From: <pdo...@us...> - 2009-05-11 22:04:46
Revision: 13671 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13671&view=rev Author: pdontthink Date: 2009-05-11 22:04:40 +0000 (Mon, 11 May 2009) Log Message: ----------- Sanitize decrypt_headers.php form input (base64 decoding is not the same as sanitizing), general cleanup and grammatical fixes. Thanks to Niels Teusink. (also CVE-2009-1578) Modified Paths: -------------- trunk/squirrelmail/contrib/decrypt_headers.php trunk/squirrelmail/doc/ChangeLog Modified: trunk/squirrelmail/contrib/decrypt_headers.php =================================================================== --- trunk/squirrelmail/contrib/decrypt_headers.php 2009-05-11 21:49:37 UTC (rev 13670) +++ trunk/squirrelmail/contrib/decrypt_headers.php 2009-05-11 22:04:40 UTC (rev 13671) 
@@ -60,23 +60,30 @@ ."</head><body>"; if (sqgetGlobalVar('submit',$submit,SQ_POST)) { + $continue = TRUE; if (! sqgetGlobalVar('secret',$secret,SQ_POST) || - empty($secret)) - echo "<p>You must enter encryption key.</p>\n"; + empty($secret)) { + $continue = FALSE; + echo "<p>You must enter an encryption key.</p>\n"; + } if (! sqgetGlobalVar('enc_string',$enc_string,SQ_POST) || - empty($enc_string)) - echo "<p>You must enter encrypted string.</p>\n"; + empty($enc_string)) { + $continue = FALSE; + echo "<p>You must enter an encrypted string.</p>\n"; + } - if (isset($enc_string) && ! base64_decode($enc_string)) { - echo "<p>Encrypted string should be BASE64 encoded.<br />\n" - ."Please enter all characters that are listed after header name.</p>\n"; - } elseif (isset($secret)) { - $string=OneTimePadDecrypt($enc_string,base64_encode($secret)); + if ($continue) { + if (isset($enc_string) && ! base64_decode($enc_string)) { + echo "<p>Encrypted string should be BASE64 encoded.<br />\n" + ."Please enter all characters that are listed after header name.</p>\n"; + } elseif (isset($secret)) { + $string=OneTimePadDecrypt($enc_string,base64_encode($secret)); - if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) { - $string=hex2ip($string); + if (sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)) { + $string=hex2ip($string); + } + echo "<p>Decoded string: ".htmlspecialchars($string)."</p>\n"; } - echo "<p>Decoded string: ".$string."</p>\n"; } echo "<hr />"; } 
@@ -85,7 +92,7 @@ <p> Secret key: <input type="password" name="secret"><br /> Encrypted string: <input type="text" name="enc_string"><br /> -Check, if it is an address string: <input type="checkbox" name="ip_addr" /><br /> +<label for="ip_addr">Check here if you are decoding an address string (FromHash/ProxyHash): </label><input type="checkbox" name="ip_addr" id="ip_addr" /><br /> <button type="submit" name="submit" value="submit">Submit</button> </p> </form> Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-11 21:49:37 UTC (rev 13670) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-11 22:04:40 UTC (rev 13671) @@ -296,8 +296,11 @@ - Remove ability for HTML emails to use CSS positioning to overlay SquirrelMail content (Thanks to Luc Beurton). (#2723196) [CVE-2009-1581] - Fixed improper sanitizing of PHP_SELF and the lack of sanitizing of - QUERY_STRING server environment variables. (Thanks to Niels Teusink + QUERY_STRING server environment variables (Thanks to Niels Teusink and Christian Balzer). [CVE-2009-1578] + - Fixed the lack of sanitizing of contrib/decrypt_headers.php input; + also includes general cleanup of that page (Thanks to Niels Teusink). + [also CVE-2009-1578] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
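Review bot: the base64 check in the decrypt_headers.php hunk (@@ -60,23 +60,30 @@), `if (isset($enc_string) && ! base64_decode($enc_string))`, does not validate the input: without the strict flag base64_decode() silently skips characters outside the base64 alphabet and still returns a string, so this branch only fires when the decoded result is empty or "0", and malformed input goes straight into OneTimePadDecrypt(). Suggest `base64_decode($enc_string, true) === false` (strict mode, PHP 5.2+) so that garbage reaches the "should be BASE64 encoded" message. Wrapping the decoded result in htmlspecialchars() before echoing it is the right fix for the output-sanitizing problem the log message describes. Minor: `sqgetGlobalVar('ip_addr',$is_addr,SQ_POST)` stores the checkbox into $is_addr, which looks like a typo for $ip_addr; harmless because the value is never read, but confusing.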
From: <pdo...@us...> - 2009-05-11 22:17:54
Revision: 13675 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13675&view=rev Author: pdontthink Date: 2009-05-11 22:17:46 +0000 (Mon, 11 May 2009) Log Message: ----------- OMG - unsanitized shell command. Thanks to Niels Teusink. (CVE-2009-1579) Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/functions/imap_general.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-11 22:17:35 UTC (rev 13674) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-11 22:17:46 UTC (rev 13675) @@ -301,6 +301,8 @@ - Fixed the lack of sanitizing of contrib/decrypt_headers.php input; also includes general cleanup of that page (Thanks to Niels Teusink). [also CVE-2009-1578] + - Fixed unsanitized shell command in example IMAP username mapping + function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/functions/imap_general.php =================================================================== --- trunk/squirrelmail/functions/imap_general.php 2009-05-11 22:17:35 UTC (rev 13674) +++ trunk/squirrelmail/functions/imap_general.php 2009-05-11 22:17:46 UTC (rev 13675) @@ -1436,6 +1436,6 @@ * @since 1.3.0 */ function map_yp_alias($username) { - $yp = `ypmatch $username aliases`; + $yp = `ypmatch ' . escapeshellarg($username) . ' aliases`; return chop(substr($yp, strlen($username)+1)); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
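Review bot: the replacement line in the imap_general.php hunk, `$yp = \`ypmatch ' . escapeshellarg($username) . ' aliases\`;`, does not apply the sanitizer. The backtick operator is a string literal, not an expression, so `' . escapeshellarg(` and `) . '` are passed to the shell verbatim and escapeshellarg() is never called; $username is still interpolated into that string (backticks interpolate like double quotes), merely placed between shell single quotes that a quote character in the username can terminate. It also breaks the lookup, since the ypmatch key is now the literal text `. escapeshellarg(...) .`. Suggest either `$safe_username = escapeshellarg($username); $yp = \`ypmatch $safe_username aliases\`;` or `$yp = shell_exec('ypmatch ' . escapeshellarg($username) . ' aliases');`. The following `substr($yp, strlen($username)+1)` still assumes the raw username prefixes the output, which holds once the argument is passed correctly.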
From: <pdo...@us...> - 2009-05-11 22:50:24
Revision: 13677 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13677&view=rev Author: pdontthink Date: 2009-05-11 22:50:16 +0000 (Mon, 11 May 2009) Log Message: ----------- Always generate $base_uri for every page request as opposed to doing it only on some pages. Always regenerate session ID at login to prevent session fixation by an attacker who has set a malicious cookie on the client browser. Try to clean up extraneous cookies, such as ones some browsers might actually obey from the src/ directory. Thanks to Tomas Hoger. (CVE-2009-1580) Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/functions/display_messages.php trunk/squirrelmail/functions/global.php trunk/squirrelmail/src/redirect.php trunk/squirrelmail/src/signout.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-11 22:48:03 UTC (rev 13676) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-11 22:50:16 UTC (rev 13677) @@ -303,6 +303,11 @@ [also CVE-2009-1578] - Fixed unsanitized shell command in example IMAP username mapping function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579] + - Fixed session fixation issues where someone who can modify a user's + cookies could gain control of their login session. The SquirrelMail + base URI is now uniformly generated, extraneous cookies are cleaned + up and session IDs are regenerated upon every login (Thanks to Tomas + Hoger). [CVE-2009-1580] Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/functions/display_messages.php =================================================================== --- trunk/squirrelmail/functions/display_messages.php 2009-05-11 22:48:03 UTC (rev 13676) +++ trunk/squirrelmail/functions/display_messages.php 2009-05-11 22:50:16 UTC (rev 13677) 
@@ -37,6 +37,7 @@ * Displays error message * * Second argument ($color array) is changed to boolean $return_output as of 1.5.2. + * * @param string $message error message * @param boolean $return_output When TRUE, output is returned to caller * instead of being sent to browser (OPTIONAL; @@ -57,10 +58,8 @@ */ function logout_error( $errString, $errTitle = '' ) { global $frame_top, $org_logo, $org_logo_width, $org_logo_height, $org_name, - $hide_sm_attributions, $squirrelmail_language, $oTemplate; + $hide_sm_attributions, $squirrelmail_language, $oTemplate, $base_uri; - $base_uri = sqm_baseuri(); - $login_link = array ( 'URI' => $base_uri . 'src/login.php', 'FRAME' => $frame_top Modified: trunk/squirrelmail/functions/global.php =================================================================== --- trunk/squirrelmail/functions/global.php 2009-05-11 22:48:03 UTC (rev 13676) +++ trunk/squirrelmail/functions/global.php 2009-05-11 22:50:16 UTC (rev 13677) 
@@ -442,9 +442,29 @@ global $base_uri, $_COOKIE, $_SESSION; - if (isset($_COOKIE[session_name()]) && session_name()) sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri); + if (isset($_COOKIE[session_name()]) && session_name()) { + sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri); + + /* + * Make sure to kill /src and /src/ cookies, just in case there are + * some left-over or malicious ones set in user's browser. + * NB: Note that an attacker could try to plant a cookie for one + * of the /plugins/* directories. Such cookies can block + * access to certain plugin pages, but they do not influence + * or fixate the $base_uri cookie, so we don't worry about + * trying to delete all of them here. + */ + sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src'); + sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri . 'src/'); + } + if (isset($_COOKIE['key']) && $_COOKIE['key']) sqsetcookie('key','SQMTRASH',1,$base_uri); + /* Make sure new session id is generated on subsequent session_start() */ + unset($_COOKIE[session_name()]); + unset($_GET[session_name()]); + unset($_POST[session_name()]); + $sessid = session_id(); if (!empty( $sessid )) { $_SESSION = array(); Modified: trunk/squirrelmail/src/redirect.php =================================================================== --- trunk/squirrelmail/src/redirect.php 2009-05-11 22:48:03 UTC (rev 13676) +++ trunk/squirrelmail/src/redirect.php 2009-05-11 22:50:16 UTC (rev 13677) 
@@ -70,12 +70,24 @@ $imapConnection = sqimap_login($login_username, $key, $imapServerAddress, $imapPort, 0); /* From now on we are logged it. If the login failed then sqimap_login handles it */ -/* regenerate the session id to avoid session hyijacking */ -//FIXME! IMPORTANT! SOMEONE PLEASE EXPLAIN THE SECURITY CONCERN HERE; THIS session_destroy() BORKS ANY SESSION INFORMATION ADDED ON THE LOGIN PAGE (SPECIFICALLY THE SESSION RESTORE DATA, BUT ALSO ANYTHING ADDED BY PLUGINS, ETC)... I HAVE DISABLED THIS (AND NOTE THAT THE LOGIN PAGE ALREADY EXECUTES A session_destroy() (see includes/init.php)), SO PLEASE, WHOEVER ADDED THIS, PLEASE ANALYSE THIS SITUATION AND COMMENT ON IF IT IS OK LIKE THIS!! WHAT HIJACKING ISSUES ARE WE SUPPOSED TO BE PREVENTING HERE? -//sqsession_destroy(); -//@sqsession_is_active(); -//session_regenerate_id(); /** + * Regenerate session id to make sure that authenticated session uses + * different ID than one used before user authenticated. This is a + * countermeasure against session fixation attacks. + * NB: session_regenerate_id() was added in PHP 4.3.2 (and new session + * cookie is only sent out in this call as of PHP 4.3.3), but PHP 4 + * is not vulnerable to session fixation problems in SquirrelMail + * because it prioritizes $base_uri subdirectory cookies differently + * than PHP 5, which is otherwise vulnerable. If we really want to, + * we could define our own session_regenerate_id() when one does not + * exist, but there seems to be no reason to do so. + */ +sqsession_is_active(); +if (function_exists('session_regenerate_id')) { + session_regenerate_id(); +} + +/** * The cookie part. session_start and session_regenerate_session normally set * their own cookie. SquirrelMail sets another cookie which overwites the * php cookies. 
The sqsetcookie function sets the cookie by using the header Modified: trunk/squirrelmail/src/signout.php =================================================================== --- trunk/squirrelmail/src/signout.php 2009-05-11 22:48:03 UTC (rev 13676) +++ trunk/squirrelmail/src/signout.php 2009-05-11 22:50:16 UTC (rev 13677) @@ -32,12 +32,6 @@ $frame_top = '_top'; } -/* If a user hits reload on the last page, $base_uri isn't set - * because it was deleted with the session. */ -if (! sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION) ) { - $base_uri = sqm_baseuri(); -} - $login_uri = 'login.php'; do_hook('logout', $login_uri); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
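Review bot: in the global.php hunk (@@ -442,9 +442,29 @@) the three sqsetcookie() calls that expire the session cookie for $base_uri, $base_uri . 'src' and $base_uri . 'src/' all re-send the attacker-controllable $_COOKIE[session_name()] value as the cookie body. The expiry of 1 makes the value irrelevant for browsers that honour it, but sending a fixed marker, as the next line already does for the 'key' cookie with 'SQMTRASH', avoids reflecting untrusted input into a Set-Cookie header at all. The unset() of $_COOKIE, $_GET and $_POST[session_name()] is the part that actually forces a fresh id on the next session_start(); a one-line comment saying that this is what the later login-time regeneration relies on would help the next reader.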
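Review bot: the redirect.php hunk (@@ -70,12 +70,24 @@) calls session_regenerate_id() with no argument, which on PHP 5.1+ leaves the old session file in place (delete_old_session defaults to false), so the id the browser presented before login still resolves to a live session until garbage collection. Suggest `session_regenerate_id(true)` where available, keeping the existing function_exists() guard for PHP 4, e.g. `if (version_compare(PHP_VERSION, '5.1.0', '>=')) { session_regenerate_id(true); } else { session_regenerate_id(); }`. The removed FIXME objected that the earlier sqsession_destroy() discarded login-page session data (session restore data, plugin data); regeneration keeps $_SESSION intact, so the new comment could state explicitly that this concern is resolved.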
From: <jer...@us...> - 2009-05-15 15:10:01
Revision: 13706 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13706&view=rev Author: jervfors Date: 2009-05-15 15:09:55 +0000 (Fri, 15 May 2009) Log Message: ----------- Including the colon in the string. Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/po/squirrelmail.pot branches/SM-1_4-STABLE/squirrelmail/src/options.php trunk/locales/po/squirrelmail.pot trunk/squirrelmail/po/squirrelmail.pot trunk/squirrelmail/src/options.php Modified: branches/SM-1_4-STABLE/squirrelmail/po/squirrelmail.pot =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/po/squirrelmail.pot 2009-05-15 05:50:31 UTC (rev 13705) +++ branches/SM-1_4-STABLE/squirrelmail/po/squirrelmail.pot 2009-05-15 15:09:55 UTC (rev 13706) @@ -9,7 +9,7 @@ "Project-Id-Version: SquirrelMail STABLE\n" "Report-Msgid-Bugs-To: SquirrelMail Internationalization <squirrelmail-" "i1...@li...>\n" -"POT-Creation-Date: 2009-04-17 14:35+0200\n" +"POT-Creation-Date: 2009-05-15 16:50+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <squ...@li...>\n" @@ -533,6 +533,7 @@ msgid "Other:" msgstr "" +#. i18n: This is an example on how to write a color in RGB, literally meaning "For example: 63aa7f". msgid "Ex: 63aa7f" msgstr "" @@ -618,7 +619,9 @@ msgid "Some of your preference changes were not applied." msgstr "" -msgid "Successfully Saved Options" +#. i18n: The %s represents the name of the option page saving the options +#, php-format +msgid "Successfully Saved Options: %s" msgstr "" msgid "Refresh Folder List" Modified: branches/SM-1_4-STABLE/squirrelmail/src/options.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/src/options.php 2009-05-15 05:50:31 UTC (rev 13705) +++ branches/SM-1_4-STABLE/squirrelmail/src/options.php 2009-05-15 15:09:55 UTC (rev 13706) 
@@ -320,7 +320,8 @@ echo '<b>' . _("Some of your preference changes were not applied.") . "</b><br />\n"; } else { /* Display a message indicating a successful save. */ - echo '<b>' . _("Successfully Saved Options") . ": $optpage_name</b><br />\n"; + // i18n: The %s represents the name of the option page saving the options + echo '<b>' . sprintf(_("Successfully Saved Options: %s"), $optpage_name) . "</b><br />\n"; } /* If $max_refresh != SMOPT_REFRESH_NONE, provide a refresh link. */ Modified: trunk/locales/po/squirrelmail.pot =================================================================== --- trunk/locales/po/squirrelmail.pot 2009-05-15 05:50:31 UTC (rev 13705) +++ trunk/locales/po/squirrelmail.pot 2009-05-15 15:09:55 UTC (rev 13706) @@ -9,7 +9,7 @@ "Project-Id-Version: SquirrelMail HEAD\n" "Report-Msgid-Bugs-To: SquirrelMail Internationalization <squirrelmail-" "i1...@li...>\n" -"POT-Creation-Date: 2009-04-17 14:34+0200\n" +"POT-Creation-Date: 2009-05-15 16:59+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <squ...@li...>\n" @@ -149,6 +149,7 @@ msgid "Add to %s" msgstr "" +#. i18n: %s is for author's name #, php-format msgid "%s wrote:" msgstr "" @@ -159,6 +160,14 @@ msgid "who" msgstr "" +#. i18n: +#. The first %s is for date string, the second %s is for author's name. +#. The date uses formating from "D, F j, Y g:i a" and "D, F j, Y H:i" +#. translations. +#. Example string: +#. "On Sat, December 24, 2004 23:59, Santa wrote:" +#. If you have to put author's name in front of date string, check comments about +#. argument swapping at http://php.net/sprintf #, php-format msgid "On %s, %s wrote:" msgstr "" @@ -440,6 +449,7 @@ msgid "By the SquirrelMail Project Team" msgstr "" +#. i18n: The %s represents the service provider's name #, php-format msgid "%s Login" msgstr "" 
@@ -534,6 +544,7 @@ msgid "Other:" msgstr "" +#. i18n: This is an example on how to write a color in RGB, literally meaning "For example: 63aa7f". msgid "Ex: 63aa7f" msgstr "" @@ -619,7 +630,9 @@ msgid "Some of your preference changes were not applied." msgstr "" -msgid "Successfully Saved Options" +#. i18n: The %s represents the name of the option page saving the options +#, php-format +msgid "Successfully Saved Options: %s" msgstr "" msgid "Refresh Folder List" @@ -689,6 +702,7 @@ msgid "Your message" msgstr "" +#. i18n: Name of Sent folder msgid "Sent" msgstr "" @@ -884,10 +898,12 @@ msgid "Address book is read-only" msgstr "" +#. i18n: don't use html formating in translation #, php-format msgid "User \"%s\" already exists" msgstr "" +#. i18n: don't use html formating in translation #, php-format msgid "User \"%s\" does not exist" msgstr "" @@ -3807,12 +3823,14 @@ "via the web." msgstr "" +#. i18n: %s displays org_name variable value enclosed in () or empty string. #, php-format msgid "" "If you have questions about or problems with your mail account, passwords, " "abuse etc, please refer to your system administrator or provider%s." msgstr "" +#. i18n: %s tags are used in order to remove html URL attributes from translation #, php-format msgid "" "They can assist you adequately with these issues. The SquirrelMail Project " @@ -3820,6 +3838,7 @@ "frequently asked questions." msgstr "" +#. i18n: %s tags are used in order to remove html URL attributes from translation #, php-format msgid "" "SquirrelMail is a feature rich, standards compliant webmail application " @@ -3828,6 +3847,7 @@ "under the %sGNU General Public License%s." msgstr "" +#. i18n: %s tags are used in order to remove html URL attributes from translation #, php-format msgid "" "For more information about SquirrelMail and the SquirrelMail Project Team, " 
@@ -3853,6 +3873,7 @@ msgid "SquirrelMail Webmail" msgstr "" +#. i18n: The %s represents the service provider's name #, php-format msgid "The %s logo" msgstr "" @@ -4084,6 +4105,13 @@ msgid "Unknown address book backend" msgstr "" +#. i18n: allows to control fullname layout in address book listing +#. first %s is for first name, second %s is for last name. +#. Translate it to '%2$s %1$s', if surname must be displayed first in your language. +#. Please note that variables can be set to empty string and extra formating +#. (for example '%2$s, %1$s' as in 'Smith, John') might break. Use it only for +#. setting name and surname order. scripts will remove all prepended and appended +#. whitespace. #, php-format msgid "%s %s" msgstr "" @@ -4094,7 +4122,7 @@ msgstr "" #, php-format -msgid "%s should be writable by user %s." +msgid "%s should be writable by the user %s." msgstr "" msgid "Illegal filesystem access was requested" @@ -4148,9 +4176,11 @@ "consult your system administrator" msgstr "" +#. i18n: Name of Trash folder msgid "Trash" msgstr "" +#. i18n: Name of Drafts folder msgid "Drafts" msgstr "" @@ -4528,6 +4558,7 @@ msgid "Use this to change your email password." msgstr "" +#. i18n: is displayed after "Successfully Saved Options:" msgid "User's Password" msgstr "" @@ -4734,6 +4765,7 @@ msgid "Empty new password" msgstr "" +#. i18n: %s shows executed fortune cookie command. #, php-format msgid "Unable to execute \"%s\"." msgstr "" @@ -4895,6 +4927,7 @@ msgid "Media file %s will be removed, if you upload other media file." msgstr "" +#. i18n: %s inserts the organisation name (typically SquirrelMail) #, php-format msgid "%s notice:" msgstr "" 
@@ -5103,6 +5136,7 @@ msgid "Add an index" msgstr "" +#. i18n: The parameters are: subject, sender, and date. #, php-format msgid "%s from %s on %s" msgstr "" Modified: trunk/squirrelmail/po/squirrelmail.pot =================================================================== --- trunk/squirrelmail/po/squirrelmail.pot 2009-05-15 05:50:31 UTC (rev 13705) +++ trunk/squirrelmail/po/squirrelmail.pot 2009-05-15 15:09:55 UTC (rev 13706) @@ -9,7 +9,7 @@ "Project-Id-Version: SquirrelMail DEVEL\n" "Report-Msgid-Bugs-To: SquirrelMail Internationalization <squirrelmail-" "i1...@li...>\n" -"POT-Creation-Date: 2009-04-17 14:34+0200\n" +"POT-Creation-Date: 2009-05-15 16:47+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <squ...@li...>\n" @@ -369,7 +369,9 @@ msgid "Some of your preference changes were not applied." msgstr "" -msgid "Successfully Saved Options" +#. i18n: The %s represents the name of the option page saving the options +#, php-format +msgid "Successfully Saved Options: %s" msgstr "" #, php-format @@ -1009,7 +1011,7 @@ msgstr "" #, php-format -msgid "%s should be writable by user %s." +msgid "%s should be writable by the user %s." msgstr "" msgid "Signature is too big." @@ -4527,6 +4529,7 @@ msgid "Other" msgstr "" +#. i18n: This is an example on how to write a color in RGB, literally meaning "For example: 63aa7f". msgid "Ex: 63aa7f" msgstr "" Modified: trunk/squirrelmail/src/options.php =================================================================== --- trunk/squirrelmail/src/options.php 2009-05-15 05:50:31 UTC (rev 13705) +++ trunk/squirrelmail/src/options.php 2009-05-15 15:09:55 UTC (rev 13706) 
@@ -291,7 +291,8 @@ $notice.= "</ul>\n" . _("Some of your preference changes were not applied.") . "\n"; } else { /* Display a message indicating a successful save. */ - $notice = _("Successfully Saved Options") . ": $optpage_name</b><br />\n"; + // i18n: The %s represents the name of the option page saving the options + $notice = sprintf(_("Successfully Saved Options: %s"), $optpage_name) . "<br />\n"; } /* If $max_refresh != SMOPT_REFRESH_NONE, provide a refresh link. */ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
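Review bot: in both options.php hunks the translated string is now used as a sprintf() format, so the `#, php-format` flags added to the .pot files are what lets `msgfmt --check-format` reject a translation with a missing or extra `%s`; keep the flag in sync if the msgid changes again. The trunk hunk also drops the stray `</b>` that the old line emitted without a matching `<b>` (good). In both versions $optpage_name is still interpolated into HTML unescaped; if any option page name can originate from a plugin or a request parameter it should go through htmlspecialchars() before the sprintf().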
From: <jan...@us...> - 2009-05-17 00:38:50
Revision: 13713 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13713&view=rev Author: jangliss Date: 2009-05-17 00:38:30 +0000 (Sun, 17 May 2009) Log Message: ----------- - Cleanup variable name in address search for compose to clearup confusion. - Remove Javascript from address search page when JavaScript is disabled. - Add "Check All" function to address book when using "in-page" addressbook. Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/src/addrbook_search.php trunk/squirrelmail/src/addrbook_search_html.php trunk/squirrelmail/templates/default/addrbook_search_list.tpl trunk/squirrelmail/templates/default/addressbook_popup.tpl trunk/squirrelmail/templates/util_addressbook.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-16 11:49:04 UTC (rev 13712) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-17 00:38:30 UTC (rev 13713) @@ -310,6 +310,9 @@ base URI is now uniformly generated, extraneous cookies are cleaned up and session IDs are regenerated upon every login (Thanks to Tomas Hoger). [CVE-2009-1580] + - Cleanup variable name in address search for compose to clearup confusion. + - Remove Javascript from address search page when JavaScript is disabled. + - Add "Check All" function to address book when using "in-page" addressbook. Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/src/addrbook_search.php =================================================================== --- trunk/squirrelmail/src/addrbook_search.php 2009-05-16 11:49:04 UTC (rev 13712) +++ trunk/squirrelmail/src/addrbook_search.php 2009-05-17 00:38:30 UTC (rev 13713) 
@@ -38,7 +38,7 @@ if(sizeof($res) <= 0) return; - $oTemplate->assign('use_js', true); + $oTemplate->assign('compose_addr_pop', true); $oTemplate->assign('include_abook_name', $includesource); $oTemplate->assign('addresses', formatAddressList($res)); @@ -83,7 +83,7 @@ if ($show == 'form' && ! isset($listall)) { echo "<form name=\"sform\" target=\"abookres\" action=\"addrbook_search.php\" method=\"post\">\n"; - $oTemplate->assign('use_js', true); + $oTemplate->assign('compose_addr_pop', true); $oTemplate->assign('backends', getBackends()); $oTemplate->display('addressbook_search_form.tpl'); Modified: trunk/squirrelmail/src/addrbook_search_html.php =================================================================== --- trunk/squirrelmail/src/addrbook_search_html.php 2009-05-16 11:49:04 UTC (rev 13712) +++ trunk/squirrelmail/src/addrbook_search_html.php 2009-05-17 00:38:30 UTC (rev 13713) @@ -82,7 +82,7 @@ addHidden('html_addr_search_done', 'true'); addr_insert_hidden(); - $oTemplate->assign('use_js', false); + $oTemplate->assign('compose_addr_pop', false); $oTemplate->assign('include_abook_name', $includesource); $oTemplate->assign('addresses', formatAddressList($res)); @@ -114,7 +114,7 @@ echo addHidden('session', $session); } -$oTemplate->assign('use_js', false); +$oTemplate->assign('compose_addr_pop', false); $oTemplate->assign('backends', getBackends()); $oTemplate->display('addressbook_search_form.tpl'); Modified: trunk/squirrelmail/templates/default/addrbook_search_list.tpl =================================================================== --- trunk/squirrelmail/templates/default/addrbook_search_list.tpl 2009-05-16 11:49:04 UTC (rev 13712) +++ trunk/squirrelmail/templates/default/addrbook_search_list.tpl 2009-05-17 00:38:30 UTC (rev 13713) 
@@ -39,14 +39,24 @@ $colspan = $include_abook_name ? 5 : 4; ?> <?php -if ($use_js) { +if ($javascript_on) { insert_javascript(); } ?> <div id="addressList"> <table cellspacing="0"> <tr> - <td class="colHeader" style="width:1%"></td> + <td class="colHeader" style="width:1%; font-size: 8pt; white-space: nowrap;"> +<?php +if ($javascript_on && !$compose_addr_pop) { +?> + <input type="checkbox" id="checkAllTo" onClick="CheckAll('T');"><label for="checkAllTo"><?php echo _("All");?></label> + <input type="checkbox" id="checkAllCc" onClick="CheckAll('C');"><label for="checkAllCc"><?php echo _("Cc");?></label> + <input type="checkbox" id="checkAllBcc" onClick="CheckAll('B');"><label for="checkAllBcc"><?php echo _("Bcc");?></label> +<?php +} +?> + </td> <td class="colHeader"><?php echo _("Name"); ?></td> <td class="colHeader"><?php echo _("E-mail"); ?></td> <td class="colHeader"><?php echo _("Info"); ?></td> @@ -60,12 +70,19 @@ if (count($addresses) == 0) { echo '<tr><td class="abookEmpty" colspan="'.$colspan.'">'._("Address book is empty").'</td></tr>'."\n"; } + + if ($compose_addr_pop) { + $addr_str = '<a href="javascript:to_and_close(\'%1$s\')">%1$s</a>'; + } else { + $addr_str = '%1$s'; + } + foreach ($addresses as $index=>$contact) { ?> <tr class=<?php echo '"'.(($index+1)%2 ? 'even' : 'odd').'"'; ?>> <td class="abookCompose" style="width:1%"> <?php - if ($use_js) { + if ($compose_addr_pop) { ?> <a href="javascript:to_address('<?php echo $contact['JSEmail']; ?>')"><?php echo _("To"); ?></a> | <a href="javascript:cc_address('<?php echo $contact['JSEmail']; ?>')"><?php echo _("Cc"); ?></a> | 
@@ -81,7 +98,7 @@ ?> </td> <td class="abookField"><?php echo $contact['FullName']; ?></td> - <td class="abookField"><a href="javascript:to_and_close('<?php echo $contact['JSEmail']; ?>')"><?php echo $contact['Email']; ?></a></td> + <td class="abookField"><?php echo sprintf($addr_str, $contact['Email']); ?></td> <td class="abookField"><?php echo $contact['Info']; ?></td> <?php if ($include_abook_name) { @@ -94,9 +111,11 @@ ?> </table> <?php -if (!$use_js) { +if (!$compose_addr_pop) { echo '<input type="submit" name="addr_search_done" value="'. _("Use Addresses") .'" />'."\n"; echo '<input type="submit" name="addr_search_cancel" value="'. _("Cancel") .'" />'."\n"; +} else { + echo '<input type="submit" onClick="javascript:parent.close();" name="close_window" value="' . _("Close Window") . '" />'. "\n"; } ?> </div> Modified: trunk/squirrelmail/templates/default/addressbook_popup.tpl =================================================================== --- trunk/squirrelmail/templates/default/addressbook_popup.tpl 2009-05-16 11:49:04 UTC (rev 13712) +++ trunk/squirrelmail/templates/default/addressbook_popup.tpl 2009-05-17 00:38:30 UTC (rev 13713) @@ -20,7 +20,7 @@ /** Begin template **/ ?> -<frameset rows="80,*" border="0"> +<frameset rows="95,*" border="0"> <frame name="abookmain" marginwidth="0" scrolling="no" Modified: trunk/squirrelmail/templates/util_addressbook.php =================================================================== --- trunk/squirrelmail/templates/util_addressbook.php 2009-05-16 11:49:04 UTC (rev 13712) +++ trunk/squirrelmail/templates/util_addressbook.php 2009-05-17 00:38:30 UTC (rev 13713) 
@@ -123,6 +123,16 @@ } } + function CheckAll(ch) { + var chkObj = ""; + for (var i = 0; i < document.addressbook.elements.length; i++) { + chkObj = document.addressbook.elements[i]; + if (chkObj.type == "checkbox" && chkObj.name.substr(0,16) == "send_to_search[" + ch) { + chkObj.checked = !(chkObj.checked); + } + } + } + // --></script> <?php } /* End of included JavaScript */ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
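Review bot: the addrbook_search_list.tpl hunk at @@ -81,7 +98,7 @@ loses the JavaScript escaping the old line had. Previously the javascript: URL used $contact['JSEmail'] and only the visible text used $contact['Email']; the new `sprintf($addr_str, $contact['Email'])` substitutes the same unescaped value for both `%1$s`, so an address containing a quote or other JS-significant character breaks out of `to_and_close('...')` in the popup case. Suggest `$addr_str = '<a href="javascript:to_and_close(\'%1$s\')">%2$s</a>';` for the popup branch, `'%2$s'` for the plain branch, and `sprintf($addr_str, $contact['JSEmail'], $contact['Email'])` at the call site.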
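Review bot: CheckAll() in the util_addressbook.php hunk toggles each matching checkbox (`chkObj.checked = !(chkObj.checked);`) rather than setting it to the header box's state, so with some rows already ticked, clicking "All" unticks those and ticks the rest. Pass the header's state instead: `onClick="CheckAll('T', this.checked);"` in the template and `chkObj.checked = state;` in the function. The `substr(0,16)` comparison against `"send_to_search[" + ch` is correct for the 15-character prefix plus one-letter T/C/B suffix, but it silently matches nothing if the field name ever changes; a comment stating the expected name format would make that dependency visible.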
From: Paul L. <pa...@sq...> - 2009-05-17 08:24:30
=================================================================== > --- trunk/squirrelmail/templates/default/addrbook_search_list.tpl 2009-05-16 11:49:04 UTC (rev 13712) > +++ trunk/squirrelmail/templates/default/addrbook_search_list.tpl 2009-05-17 00:38:30 UTC (rev 13713) > @@ -39,14 +39,24 @@ > $colspan = $include_abook_name ? 5 : 4; > ?> > <?php > -if ($use_js) { > +if ($javascript_on) { > insert_javascript(); > } I don't think this is right - insert_javascript() seems to only add content to the page that operates the functions used when $compose_addr_pop (formerly $use_js) is turned on, so instead of $javascript_on, this should be $compose_addr_pop, no? |
From: Jonathan A. <jo...@sq...> - 2009-05-18 00:40:43
On Sun, 17 May 2009 01:24:20 -0700, Paul Lesniewski <pau...@pu...> wrote: >=================================================================== >> --- trunk/squirrelmail/templates/default/addrbook_search_list.tpl 2009-05-16 11:49:04 UTC (rev 13712) >> +++ trunk/squirrelmail/templates/default/addrbook_search_list.tpl 2009-05-17 00:38:30 UTC (rev 13713) >> @@ -39,14 +39,24 @@ >> $colspan = $include_abook_name ? 5 : 4; >> ?> >> <?php >> -if ($use_js) { >> +if ($javascript_on) { >> insert_javascript(); >> } > >I don't think this is right - insert_javascript() seems to only add >content to the page that operates the functions used when >$compose_addr_pop (formerly $use_js) is turned on, so instead of >$javascript_on, this should be $compose_addr_pop, no? It adds the new function "CheckAll" as well. I figured JS would be on with the compose_addr_pop, and javascript_on, so both are safe if javascript_on is enabled. -- Jonathan Angliss <jo...@sq...>
From: <pdo...@us...> - 2009-05-19 02:02:49
Revision: 13721 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13721&view=rev Author: pdontthink Date: 2009-05-19 01:51:16 +0000 (Tue, 19 May 2009) Log Message: ----------- - Fixed the Filters plugin to allow commas in filter criteria text Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/plugins/filters/filters.php trunk/squirrelmail/plugins/filters/options.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-19 01:49:24 UTC (rev 13720) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-19 01:51:16 UTC (rev 13721) @@ -313,6 +313,7 @@ - Cleanup variable name in address search for compose to clearup confusion. - Remove Javascript from address search page when JavaScript is disabled. - Add "Check All" function to address book when using "in-page" addressbook. + - Fixed the Filters plugin to allow commas in filter criteria text Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/plugins/filters/filters.php =================================================================== --- trunk/squirrelmail/plugins/filters/filters.php 2009-05-19 01:49:24 UTC (rev 13720) +++ trunk/squirrelmail/plugins/filters/filters.php 2009-05-19 01:51:16 UTC (rev 13721) @@ -592,7 +592,7 @@ for ($i = 0; $fltr = getPref($data_dir, $username, 'filter' . $i); $i++) { $ary = explode(',', $fltr); $filters[$i]['where'] = $ary[0]; - $filters[$i]['what'] = $ary[1]; + $filters[$i]['what'] = str_replace('###COMMA###', ',', $ary[1]); $filters[$i]['folder'] = $ary[2]; } return $filters; Modified: trunk/squirrelmail/plugins/filters/options.php =================================================================== --- trunk/squirrelmail/plugins/filters/options.php 2009-05-19 01:49:24 UTC (rev 13720) +++ trunk/squirrelmail/plugins/filters/options.php 2009-05-19 01:51:16 UTC (rev 13721) 
@@ -52,7 +52,7 @@ } if ($complete_post) { - $filter_what = str_replace(',', ' ', $filter_what); + $filter_what = str_replace(',', '###COMMA###', $filter_what); $filter_what = str_replace("\\\\", "\\", $filter_what); $filter_what = str_replace("\\\"", '"', $filter_what); $filter_what = str_replace('"', '"', $filter_what); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
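Review bot: the sentinel in the options.php hunk, `str_replace(',', '###COMMA###', $filter_what)`, is not a reversible encoding: criteria text that legitimately contains the literal string ###COMMA### is turned into a comma by the decode in filters.php, so one silent rewrite (comma to space) is replaced by another. Because the stored preference is later split with `explode(',', $fltr)` into exactly three fields, an encoding that is both reversible and delimiter-safe would be safer, for example `rawurlencode()` on save and `rawurldecode()` on load, or at minimum rejecting input that already contains the sentinel. In filters.php the decode is applied only to `$ary[1]`, which matches the encode side but deserves a comment, and the new ChangeLog line lacks the trailing period used by the neighbouring entries.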
From: <pdo...@us...> - 2009-05-20 20:59:57
|
Revision: 13728 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13728&view=rev Author: pdontthink Date: 2009-05-20 20:59:44 +0000 (Wed, 20 May 2009) Log Message: ----------- When sending an address literal to an SMTP EHLO command, do it with the right syntax Modified Paths: -------------- trunk/squirrelmail/class/deliver/Deliver_SMTP.class.php trunk/squirrelmail/src/configtest.php Modified: trunk/squirrelmail/class/deliver/Deliver_SMTP.class.php =================================================================== --- trunk/squirrelmail/class/deliver/Deliver_SMTP.class.php 2009-05-20 20:54:14 UTC (rev 13727) +++ trunk/squirrelmail/class/deliver/Deliver_SMTP.class.php 2009-05-20 20:59:44 UTC (rev 13728) @@ -135,6 +135,11 @@ $helohost = $domain; } + // if the host is an IPv4 address, enclose it in brackets + // + if (preg_match('/\d+\.\d+\.\d+\.\d+/', $helohost)) + $helohost = '[' . $helohost . ']'; + /* Lets introduce ourselves */ fputs($stream, "EHLO $helohost\r\n"); // Read ehlo response Modified: trunk/squirrelmail/src/configtest.php =================================================================== --- trunk/squirrelmail/src/configtest.php 2009-05-20 20:54:14 UTC (rev 13727) +++ trunk/squirrelmail/src/configtest.php 2009-05-20 20:59:44 UTC (rev 13728) @@ -622,8 +622,17 @@ if ($use_smtp_tls===2) { // if something breaks, script should close smtp connection on exit. + + // format EHLO argument correctly if needed + // + if (preg_match('/\d+\.\d+\.\d+\.\d+/', $client_ip)) + $helohost = '[' . $client_ip . ']'; + else // some day might add IPv6 here + $helohost = $client_ip; + + // say helo - fwrite($stream,"EHLO $client_ip\r\n"); + fwrite($stream,"EHLO $helohost\r\n"); $ehlo=array(); $ehlo_error = false; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
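Review bot: the IPv4 test `preg_match('/\d+\.\d+\.\d+\.\d+/', $helohost)` in the Deliver_SMTP.class.php hunk is unanchored, so any hostname that merely contains a dotted quad (a reverse-DNS style name such as host-10.0.0.1.example.net) is wrapped in brackets and sent as an invalid address literal; anchor it as `/^\d+\.\d+\.\d+\.\d+$/`. In the configtest.php hunk the `else` branch still sends a bare `$client_ip`, which for an IPv6 address is not valid EHLO syntax either; RFC 5321 requires the `[IPv6:...]` form, and `filter_var($client_ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)` can detect that case where PHP 5.2 or later is available. The same bracket logic now lives in two files, so a small shared helper would keep them from drifting apart.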
From: <pdo...@us...> - 2009-05-21 09:22:05
|
Revision: 13730 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13730&view=rev Author: pdontthink Date: 2009-05-21 09:21:56 +0000 (Thu, 21 May 2009) Log Message: ----------- Anchor the regexp. Thanks Thijs Kinkhorst. Modified Paths: -------------- trunk/squirrelmail/class/deliver/Deliver_SMTP.class.php trunk/squirrelmail/src/configtest.php Modified: trunk/squirrelmail/class/deliver/Deliver_SMTP.class.php =================================================================== --- trunk/squirrelmail/class/deliver/Deliver_SMTP.class.php 2009-05-21 09:20:01 UTC (rev 13729) +++ trunk/squirrelmail/class/deliver/Deliver_SMTP.class.php 2009-05-21 09:21:56 UTC (rev 13730) @@ -137,7 +137,7 @@ // if the host is an IPv4 address, enclose it in brackets // - if (preg_match('/\d+\.\d+\.\d+\.\d+/', $helohost)) + if (preg_match('/^\d+\.\d+\.\d+\.\d+$/', $helohost)) $helohost = '[' . $helohost . ']'; /* Lets introduce ourselves */ Modified: trunk/squirrelmail/src/configtest.php =================================================================== --- trunk/squirrelmail/src/configtest.php 2009-05-21 09:20:01 UTC (rev 13729) +++ trunk/squirrelmail/src/configtest.php 2009-05-21 09:21:56 UTC (rev 13730) @@ -625,7 +625,7 @@ // format EHLO argument correctly if needed // - if (preg_match('/\d+\.\d+\.\d+\.\d+/', $client_ip)) + if (preg_match('/^\d+\.\d+\.\d+\.\d+$/', $client_ip)) $helohost = '[' . $client_ip . ']'; else // some day might add IPv6 here $helohost = $client_ip; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
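Review bot: anchoring fixes the substring match, but `$` in PCRE also matches just before a trailing newline unless the `D` modifier is given, so `/^\d+\.\d+\.\d+\.\d+$/D` (or trimming `$helohost` and `$client_ip` first) is the strict form if either value can arrive with a line ending. Both hunks still accept octets outside 0-255 and leave the configtest.php `else` path emitting a bare IPv6 address; since the identical regexp is now maintained in two files, consider moving it into one helper so the next correction does not have to be made twice.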
From: <ki...@us...> - 2009-05-21 17:11:50
|
Revision: 13734 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13734&view=rev Author: kink Date: 2009-05-21 17:11:22 +0000 (Thu, 21 May 2009) Log Message: ----------- The shell escaping fix in map_yp_alias (CVE-2009-1579) was incomplete. Thanks Michal Hlavinka for noticing this. [CVE-2009-1381] Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/functions/imap_general.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-21 17:11:04 UTC (rev 13733) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-21 17:11:22 UTC (rev 13734) @@ -304,7 +304,8 @@ also includes general cleanup of that page (Thanks to Niels Teusink). [also CVE-2009-1578] - Fixed unsanitized shell command in example IMAP username mapping - function (map_yp_alias) (Thanks to Niels Teusink). [CVE-2009-1579] + function (map_yp_alias) (Thanks to Niels Teusink). + [CVE-2009-1579, CVE-2009-1381] - Fixed session fixation issues where someone who can modify a user's cookies could gain control of their login session. The SquirrelMail base URI is now uniformly generated, extraneous cookies are cleaned Modified: trunk/squirrelmail/functions/imap_general.php =================================================================== --- trunk/squirrelmail/functions/imap_general.php 2009-05-21 17:11:04 UTC (rev 13733) +++ trunk/squirrelmail/functions/imap_general.php 2009-05-21 17:11:22 UTC (rev 13734) @@ -1436,6 +1436,7 @@ * @since 1.3.0 */ function map_yp_alias($username) { - $yp = `ypmatch ' . escapeshellarg($username) . ' aliases`; + $safe_username = escapeshellarg($username); + $yp = `ypmatch $safe_username aliases`; return chop(substr($yp, strlen($username)+1)); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
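Review bot: this is the right fix, and the reason the earlier one was ineffective is visible in the removed line: the backtick operator interpolates variables only, so in `ypmatch ' . escapeshellarg($username) . ' aliases` the concatenation was never evaluated and the raw `$username` reached the shell. Two follow-ups for the imap_general.php hunk: `substr($yp, strlen($username)+1)` assumes the output begins with the username followed by one space and yields false (chopped to an empty string) when ypmatch prints nothing or an error, so checking the command result before slicing would make failures visible to callers; and because this example mapping function is copied into site configurations, a comment stating that `$username` must only ever reach the command through `escapeshellarg()` would help prevent the same regression elsewhere.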
From: <jan...@us...> - 2009-05-24 06:09:24
|
Revision: 13753 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13753&view=rev Author: jangliss Date: 2009-05-24 06:08:56 +0000 (Sun, 24 May 2009) Log Message: ----------- Fix for bug_report plugin not handling multiple values for same key (AUTH= AUTH=) Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/plugins/bug_report/system_specs.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-24 01:27:57 UTC (rev 13752) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-24 06:08:56 UTC (rev 13753) @@ -316,6 +316,8 @@ - Add "Check All" function to address book when using "in-page" addressbook. - Fixed the Filters plugin to allow commas in filter criteria text. - In SMTP, when we EHLO with an IP, wrap it in brackets (#2793154). + - Bug Report plugin not handling multiple same key capabilities (thread/auth) + (#2796007). Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/plugins/bug_report/system_specs.php =================================================================== --- trunk/squirrelmail/plugins/bug_report/system_specs.php 2009-05-24 01:27:57 UTC (rev 13752) +++ trunk/squirrelmail/plugins/bug_report/system_specs.php 2009-05-24 06:08:56 UTC (rev 13753) @@ -141,7 +141,13 @@ $body.= ' Capabilities: '; if ($imap_capabilities = sqimap_capability($imap_stream)) { foreach ($imap_capabilities as $capability => $value) { - $body.= $capability . (is_bool($value) ? ' ' : "=$value "); + if (is_array($value)) { + foreach($value as $val) { + $body .= $capability . "=$val "; + } + } else { + $body.= $capability . (is_bool($value) ? ' ' : "=$value "); + } } } $body.="\n"; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
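Review bot: style in the system_specs.php hunk: `foreach($value as $val)` lacks the space after the keyword used two lines above (`foreach ($imap_capabilities ...)`), and `$body .=` and `$body.=` are mixed within the same block. The inner loop also assumes every array element is a string; if sqimap_capability() ever places a boolean inside the array it will be concatenated as "1" or "". The ChangeLog entry describes the symptom ("Bug Report plugin not handling ...") rather than the change; phrasing it like its neighbours, e.g. "Fixed Bug Report plugin to handle multiple values for the same capability (thread/auth) (#2796007).", reads more consistently.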
From: <ki...@us...> - 2009-05-24 10:00:21
|
Revision: 13755 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13755&view=rev Author: kink Date: 2009-05-24 10:00:10 +0000 (Sun, 24 May 2009) Log Message: ----------- add more labling for options pages Modified Paths: -------------- trunk/squirrelmail/functions/forms.php trunk/squirrelmail/templates/default/options.tpl Modified: trunk/squirrelmail/functions/forms.php =================================================================== --- trunk/squirrelmail/functions/forms.php 2009-05-24 09:59:41 UTC (rev 13754) +++ trunk/squirrelmail/functions/forms.php 2009-05-24 10:00:10 UTC (rev 13755) @@ -190,6 +190,7 @@ . htmlspecialchars($v); } + if (! isset($aAttribs['id'])) $aAttribs['id'] = $sName; // make sure $default is an array, since multiple select lists // need the chance to have more than one default... @@ -292,6 +293,10 @@ // add default css else if (!isset($aAttribs['class'])) $aAttribs['class'] = 'sqmtextarea'; + + if ( empty( $aAttribs['id'] ) ) { + $aAttribs['id'] = strtr($sName,'[]','__'); + } global $oTemplate; Modified: trunk/squirrelmail/templates/default/options.tpl =================================================================== --- trunk/squirrelmail/templates/default/options.tpl 2009-05-24 09:59:41 UTC (rev 13754) +++ trunk/squirrelmail/templates/default/options.tpl 2009-05-24 10:00:10 UTC (rev 13755) 
@@ -61,15 +61,11 @@ echo "<tr>\n" . " <td class=\"optionName\"" . ($opt->caption_wrap ? '' : ' style="white-space:nowrap"') . ">\n "; - if ($opt->type == SMOPT_TYPE_BOOLEAN_CHECKBOX - || $opt->type == SMOPT_TYPE_BOOLEAN) { - echo '<label for="new_' . $opt->name . '">' - . $opt->caption . '</label>'; - } else if ($opt->type == SMOPT_TYPE_TEXTAREA && !empty($opt->trailing_text)) { - echo $opt->caption . '<br /><small>' . $opt->trailing_text . '</small>'; - } else { - echo $opt->caption; + echo '<label for="new_' . $opt->name . '">' . $opt->caption; + if ($opt->type == SMOPT_TYPE_TEXTAREA && !empty($opt->trailing_text)) { + echo '<br /><small>' . $opt->trailing_text . '</small>'; } + echo '</label>'; echo "\n </td>\n" . " <td class=\"optionValue\">\n" . This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
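Review bot: the two id-defaulting hunks in forms.php are inconsistent: the select-list hunk assigns `$aAttribs['id'] = $sName` unchanged behind an `isset()` check, while the textarea hunk maps `[]` to `__` with `strtr($sName,'[]','__')` behind an `empty()` check. Select lists are exactly the widget whose names carry `[]` for multiple selection, so the first hunk can emit ids such as `new_foo[]`, which are not valid id tokens and will never match the `for="new_foo"` that options.tpl now emits for every caption; apply the same normalisation in both places, ideally through one helper. In the options.tpl hunk, wrapping every caption in `<label for="new_...">` is only correct when the option renders a single control with that id; for radio groups or option types that render several inputs the `for` points at nothing. `$opt->name` is still echoed into the attribute unescaped (not new in this change), but since it now reaches every option row it is worth passing through htmlspecialchars() as the attribute builder in forms.php already does.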
From: <jer...@us...> - 2009-05-26 11:52:17
|
Revision: 13763 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13763&view=rev Author: jervfors Date: 2009-05-26 11:52:09 +0000 (Tue, 26 May 2009) Log Message: ----------- Removing the shut down DSBL blocklists. Thanks to Martin Jalakas for the report (#2796734). Modified Paths: -------------- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php branches/SM-1_4-STABLE/squirrelmail/po/squirrelmail.pot trunk/locales/po/squirrelmail.pot trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/plugins/filters/filters.php trunk/squirrelmail/po/squirrelmail.pot Modified: branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-26 10:49:50 UTC (rev 13762) +++ branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog 2009-05-26 11:52:09 UTC (rev 13763) @@ -4,6 +4,7 @@ Version 1.4.20 - SVN -------------------- + - Removed the shut down DSBL blocklists (#2796734). Version 1.4.19 - 21 May 2009 ---------------------------- Modified: branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php 2009-05-26 10:49:50 UTC (rev 13762) +++ branches/SM-1_4-STABLE/squirrelmail/plugins/filters/filters.php 2009-05-26 11:52:09 UTC (rev 13763) 
@@ -776,30 +776,6 @@ $filters['NJABL DUL']['comment'] = _("FREE, for now - Not Just Another Blacklist - Dial-up IPs."); - $filters['Conf DSBL.ORG Relay']['prefname'] = 'filters_spam_dsbl_conf_ss'; - $filters['Conf DSBL.ORG Relay']['name'] = 'DSBL.org Confirmed Relay List'; - $filters['Conf DSBL.ORG Relay']['link'] = 'http://www.dsbl.org/'; - $filters['Conf DSBL.ORG Relay']['dns'] = 'list.dsbl.org'; - $filters['Conf DSBL.ORG Relay']['result'] = '127.0.0.2'; - $filters['Conf DSBL.ORG Relay']['comment'] = - _("FREE - Distributed Sender Boycott List - Confirmed Relays"); - - $filters['Conf DSBL.ORG Multi-Stage']['prefname'] = 'filters_spam_dsbl_conf_ms'; - $filters['Conf DSBL.ORG Multi-Stage']['name'] = 'DSBL.org Confirmed Multi-Stage Relay List'; - $filters['Conf DSBL.ORG Multi-Stage']['link'] = 'http://www.dsbl.org/'; - $filters['Conf DSBL.ORG Multi-Stage']['dns'] = 'multihop.dsbl.org'; - $filters['Conf DSBL.ORG Multi-Stage']['result'] = '127.0.0.2'; - $filters['Conf DSBL.ORG Multi-Stage']['comment'] = - _("FREE - Distributed Sender Boycott List - Confirmed Multi-stage Relays"); - - $filters['UN-Conf DSBL.ORG']['prefname'] = 'filters_spam_dsbl_unc'; - $filters['UN-Conf DSBL.ORG']['name'] = 'DSBL.org UN-Confirmed Relay List'; - $filters['UN-Conf DSBL.ORG']['link'] = 'http://www.dsbl.org/'; - $filters['UN-Conf DSBL.ORG']['dns'] = 'unconfirmed.dsbl.org'; - $filters['UN-Conf DSBL.ORG']['result'] = '127.0.0.2'; - $filters['UN-Conf DSBL.ORG']['comment'] = - _("FREE - Distributed Sender Boycott List - UN-Confirmed Relays"); - foreach ($filters as $Key => $Value) { $filters[$Key]['enabled'] = (bool)getPref($data_dir, $username, $filters[$Key]['prefname']); } Modified: branches/SM-1_4-STABLE/squirrelmail/po/squirrelmail.pot =================================================================== --- branches/SM-1_4-STABLE/squirrelmail/po/squirrelmail.pot 2009-05-26 10:49:50 UTC (rev 13762) +++ branches/SM-1_4-STABLE/squirrelmail/po/squirrelmail.pot 2009-05-26 11:52:09 UTC (rev 
13763) @@ -9,7 +9,7 @@ "Project-Id-Version: SquirrelMail STABLE\n" "Report-Msgid-Bugs-To: SquirrelMail Internationalization <squirrelmail-" "i1...@li...>\n" -"POT-Creation-Date: 2009-05-15 16:50+0200\n" +"POT-Creation-Date: 2009-05-26 13:37+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <squ...@li...>\n" @@ -2529,15 +2529,6 @@ msgid "FREE, for now - Not Just Another Blacklist - Dial-up IPs." msgstr "" -msgid "FREE - Distributed Sender Boycott List - Confirmed Relays" -msgstr "" - -msgid "FREE - Distributed Sender Boycott List - Confirmed Multi-stage Relays" -msgstr "" - -msgid "FREE - Distributed Sender Boycott List - UN-Confirmed Relays" -msgstr "" - msgid "WARNING! You must enter something to search for." msgstr "" Modified: trunk/locales/po/squirrelmail.pot =================================================================== --- trunk/locales/po/squirrelmail.pot 2009-05-26 10:49:50 UTC (rev 13762) +++ trunk/locales/po/squirrelmail.pot 2009-05-26 11:52:09 UTC (rev 13763) @@ -9,7 +9,7 @@ "Project-Id-Version: SquirrelMail HEAD\n" "Report-Msgid-Bugs-To: SquirrelMail Internationalization <squirrelmail-" "i1...@li...>\n" -"POT-Creation-Date: 2009-05-15 16:59+0200\n" +"POT-Creation-Date: 2009-05-26 13:44+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <squ...@li...>\n" 
@@ -2541,15 +2541,6 @@ msgid "FREE, for now - Not Just Another Blacklist - Dial-up IPs." msgstr "" -msgid "FREE - Distributed Sender Boycott List - Confirmed Relays" -msgstr "" - -msgid "FREE - Distributed Sender Boycott List - Confirmed Multi-stage Relays" -msgstr "" - -msgid "FREE - Distributed Sender Boycott List - UN-Confirmed Relays" -msgstr "" - msgid "WARNING! You must enter something to search for." msgstr "" Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-05-26 10:49:50 UTC (rev 13762) +++ trunk/squirrelmail/doc/ChangeLog 2009-05-26 11:52:09 UTC (rev 13763) @@ -318,6 +318,7 @@ - In SMTP, when we EHLO with an IP, wrap it in brackets (#2793154). - Bug Report plugin not handling multiple same key capabilities (thread/auth) (#2796007). + - Removed the shut down DSBL blocklists (#2796734). Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/plugins/filters/filters.php =================================================================== --- trunk/squirrelmail/plugins/filters/filters.php 2009-05-26 10:49:50 UTC (rev 13762) +++ trunk/squirrelmail/plugins/filters/filters.php 2009-05-26 11:52:09 UTC (rev 13763) 
@@ -840,30 +840,6 @@ $filters['NJABL DUL']['comment'] = _("FREE, for now - Not Just Another Blacklist - Dial-up IPs."); - $filters['Conf DSBL.ORG Relay']['prefname'] = 'filters_spam_dsbl_conf_ss'; - $filters['Conf DSBL.ORG Relay']['name'] = 'DSBL.org Confirmed Relay List'; - $filters['Conf DSBL.ORG Relay']['link'] = 'http://www.dsbl.org/'; - $filters['Conf DSBL.ORG Relay']['dns'] = 'list.dsbl.org'; - $filters['Conf DSBL.ORG Relay']['result'] = '127.0.0.2'; - $filters['Conf DSBL.ORG Relay']['comment'] = - _("FREE - Distributed Sender Boycott List - Confirmed Relays"); - - $filters['Conf DSBL.ORG Multi-Stage']['prefname'] = 'filters_spam_dsbl_conf_ms'; - $filters['Conf DSBL.ORG Multi-Stage']['name'] = 'DSBL.org Confirmed Multi-Stage Relay List'; - $filters['Conf DSBL.ORG Multi-Stage']['link'] = 'http://www.dsbl.org/'; - $filters['Conf DSBL.ORG Multi-Stage']['dns'] = 'multihop.dsbl.org'; - $filters['Conf DSBL.ORG Multi-Stage']['result'] = '127.0.0.2'; - $filters['Conf DSBL.ORG Multi-Stage']['comment'] = - _("FREE - Distributed Sender Boycott List - Confirmed Multi-stage Relays"); - - $filters['UN-Conf DSBL.ORG']['prefname'] = 'filters_spam_dsbl_unc'; - $filters['UN-Conf DSBL.ORG']['name'] = 'DSBL.org UN-Confirmed Relay List'; - $filters['UN-Conf DSBL.ORG']['link'] = 'http://www.dsbl.org/'; - $filters['UN-Conf DSBL.ORG']['dns'] = 'unconfirmed.dsbl.org'; - $filters['UN-Conf DSBL.ORG']['result'] = '127.0.0.2'; - $filters['UN-Conf DSBL.ORG']['comment'] = - _("FREE - Distributed Sender Boycott List - UN-Confirmed Relays"); - foreach ($filters as $Key => $Value) { $filters[$Key]['enabled'] = (bool)getPref($data_dir, $username, $filters[$Key]['prefname']); } Modified: trunk/squirrelmail/po/squirrelmail.pot =================================================================== --- trunk/squirrelmail/po/squirrelmail.pot 2009-05-26 10:49:50 UTC (rev 13762) +++ trunk/squirrelmail/po/squirrelmail.pot 2009-05-26 11:52:09 UTC (rev 13763) 
@@ -9,7 +9,7 @@ "Project-Id-Version: SquirrelMail DEVEL\n" "Report-Msgid-Bugs-To: SquirrelMail Internationalization <squirrelmail-" "i1...@li...>\n" -"POT-Creation-Date: 2009-05-15 16:47+0200\n" +"POT-Creation-Date: 2009-05-26 13:37+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <squ...@li...>\n" @@ -2974,15 +2974,6 @@ msgid "FREE, for now - Not Just Another Blacklist - Dial-up IPs." msgstr "" -msgid "FREE - Distributed Sender Boycott List - Confirmed Relays" -msgstr "" - -msgid "FREE - Distributed Sender Boycott List - Confirmed Multi-stage Relays" -msgstr "" - -msgid "FREE - Distributed Sender Boycott List - UN-Confirmed Relays" -msgstr "" - msgid "WARNING! You must enter something to search for." msgstr "" This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
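Review bot: removing the definitions outright is the right call, because a shut-down DNSBL is a liability rather than a no-op: once the operator stops answering, or the domain lapses and is re-registered, lookups can start returning positive answers for every query and all incoming mail gets classified as spam. One follow-up for the filters.php hunks: the preferences `filters_spam_dsbl_conf_ss`, `filters_spam_dsbl_conf_ms` and `filters_spam_dsbl_unc` already stored in users' data_dir are now orphaned. They are harmless, since the remaining loop only reads prefs for the keys still defined, but a short note in the ChangeLog entry (or a cleanup when preferences are next saved) would help administrators who grep their preference files.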
From: <jan...@us...> - 2009-06-02 03:22:12
|
Revision: 13778 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13778&view=rev Author: jangliss Date: 2009-06-02 02:10:56 +0000 (Tue, 02 Jun 2009) Log Message: ----------- Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). This probably needs further discussion Modified Paths: -------------- trunk/squirrelmail/contrib/.htaccess trunk/squirrelmail/doc/.htaccess trunk/squirrelmail/doc/ChangeLog Modified: trunk/squirrelmail/contrib/.htaccess =================================================================== --- trunk/squirrelmail/contrib/.htaccess 2009-06-02 02:04:46 UTC (rev 13777) +++ trunk/squirrelmail/contrib/.htaccess 2009-06-02 02:10:56 UTC (rev 13778) @@ -2,4 +2,5 @@ Deny from All Allow from 127 Allow from 10 -Allow from 192 +Allow from 172.16 +Allow from 192.168 \ No newline at end of file Modified: trunk/squirrelmail/doc/.htaccess =================================================================== --- trunk/squirrelmail/doc/.htaccess 2009-06-02 02:04:46 UTC (rev 13777) +++ trunk/squirrelmail/doc/.htaccess 2009-06-02 02:10:56 UTC (rev 13778) @@ -2,4 +2,5 @@ Deny from All Allow from 127 Allow from 10 -Allow from 192 +Allow from 172.16 +Allow from 192.168 \ No newline at end of file Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-06-02 02:04:46 UTC (rev 13777) +++ trunk/squirrelmail/doc/ChangeLog 2009-06-02 02:10:56 UTC (rev 13778) @@ -319,6 +319,7 @@ - Bug Report plugin not handling multiple same key capabilities (thread/auth) (#2796007). - Removed the shut down DSBL blocklists (#2796734). + - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). Version 1.5.1 (branched on 2006-02-12) -------------------------------------- This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
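Review bot: `Allow from 172.16` in both .htaccess hunks covers only 172.16.0.0/16, whereas the RFC 1918 block is 172.16.0.0/12 (172.16.0.0 through 172.31.255.255); use CIDR notation, which Apache's `Allow from` accepts: `Allow from 172.16.0.0/12`. Narrowing the old `Allow from 192` (all of 192.0.0.0/8) to `192.168` is a genuine tightening and should be called out in the ChangeLog entry, since anyone who relied on the previous wider match will find doc/ and contrib/ unreachable from those addresses. Both files also still end without a trailing newline, as the `\ No newline at end of file` markers show.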
From: <pdo...@us...> - 2009-07-29 01:55:29
|
Revision: 13799 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13799&view=rev Author: pdontthink Date: 2009-07-29 01:55:21 +0000 (Wed, 29 Jul 2009) Log Message: ----------- Stop using deprecated ereg() functions (#2820952) Modified Paths: -------------- trunk/squirrelmail/class/l10n/gettext.class.php trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/functions/abook_local_file.php trunk/squirrelmail/functions/addressbook.php trunk/squirrelmail/functions/attachment_common.php trunk/squirrelmail/functions/folder_manip.php trunk/squirrelmail/functions/imap_asearch.php trunk/squirrelmail/functions/imap_general.php trunk/squirrelmail/functions/mime.php trunk/squirrelmail/functions/strings.php trunk/squirrelmail/functions/url_parser.php trunk/squirrelmail/plugins/squirrelspell/sqspell_config.php trunk/squirrelmail/src/addressbook.php trunk/squirrelmail/src/view_header.php Modified: trunk/squirrelmail/class/l10n/gettext.class.php =================================================================== --- trunk/squirrelmail/class/l10n/gettext.class.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/class/l10n/gettext.class.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -229,7 +229,7 @@ else { $header = $this->get_translation_number(0); - if (eregi("plural-forms: (.*)\n",$header,$regs)) { + if (preg_match('/plural-forms: (.*)\n/i',$header,$regs)) { $expr = $regs[1]; } else { $expr = "nplurals=2; plural=n == 1 ? 0 : 1;"; Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/doc/ChangeLog 2009-07-29 01:55:21 UTC (rev 13799) 
@@ -320,6 +320,7 @@ (#2796007). - Removed the shut down DSBL blocklists (#2796734). - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). + - Stop using deprecated ereg functions. (#2820952) Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/functions/abook_local_file.php =================================================================== --- trunk/squirrelmail/functions/abook_local_file.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/abook_local_file.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -300,8 +300,8 @@ * TODO: regexp search is supported only in local_file backend. * Do we check format of regexp or ignore errors? */ - // errors on eregi call are suppressed in order to prevent display of regexp compilation errors - if(@eregi($expr, $line)) { + // errors on preg_match call are suppressed in order to prevent display of regexp compilation errors + if(@preg_match('/' . $expr . '/i', $line)) { array_push($res, array('nickname' => $row[0], 'name' => $this->fullname($row[1], $row[2]), 'firstname' => $row[1], @@ -433,7 +433,8 @@ $this->quotevalue((!empty($userdata['label'])?$userdata['label']:'')); /* Strip linefeeds */ - $data = ereg_replace("[\r\n]", ' ', $data); + $nl_str = array("\r","\n"); + $data = str_replace($nl_str, ' ', $data); /** * Make sure that entry fits into allocated record space. 
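Review bot: in the abook_local_file.php search hunk, `'/' . $expr . '/i'` places a user-supplied regular expression directly between `/` delimiters, so any pattern containing a `/` terminates the pattern early; the suppressed compile error then makes preg_match() return false and the search silently matches nothing. Escape the delimiter (`str_replace('/', '\/', $expr)`) or reject input containing it, and consider reporting `preg_match() === false` as a search error rather than swallowing it. Since patterns stored by users were written for the POSIX ereg dialect and may behave differently under PCRE, the ChangeLog line should mention the syntax change rather than only the function removal.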
@@ -588,7 +589,7 @@ function quotevalue($value) { /* Quote the field if it contains | or ". Double quotes need to * be replaced with "" */ - if(ereg("[|\"]", $value)) { + if(stristr('"', $value) || stristr('|', $value)) { $value = '"' . str_replace('"', '""', $value) . '"'; } return $value; Modified: trunk/squirrelmail/functions/addressbook.php =================================================================== --- trunk/squirrelmail/functions/addressbook.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/addressbook.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -731,7 +731,7 @@ } /* Blocks use of space, :, |, #, " and ! in nickname */ - if (eregi('[ \\:\\|\\#\\"\\!]', $userdata['nickname'])) { + if (preg_match('/[ :|#"!]/', $userdata['nickname'])) { $this->error = _("Nickname contains illegal characters"); return false; } @@ -831,7 +831,7 @@ return false; } - if (eregi('[\\: \\|\\#"\\!]', $userdata['nickname'])) { + if (preg_match('/[: |#"!]/', $userdata['nickname'])) { $this->error = _("Nickname contains illegal characters"); return false; } Modified: trunk/squirrelmail/functions/attachment_common.php =================================================================== --- trunk/squirrelmail/functions/attachment_common.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/attachment_common.php 2009-07-29 01:55:21 UTC (rev 13799) 
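Review bot: the quotevalue() hunk reverses stristr()'s argument order: `stristr('"', $value)` looks for `$value` inside the one-character string `"`, so it is true only when the whole value is exactly `"` (likewise for `|`) and false for every other input. Fields that contain `|` or `"` are therefore written unquoted into the pipe-delimited address book file and corrupt its record structure when read back. Use `strpos($value, '"') !== false || strpos($value, '|') !== false`, or keep a regexp with `preg_match('/[|"]/', $value)`.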
@@ -265,8 +265,13 @@ //FIXME: or at least we can move this hook up to the top of this file where $FileExtensionToMimeType is defined. What else is this hook here for? What plugins use it? do_hook('attachment_common-load_mime_types', $null); - ereg('\\.([^\\.]+)$', $Args[6], $Regs); + preg_match('/\.([^.]+)$/', $Args[7], $Regs); + $Ext = ''; + if (is_array($Regs) && isset($Regs[1])) { + $Ext = $Regs[1]; + } + $Ext = strtolower($Regs[1]); if ($Ext == '' || ! isset($FileExtensionToMimeType[$Ext])) Modified: trunk/squirrelmail/functions/folder_manip.php =================================================================== --- trunk/squirrelmail/functions/folder_manip.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/folder_manip.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -226,7 +226,7 @@ /** lets see if we CAN move folders to the trash.. otherwise, ** just delete them **/ - if ($delete_folder || eregi('^'.$trash_folder.'.+', $folder_name) ) { + if ($delete_folder || preg_match('/^' . $trash_folder . '.+/i', $folder_name) ) { $can_move_to_trash = FALSE; } else { /* Otherwise, check if trash folder exits and support sub-folders */ Modified: trunk/squirrelmail/functions/imap_asearch.php =================================================================== --- trunk/squirrelmail/functions/imap_asearch.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/imap_asearch.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -190,7 +190,7 @@ global $imap_asearch_months; $what = trim($what); - $what = ereg_replace('[ /\\.,]+', '-', $what); + $what = preg_replace('/[ \/\\.,]+/', '-', $what); if ($what) { preg_match('/^([0-9]+)-+([^\-]+)-+([0-9]+)$/', $what, $what_parts); if (count($what_parts) == 4) { 
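Review bot: in the attachment_common.php hunk the new guard is defeated by the line after it: `$Ext = strtolower($Regs[1]);` still runs unconditionally and overwrites the guarded value, so a filename without an extension still triggers an undefined-index notice; make it `$Ext = strtolower($Ext);` or move strtolower() inside the `if`. The switch from `$Args[6]` to `$Args[7]` is unrelated to the ereg() removal and appears in neither the log message nor the ChangeLog; if it is a deliberate fix it deserves its own entry, and if it is accidental it changes which hook argument the MIME lookup reads. In the folder_manip.php hunk `$trash_folder` is interpolated into the pattern unescaped, so a trash folder name containing `.`, `+` or `/` alters the match or breaks compilation; wrap it with `preg_quote($trash_folder, '/')`.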
@@ -232,7 +232,7 @@ default: case 'anum': $what = str_replace(' ', '', $what); - $what = ereg_replace('[^0-9]+[^KMG]$', '', strtoupper($what)); + $what = preg_replace('/[^0-9]+[^KMG]$/', '', strtoupper($what)); if ($what != '') { switch (substr($what, -1)) { case 'G': @@ -268,7 +268,7 @@ $criteria = $opcode . ' ' . sqimap_asearch_encode_string($what, $charset) . ' '; break; case 'asequence': - $what = ereg_replace('[^0-9:\(\)]+', '', $what); + $what = preg_replace('/[^0-9:()]+/', '', $what); if ($what != '') $criteria = $opcode . ' ' . $what . ' '; break; Modified: trunk/squirrelmail/functions/imap_general.php =================================================================== --- trunk/squirrelmail/functions/imap_general.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/imap_general.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -1075,8 +1075,8 @@ * TODO: remove this in favour of the information from sqimap_get_namespace() */ $read = sqimap_run_command($imap_stream, 'NAMESPACE', true, $a, $b); - if (eregi('\\* NAMESPACE +(\\( *\\(.+\\) *\\)|NIL) +(\\( *\\(.+\\) *\\)|NIL) +(\\( *\\(.+\\) *\\)|NIL)', $read[0], $data)) { - if (eregi('^\\( *\\((.*)\\) *\\)', $data[1], $data2)) { + if (preg_match('/\* NAMESPACE +(\( *\(.+\) *\)|NIL) +(\( *\(.+\) *\)|NIL) +(\( *\(.+\) *\)|NIL)/i', $read[0], $data)) { + if (preg_match('/^\( *\((.*)\) *\)/', $data[1], $data2)) { $pn = $data2[1]; } $pna = explode(')(', $pn); @@ -1138,7 +1138,7 @@ $ns_strings = array(1=>'personal', 2=>'users', 3=>'shared'); $namespace = array(); - if(ereg('NAMESPACE (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL)', $input, $regs) !== false) { + if (preg_match('/NAMESPACE (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL) (\(\(.*\)\)|NIL)/', $input, $regs)) { for($i=1; $i<=3; $i++) { if($regs[$i] == 'NIL') { $namespace[$ns_strings[$i]] = array(); 
@@ -1174,7 +1174,7 @@ */ function sqimap_encode_mailbox_name($what) { - if (ereg("[\"\\\r\n]", $what)) + if (preg_match('/["\\\r\n]/', $what)) return '{' . strlen($what) . "}\r\n" . $what; /* 4.3 literal form */ return '"' . $what . '"'; /* 4.3 quoted string form */ } Modified: trunk/squirrelmail/functions/mime.php =================================================================== --- trunk/squirrelmail/functions/mime.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/mime.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -140,7 +140,7 @@ } while($topline && ($topline[0] == '*') && !preg_match('/\* [0-9]+ FETCH.*/i', $topline)) ; $wholemessage = implode('', $data); - if (ereg('\\{([^\\}]*)\\}', $topline, $regs)) { + if (preg_match('/\{([^\}]*)\}/', $topline, $regs)) { $ret = substr($wholemessage, 0, $regs[1]); /* There is some information in the content info header that could be important * in order to parse html messages. Let's get them here. @@ -148,7 +148,7 @@ // if ($ret{0} == '<') { // $data = sqimap_run_command ($imap_stream, "FETCH $id BODY[$ent_id.MIME]", true, $response, $message, TRUE); // } - } else if (ereg('"([^"]*)"', $topline, $regs)) { + } else if (preg_match('/"([^"]*)"/', $topline, $regs)) { $ret = $regs[1]; } else if ((stristr($topline, 'nil') !== false) && (empty($wholemessage))) { $ret = $wholemessage; 
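Review bot: the sqimap_encode_mailbox_name() hunk no longer matches carriage return. In the single-quoted pattern `'/["\\\r\n]/'` PHP turns `\\` into one backslash and leaves `\r` as the two characters backslash and `r`, so PCRE sees the class `["\\r\n]`: a double quote, an escaped backslash, the literal letter `r` and a newline. Mailbox names containing an `r` are therefore needlessly sent as literals, while a name containing CR goes out in the quoted-string form that RFC 3501 does not allow for CR or LF. Write the class as `'/["\\\\\r\n]/'` (or the double-quoted `"/[\"\\\\\r\n]/"`) so the pattern contains an escaped backslash followed by PCRE's own `\r` and `\n` escapes, matching what the old ereg bracket expression did.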
@@ -2734,7 +2734,7 @@ $filename = call_user_func($languages[$squirrelmail_language]['XTRA_CODE'] . '_downloadfilename', $filename, $HTTP_USER_AGENT); } else { - $filename = ereg_replace('[\\/:\*\?"<>\|;]', '_', str_replace(' ', ' ', $filename)); + $filename = preg_replace('/[\\\/:*?"<>|;]/', '_', str_replace(' ', ' ', $filename)); } // A Pox on Microsoft and it's Internet Explorer! Modified: trunk/squirrelmail/functions/strings.php =================================================================== --- trunk/squirrelmail/functions/strings.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/strings.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -349,7 +349,7 @@ } } - ereg("^([\t >]*)([^\t >].*)?$", $line, $regs); + preg_match('/^([\t >]*)([^\t >].*)?$/', $line, $regs); $beginning_spaces = $regs[1]; if (isset($regs[2])) { $words = explode(' ', $regs[2]); Modified: trunk/squirrelmail/functions/url_parser.php =================================================================== --- trunk/squirrelmail/functions/url_parser.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/functions/url_parser.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -55,7 +55,7 @@ $addresses = array(); /* Find all the email addresses in the body */ - while(eregi($Email_RegExp_Match, $sbody, $regs)) { + while (preg_match('/' . $Email_RegExp_Match . '/i', $sbody, $regs)) { $addresses[$regs[0]] = strtr($regs[0], array('&' => '&')); $start = strpos($sbody, $regs[0]) + strlen($regs[0]); $sbody = substr($sbody, $start); @@ -183,7 +183,7 @@ $url = substr($body, $target_pos, $end-$target_pos); /* Needed since lines are not passed with \n or \r */ - while ( ereg("[,\.]$", $url) ) { + while ( preg_match('/[,.]$/', $url) ) { $url = substr( $url, 0, -1 ); $end--; } 
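Review bot: the mime.php download-filename hunk produces a pattern that cannot compile. In `'/[\\\/:*?"<>|;]/'` single-quoting turns `\\` into one backslash and leaves `\/` unchanged, so PHP hands PCRE the string `/[\\/:*?"<>|;]/`; the delimiter scanner treats `\\` as an escaped backslash, then meets an unescaped `/` immediately after it, ends the pattern there and complains about the unknown modifier `:`, and preg_replace() returns NULL, leaving `$filename` empty for every download outside the XTRA_CODE languages. Use `'/[\\\\\/:*?"<>|;]/'` (escaped backslash, escaped slash) or sidestep the collision with a different delimiter such as `'~[\\\\/:*?"<>|;]~'`, and verify the result with an attachment download before merging.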
@@ -217,7 +217,7 @@ $addresses = array(); /* Find all the email addresses in the body */ - while (eregi($Email_RegExp_Match, $string, $regs)) { + while (preg_match('/' . $Email_RegExp_Match . '/i', $string, $regs)) { $addresses[$regs[0]] = strtr($regs[0], array('&' => '&')); $start = strpos($string, $regs[0]) + strlen($regs[0]); $string = substr($string, $start); Modified: trunk/squirrelmail/plugins/squirrelspell/sqspell_config.php =================================================================== --- trunk/squirrelmail/plugins/squirrelspell/sqspell_config.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/plugins/squirrelspell/sqspell_config.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -105,9 +105,3 @@ $SQSPELL_WORDS_FILE = getHashedFile($username, $data_dir, "$username.words"); -/** - * Function used for checking words in user's dictionary - * @global string $SQSPELL_EREG - * @deprecated It is not used since 1.5.1 (sqspell 0.5) - */ -$SQSPELL_EREG = 'ereg'; Modified: trunk/squirrelmail/src/addressbook.php =================================================================== --- trunk/squirrelmail/src/addressbook.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/src/addressbook.php 2009-07-29 01:55:21 UTC (rev 13799) @@ -111,7 +111,7 @@ if (!$r) { /* Remove backend name from error string */ $errstr = $abook->error; - $errstr = ereg_replace('^\[.*\] *', '', $errstr); + $errstr = preg_replace('/^\[.*\] */', '', $errstr); $formerror = $errstr; $showaddrlist = false; Modified: trunk/squirrelmail/src/view_header.php =================================================================== --- trunk/squirrelmail/src/view_header.php 2009-07-29 01:35:45 UTC (rev 13798) +++ trunk/squirrelmail/src/view_header.php 2009-07-29 01:55:21 UTC (rev 13799) 
@@ -41,16 +41,17 @@ for ($i=1; $i < count($read); $i++) { $line = htmlspecialchars($read[$i]); switch (true) { - case (eregi("^>", $line)): + case (preg_match('/^>/i', $line)): $second[$i] = $line; $first[$i] = ' '; $cnum++; break; - case (eregi("^[ |\t]", $line)): +// FIXME: is the pipe character below a mistake? I think the original author might have thought it carried special meaning in the character class, which it does not... but then again, I am not currently trying to understand what this code actually does + case (preg_match('/^[ |\t]/', $line)): $second[$i] = $line; $first[$i] = ''; break; - case (eregi("^([^:]+):(.+)", $line, $regs)): + case (preg_match('/^([^:]+):(.+)/', $line, $regs)): $first[$i] = $regs[1] . ':'; $second[$i] = $regs[2]; $cnum++; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
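Review bot: the new character class in the sqimap_encode_mailbox_name hunk, `preg_match('/["\\\r\n]/', $what)`, no longer matches a carriage return. Inside a single-quoted PHP string only `\\` and `\'` are escapes, so `\\\r` becomes `\\` followed by a literal `r`, which PCRE reads as one backslash and the letter r; the old double-quoted ereg pattern contained a real CR. Net effect: a mailbox name containing the letter r is now sent in literal form (valid, just needless), while a name containing CR is sent in quoted-string form, which IMAP does not allow and which the literal form exists to handle. Suggest `preg_match('/["\\\\\r\n]/', $what)` (single-quoted, so `\\\\` yields one PCRE backslash and `\r`/`\n` reach PCRE as escapes) or keep the double quotes as before: `preg_match("/[\"\\\\\r\n]/", $what)`.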
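Review bot: the replacement pattern in the mime.php filename hunk (@@ -2734), `preg_replace('/[\\\/:*?"<>|;]/', '_', ...)`, is not a valid PCRE call. After single-quote processing the string is `/[\\/:*?"<>|;]/`; PHP finds the closing delimiter by skipping one character after each backslash, so `\\` consumes both backslashes and the following `/` (meant to be the slash inside the class) is taken as the closing delimiter. The remainder `:*?"<>|;]/` is parsed as modifiers, preg_replace emits an "Unknown modifier" warning and returns NULL, so `$filename` would be emptied for every download that takes this branch. Use a delimiter that does not occur in the class and double the backslash so one literal backslash reaches PCRE, keeping the str_replace() argument as it is: `preg_replace('#[\\\\/:*?"<>|;]#', '_', str_replace(...))`.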
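Review bot: in both url_parser.php hunks (@@ -55 and @@ -217) the pattern is assembled as `'/' . $Email_RegExp_Match . '/i'`; that is only correct if `$Email_RegExp_Match` (and the fragments it is built from) contains no unescaped `/` and no POSIX-only syntax, since ereg never needed a delimiter and the variable was never written with one in mind. Please confirm the definition against that, or choose a delimiter that cannot appear in it, and leave a comment at the definition stating the constraint so a later edit does not break these call sites silently.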
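Review bot: on the view_header.php hunk (@@ -41), the `|` inside `[ |\t]` that the new FIXME asks about is just a third member of the class, so this case also fires for lines starting with a pipe character; it behaved the same under ereg, so nothing changes, but `/^[ \t]/` is what the header-continuation check means and the FIXME can be resolved that way. The `/i` on `/^>/` is a no-op for that pattern (there are no letters) and can be dropped, which also makes the three cases consistent with each other.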
From: Paul L. <pa...@sq...> - 2009-07-29 02:55:17
On 7/28/09, pdo...@us... <pdo...@us...> wrote:
> Revision: 13799
>
> http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13799&view=rev
> Author: pdontthink
> Date: 2009-07-29 01:55:21 +0000 (Wed, 29 Jul 2009)
>
> Log Message:
> -----------
> Stop using deprecated ereg() functions (#2820952)

100% untested
From: Jonathan A. <jo...@sq...> - 2009-08-02 00:39:38
On Tue, 28 Jul 2009 19:55:10 -0700, in gmane.mail.squirrelmail.cvs you wrote:
>On 7/28/09, pdo...@pu...
><pdo...@pu...> wrote:
>> Revision: 13799
>>
>> http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13799&view=rev
>> Author: pdontthink
>> Date: 2009-07-29 01:55:21 +0000 (Wed, 29 Jul 2009)
>>
>> Log Message:
>> -----------
>> Stop using deprecated ereg() functions (#2820952)
>
>100% untested

In devel maybe. Been running it in stable with no errors :)

I was going to do these in devel this weekend after doing some painting, thanks for jumping on it for me.

As for the . in the character class, when I tested, it made no difference which option I specified, and matched suitably on several test cases.

--
Jonathan Angliss <jo...@sq...>
From: <pdo...@us...> - 2009-07-31 05:23:10
Revision: 13805 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13805&view=rev Author: pdontthink Date: 2009-07-31 05:23:04 +0000 (Fri, 31 Jul 2009) Log Message: ----------- Remove personal data from Message ID seed. (#880029/847107) Modified Paths: -------------- trunk/squirrelmail/class/deliver/Deliver.class.php trunk/squirrelmail/doc/ChangeLog Modified: trunk/squirrelmail/class/deliver/Deliver.class.php =================================================================== --- trunk/squirrelmail/class/deliver/Deliver.class.php 2009-07-31 05:22:35 UTC (rev 13804) +++ trunk/squirrelmail/class/deliver/Deliver.class.php 2009-07-31 05:23:04 UTC (rev 13805) @@ -590,15 +590,9 @@ /* Create a message-id */ $message_id = 'MESSAGE ID GENERATION ERROR! PLEASE CONTACT SQUIRRELMAIL DEVELOPERS'; if (empty($rfc822_header->message_id)) { - $message_id = '<'; - /* user-specifc data to decrease collision chance */ - $seed_data = $username . '.'; - $seed_data .= (!empty($REMOTE_PORT) ? $REMOTE_PORT . '.' : ''); - $seed_data .= (!empty($REMOTE_ADDR) ? $REMOTE_ADDR . '.' : ''); - /* add the current time in milliseconds and randomness */ - $seed_data .= uniqid(mt_rand(),true); - /* put it through one-way hash and add it to the ID */ - $message_id .= md5($seed_data) . '.squirrel@' . $SERVER_NAME .'>'; + $message_id = '<' + . md5(GenerateRandomString(16, '', 7) . uniqid(mt_rand(),true)) + . '.squirrel@' . $SERVER_NAME .'>'; } /* Make an RFC822 Received: line */ Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-07-31 05:22:35 UTC (rev 13804) +++ trunk/squirrelmail/doc/ChangeLog 2009-07-31 05:23:04 UTC (rev 13805) 
@@ -321,6 +321,7 @@ - Removed the shut down DSBL blocklists (#2796734). - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). - Stop using deprecated ereg functions. (#2820952) + - Remove personal data from Message ID seed. (#880029/847107) Version 1.5.1 (branched on 2006-02-12) -------------------------------------- This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
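Review bot: the Deliver.class.php hunk removes the comments that explained what went into the seed without saying why the user-specific fields were dropped; add a one-line comment that the seed deliberately contains no user-identifying data (#880029/847107), so a later "improve uniqueness" change does not reintroduce `$username`, `$REMOTE_PORT` or `$REMOTE_ADDR`. Since those three are no longer referenced in this block, check whether the method still declares them global and drop them if nothing else in it uses them. Functionally the new seed (16 random characters plus `uniqid(mt_rand(), true)`) is ample for uniqueness, and the `@$SERVER_NAME` part the Message-ID format requires is unchanged.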
From: <pdo...@us...> - 2009-08-12 08:20:53
Revision: 13816 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13816&view=rev Author: pdontthink Date: 2009-08-12 08:20:46 +0000 (Wed, 12 Aug 2009) Log Message: ----------- Implemented page referal verification mechanism. (Secunia Advisory SA34627) Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/functions/auth.php trunk/squirrelmail/include/init.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-08-12 08:19:16 UTC (rev 13815) +++ trunk/squirrelmail/doc/ChangeLog 2009-08-12 08:20:46 UTC (rev 13816) @@ -322,6 +322,7 @@ - Fixed broken RFC1918 reference in contrib/.htaccess and doc/.htaccess (#2798839). - Stop using deprecated ereg functions. (#2820952) - Remove personal data from Message ID seed. (#880029/847107) + - Implemented page referal verification mechanism. (Secunia Advisory SA34627) Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/functions/auth.php =================================================================== --- trunk/squirrelmail/functions/auth.php 2009-08-12 08:19:16 UTC (rev 13815) +++ trunk/squirrelmail/functions/auth.php 2009-08-12 08:20:46 UTC (rev 13816) 
@@ -24,13 +24,44 @@ * and PAGE_NAME in session and returns false. POST information is saved in * 'session_expired_post' variable, PAGE_NAME is saved in 'session_expired_location'. * + * This function optionally checks the referrer of this page request. If the + * administrator wants to impose a check that the referrer of this page request + * is another page on the same domain (otherwise, the page request is likely + * the result of a XSS or phishing attack), then they need to specify the + * acceptable referrer domain in a variable named $check_referrer in + * config/config.php (or the configuration tool) for which the value is + * usually the same as the $domain setting (for example: + * $check_referrer = 'example.com'; + * However, in some cases (where proxy servers are in use, etc.), the + * acceptable referrer might be different. If $check_referrer is set to + * "###DOMAIN###", then the current value of $domain is used (useful in + * situations where $domain might change at runtime (when using the Login + * Manager plugin to host multiple domains with one SquirrelMail installation, + * for example)): + * $check_referrer = '###DOMAIN###'; + * NOTE HOWEVER, that referrer checks are not foolproof - they can be spoofed + * by browsers, and some browsers intentionally don't send them, in which + * case SquirrelMail silently ignores referrer checks. + * * Script that uses this function instead of is_logged_in() function, must handle user * level messages. * @return boolean * @since 1.5.1 */ function sqauth_is_logged_in() { - if ( sqsession_is_registered('user_is_logged_in') ) { + + global $check_referrer, $domain; + if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = ''; + if ($check_referrer == '###DOMAIN###') $check_referrer = $domain; + if (!empty($check_referrer)) { + $ssl_check_referrer = 'https://' . $check_referrer; + $check_referrer = 'http://' . 
$check_referrer; + } + if (sqsession_is_registered('user_is_logged_in') + && (!$check_referrer || empty($referrer) + || ($check_referrer && !empty($referrer) + && (strpos(strtolower($referrer), strtolower($check_referrer)) === 0 + || strpos(strtolower($referrer), strtolower($ssl_check_referrer)) === 0)))) { return true; } Modified: trunk/squirrelmail/include/init.php =================================================================== --- trunk/squirrelmail/include/init.php 2009-08-12 08:19:16 UTC (rev 13815) +++ trunk/squirrelmail/include/init.php 2009-08-12 08:20:46 UTC (rev 13816) @@ -118,7 +118,7 @@ } $seed .= uniqid(mt_rand(),TRUE); -$seed .= implode( '', stat( __FILE__) ); +$seed .= implode('', stat( __FILE__)); // mt_srand() uses an integer to seed, so we need to distill our // very large seed to something useful (without taking a sub-string, @@ -571,16 +571,28 @@ /** - * Check if we are logged in + * Check if we are logged in and does optional referrer check */ require(SM_PATH . 'functions/auth.php'); - if ( !sqsession_is_registered('user_is_logged_in') ) { + global $check_referrer, $domain; + if (!sqgetGlobalVar('HTTP_REFERER', $referrer, SQ_SERVER)) $referrer = ''; + if ($check_referrer == '###DOMAIN###') $check_referrer = $domain; + if (!empty($check_referrer)) { + $ssl_check_referrer = 'https://' . $check_referrer; + $check_referrer = 'http://' . $check_referrer; + } + if (!sqsession_is_registered('user_is_logged_in') + || ($check_referrer && !empty($referrer) + && strpos(strtolower($referrer), strtolower($check_referrer)) !== 0 + && strpos(strtolower($referrer), strtolower($ssl_check_referrer)) !== 0)) { // use $message to indicate what logout text the user // will see... if 0, typical "You must be logged in" // if 1, information that the user session was saved - // and will be resumed after (re)login + // and will be resumed after (re)login, if 2, there + // seems to have been a XSS or phishing attack (bad + // referrer) // $message = 0; 
@@ -597,6 +609,13 @@ if ($session_expired_location == 'compose') $message = 1; } + + // was bad referrer the reason we were rejected? + // + if (sqsession_is_registered('user_is_logged_in') + && $check_referrer && !empty($referrer)) + $message = 2; + // signout page will deal with users who aren't logged // in on its own; don't show error here // @@ -622,8 +641,10 @@ set_up_language($squirrelmail_language, true); if (!$message) logout_error( _("You must be logged in to access this page.") ); - else + else if ($message == 1) logout_error( _("Your session has expired, but will be resumed after logging in again.") ); + else if ($message == 2) + logout_error( _("The current page request appears to have originated from an unrecognized source.") ); exit; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
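Review bot: the accept test added to sqauth_is_logged_in() in the functions/auth.php hunk (`strpos(strtolower($referrer), strtolower($check_referrer)) === 0`, with `$check_referrer = 'http://' . $check_referrer`) is a prefix match on the whole URL, so with `$check_referrer = 'example.com'` a referrer of `http://example.com.other-host.tld/` or `http://example.company/` also passes. Compare the host component instead: `$parts = parse_url($referrer); $host = isset($parts['host']) ? $parts['host'] : '';` and test `strtolower($host)` against the configured value, then check the scheme separately. Second, the function rewrites the global `$check_referrer` in place by prepending `http://`; the init.php block in this same commit does the same to the same global, so when both run in one request the second one sees `http://http://example.com`, every referrer fails, and a logged-in user is treated as logged out. Keep the `http://` and `https://` forms in local variables. Finally, "XSS or phishing attack" in the docblock should read "cross-site request forgery": a referrer check does nothing against XSS, and the docblock's own caveat that the check is skipped when the header is absent means this is a best-effort layer, not a complete defence on its own.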
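Review bot: the referrer block added to include/init.php (@@ -571) is a verbatim copy of the one in functions/auth.php (same globals, same prefix construction, same strpos test) and the two will drift apart. Factor the comparison into a single boolean helper in auth.php and call it from both places; the prefix-match weakness and the global-mutation problem noted for the auth.php hunk apply here as well. In the @@ -597 hunk, `$message = 2` is reconstructed afterwards from side conditions (`sqsession_is_registered('user_is_logged_in') && $check_referrer && !empty($referrer)`) rather than recorded at the point of rejection; setting a `$bad_referrer` flag inside the rejecting condition and testing that here would be clearer and would not break if the outer condition is edited later.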
From: <pdo...@us...> - 2009-08-12 08:28:46
Revision: 13817 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13817&view=rev Author: pdontthink Date: 2009-08-12 08:28:38 +0000 (Wed, 12 Aug 2009) Log Message: ----------- Implemented security token system. (Secunia Advisory SA34627) Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/functions/addressbook.php trunk/squirrelmail/functions/forms.php trunk/squirrelmail/functions/mailbox_display.php trunk/squirrelmail/functions/strings.php trunk/squirrelmail/src/addrbook_search_html.php trunk/squirrelmail/src/addressbook.php trunk/squirrelmail/src/compose.php trunk/squirrelmail/src/folders.php trunk/squirrelmail/src/options.php trunk/squirrelmail/src/options_highlight.php trunk/squirrelmail/src/options_identities.php trunk/squirrelmail/src/search.php trunk/squirrelmail/templates/default/addressbook_list.tpl trunk/squirrelmail/templates/default/folder_manip.tpl trunk/squirrelmail/templates/default/folder_manip_dialog.tpl trunk/squirrelmail/templates/default/message_list.tpl trunk/squirrelmail/templates/default/read_menubar_buttons.tpl trunk/squirrelmail/templates/default/vcard.tpl trunk/squirrelmail/templates/default_advanced/read_menubar_buttons.tpl Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/doc/ChangeLog 2009-08-12 08:28:38 UTC (rev 13817) 
@@ -323,6 +323,7 @@ - Stop using deprecated ereg functions. (#2820952) - Remove personal data from Message ID seed. (#880029/847107) - Implemented page referal verification mechanism. (Secunia Advisory SA34627) + - Implemented security token system. (Secunia Advisory SA34627) Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/functions/addressbook.php =================================================================== --- trunk/squirrelmail/functions/addressbook.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/functions/addressbook.php 2009-08-12 08:28:38 UTC (rev 13817) @@ -192,7 +192,7 @@ global $oTemplate; - $output = addForm($form_url, 'post', 'f_add'); + $output = addForm($form_url, 'post', 'f_add', '', '', array(), TRUE); if ($button == _("Update address")) { $edit = true; Modified: trunk/squirrelmail/functions/forms.php =================================================================== --- trunk/squirrelmail/functions/forms.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/functions/forms.php 2009-08-12 08:28:38 UTC (rev 13817) 
@@ -313,20 +313,26 @@ /** * Make a <form> start-tag. * - * @param string $sAction form handler URL - * @param string $sMethod http method used to submit form data. 'get' or 'post' - * @param string $sName form name used for identification (used for backward - * compatibility). Use of id is recommended instead. - * @param string $sEnctype content type that is used to submit data. html 4.01 - * defaults to 'application/x-www-form-urlencoded'. Form - * with file field needs 'multipart/form-data' encoding type. - * @param string $sCharset charset that is used for submitted data - * @param array $aAttribs (since 1.5.1) extra attributes + * @param string $sAction form handler URL + * @param string $sMethod http method used to submit form data. 'get' or 'post' + * @param string $sName form name used for identification (used for backward + * compatibility). Use of id is recommended instead. + * @param string $sEnctype content type that is used to submit data. html 4.01 + * defaults to 'application/x-www-form-urlencoded'. Form + * with file field needs 'multipart/form-data' encoding type. + * @param string $sCharset charset that is used for submitted data + * @param array $aAttribs (since 1.5.1) extra attributes + * @param boolean $bAddToken (since 1.5.2) When given as a string or as boolean TRUE, + * a hidden input is also added to the form containing a + * security token. When given as TRUE, the input name is + * "smtoken"; otherwise the name is the string that is + * given for this parameter. When FALSE, no hidden token + * input field is added. (OPTIONAL; default not used) * * @return string html formated form start string * */ -function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCharset = '', $aAttribs = array()) { +function addForm($sAction, $sMethod = 'post', $sName = '', $sEnctype = '', $sCharset = '', $aAttribs = array(), $bAddToken = FALSE) { global $oTemplate; 
@@ -338,7 +344,14 @@ $oTemplate->assign('enctype', $sEnctype); $oTemplate->assign('charset', $sCharset); - return $oTemplate->fetch('form.tpl'); + $sForm = $oTemplate->fetch('form.tpl'); + + if ($bAddToken) { + $sForm .= addHidden((is_string($bAddToken) ? $bAddToken : 'smtoken'), + sm_generate_security_token()); + } + + return $sForm; } /** Modified: trunk/squirrelmail/functions/mailbox_display.php =================================================================== --- trunk/squirrelmail/functions/mailbox_display.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/functions/mailbox_display.php 2009-08-12 08:28:38 UTC (rev 13817) @@ -1341,6 +1341,12 @@ $aUid = (isset($msg) && is_array($msg)) ? array_values($msg) : $aUid; if (count($aUid) && $sButton != 'expunge') { + // don't do anything to any messages until we have done security check + // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture + // FIXME: we might need to open this up to SQ_FORM instead, especially for plugins (?) + sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); + sm_validate_security_token($submitted_token, 3600, TRUE); + // make sure message UIDs are sanitized (BIGINT) foreach ($aUid as $i => $uid) $aUid[$i] = (preg_match('/^[0-9]+$/', $uid) ? $uid : '0'); Modified: trunk/squirrelmail/functions/strings.php =================================================================== --- trunk/squirrelmail/functions/strings.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/functions/strings.php 2009-08-12 08:28:38 UTC (rev 13817) 
@@ -1250,3 +1250,185 @@ function sq_trim_value ( &$value ) { $value = trim($value); } + +/** + * Gathers the list of secuirty tokens currently + * stored in the user's preferences and optionally + * purges old ones from the list. + * + * @param boolean $purge_old Indicates if old tokens + * should be purged from the + * list ("old" is 30 days or + * older unless the administrator + * overrides that value using + * $max_security_token_age in + * config/config_local.php) + * (OPTIONAL; default is to always + * purge old tokens) + * + * @return array The list of tokens + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_get_user_security_tokens($purge_old=TRUE) +{ + + global $data_dir, $username, $max_token_age_days; + + $tokens = getPref($data_dir, $username, 'security_tokens', ''); + if (($tokens = unserialize($tokens)) === FALSE || !is_array($tokens)) + $tokens = array(); + + // purge old tokens if necessary + // + if ($purge_old) + { + if (empty($max_token_age_days)) $max_token_age_days = 30; + $now = time(); + $discard_token_date = $now - ($max_token_age_days * 86400); + $cleaned_tokens = array(); + foreach ($tokens as $token => $timestamp) + if ($timestamp >= $discard_token_date) + $cleaned_tokens[$token] = $timestamp; + $tokens = $cleaned_tokens; + } + + return $tokens; + +} + +/** + * Generates a security token that is then stored in + * the user's preferences with a timestamp for later + * verification/use. + * + * WARNING: If the administrator has turned the token system + * off by setting $disable_security_tokens to TRUE in + * config/config_local.php, this function will not + * store tokens in the user preferences (but it will + * still generate and return a random string). 
+ * + * @return void + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_generate_security_token() +{ + + global $data_dir, $username, $disable_security_tokens; + $max_generation_tries = 1000; + + $tokens = sm_get_user_security_tokens(); + + $new_token = GenerateRandomString(12, '', 7); + $count = 0; + while (isset($tokens[$new_token])) + { + $new_token = GenerateRandomString(12, '', 7); + if (++$count > $max_generation_tries) + { + logout_error(_("Fatal token generation error; please contact your system administrator or the SquirrelMail Team")); + exit; + } + } + + // is the token system enabled? CAREFUL! + // + if (!$disable_security_tokens) + { + $tokens[$new_token] = time(); + setPref($data_dir, $username, 'security_tokens', serialize($tokens)); + } + + return $new_token; + +} + +/** + * Validates a given security token and optionally remove it + * from the user's preferences if it was valid. If the token + * is too old but otherwise valid, it will still be rejected. + * + * "Too old" is 30 days or older unless the administrator + * overrides that value using $max_security_token_age in + * config/config_local.php + * + * WARNING: If the administrator has turned the token system + * off by setting $disable_security_tokens to TRUE in + * config/config_local.php, this function will always + * return TRUE. + * + * @param string $token The token to validate + * @param int $validity_period The number of seconds tokens are valid + * for (set to zero to remove valid tokens + * after only one use; use 3600 to allow + * tokens to be reused for an hour) + * (OPTIONAL; default is to only allow tokens + * to be used once) + * @param boolean $show_error Indicates that if the token is not + * valid, this function should display + * a generic error, log the user out + * and exit - this function will never + * return in that case. 
+ * (OPTIONAL; default FALSE) + * + * @return boolean TRUE if the token validated; FALSE otherwise + * + * @since 1.4.19 and 1.5.2 + * + */ +function sm_validate_security_token($token, $validity_period=0, $show_error=FALSE) +{ + + global $data_dir, $username, $max_token_age_days, + $disable_security_tokens; + + // bypass token validation? CAREFUL! + // + if ($disable_security_tokens) return TRUE; + + // don't purge old tokens here because we already + // do it when generating tokens + // + $tokens = sm_get_user_security_tokens(FALSE); + + // token not found? + // + if (empty($tokens[$token])) + { + if (!$show_error) return FALSE; + logout_error(_("This page request could not be verified and appears to have expired.")); + exit; + } + + $now = time(); + $timestamp = $tokens[$token]; + + // whether valid or not, we want to remove it from + // user prefs if it's old enough + // + if ($timestamp < $now - $validity_period) + { + unset($tokens[$token]); + setPref($data_dir, $username, 'security_tokens', serialize($tokens)); + } + + // reject tokens that are too old + // + if (empty($max_token_age_days)) $max_token_age_days = 30; + $old_token_date = $now - ($max_token_age_days * 86400); + if ($timestamp < $old_token_date) + { + if (!$show_error) return FALSE; + logout_error(_("The current page request appears to have originated from an untrusted source.")); + exit; + } + + // token OK! + // + return TRUE; + +} + Modified: trunk/squirrelmail/src/addrbook_search_html.php =================================================================== --- trunk/squirrelmail/src/addrbook_search_html.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/src/addrbook_search_html.php 2009-08-12 08:28:38 UTC (rev 13817) 
@@ -78,7 +78,8 @@ global $PHP_SELF, $oTemplate, $oErrorHandler; - echo addForm($PHP_SELF, 'post', 'addressbook'). +//FIXME: no HTML output from core + echo addForm($PHP_SELF, 'post', 'addressbook', '', '', array(), TRUE). addHidden('html_addr_search_done', 'true'); addr_insert_hidden(); @@ -172,7 +173,7 @@ if ($addrquery == '' || sizeof($res) == 0) { //FIXME don't echo HTML from core -- especially convoluted given that there is template code immediately above AND below this block echo '<div style="text-align: center;">'. - addForm('compose.php','post','k'); + addForm('compose.php','post','k', '', '', array(), TRUE); addr_insert_hidden(); echo '<input type="submit" value="' . _("Return") . '" name="return" />' . "\n" . '</form></div></nobr>'; Modified: trunk/squirrelmail/src/addressbook.php =================================================================== --- trunk/squirrelmail/src/addressbook.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/src/addressbook.php 2009-08-12 08:28:38 UTC (rev 13817) @@ -31,6 +31,7 @@ /** lets get the global vars we may need */ /* From the address form */ +sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); sqgetGlobalVar('addaddr', $addaddr, SQ_POST); sqgetGlobalVar('editaddr', $editaddr, SQ_POST); sqgetGlobalVar('deladdr', $deladdr, SQ_POST); @@ -97,6 +98,9 @@ /* Handle user's actions */ if(sqgetGlobalVar('REQUEST_METHOD', $req_method, SQ_SERVER) && $req_method == 'POST') { + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + /************************************************** * Add new address * **************************************************/ Modified: trunk/squirrelmail/src/compose.php =================================================================== --- trunk/squirrelmail/src/compose.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/src/compose.php 2009-08-12 08:28:38 UTC (rev 13817) 
@@ -138,6 +138,8 @@ if ( sqgetGlobalVar('smaction_edit_new',$tmp) ) $action = 'edit_as_new'; } +sqgetGlobalVar('smtoken', $submitted_token, $SQ_GLOBAL, ''); + /** * Here we decode the data passed in from mailto.php. */ @@ -412,6 +414,11 @@ } if ($draft) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + /* * Set $default_charset to correspond with the user's selection * of language interface. @@ -466,6 +473,11 @@ } if ($send) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if (isset($_FILES['attachfile']) && $_FILES['attachfile']['tmp_name'] && $_FILES['attachfile']['tmp_name'] != 'none') { @@ -587,6 +599,11 @@ /* sqimap_logout($imapConnection); */ } } elseif (isset($html_addr_search_done)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } @@ -631,6 +648,11 @@ */ include_once('./addrbook_search_html.php'); } elseif (isset($attach)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } else { @@ -642,6 +664,11 @@ showInputForm($session); } elseif (isset($sigappend)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + $signature = $idents[$identity]['signature']; $body .= "\n\n".($prefix_sig==true? "-- \n":'').$signature; @@ -652,6 +679,11 @@ } showInputForm($session); } elseif (isset($do_delete)) { + + // validate security token + // + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($compose_new_win == '1') { compose_Header($color, $mailbox); } else { 
@@ -1163,6 +1195,9 @@ echo ">\n"; //FIXME: DON'T ECHO HTML FROM CORE! + echo addHidden('smtoken', sm_generate_security_token()); + +//FIXME: DON'T ECHO HTML FROM CORE! echo addHidden('startMessage', $startMessage); if ($action == 'draft') { Modified: trunk/squirrelmail/src/folders.php =================================================================== --- trunk/squirrelmail/src/folders.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/src/folders.php 2009-08-12 08:28:38 UTC (rev 13817) @@ -30,6 +30,7 @@ /* get globals we may need */ sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); sqgetGlobalVar('smaction', $action, SQ_POST); +sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); /* end of get globals */ @@ -40,6 +41,10 @@ switch ($action) { case 'create': + + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + sqgetGlobalVar('folder_name', $folder_name, SQ_POST); sqgetGlobalVar('subfolder', $subfolder, SQ_POST); sqgetGlobalVar('contain_subs', $contain_subs, SQ_POST); @@ -54,6 +59,10 @@ sqgetGlobalVar('old_name', $old_name, SQ_POST); folders_rename_getname($imapConnection, $delimiter, $old_name); } else { + + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + sqgetGlobalVar('orig', $orig, SQ_POST); sqgetGlobalVar('old_name', $old_name, SQ_POST); folders_rename_do($imapConnection, $delimiter, $orig, $old_name, $new_name); @@ -66,6 +75,10 @@ } sqgetGlobalVar('folder_name', $folder_name, SQ_POST); if ( sqgetGlobalVar('confirmed', $dummy, SQ_POST) ) { + + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + folders_delete_do($imapConnection, $delimiter, $folder_name); $td_str = _("Deleted folder successfully."); } else { 
@@ -73,11 +86,19 @@ } break; case 'subscribe': + + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + sqgetGlobalVar('folder_names', $folder_names, SQ_POST); folders_subscribe($imapConnection, $folder_names); $td_str = _("Subscribed successfully."); break; case 'unsubscribe': + + // first, validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + sqgetGlobalVar('folder_names', $folder_names, SQ_POST); folders_unsubscribe($imapConnection, $folder_names); $td_str = _("Unsubscribed successfully."); Modified: trunk/squirrelmail/src/options.php =================================================================== --- trunk/squirrelmail/src/options.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/src/options.php 2009-08-12 08:28:38 UTC (rev 13817) @@ -103,8 +103,9 @@ /* get the globals that we may need */ sqgetGlobalVar('optpage', $optpage); -sqgetGlobalVar('optmode', $optmode, SQ_FORM); -sqgetGlobalVar('optpage_data',$optpage_data, SQ_POST); +sqgetGlobalVar('optmode', $optmode, SQ_FORM); +sqgetGlobalVar('optpage_data',$optpage_data, SQ_POST); +sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); /* end of getting globals */ /* Make sure we have an Option Page set. Default to main. */ @@ -199,6 +200,12 @@ /*** Next, process anything that needs to be processed. ***/ /***********************************************************/ +// security check before saving anything... +//FIXME: what about SMOPT_MODE_LINK?? +if ($optmode == SMOPT_MODE_SUBMIT) { + sm_validate_security_token($submitted_token, 3600, TRUE); +} + $optpage_save_error=array(); if ( isset( $optpage_data ) ) { 
@@ -464,7 +471,7 @@ } // Begin output form - echo addForm('options.php', 'post', 'option_form') + echo addForm('options.php', 'post', 'option_form', '', '', array(), TRUE) . create_optpage_element($optpage) . create_optmode_element(SMOPT_MODE_SUBMIT); Modified: trunk/squirrelmail/src/options_highlight.php =================================================================== --- trunk/squirrelmail/src/options_highlight.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/src/options_highlight.php 2009-08-12 08:28:38 UTC (rev 13817) @@ -32,6 +32,7 @@ sqGetGlobalVar('color_type', $color_type); sqGetGlobalVar('match_type', $match_type); sqGetGlobalVar('value', $value); +sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); /* end of get globals */ @@ -52,6 +53,10 @@ if (isset($theid) && ($action == 'delete') || ($action == 'up') || ($action == 'down')) { + + // security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $new_rules = array(); switch($action) { case('delete'): @@ -86,6 +91,9 @@ exit; } else if ($action == 'save') { + // security check + sm_validate_security_token($submitted_token, 3600, TRUE); + if ($color_type == 1) $newcolor = $newcolor_choose; elseif ($color_type == 2) $newcolor = $newcolor_input; else $newcolor = $color_type; @@ -336,7 +344,7 @@ $oTemplate->assign('color_radio', ($selected_choose ? 1 : ($selected_input ? 2 : 0))); $oTemplate->assign('color_input', ($selected_input ? $color : '')); - echo addForm('options_highlight.php', 'post', 'f'). + echo addForm('options_highlight.php', 'post', 'f', '', '', array(), TRUE). addHidden('action', 'save'); if($action == 'edit') { echo addHidden('theid', (isset($theid)?$theid:'')); Modified: trunk/squirrelmail/src/options_identities.php =================================================================== --- trunk/squirrelmail/src/options_identities.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/src/options_identities.php 2009-08-12 08:28:38 UTC (rev 13817) 
@@ -23,6 +23,7 @@ /* SquirrelMail required files. */ require_once(SM_PATH . 'functions/identity.php'); +require_once(SM_PATH . 'functions/forms.php'); /* make sure that page is not available when $edit_identity is false */ if (!$edit_identity) { @@ -37,10 +38,14 @@ sqgetGlobalVar('newidentities', $newidentities, SQ_POST); sqgetGlobalVar('smaction', $smaction, SQ_POST); sqgetGlobalVar('return', $return, SQ_POST); +sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); // First lets see if there are any actions to perform // if (!empty($smaction) && is_array($smaction)) { + // first do a security check + sm_validate_security_token($submitted_token, 3600, TRUE); + $doaction = ''; $identid = 0; @@ -93,7 +98,8 @@ $i[count($i)] = $a; //FIXME: NO HTML IN THE CORE -echo '<form name="f" action="options_identities.php" method="post">' . "\n"; +echo '<form name="f" action="options_identities.php" method="post">' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->assign('identities', $i); $oTemplate->display('options_advidentity_list.tpl'); Modified: trunk/squirrelmail/src/search.php =================================================================== --- trunk/squirrelmail/src/search.php 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/src/search.php 2009-08-12 08:28:38 UTC (rev 13817) @@ -806,7 +806,8 @@ $oTemplate->assign('criteria', $c); - echo '<form action="../src/search.php" name="form_asearch">' . "\n"; + echo '<form action="../src/search.php" name="form_asearch">' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->display('search_advanced.tpl'); echo "</form>\n"; } 
@@ -866,7 +867,8 @@ $oTemplate->assign('where_sel', $where); $oTemplate->assign('what_val', $what); - echo '<form action="../src/search.php" name="form_asearch">' . "\n"; + echo '<form action="../src/search.php" name="form_asearch">' . "\n" + . addHidden('smtoken', sm_generate_security_token()) . "\n"; $oTemplate->display('search.tpl'); echo "</form>\n"; } @@ -891,6 +893,7 @@ /* ------------------------ main ------------------------ */ /* get globals we will need */ +sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, ''); sqgetGlobalVar('delimiter', $delimiter, SQ_SESSION); if (!sqgetGlobalVar('checkall',$checkall,SQ_GET)) { @@ -1179,6 +1182,10 @@ if (!isset($submit)) { $submit = ''; } else { + + // first validate security token + sm_validate_security_token($submitted_token, 3600, TRUE); + switch ($submit) { case $search_button_text: if (asearch_check_query($where_array, $what_array, $exclude_array) == '') { Modified: trunk/squirrelmail/templates/default/addressbook_list.tpl =================================================================== --- trunk/squirrelmail/templates/default/addressbook_list.tpl 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/templates/default/addressbook_list.tpl 2009-08-12 08:28:38 UTC (rev 13817) @@ -65,6 +65,7 @@ $colspan = $abook_has_extra_field ? 6 : 5; ?> <form action="<?php echo $form_action; ?>" method="post" id="address_book_form" name="address_book_form"> +<input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <div id="addressList"> <table cellspacing="0"> <tr> Modified: trunk/squirrelmail/templates/default/folder_manip.tpl =================================================================== --- trunk/squirrelmail/templates/default/folder_manip.tpl 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/templates/default/folder_manip.tpl 2009-08-12 08:28:38 UTC (rev 13817) 
@@ -52,6 +52,7 @@ <tr> <td> <form method="post" action="folders.php" name="cf" id="cf"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <input type="hidden" name="smaction" value="create" /> <input type="text" name="folder_name" size="25" value="" /> <br /> @@ -157,6 +158,7 @@ if (!empty($rendel_folder_list)) { ?> <form method="post" action="folders.php" name="uf" id="uf"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <input type="hidden" name="smaction" value="unsubscribe" /> <select name="folder_names[]" multiple="multiple" size="8"> <?php echo $rendel_folder_list ?> @@ -175,6 +177,7 @@ if ($no_list_for_subscribe) { ?> <form method="post" action="folders.php" name="sf" id="sf"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <input type="hidden" name="smaction" value="subscribe" /> <input type="text" name="folder_names[]" size="25" /> <input type="submit" value="<?php echo _("Subscribe") ?>" /> @@ -183,6 +186,7 @@ } elseif (!empty($subbox_option_list)) { ?> <form method="post" action="folders.php" name="sf" id="sf"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <input type="hidden" name="smaction" value="subscribe" /> <div> <?php Modified: trunk/squirrelmail/templates/default/folder_manip_dialog.tpl =================================================================== --- trunk/squirrelmail/templates/default/folder_manip_dialog.tpl 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/templates/default/folder_manip_dialog.tpl 2009-08-12 08:28:38 UTC (rev 13817) 
@@ -31,6 +31,7 @@ ?> <div class="dialogbox"> <form action="folders.php" method="post"> +<input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <table cellspacing="0" class="wrapper"> <?php if ( $dialog_type == 'rename' ) { Modified: trunk/squirrelmail/templates/default/message_list.tpl =================================================================== --- trunk/squirrelmail/templates/default/message_list.tpl 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/templates/default/message_list.tpl 2009-08-12 08:28:38 UTC (rev 13817) @@ -118,6 +118,7 @@ ?> <div id="message_list"> <form id="<?php echo $form_name;?>" name="<?php echo $form_name;?>" method="post" action="<?php echo $php_self;?>"> +<input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <table class="table_empty" cellspacing="0"> <tr> <td> Modified: trunk/squirrelmail/templates/default/read_menubar_buttons.tpl =================================================================== --- trunk/squirrelmail/templates/default/read_menubar_buttons.tpl 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/templates/default/read_menubar_buttons.tpl 2009-08-12 08:28:38 UTC (rev 13817) @@ -123,6 +123,7 @@ if ($can_be_deleted) { ?> <form name="deleteMessageForm" action="<?php echo $move_delete_form_action; ?>" method="post"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <?php echo $delete_form_extra; ?> <small> <input type="submit" name="delete" <?php if ($accesskey_read_msg_delete != 'NONE') echo 'accesskey="' . $accesskey_read_msg_delete . '" '; ?>value="<?php echo _("Delete"); ?>" /> 
@@ -139,6 +140,7 @@ if ($can_be_moved) { ?> <form name="moveMessageForm" action="<?php echo $move_delete_form_action; ?>" method="post"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <?php echo $move_form_extra; ?> <small> <?php echo _("Move To"); ?>: Modified: trunk/squirrelmail/templates/default/vcard.tpl =================================================================== --- trunk/squirrelmail/templates/default/vcard.tpl 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/templates/default/vcard.tpl 2009-08-12 08:28:38 UTC (rev 13817) @@ -67,6 +67,7 @@ </tr> </table> <form action="../src/addressbook.php" method="post" name="f_add"> +<input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <input type="hidden" name="addaddr[firstname]" value="<?php echo $firstname; ?>" /> <input type="hidden" name="addaddr[lastname]" value="<?php echo $lastname; ?>" /> <table cellspacing="0" class="table1"> @@ -130,4 +131,4 @@ </tr> </table> </form> -</div> \ No newline at end of file +</div> Modified: trunk/squirrelmail/templates/default_advanced/read_menubar_buttons.tpl =================================================================== --- trunk/squirrelmail/templates/default_advanced/read_menubar_buttons.tpl 2009-08-12 08:20:46 UTC (rev 13816) +++ trunk/squirrelmail/templates/default_advanced/read_menubar_buttons.tpl 2009-08-12 08:28:38 UTC (rev 13817) @@ -131,6 +131,7 @@ if ($can_be_deleted) { ?> <form name="deleteMessageForm" action="<?php echo $move_delete_form_action; ?>" method="post"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <?php echo $delete_form_extra; ?> <small> <input type="submit" name="delete" <?php if ($accesskey_read_msg_delete != 'NONE') echo 'accesskey="' . $accesskey_read_msg_delete . '" '; ?>value="<?php 
@@ -157,6 +158,7 @@ if ($can_be_moved) { ?> <form name="moveMessageForm" action="<?php echo $move_delete_form_action; ?>" method="post"> + <input type="hidden" name="smtoken" value="<?php echo sm_generate_security_token(); ?>" /> <?php echo $move_form_extra; ?> <small> <?php echo _("Move To"); ?>: This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
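Review bot: the `//FIXME: what about SMOPT_MODE_LINK??` left in the options.php hunk is a real gap, not a style note: the token is only validated when `$optmode == SMOPT_MODE_SUBMIT`, so any option page whose save path runs in link mode still accepts requests with no token. Either validate in both modes or list which pages use SMOPT_MODE_LINK and confirm none of them writes settings. Separately, the `-`/`+` pair for the `optmode` and `optpage_data` `sqgetGlobalVar` lines differs only in whitespace; that noise should be dropped from the diff.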
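Review bot: in the options_highlight.php hunks the token is read with `SQ_POST`, yet validation is enforced for `delete`, `up` and `down` as well as `save`, while the only form shown gaining a token is the save form (`addForm('options_highlight.php', 'post', 'f', '', '', array(), TRUE)`). If delete/up/down are reached through links rather than that form, `$submitted_token` stays at its `''` default and `sm_validate_security_token($submitted_token, 3600, TRUE)` rejects every such request; those links need to carry the token and the read needs `SQ_FORM` (or `SQ_GET`). While in this block, note that `isset($theid) && ($action == 'delete') || ($action == 'up') || ($action == 'down')` binds `&&` tighter than `||`, so `$theid` is only checked for delete; it should be parenthesized.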
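Review bot: both search.php forms are `<form action="../src/search.php" name="form_asearch">` with no `method` attribute, so they submit via GET and the hidden `smtoken` ends up in the URL, which is why the main section reads it with `SQ_GET`. That exposes a live token in browser history, proxy logs and the Referer header of any page the result list links to. If search stays read-only it does not need a token at all; if it does need one, give the forms `method="post"` and read the token with `SQ_POST` like the other pages in this commit.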
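Review bot: every template hunk writes `sm_generate_security_token()` directly into a `value="..."` attribute without `htmlspecialchars()`; that is only safe if the token alphabet is guaranteed free of `"`, `<` and `&`, so either document that guarantee at the generator or escape at the output point. Also, each form calls the generator separately, and folder_manip.tpl now has four forms (`cf`, `uf`, `sf` twice) on one page, each with its own token; confirm that the validator keeps a set of live tokens rather than only the most recent one, otherwise the forms rendered first on a page will fail `sm_validate_security_token()`.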
From: <pdo...@us...> - 2009-08-17 23:19:01
Revision: 13826 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13826&view=rev Author: pdontthink Date: 2009-08-17 23:18:47 +0000 (Mon, 17 Aug 2009) Log Message: ----------- Protect message deletion with security token system. (Secunia Advisory SA34627) Modified Paths: -------------- trunk/squirrelmail/functions/mailbox_display.php trunk/squirrelmail/src/read_body.php Modified: trunk/squirrelmail/functions/mailbox_display.php =================================================================== --- trunk/squirrelmail/functions/mailbox_display.php 2009-08-17 23:17:41 UTC (rev 13825) +++ trunk/squirrelmail/functions/mailbox_display.php 2009-08-17 23:18:47 UTC (rev 13826) @@ -1343,8 +1343,7 @@ // don't do anything to any messages until we have done security check // FIXME: not sure this code really belongs here, but there's nowhere else to put it with this architecture - // FIXME: we might need to open this up to SQ_FORM instead, especially for plugins (?) - sqgetGlobalVar('smtoken', $submitted_token, SQ_POST, ''); + sqgetGlobalVar('smtoken', $submitted_token, SQ_GET, ''); sm_validate_security_token($submitted_token, 3600, TRUE); // make sure message UIDs are sanitized (BIGINT) Modified: trunk/squirrelmail/src/read_body.php =================================================================== --- trunk/squirrelmail/src/read_body.php 2009-08-17 23:17:41 UTC (rev 13825) +++ trunk/squirrelmail/src/read_body.php 2009-08-17 23:18:47 UTC (rev 13826) @@ -554,7 +554,8 @@ '&mailbox='.$urlMailbox.'&sort='.$sort. '&startMessage='.$startMessage.'&show_more=0'. "&where=$where&what=$what" . - '&delete_id='.$passed_id; + '&delete_id='.$passed_id . + '&smtoken='.sm_generate_security_token(); } if ($next >= 0) { 
@@ -562,7 +563,8 @@ '&mailbox='.$urlMailbox.'&sort='.$sort. '&startMessage='.$startMessage.'&show_more=0'. "&where=$where&what=$what" . - '&delete_id='.$passed_id; + '&delete_id='.$passed_id . + '&smtoken='.sm_generate_security_token(); } } }
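Review bot: switching the token read in mailbox_display.php from `SQ_POST` to `SQ_GET` drops the POST path that the message list form (message_list.tpl, `method="post"` with a hidden `smtoken`) depends on, so bulk actions from that form will now fail validation. The FIXME being removed already named the fix: read with `SQ_FORM`, which accepts both, so that the posted form and the new `&smtoken=` links built in read_body.php both validate. The read_body.php hunks also put the token in a GET URL next to `delete_id`, making deletion a GET request with the token visible in history, logs and Referer; at minimum wrap the token in `urlencode()` when concatenating it into the URL, and a small POST form for the delete action would avoid the exposure entirely.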
From: <jan...@us...> - 2009-11-22 16:19:58
Revision: 13874 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13874&view=rev Author: jangliss Date: 2009-11-22 16:19:52 +0000 (Sun, 22 Nov 2009) Log Message: ----------- Fix issue with multi-part related messages not showing all attachments (#2830140). Modified Paths: -------------- trunk/squirrelmail/class/mime/Message.class.php trunk/squirrelmail/doc/ChangeLog Modified: trunk/squirrelmail/class/mime/Message.class.php =================================================================== --- trunk/squirrelmail/class/mime/Message.class.php 2009-11-22 16:10:35 UTC (rev 13873) +++ trunk/squirrelmail/class/mime/Message.class.php 2009-11-22 16:19:52 UTC (rev 13874) @@ -1123,8 +1123,7 @@ } if (!$exclude) { - if (($entity->type0 == 'multipart') && - ($entity->type1 != 'related')) { + if ($entity->type0 == 'multipart') { $result = $entity->getAttachments($exclude_id, $result); } else if ($entity->type0 != 'multipart') { $result[] = $entity; Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-11-22 16:10:35 UTC (rev 13873) +++ trunk/squirrelmail/doc/ChangeLog 2009-11-22 16:19:52 UTC (rev 13874) @@ -324,6 +324,7 @@ - Remove personal data from Message ID seed. (#880029/847107) - Implemented page referal verification mechanism. (Secunia Advisory SA34627) - Implemented security token system. (Secunia Advisory SA34627) + - Fix issue with multi-part related messages not showing all attachments (#2830140). Version 1.5.1 (branched on 2006-02-12) --------------------------------------
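Review bot: with the `type1 != 'related'` test removed, `else if ($entity->type0 != 'multipart')` is now the exact complement of the `if` and should become a plain `else`. Behaviourally, every leaf inside a multipart/related container is now recursed into and listed, so images the HTML part references inline via cid: will appear as attachments too; if that is the intended reading of #2830140, the ChangeLog entry should say so, otherwise entities whose Content-ID is referenced by the HTML body should still be skipped.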
From: <jan...@us...> - 2009-12-22 17:15:44
Revision: 13880 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13880&view=rev Author: jangliss Date: 2009-12-22 17:15:34 +0000 (Tue, 22 Dec 2009) Log Message: ----------- Fix for security token missing in newmail plugin (#2919418). Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/plugins/newmail/newmail_opt.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2009-12-22 17:14:48 UTC (rev 13879) +++ trunk/squirrelmail/doc/ChangeLog 2009-12-22 17:15:34 UTC (rev 13880) @@ -325,6 +325,7 @@ - Implemented page referal verification mechanism. (Secunia Advisory SA34627) - Implemented security token system. (Secunia Advisory SA34627) - Fix issue with multi-part related messages not showing all attachments (#2830140). + - Fix for security token missing in newmail plugin (#2919418). Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/plugins/newmail/newmail_opt.php =================================================================== --- trunk/squirrelmail/plugins/newmail/newmail_opt.php 2009-12-22 17:14:48 UTC (rev 13879) +++ trunk/squirrelmail/plugins/newmail/newmail_opt.php 2009-12-22 17:15:34 UTC (rev 13880) @@ -227,6 +227,7 @@ html_tag( 'td', '<input type="hidden" name="optmode" value="submit" />' . '<input type="hidden" name="optpage" value="newmail" />' . + '<input type="hidden" name="smtoken" value="' . sm_generate_security_token() . '" />' . '<input type="submit" value="' . _("Submit") . '" name="submit_newmail" />', 'left' ) ) . "\n";
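Review bot: the newmail_opt.php hunk builds the hidden field by string concatenation, whereas the core commit introduced `addHidden('smtoken', sm_generate_security_token())` from functions/forms.php for exactly this; using the helper here keeps escaping and markup in one place and makes the next missing-token bug a one-line fix. The hidden `optmode` value is `submit`, so this form should pass through the `SMOPT_MODE_SUBMIT` check in options.php; worth confirming that this is the path the plugin's save actually takes, otherwise the token is generated but never validated.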
From: <jan...@us...> - 2010-01-19 03:17:21
Revision: 13885 http://squirrelmail.svn.sourceforge.net/squirrelmail/?rev=13885&view=rev Author: jangliss Date: 2010-01-19 03:17:14 +0000 (Tue, 19 Jan 2010) Log Message: ----------- Fix for mailto: URLs containing a + sign. Thanks to Michael Puls II for the patch. Modified Paths: -------------- trunk/squirrelmail/doc/ChangeLog trunk/squirrelmail/functions/url_parser.php Modified: trunk/squirrelmail/doc/ChangeLog =================================================================== --- trunk/squirrelmail/doc/ChangeLog 2010-01-19 03:15:12 UTC (rev 13884) +++ trunk/squirrelmail/doc/ChangeLog 2010-01-19 03:17:14 UTC (rev 13885) @@ -326,6 +326,8 @@ - Implemented security token system. (Secunia Advisory SA34627) - Fix issue with multi-part related messages not showing all attachments (#2830140). - Fix for security token missing in newmail plugin (#2919418). + - Fix for mailto: urls containing + characters, thanks to Michael Puls II for the + patch. Version 1.5.1 (branched on 2006-02-12) -------------------------------------- Modified: trunk/squirrelmail/functions/url_parser.php =================================================================== --- trunk/squirrelmail/functions/url_parser.php 2010-01-19 03:15:12 UTC (rev 13884) +++ trunk/squirrelmail/functions/url_parser.php 2010-01-19 03:17:14 UTC (rev 13885) 
@@ -146,9 +146,15 @@ if ((preg_match($MailTo_PReg_Match, $mailto, $regs)) && ($regs[0] != '')) { //sm_print_r($regs); $mailto_before = $target_token . $regs[0]; - $mailto_params = $regs[10]; + /** + * '+' characters in a mailto URI don't need to be percent-encoded. + * However, when mailto URI data is transported via HTTP, '+' must + * be percent-encoded as %2B so that when the HTTP data is + * percent-decoded, you get '+' back and not a space. + */ + $mailto_params = str_replace("+", "%2B", $regs[10]); if ($regs[1]) { //if there is an email addr before '?', we need to merge it with the params - $to = 'to=' . $regs[1]; + $to = 'to=' . str_replace("+", "%2B", $regs[1]); if (strpos($mailto_params, 'to=') > -1) //already a 'to=' $mailto_params = str_replace('to=', $to . '%2C%20', $mailto_params); else {
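Review bot: the `str_replace("+", "%2B", ...)` on `$regs[10]` and `$regs[1]` cannot double-encode (the replacement `%2B` contains no `+`), so the rewrite is safe to repeat, but the commit ships no test; a case with `to=user+tag@example.com` and one whose query already carries `%2B` would make the intent in the new comment verifiable. In the context lines, `strpos($mailto_params, 'to=') > -1` matches `to=` as a substring anywhere in the query, including inside a value, and the following `str_replace('to=', $to . '%2C%20', ...)` then rewrites every such occurrence; since this block is being touched, anchor that match to a parameter boundary (start of string or after `&`). The ChangeLog entry also writes "urls" where the log message says "URLs".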