/squirrelmail/src/options_order.php branches/SM-1_4-STABLE/squirrelmail/src/search.php branches/SM-1_4-STABLE/squirrelmail/src/vcard.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-12 08:29:53 UTC (rev 13818) 
@@ -13,6 +13,7 @@ from message headers, and remove personal data from Message ID seed. (#880029/847107) - Implemented page referal verification mechanism. (Secunia Advisory SA34627) + - Implemented security token system. (Secunia Advisory SA34627) Version 1.4.19 - 21 May 2009 ---------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/functions/forms.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/forms.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/functions/forms.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -130,8 +130,24 @@ /** * Make a <form> start-tag. + * + * @param string $action + * @param string $method + * @param string $name + * @param string $enctype + * @param string $charset + * @param string $extra Any other attributes can be added with this parameter; + * they should use double quotes around attribute values + * (OPTIONAL; default empty) + * @param mixed $add_token When given as a string or as boolean TRUE, a hidden + * input is also added to the form containing a security + * token. When given as TRUE, the input name is "smtoken"; + * otherwise the name is the string that is given for this + * parameter. When FALSE, no hidden token input field is + * added. (OPTIONAL; default not used) + * */ -function addForm($action, $method = 'post', $name = '', $enctype = '', $charset = '') +function addForm($action, $method = 'post', $name = '', $enctype = '', $charset = '', $extra = '', $add_token = FALSE) { if($name) { $name = ' name="'.$name.'"'; 
@@ -143,7 +159,15 @@ $charset = ' accept-charset="'.htmlspecialchars($charset).'"'; } - return '<form action="'. $action .'" method="'. $method .'"'. - $enctype . $name . $charset . ">\n"; + $form_string = '<form action="'. $action .'" method="'. $method .'"'. + $enctype . $name . $charset . ' ' . $extra . " >\n"; + + if($add_token) { + $form_string .= '<input type="hidden" value="' . sm_generate_security_token() + . '" name="' . (is_string($add_token) ? $add_token : 'smtoken') + . "\" />\n"; + } + + return $form_string; } Modified: branches/SM-1_4-STABLE/squirrelmail/functions/mailbox_display.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/mailbox_display.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/functions/mailbox_display.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -514,6 +514,7 @@ $safe_name = preg_replace("/[^0-9A-Za-z_]/", '_', $mailbox); $form_name = "FormMsgs" . $safe_name; echo '<form name="' . $form_name . '" method="post" action="move_messages.php">' ."\n" . + '<input type="hidden" name="smtoken" value="'.sm_generate_security_token().'">' . "\n" . '<input type="hidden" name="mailbox" value="'.htmlspecialchars($mailbox).'">' . "\n" . '<input type="hidden" name="startMessage" value="'.htmlspecialchars($start_msg).'">' . "\n"; Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-08-12 08:29:53 UTC (rev 13818) 
@@ -879,5 +879,186 @@ $value = trim($value); } +/** + * Gathers the list of secuirty tokens currently + * stored in the user's preferences and optionally + * purges old ones from the list. + * + * @param boolean $purge_old Indicates if old tokens + * should be purged from the + * list ("old" is 30 days or + * older unless the administrator + * overrides that value using + * $max_security_token_age in + * config/config_local.php) + * (OPTIONAL; default is to always + * purge old tokens) + * + * @return array The list of tokens + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_get_user_security_tokens($purge_old=TRUE) +{ + global $data_dir, $username, $max_token_age_days; + + $tokens = getPref($data_dir, $username, 'security_tokens', ''); + if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens)) + $tokens = array(); + + // purge old tokens if necessary + // + if ($purge_old) + { + if (empty($max_token_age_days)) $max_token_age_days = 30; + $now = time(); + $discard_token_date = $now - ($max_token_age_days * 86400); + $cleaned_tokens = array(); + foreach ($tokens as $token => $timestamp) + if ($timestamp >= $discard_token_date) + $cleaned_tokens[$token] = $timestamp; + $tokens = $cleaned_tokens; + } + + return $tokens; + +} + +/** + * Generates a security token that is then stored in + * the user's preferences with a timestamp for later + * verification/use. + * + * WARNING: If the administrator has turned the token system + * off by setting $disable_security_tokens to TRUE in + * config/config.php or the configuration tool, this + * function will not store tokens in the user + * preferences (but it will still generate and return + * a random string). 
+ * + * @return void + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_generate_security_token() +{ + + global $data_dir, $username, $disable_security_tokens; + $max_generation_tries = 1000; + + $tokens = sm_get_user_security_tokens(); + + $new_token = GenerateRandomString(12, '', 7); + $count = 0; + while (isset($tokens[$new_token])) + { + $new_token = GenerateRandomString(12, '', 7); + if (++$count > $max_generation_tries) + { + logout_error(_("Fatal token generation error; please contact your system administrator or the SquirrelMail Team")); + exit; + } + } + + // is the token system enabled? CAREFUL! + // + if (!$disable_security_tokens) + { + $tokens[$new_token] = time(); + setPref($data_dir, $username, 'security_tokens', serialize($tokens)); + } + + return $new_token; + +} + +/** + * Validates a given security token and optionally remove it + * from the user's preferences if it was valid. If the token + * is too old but otherwise valid, it will still be rejected. + * + * "Too old" is 30 days or older unless the administrator + * overrides that value using $max_security_token_age in + * config/config_local.php + * + * WARNING: If the administrator has turned the token system + * off by setting $disable_security_tokens to TRUE in + * config/config.php or the configuration tool, this + * function will always return TRUE. + * + * @param string $token The token to validate + * @param int $validity_period The number of seconds tokens are valid + * for (set to zero to remove valid tokens + * after only one use; use 3600 to allow + * tokens to be reused for an hour) + * (OPTIONAL; default is to only allow tokens + * to be used once) + * @param boolean $show_error Indicates that if the token is not + * valid, this function should display + * a generic error, log the user out + * and exit - this function will never + * return in that case. 
+ * (OPTIONAL; default FALSE) + * + * @return boolean TRUE if the token validated; FALSE otherwise + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_validate_security_token($token, $validity_period=0, $show_error=FALSE) +{ + + global $data_dir, $username, $max_token_age_days, + $disable_security_tokens; + + // bypass token validation? CAREFUL! + // + if ($disable_security_tokens) return TRUE; + + // don't purge old tokens here because we already + // do it when generating tokens + // + $tokens = sm_get_user_security_tokens(FALSE); + + // token not found? + // + if (empty($tokens[$token])) + { + if (!$show_error) return FALSE; + logout_error(_("This page request could not be verified and appears to have expired.")); + exit; + } + + $now = time(); + $timestamp = $tokens[$token]; + + // whether valid or not, we want to remove it from + // user prefs if it's old enough + // + if ($timestamp < $now - $validity_period) + { + unset($tokens[$token]); + setPref($data_dir, $username, 'security_tokens', serialize($tokens)); + } + + // reject tokens that are too old + // + if (empty($max_token_age_days)) $max_token_age_days = 30; + $old_token_date = $now - ($max_token_age_days * 86400); + if ($timestamp < $old_token_date) + { + if (!$show_error) return FALSE; + logout_error(_("The current page request appears to have originated from an untrusted source.")); + exit; + } + + // token OK! + // + return TRUE; + +} + $PHP_SELF = php_self(); Modified: branches/SM-1_4-STABLE/squirrelmail/src/addrbook_search_html.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/addrbook_search_html.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/addrbook_search_html.php 2009-08-12 08:29:53 UTC (rev 13818) 
@@ -83,7 +83,7 @@ if (sizeof($res) <= 0) return; - echo addForm($PHP_SELF, 'POST', 'addrbook'). + echo addForm($PHP_SELF, 'POST', 'addrbook', '', '', '', TRUE). addHidden('html_addr_search_done', 'true'); addr_insert_hidden(); $line = 0; @@ -308,7 +308,7 @@ if ($addrquery == '' || sizeof($res) == 0) { /* printf('<center><form method="post" name="k" action="compose.php">'."\n", $PHP_SELF); */ echo '<center>'. - addForm('compose.php','POST','k'); + addForm('compose.php','POST','k', '', '', '', TRUE); addr_insert_hidden(); echo '<input type="submit" value="' . _("Return") . '" name="return" />' . "\n" . '</form></center></nobr>'; Modified: branches/SM-1_4-STABLE/squirrelmail/src/addressbook.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/addressbook.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/addressbook.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -31,6 +31,9 @@ require_once(SM_PATH . 'functions/forms.php'); /** lets get the global vars we may need */ +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} sqgetGlobalVar('key', $key, SQ_COOKIE); sqgetGlobalVar('username', $username, SQ_SESSION); @@ -180,6 +183,9 @@ /* Handle user's actions */ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') { + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + /************************************************** * Add new address * **************************************************/ @@ -313,7 +319,7 @@ $olddata = $abook->lookup($enick, $ebackend); /* Display the "new address" form */ - echo addForm($form_url, 'post'). + echo addForm($form_url, 'post', '', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', 
@@ -345,7 +351,7 @@ 'center', '', 'width="100%"' ); /* Display the "new address" form again */ - echo addForm($form_url, 'post'). + echo addForm($form_url, 'post', '', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', @@ -426,7 +432,7 @@ /* List addresses */ if (count($alist) > 0) { - echo addForm($form_url, 'post', 'address_book_form'); + echo addForm($form_url, 'post', 'address_book_form', '', '', '', TRUE); if ($abook->add_extra_field) { $abook_fields = 6; } else { @@ -573,7 +579,7 @@ /* Display the "new address" form */ echo '<a name="AddAddress"></a>' . "\n" . - addForm($form_url, 'post', 'f_add'). + addForm($form_url, 'post', 'f_add', '', '', '', TRUE). html_tag( 'table', html_tag( 'tr', html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n", Modified: branches/SM-1_4-STABLE/squirrelmail/src/compose.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/compose.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/compose.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -67,6 +67,9 @@ $SQ_GLOBAL = SQ_FORM; } sqgetGlobalVar('smaction',$action, $SQ_GLOBAL); +if (!sqgetGlobalVar('smtoken',$submitted_token, $SQ_GLOBAL)) { + $submitted_token = ''; +} sqgetGlobalVar('session',$session, $SQ_GLOBAL); sqgetGlobalVar('mailbox',$mailbox, $SQ_GLOBAL); if ( !sqgetGlobalVar('identity',$identity, $SQ_GLOBAL) ) { @@ -377,6 +380,11 @@ } if ($draft) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + /* * Set $default_charset to correspond with the user's selection * of language interface. @@ -428,6 +436,11 @@ } if ($send) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if (isset($_FILES['attachfile']) && $_FILES['attachfile']['tmp_name'] && $_FILES['attachfile']['tmp_name'] != 'none') { 
@@ -513,6 +526,11 @@ /* sqimap_logout($imapConnection); */ } } elseif (isset($html_addr_search_done)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } @@ -557,6 +575,11 @@ */ include_once('./addrbook_search_html.php'); } elseif (isset($attach)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if (saveAttachedFiles($session)) { plain_error_message(_("Could not move/copy file. File not attached"), $color); } @@ -568,6 +591,11 @@ showInputForm($session); } elseif (isset($sigappend)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + $signature = $idents[$identity]['signature']; $body .= "\n\n".($prefix_sig==true? "-- \n":'').$signature; @@ -578,6 +606,11 @@ } showInputForm($session); } elseif (isset($do_delete)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } else { @@ -1032,6 +1065,7 @@ echo ">\n"; + echo addHidden('smtoken', sm_generate_security_token()); echo addHidden('startMessage', $startMessage); if ($action == 'draft') { Modified: branches/SM-1_4-STABLE/squirrelmail/src/folders.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/folders.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/folders.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -103,7 +103,7 @@ ) . html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[0] ) . - addForm('folders_create.php', 'POST', 'cf'). + addForm('folders_create.php', 'POST', 'cf', '', '', '', TRUE). addInput('folder_name', '', 25). "<br />\n". _("as a subfolder of"). '<br />'. "<tt><select name=\"subfolder\">\n"; 
@@ -228,7 +228,7 @@ html_tag( 'td', '', 'center', $color[0], 'width="50%"' ); if (count($skip_folders) < count($boxes)) { - echo addForm('folders_subscribe.php?method=unsub') + echo addForm('folders_subscribe.php?method=unsub', 'post', '', '', '', '', TRUE) . "<tt><select name=\"mailbox[]\" multiple=\"multiple\" size=\"8\">\n"; for ($i = 0; $i < count($boxes); $i++) { $use_folder = true; @@ -273,7 +273,7 @@ } if (count($box) > 0) { - echo addForm('folders_subscribe.php?method=sub') + echo addForm('folders_subscribe.php?method=sub', 'post', '', '', '', '', TRUE) . '<tt><select name="mailbox[]" multiple="multiple" size="8">'; for ($q = 0; $q < count($box); $q++) { @@ -288,7 +288,7 @@ } } else { /* don't perform the list action -- this is much faster */ - echo addForm('folders_subscribe.php?method=sub') + echo addForm('folders_subscribe.php?method=sub', 'post', '', '', '', '', TRUE) . _("Subscribe to:") . '<br />' . '<tt><input type="text" name="mailbox[]" size="35" />' . '<input type="submit" value="'. _("Subscribe") . "\" />\n" Modified: branches/SM-1_4-STABLE/squirrelmail/src/folders_create.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/folders_create.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/folders_create.php 2009-08-12 08:29:53 UTC (rev 13818) 
@@ -37,8 +37,14 @@ if (! sqgetGlobalVar('contain_subs', $contain_subs, SQ_POST)) { unset($contain_subs); } +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $folder_name = trim($folder_name); if (substr_count($folder_name, '"') || substr_count($folder_name, "\\") || Modified: branches/SM-1_4-STABLE/squirrelmail/src/folders_delete.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/folders_delete.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/folders_delete.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -41,6 +41,9 @@ sqgetGlobalVar('onetimepad',$onetimepad, SQ_SESSION); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); sqgetGlobalVar('mailbox', $mailbox, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ if ($mailbox == '') { @@ -76,7 +79,7 @@ html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[4] ) . sprintf(_("Are you sure you want to delete %s?"), str_replace(array(' ','<','>'),array(' ','<','>'),imap_utf7_decode_local($mailbox_unformatted_disp))). - addForm('folders_delete.php', 'post')."<p>\n". + addForm('folders_delete.php', 'post', '', '', '', '', TRUE)."<p>\n". addHidden('mailbox', $mailbox). addSubmit(_("Yes"), 'confirmed'). addSubmit(_("No"), 'backingout'). 
@@ -85,6 +88,9 @@ exit; } +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $imap_stream = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0); $boxes = sqimap_mailbox_list ($imap_stream); Modified: branches/SM-1_4-STABLE/squirrelmail/src/folders_rename_do.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/folders_rename_do.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/folders_rename_do.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -35,8 +35,14 @@ sqgetGlobalVar('orig', $orig, SQ_POST); sqgetGlobalVar('old_name', $old_name, SQ_POST); sqgetGlobalVar('new_name', $new_name, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $new_name = trim($new_name); if (substr_count($new_name, '"') || substr_count($new_name, "\\") || Modified: branches/SM-1_4-STABLE/squirrelmail/src/folders_rename_getname.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/folders_rename_getname.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/folders_rename_getname.php 2009-08-12 08:29:53 UTC (rev 13818) 
@@ -82,7 +82,7 @@ ) . html_tag( 'tr' ) . html_tag( 'td', '', 'center', $color[4] ) . - addForm('folders_rename_do.php'). + addForm('folders_rename_do.php', 'post', '', '', '', '', TRUE). _("New name:"). '<br /><b>'. $parent . '</b>'. addInput('new_name', $old_name, 25) . '<br />' . "\n"; Modified: branches/SM-1_4-STABLE/squirrelmail/src/folders_subscribe.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/folders_subscribe.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/folders_subscribe.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -33,8 +33,14 @@ sqgetGlobalVar('onetimepad',$onetimepad, SQ_SESSION); sqgetGlobalVar('method', $method, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end globals */ +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $location = get_location(); if (!isset($mailbox) || !isset($mailbox[0]) || $mailbox[0] == '') { Modified: branches/SM-1_4-STABLE/squirrelmail/src/move_messages.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/move_messages.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/move_messages.php 2009-08-12 08:29:53 UTC (rev 13818) 
@@ -138,8 +138,14 @@ sqgetGlobalVar('attache', $attache, SQ_POST); sqgetGlobalVar('location', $location, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ +// security check +sm_validate_security_token($submitted_token, 3600, TRUE); + $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0); $mbx_response=sqimap_mailbox_select($imapConnection, $mailbox); Modified: branches/SM-1_4-STABLE/squirrelmail/src/options.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/options.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/options.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -143,6 +143,9 @@ sqgetGlobalVar('optpage', $optpage); sqgetGlobalVar('optmode', $optmode, SQ_FORM); sqgetGlobalVar('optpage_data',$optpage_data, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of getting globals */ /* Make sure we have an Option Page set. Default to main. */ @@ -226,6 +229,12 @@ /*** Next, process anything that needs to be processed. ***/ /***********************************************************/ +// security check before saving anything... +//FIXME: what about SMOPT_MODE_LINK?? +if ($optmode == SMOPT_MODE_SUBMIT) { + sm_validate_security_token($submitted_token, 3600, TRUE); +} + // set empty error message $optpage_save_error=array(); 
@@ -426,7 +435,7 @@ /* If we are not looking at the main option page, display the page here. */ /*************************************************************************/ } else { - echo addForm('options.php', 'POST', 'f') + echo addForm('options.php', 'POST', 'f', '', '', '', TRUE) . create_optpage_element($optpage) . create_optmode_element(SMOPT_MODE_SUBMIT) . html_tag( 'table', '', '', '', 'width="100%" cellpadding="2" cellspacing="0" border="0"' ) . "\n" Modified: branches/SM-1_4-STABLE/squirrelmail/src/options_highlight.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/options_highlight.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/options_highlight.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -40,6 +40,9 @@ sqGetGlobalVar('match_type', $match_type); sqGetGlobalVar('value', $value); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ function oh_opt( $val, $sel, $tit ) { @@ -59,6 +62,10 @@ if (isset($theid) && ($action == 'delete') || ($action == 'up') || ($action == 'down')) { + + // security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $new_rules = array(); switch($action) { case('delete'): @@ -93,6 +100,9 @@ exit; } else if ($action == 'save') { + // security check + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($color_type == 1) $newcolor = $newcolor_choose; elseif ($color_type == 2) $newcolor = $newcolor_input; else $newcolor = $color_type; @@ -364,7 +374,7 @@ else if ($selected_choose == '') $selected_input = TRUE; - echo addForm('options_highlight.php', 'POST', 'f'). + echo addForm('options_highlight.php', 'POST', 'f', '', '', '', TRUE). addHidden('action', 'save'); if($action == 'edit') { echo addHidden('theid', (isset($theid)?$theid:'')); 
@@ -469,4 +479,4 @@ } do_hook('options_highlight_bottom'); ?> -</table></body></html> \ No newline at end of file +</table></body></html> Modified: branches/SM-1_4-STABLE/squirrelmail/src/options_identities.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/options_identities.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/options_identities.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -27,6 +27,7 @@ include_once(SM_PATH . 'functions/global.php'); include_once(SM_PATH . 'functions/display_messages.php'); include_once(SM_PATH . 'functions/html.php'); +include_once(SM_PATH . 'functions/forms.php'); include_once(SM_PATH . 'functions/identity.php'); /* make sure that page is not available when $edit_identity is false */ @@ -42,9 +43,16 @@ sqgetGlobalVar('smaction', $smaction, SQ_POST); sqgetGlobalVar('return', $return, SQ_POST); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} + // First lets see if there are any actions to perform // if (!empty($smaction) && is_array($smaction)) { + // first do a security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $doaction = ''; $identid = 0; 
@@ -72,9 +80,9 @@ do_hook('options_identities_top'); -$td_str = ''; -$td_str .= '<form name="f" action="options_identities.php" method="post"><br />' . "\n"; -$td_str .= '<table border="0" cellspacing="0" cellpadding="0" width="100%">' . "\n"; +$td_str = '<form name="f" action="options_identities.php" method="post"><br />' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n" + . '<table border="0" cellspacing="0" cellpadding="0" width="100%">' . "\n"; $cnt = count($identities); foreach( $identities as $iKey=>$ident ) { Modified: branches/SM-1_4-STABLE/squirrelmail/src/options_order.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/options_order.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/options_order.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -28,6 +28,7 @@ require_once(SM_PATH . 'functions/imap.php'); require_once(SM_PATH . 'functions/plugin.php'); require_once(SM_PATH . 'functions/html.php'); +require_once(SM_PATH . 'functions/forms.php'); /* get globals */ sqgetGlobalVar('num', $num, SQ_GET); @@ -35,6 +36,9 @@ sqgetGlobalVar('submit', $submit); sqgetGlobalVar('method', $method); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; +} /* end of get globals */ displayPageHeader($color, 'None'); @@ -83,6 +87,10 @@ include_once(SM_PATH . 'include/load_prefs.php'); } } else if ($method == 'add' && $add) { + + // first do a security check + sm_validate_security_token($submitted_token, 3600, TRUE); + /* User should not be able to insert PHP-code here */ $add = str_replace ('<?', '..', $add); $add = preg_replace ('/<.*script.*language.*php.*>/', '..', $add); 
@@ -128,8 +136,9 @@ } if (count($index_order) != count($available)) { - echo '<form name="f" method="post" action="options_order.php">'; - echo '<select name="add">'; + echo '<form name="f" method="post" action="options_order.php">' . "\n" + . addHidden('smtoken', sm_generate_security_token()) + . '<select name="add">' . "\n"; for ($i=1; $i <= count($available); $i++) { $found = false; for ($j=1; $j <= count($index_order); $j++) { Modified: branches/SM-1_4-STABLE/squirrelmail/src/search.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/search.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/search.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -28,6 +28,7 @@ require_once(SM_PATH . 'functions/imap_search.php'); require_once(SM_PATH . 'functions/imap_mailbox.php'); require_once(SM_PATH . 'functions/strings.php'); +require_once(SM_PATH . 'functions/forms.php'); global $allow_thread_sort; @@ -67,6 +68,9 @@ } else { unset($count); } +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) { + $submitted_token = ''; +} /* end of get globals */ /* here are some functions, could go in imap_search.php @@ -240,7 +244,8 @@ $form_name = "FormMsgs" . $safe_name; echo '<form name="' . $form_name . '" method="post" action="move_messages.php">' ."\n" . '<input type="hidden" name="mailbox" value="'.htmlspecialchars($mailbox).'">' . "\n" . - '<input type="hidden" name="startMessage" value="1">' . "\n"; + '<input type="hidden" name="startMessage" value="1">' . "\n" . + addHidden('smtoken', sm_generate_security_token()) . "\n"; echo '<table border="0" width="100%" cellpadding="0" cellspacing="0">'; echo '<tr><td>'; 
@@ -301,6 +306,11 @@ $submit = _("Search"); } +// need to verify security token if user wants to do anything +if (!empty($submit)) { + sm_validate_security_token($submitted_token, 3600, TRUE); +} + if ($submit == _("Search") && !empty($what)) { if ($recent_count > 0) { update_recent($what, $where, $mailbox, $username, $data_dir); @@ -449,6 +459,7 @@ /* Search Form */ echo html_tag( 'div', '<b>' . _("Current Search") . '</b>', 'left' ) . "\n" . '<form action="search.php" name="s">' + . addHidden('smtoken', sm_generate_security_token()) . html_tag( 'table', '', '', '', 'width="95%" cellpadding="0" cellspacing="0" border="0"' ) . html_tag( 'tr' ) . html_tag( 'td', '', 'left' ) Modified: branches/SM-1_4-STABLE/squirrelmail/src/vcard.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/vcard.php 2009-08-12 08:28:38 UTC (rev 13817) +++ branches/SM-1_4-STABLE/squirrelmail/src/vcard.php 2009-08-12 08:29:53 UTC (rev 13818) @@ -155,6 +155,7 @@ '</td></tr>' . '<tr><td align="center">' . '<form action="../src/addressbook.php" method="post" name="f_add">' . + '<input type="hidden" name="smtoken" value="' . sm_generate_security_token() . '" />' . '<table border="0" cellpadding="2" cellspacing="0" align="center">' . '<tr><td align="right"><b>' . _("Nickname") . ':</b></td>' . '<td>' . @@ -236,4 +237,4 @@ <table border="0" cellspacing="0" cellpadding="2" align="center"> <tr><td bgcolor="<?php echo $color[4]; ?>"> </td></tr></table> -</body></html> \ No newline at end of file +</body></html> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <pdo...@us...> - 2009-08-12 08:53:23
Revision: 13822 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13822&view=rev Author: pdontthink Date: 2009-08-12 08:53:16 +0000 (Wed, 12 Aug 2009) Log Message: ----------- FREEZE! Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes branches/SM-1_4-STABLE/squirrelmail/functions/strings.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-12 08:36:13 UTC (rev 13821) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-12 08:53:16 UTC (rev 13822) @@ -2,8 +2,8 @@ *** SquirrelMail Stable Series 1.4 *** ************************************** -Version 1.4.20 - SVN --------------------- +Version 1.4.20RC1 - 12 Aug 2009 +------------------------------- - Removed the shut down DSBL blocklists (#2796734). - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). - Updated INSTALL doc to remove possible bad system admin typos (#2827153). Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes 2009-08-12 08:36:13 UTC (rev 13821) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes 2009-08-12 08:53:16 UTC (rev 13822) 
@@ -1,68 +1,66 @@ /***************************************************************** - * Release Notes: SquirrelMail 1.4.19 * - * The "Backticking Timebomb" Release * - * 21 May 2009 * + * Release Notes: SquirrelMail 1.4.20RC1 * + * The "Empire's Dying Breath" Release * + * 12 Aug 2009 * *****************************************************************/ In this edition of SquirrelMail Release Notes: * All about this Release! - * Locales / Translations / Charsets * Security issues - * Major updates + * Locales / Translations / Charsets * Reporting your favorite SquirrelMail bug All about this release ====================== -This release was made to address an incomplete fix to a security -issue, and regressions in the filters plugin introduced in the -previous release, plus some small other fixes. +This release addresses a security hole, removes the use of some +deprecated PHP functions, fixes a problem in the filters plugin +and addresses some privacy issues. +Because of the somewhat invasive nature of the changes required +for the security and deprecation issues addressed herein, we are +issuing a "release candidate" before we officially move to version +1.4.20. While we have been very careful to ensure the stability +of SquirrelMail, this version, 1.4.20 release candidate 1, has +undergone limited testing, and we'd like to have more feedback +before we make version 1.4.20 final. + For a complete list of changes, please see the file "ChangeLog" in the doc/ directory. + Security issues =============== -An issue was fixed that allowed arbitrary server-side code execution -when SquirrelMail was configured to use the example "map_yp_alias" -username mapping functionality. This was originally repaired in -1.4.18 but the fix turned out to be incomplete. Thanks go to Michal -Hlavinka for spotting this. The issue was originally tracked as -CVE-2009-1579, the fix being incomplete is named CVE-2009-1381. +All form submissions (send message, change preferences, etc.) 
in +SquirrelMail were previously subject to cross-site request forgery +(CSRF), wherein data could be sent to them from an offsite location, +which could allow an attacker to inject malicious content into user +preferences or possibly send emails without user consent. This +issue is tracked as Secunia Advisory SA34627. +Two fixes for this issue are available as of SquirrelMail 1.4.20RC1. +A security token system is enabled by default which protects all +page requests that change user state in any meaningful way. An +additional page referal verification system is available but not +enabled by default due to the less controllable nature of the +page "referer" (sic) that is sent by most browsers. In many cases, +it can be enabled without trouble, which can be done with the +configuration tool or in the SquirrelMail configuration file. The +administrator can also disable the security token system therein, +which we DO NOT recommend. + + Locales / Translations / Charsets ================================= -Since the release of SquirrelMail 1.4.4, translations are no longer -a part of the main package. They are now downloaded separately; you -can obtain all languages in one package or get an individual language. -You can find these packages on our web site. They also contain -installation instructions. +Translations are not a part of the main SquirrelMail package. They +are downloaded separately; you can obtain all languages in one +package or get an individual language. You can find these packages +on our web site. They also contain installation instructions. -The release of SquirrelMail 1.4.4 also introduced a backport of the -new Character set decoding functions from our development code branch, -vastly increasing the decoding performance and the number of supported -character sets. 
- -Major updates in 1.4 -==================== - -The 1.4.x series (as a result of 1.3 developent series) brings: - -* A complete rewrite of the way we send mail (Deliver class), - and of the way we parse mail (MIME bodystructure parsing). - This makes SquirrelMail more reliable and more efficient - at the same time! -* Support for IMAP UID which makes SquirrelMail more reliable. -* Optimizations to code and the number of IMAP calls; SquirrelMail - is now a very scalable webmail solution. -* Support for a wider range of authentication mechanisms. -* Lots of bugfixes, some new features and a couple of UI-tweaks. - - Reporting your favorite SquirrelMail bug ======================================== Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-08-12 08:36:13 UTC (rev 13821) +++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-08-12 08:53:16 UTC (rev 13822) @@ -16,7 +16,7 @@ * SquirrelMail version number -- DO NOT CHANGE */ global $version; -$version = '1.4.20 [SVN]'; +$version = '1.4.20RC1'; /** * SquirrelMail internal version number -- DO NOT CHANGE This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
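Review bot: typo in the Security issues hunk of doc/ReleaseNotes: "page referal verification system" should read "page referral verification system". The same paragraph tells administrators that the referer check can be enabled and the token system disabled "therein" without naming either setting; naming the configuration option for each in the notes would save admins a search through the configuration file, and stating the token lifetime would let them judge the trade-off.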
From: <pdo...@us...> - 2009-08-12 09:35:19
Revision: 13824 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13824&view=rev Author: pdontthink Date: 2009-08-12 09:35:10 +0000 (Wed, 12 Aug 2009) Log Message: ----------- MELT! Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/functions/strings.php Added Paths: ----------- branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.20RC1.txt Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-12 08:54:27 UTC (rev 13823) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-12 09:35:10 UTC (rev 13824) @@ -2,6 +2,9 @@ *** SquirrelMail Stable Series 1.4 *** ************************************** +Version 1.4.20 - SVN +-------------------- + Version 1.4.20RC1 - 12 Aug 2009 ------------------------------- - Removed the shut down DSBL blocklists (#2796734). Copied: branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.20RC1.txt (from rev 13822, branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes) =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.20RC1.txt (rev 0) +++ branches/SM-1_4-STABLE/squirrelmail/doc/release_notes_archive/1.4/Notes-1.4.20RC1.txt 2009-08-12 09:35:10 UTC (rev 13824) 
@@ -0,0 +1,110 @@ +/***************************************************************** + * Release Notes: SquirrelMail 1.4.20RC1 * + * The "Empire's Dying Breath" Release * + * 12 Aug 2009 * + *****************************************************************/ + +In this edition of SquirrelMail Release Notes: + * All about this Release! + * Security issues + * Locales / Translations / Charsets + * Reporting your favorite SquirrelMail bug + + +All about this release +====================== + +This release addresses a security hole, removes the use of some +deprecated PHP functions, fixes a problem in the filters plugin +and addresses some privacy issues. + +Because of the somewhat invasive nature of the changes required +for the security and deprecation issues addressed herein, we are +issuing a "release candidate" before we officially move to version +1.4.20. While we have been very careful to ensure the stability +of SquirrelMail, this version, 1.4.20 release candidate 1, has +undergone limited testing, and we'd like to have more feedback +before we make version 1.4.20 final. + +For a complete list of changes, please see the file "ChangeLog" +in the doc/ directory. + + +Security issues +=============== + +All form submissions (send message, change preferences, etc.) in +SquirrelMail were previously subject to cross-site request forgery +(CSRF), wherein data could be sent to them from an offsite location, +which could allow an attacker to inject malicious content into user +preferences or possibly send emails without user consent. This +issue is tracked as Secunia Advisory SA34627. + +Two fixes for this issue are available as of SquirrelMail 1.4.20RC1. +A security token system is enabled by default which protects all +page requests that change user state in any meaningful way. An +additional page referal verification system is available but not +enabled by default due to the less controllable nature of the +page "referer" (sic) that is sent by most browsers. 
In many cases, +it can be enabled without trouble, which can be done with the +configuration tool or in the SquirrelMail configuration file. The +administrator can also disable the security token system therein, +which we DO NOT recommend. + + +Locales / Translations / Charsets +================================= + +Translations are not a part of the main SquirrelMail package. They +are downloaded separately; you can obtain all languages in one +package or get an individual language. You can find these packages +on our web site. They also contain installation instructions. + + +Reporting your favorite SquirrelMail bug +======================================== + +We constantly aim to make SquirrelMail even better. So we need you to +submit any bug you come across! However, before you do so, please have +a look at our various support resources to make sure the issue isn't +already known or solved: + + http://squirrelmail.org/docs/admin/admin-10.html + http://squirrelmail.org/docs/admin/admin-12.html + http://squirrelmail.org/wiki/KnownBugs + http://squirrelmail.org/wiki/SolvingProblems + +You should also search existing tracker items for your issue (remember +to check for CLOSED and PENDING items as well as OPEN ones) - if you +find such an (open) item, please do add any more details you have to +it to help us fix and close the bug report. + +When reporting a new bug, please mention what SquirrelMail release(s) +it pertains to, and list as many details about your system as possible, +including your IMAP server and web server details. + + http://squirrelmail.org/bugs + +Thanks for your cooperation! This helps us to make sure nothing slips +through the cracks. + +Any questions about installing or using SquirrelMail can be directed +to our user support list: + + squ...@li... 
+ +When posting support requests there, please carefully follow our posting +guidelines: + + http://squirrelmail.org/postingguidelines + +If you want to join us in coding SquirrelMail, or have other things to +share with the developers, join the development mailinglist: + + squ...@li... + + + Happy SquirrelMailing! + + - The SquirrelMail Project Team + Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-08-12 08:54:27 UTC (rev 13823) +++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-08-12 09:35:10 UTC (rev 13824) @@ -16,7 +16,7 @@ * SquirrelMail version number -- DO NOT CHANGE */ global $version; -$version = '1.4.20RC1'; +$version = '1.4.20 [SVN]'; /** * SquirrelMail internal version number -- DO NOT CHANGE This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
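Review bot: the log message "MELT!" does not say what this revision does. From the hunks it opens an empty "Version 1.4.20 - SVN" section in doc/ChangeLog, copies doc/ReleaseNotes to doc/release_notes_archive/1.4/Notes-1.4.20RC1.txt and resets $version in functions/strings.php from '1.4.20RC1' back to '1.4.20 [SVN]'. A log message saying "archive RC1 release notes and reopen trunk as 1.4.20 [SVN]" would make this revision findable when someone later bisects the version string.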
From: <pdo...@us...> - 2009-08-17 23:17:51
Revision: 13825 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13825&view=rev Author: pdontthink Date: 2009-08-17 23:17:41 +0000 (Mon, 17 Aug 2009) Log Message: ----------- Protect message deletion with security token system. (Secunia Advisory SA34627) Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/plugins/delete_move_next/setup.php branches/SM-1_4-STABLE/squirrelmail/src/compose.php branches/SM-1_4-STABLE/squirrelmail/src/delete_message.php branches/SM-1_4-STABLE/squirrelmail/src/read_body.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-12 09:35:10 UTC (rev 13824) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-17 23:17:41 UTC (rev 13825) @@ -4,6 +4,7 @@ Version 1.4.20 - SVN -------------------- + - Protect message deletion with security token system. (Secunia Advisory SA34627) Version 1.4.20RC1 - 12 Aug 2009 ------------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/plugins/delete_move_next/setup.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/plugins/delete_move_next/setup.php 2009-08-12 09:35:10 UTC (rev 13824) +++ branches/SM-1_4-STABLE/squirrelmail/plugins/delete_move_next/setup.php 2009-08-17 23:17:41 UTC (rev 13825) 
@@ -182,13 +182,13 @@ "<td bgcolor=\"$color[9]\" width=\"100%\" align=\"center\"><small>"; if ($prev > 0){ - echo "<a href=\"read_body.php?passed_id=$prev_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id\">" . _("Delete & Prev") . "</a>" . " | \n"; + echo "<a href=\"read_body.php?passed_id=$prev_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id&smtoken=" . sm_generate_security_token() . "\">" . _("Delete & Prev") . "</a>" . " | \n"; } else { echo _("Delete & Prev") . " | "; } if ($next > 0){ - echo "<a href=\"read_body.php?passed_id=$next_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id\">" . _("Delete & Next") . "</a>\n"; + echo "<a href=\"read_body.php?passed_id=$next_if_del&mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&show_more=0&delete_id=$passed_id&smtoken=" . sm_generate_security_token() . "\">" . _("Delete & Next") . "</a>\n"; } else { echo _("Delete & Next"); } @@ -238,6 +238,7 @@ "<form action=\"read_body.php?mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage&passed_id=$next\" method=\"post\"><small>". "<input type=\"hidden\" name=\"show_more\" value=\"0\">". "<input type=\"hidden\" name=\"move_id\" value=\"$passed_id\">". + "<input type=\"hidden\" name=\"smtoken\" value=\"" . sm_generate_security_token() . "\">". _("Move to:") . ' <select name="targetMailbox">'; get_move_target_list(); @@ -261,6 +262,7 @@ "<td bgcolor=\"$color[9]\" width=\"100%\" align=\"center\">". "<form action=\"right_main.php?mailbox=$urlMailbox&sort=$sort&startMessage=$startMessage\" method=\"post\"><small>" . "<input type=\"hidden\" name=\"move_id\" value=\"$passed_id\">". + "<input type=\"hidden\" name=\"smtoken\" value=\"" . sm_generate_security_token() . "\">". _("Move to:") . ' <select name="targetMailbox">'; get_move_target_list(); 
@@ -277,7 +279,13 @@ sqgetGlobalVar('delete_id', $delete_id, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_GET); + if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) { + $submitted_token = ''; + } + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + sqimap_msgs_list_delete($imapConnection, $mailbox, $delete_id); if ($auto_expunge) { delete_move_expunge_from_all($delete_id); @@ -291,7 +299,13 @@ sqgetGlobalVar('move_id', $move_id, SQ_POST); sqgetGlobalVar('mailbox', $mailbox, SQ_FORM); sqgetGlobalVar('targetMailbox', $targetMailbox, SQ_POST); + if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_POST)) { + $submitted_token = ''; + } + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + // Move message sqimap_msgs_list_move($imapConnection, $move_id, $targetMailbox); if ($auto_expunge) { @@ -380,3 +394,4 @@ } +?> Modified: branches/SM-1_4-STABLE/squirrelmail/src/compose.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/compose.php 2009-08-12 09:35:10 UTC (rev 13824) +++ branches/SM-1_4-STABLE/squirrelmail/src/compose.php 2009-08-17 23:17:41 UTC (rev 13825) @@ -399,11 +399,11 @@ if(isset($delete_draft)) { if ( !isset($pageheader_sent) || !$pageheader_sent ) { Header("Location: $location/delete_message.php?mailbox=" . urlencode($draft_folder) . - "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes"); + "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes&smtoken=" . sm_generate_security_token()); } else { echo ' <br><br><center><a href="' . $location . "/delete_message.php?mailbox=" . urlencode($draft_folder) - . "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes\">" + . "&message=$delete_draft&sort=$sort&startMessage=1&saved_draft=yes&smtoken=" . sm_generate_security_token() . "\">" . _("Return") . '</a></center>'; } exit(); 
@@ -499,7 +499,7 @@ /* if it is resumed draft, delete draft message */ if ( isset($delete_draft)) { Header("Location: $location/delete_message.php?mailbox=" . urlencode( $draft_folder ). - "&message=$delete_draft&sort=$sort&startMessage=1&mail_sent=yes"); + "&message=$delete_draft&sort=$sort&startMessage=1&mail_sent=yes&smtoken=" . sm_generate_security_token()); exit(); } if ($compose_new_win == '1') { Modified: branches/SM-1_4-STABLE/squirrelmail/src/delete_message.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/delete_message.php 2009-08-12 09:35:10 UTC (rev 13824) +++ branches/SM-1_4-STABLE/squirrelmail/src/delete_message.php 2009-08-17 23:17:41 UTC (rev 13825) @@ -29,6 +29,9 @@ sqgetGlobalVar('message', $message, SQ_GET); sqgetGlobalVar('mailbox', $mailbox, SQ_GET); +if (!sqgetGlobalVar('smtoken',$submitted_token, SQ_GET)) { + $submitted_token = ''; +} /* end globals */ if (isset($_GET['saved_draft'])) { @@ -50,6 +53,9 @@ $startMessage = (int) $_GET['startMessage']; } +// first, validate security token +sm_validate_security_token($submitted_token, 3600, TRUE); + $imapConnection = sqimap_login($username, $key, $imapServerAddress, $imapPort, 0); sqimap_mailbox_select($imapConnection, $mailbox); Modified: branches/SM-1_4-STABLE/squirrelmail/src/read_body.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/read_body.php 2009-08-12 09:35:10 UTC (rev 13824) +++ branches/SM-1_4-STABLE/squirrelmail/src/read_body.php 2009-08-17 23:17:41 UTC (rev 13825) 
@@ -544,7 +544,7 @@ $s .= '<a href="' . $msgs_url . '">' . $msgs_str . '</a>'; $delete_url = $base_uri . 'src/delete_message.php?mailbox=' . $urlMailbox . - '&message=' . $passed_id . '&'; + '&message=' . $passed_id . '&smtoken=' . sm_generate_security_token() . '&'; if (!(isset($passed_ent_id) && $passed_ent_id)) { if ($where && $what) { $delete_url .= 'where=' . urlencode($where) . '&what=' . urlencode($what); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
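Review bot: the last hunk of plugins/delete_move_next/setup.php (@@ -380,3 +394,4 @@) adds a closing `?>` at end of file. Any newline or whitespace after that tag is sent to the client as output, and compose.php in this same commit still issues Header("Location: ...") redirects, so a stray trailing newline would turn into a "headers already sent" failure. A pure-PHP file is safer without the closing tag, as this one was before the change.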
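Review bot: in the first hunk of plugins/delete_move_next/setup.php the Delete & Prev and Delete & Next actions stay GET links with the token appended as `&smtoken=` in the query string, and the validation hunk reads it with SQ_GET and accepts it for 3600 seconds. A token carried in a URL lands in browser history, proxy and web server logs, and in the Referer header of any link followed from the resulting page, and remains usable for the hour. The move actions in the same file already use a POST form with a hidden smtoken field; the delete links (and likewise the compose.php redirect and the read_body.php $delete_url hunks) would be better served by the same pattern, a small POST form with a submit button, which keeps the token out of URLs.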
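Review bot: in both validation hunks of setup.php and in the delete_message.php hunk the return value of `sm_validate_security_token($submitted_token, 3600, TRUE)` is discarded and the delete or move runs on the next line. That is correct only if the third argument makes the function terminate the request on a bad token; if it merely returns false, every protected action proceeds anyway. Either a comment at each call site stating that TRUE means "abort on failure", or an explicit `if (!sm_validate_security_token(...)) { ... exit; }`, would make the guard self-evident to the next reader. In delete_message.php the call is also placed after the saved_draft, mail_sent and startMessage handling; those blocks only set locals, so nothing leaks, but moving the validation directly under the new smtoken read in the globals block keeps all the parameter handling behind the check.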
From: <pdo...@us...> - 2009-08-17 23:23:22
Revision: 13827 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13827&view=rev Author: pdontthink Date: 2009-08-17 23:23:15 +0000 (Mon, 17 Aug 2009) Log Message: ----------- SVN freeze - no more commits until unfrozen please Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes branches/SM-1_4-STABLE/squirrelmail/functions/strings.php Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-17 23:18:47 UTC (rev 13826) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-08-17 23:23:15 UTC (rev 13827) @@ -2,12 +2,12 @@ *** SquirrelMail Stable Series 1.4 *** ************************************** -Version 1.4.20 - SVN --------------------- +Version 1.4.20 RC2 - 17 Aug 2009 +-------------------------------- - Protect message deletion with security token system. (Secunia Advisory SA34627) -Version 1.4.20RC1 - 12 Aug 2009 -------------------------------- +Version 1.4.20 RC1 - 12 Aug 2009 +-------------------------------- - Removed the shut down DSBL blocklists (#2796734). - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). - Updated INSTALL doc to remove possible bad system admin typos (#2827153). Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes 2009-08-17 23:18:47 UTC (rev 13826) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ReleaseNotes 2009-08-17 23:23:15 UTC (rev 13827) 
@@ -1,7 +1,7 @@ /***************************************************************** - * Release Notes: SquirrelMail 1.4.20RC1 * - * The "Empire's Dying Breath" Release * - * 12 Aug 2009 * + * Release Notes: SquirrelMail 1.4.20-RC2 * + * The "Squirrels Would Rather Be Outdoors" Release * + * 17 Aug 2009 * *****************************************************************/ In this edition of SquirrelMail Release Notes: @@ -14,17 +14,15 @@ All about this release ====================== -This release addresses a security hole, removes the use of some -deprecated PHP functions, fixes a problem in the filters plugin -and addresses some privacy issues. +This release extends the security fixes in the previous release +candidate package to protect delete message functionalities. -Because of the somewhat invasive nature of the changes required -for the security and deprecation issues addressed herein, we are -issuing a "release candidate" before we officially move to version -1.4.20. While we have been very careful to ensure the stability -of SquirrelMail, this version, 1.4.20 release candidate 1, has -undergone limited testing, and we'd like to have more feedback -before we make version 1.4.20 final. +The risk of using the 1.4.20 release candidate 1 package instead +of this one is very low, since a user's message IDs would need +to be a known quantity to an attacker. However, the intent of +release candidates is to encourage the SquirrelMail community to +test code that we hope to release as officially stable in the +near future, so those who can upgrade are encouraged to do so. For a complete list of changes, please see the file "ChangeLog" in the doc/ directory. 
@@ -33,25 +31,14 @@ Security issues =============== -All form submissions (send message, change preferences, etc.) in -SquirrelMail were previously subject to cross-site request forgery -(CSRF), wherein data could be sent to them from an offsite location, -which could allow an attacker to inject malicious content into user -preferences or possibly send emails without user consent. This -issue is tracked as Secunia Advisory SA34627. +The security token system in 1.4.20 release candidate 1 did not +protect message deletion actions, which, under this release +candidate, are now protected. For more details about the +vulnerability being addressed and how it was fixed, please see +the release notes for 1.4.20 release candidate 1 or Secunia +Advisory SA34627. -Two fixes for this issue are available as of SquirrelMail 1.4.20RC1. -A security token system is enabled by default which protects all -page requests that change user state in any meaningful way. An -additional page referal verification system is available but not -enabled by default due to the less controllable nature of the -page "referer" (sic) that is sent by most browsers. In many cases, -it can be enabled without trouble, which can be done with the -configuration tool or in the SquirrelMail configuration file. The -administrator can also disable the security token system therein, -which we DO NOT recommend. - Locales / Translations / Charsets ================================= Modified: branches/SM-1_4-STABLE/squirrelmail/functions/strings.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-08-17 23:18:47 UTC (rev 13826) +++ branches/SM-1_4-STABLE/squirrelmail/functions/strings.php 2009-08-17 23:23:15 UTC (rev 13827) 
@@ -16,7 +16,7 @@ * SquirrelMail version number -- DO NOT CHANGE */ global $version; -$version = '1.4.20 [SVN]'; +$version = '1.4.20-RC2'; /** * SquirrelMail internal version number -- DO NOT CHANGE This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
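Review bot: the three hunks disagree on how the release is spelled: the doc/ChangeLog header says "Version 1.4.20 RC2", doc/ReleaseNotes says "1.4.20-RC2" and functions/strings.php sets $version = '1.4.20-RC2'. The same commit also rewrites the RC1 ChangeLog header from "1.4.20RC1" to "1.4.20 RC1" while the archived Notes-1.4.20RC1.txt and the RC1 $version keep "1.4.20RC1". Pick one form (the one in $version is what any script parsing the version will see) and use it in all three files.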
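Review bot: the risk statement in the "All about this release" hunk of doc/ReleaseNotes rests on a user's message IDs not being "a known quantity to an attacker". The identifiers carried in the delete URLs protected by the previous revision (passed_id, delete_id, message) are IMAP UIDs, which are ascending integers assigned per mailbox, so that is a weaker barrier than the sentence suggests. The notes would be clearer stating plainly that RC1's token system left message deletion unprotected and recommending the upgrade, rather than characterising the residual risk as very low.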