From simond@home.irrelevant.org  Tue Jun  6 09:25:52 2006
Return-Path: <simond@home.irrelevant.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AFD0016AB15
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  6 Jun 2006 09:22:16 +0000 (UTC)
	(envelope-from simond@home.irrelevant.org)
Received: from home.irrelevant.org (89-145-208-31.xdsl.murphx.net [89.145.208.31])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2A02D43D45
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  6 Jun 2006 09:22:15 +0000 (GMT)
	(envelope-from simond@home.irrelevant.org)
Received: from simond by home.irrelevant.org with local (Exim 4.62 (FreeBSD))
	(envelope-from <simond@home.irrelevant.org>)
	id 1FnXlO-000CON-Ex
	for FreeBSD-gnats-submit@freebsd.org; Tue, 06 Jun 2006 10:22:14 +0100
Message-Id: <E1FnXlO-000CON-Ex@home.irrelevant.org>
Date: Tue, 06 Jun 2006 10:22:14 +0100
From: Simon Dick <simond@irrelevant.org>
Sender: Simon Dick <simond@home.irrelevant.org>
Reply-To: Simon Dick <simond@irrelevant.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Maintainer port update: mail/squirrelmail
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         98588
>Category:       ports
>Synopsis:       Maintainer port update: mail/squirrelmail
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    itetcu
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 06 09:30:22 GMT 2006
>Closed-Date:    Tue Jun 06 10:32:45 GMT 2006
>Last-Modified:  Tue Jun 06 10:32:45 GMT 2006
>Originator:     Simon Dick
>Release:        FreeBSD 6.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD amd64.irrelevant.org 6.1-RELEASE FreeBSD 6.1-RELEASE #3: Tue May 9 10:53:21 BST 2006 root@amd64.irrelevant.org:/usr/obj/usr/src/sys/HOME amd64


	
>Description:

Apply a security fix to mail/squirrelmail

>How-To-Repeat:
	
>Fix:

diff -ruN /usr/ports/mail/squirrelmail/Makefile squirrelmail/Makefile
--- /usr/ports/mail/squirrelmail/Makefile	Mon Mar 20 16:24:33 2006
+++ squirrelmail/Makefile	Tue Jun  6 10:19:01 2006
@@ -7,6 +7,7 @@
 
 PORTNAME=	squirrelmail
 PORTVERSION=	1.4.6
+PORTREVISION=	1
 CATEGORIES=	mail www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -57,7 +58,7 @@
 
 post-patch:
 .ifndef PATCH_DEBUG
-	@${RM} -f ${WRKSRC}/config/config_default.php.orig
+	@${RM} -f ${WRKSRC}/config/config_default.php.orig ${WRKSRC}/functions/global.php.orig
 .endif
 	@${REINPLACE_CMD} -e 's|ispell|${LOCALBASE}/bin/ispell|g' \
 		${WRKSRC}/plugins/squirrelspell/sqspell_config.php
diff -ruN /usr/ports/mail/squirrelmail/files/patch-functions-global.php squirrelmail/files/patch-functions-global.php
--- /usr/ports/mail/squirrelmail/files/patch-functions-global.php	Thu Jan  1 01:00:00 1970
+++ squirrelmail/files/patch-functions-global.php	Tue Jun  6 10:13:04 2006
@@ -0,0 +1,50 @@
+--- functions/global.php.orig	Fri Feb  3 22:27:47 2006
++++ functions/global.php	Tue Jun  6 10:12:22 2006
+@@ -62,6 +62,47 @@
+     sqstripslashes($_POST);
+ }
+ 
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++    strtolower(ini_get('register_globals'))!='off') {
++    /**
++     * Remove all globals from $_GET, $_POST, and $_COOKIE.
++     */
++    foreach ($_REQUEST as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++    /**
++     * Remove globalized $_FILES variables
++     * Before 4.3.0 $_FILES are included in $_REQUEST.
++     * Unglobalize them in separate call in order to remove dependency
++     * on PHP version.
++     */
++    foreach ($_FILES as $key => $value) {
++        unset($GLOBALS[$key]);
++        // there are three undocumented $_FILES globals.
++        unset($GLOBALS[$key.'_type']);
++        unset($GLOBALS[$key.'_name']);
++        unset($GLOBALS[$key.'_size']);
++    }
++    /**
++     * Remove globalized environment variables.
++     */
++    foreach ($_ENV as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++    /**
++     * Remove globalized server variables.
++     */
++    foreach ($_SERVER as $key => $value) {
++        unset($GLOBALS[$key]);
++    }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+    This fixes hand crafted url XXS expoits for any
+    page that uses PHP_SELF as the FORM action */
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->itetcu 
Responsible-Changed-By: itetcu 
Responsible-Changed-When: Tue Jun 6 09:46:13 UTC 2006 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98588 
State-Changed-From-To: open->feedback 
State-Changed-By: itetcu 
State-Changed-When: Tue Jun 6 09:47:25 UTC 2006 
State-Changed-Why:  
Ask for submitter fix. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98588 

From: Ion-Mihai "IOnut" Tetcu <itetcu@FreeBSD.org>
To: Simon Dick <simond@irrelevant.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/98588: Maintainer port update: mail/squirrelmail
Date: Tue, 6 Jun 2006 12:47:05 +0300

 --Sig_jlxxcUnhCznE7znVx+92RAl
 Content-Type: text/plain; charset=US-ASCII
 Content-Transfer-Encoding: quoted-printable
 
 On Tue, 06 Jun 2006 10:22:14 +0100
 Simon Dick <simond@irrelevant.org> wrote:
 
 > >Description:
 >=20
 > Apply a security fix to mail/squirrelmail
 
 Could you please provide an VuXML entry for this ?
 
 Thanks,
 
 --=20
 IOnut - Un^d^dregistered ;) FreeBSD "user"
   "Intellectual Property" is   nowhere near as valuable   as "Intellect"
 
 BOFH excuse #315:
 The recent proliferation of Nuclear Testing
 
 
 
 --Sig_jlxxcUnhCznE7znVx+92RAl
 Content-Type: application/pgp-signature; name=signature.asc
 Content-Disposition: attachment; filename=signature.asc
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.3 (FreeBSD)
 
 iD8DBQFEhU8ZBX6fi0k6KXsRAvWnAKCrNbXk4QQkDVsRh31E2JFRvp7M0QCePibC
 Fq814biZ9vAj3hcJ7iGPcLY=
 =Sp5o
 -----END PGP SIGNATURE-----
 
 --Sig_jlxxcUnhCznE7znVx+92RAl--

From: Simon Dick <simond@irrelevant.org>
To: Ion-Mihai IOnut Tetcu <itetcu@FreeBSD.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/98588: Maintainer port update: mail/squirrelmail
Date: Tue, 06 Jun 2006 10:51:29 +0100

 On Tue, 2006-06-06 at 12:47 +0300, Ion-Mihai IOnut Tetcu wrote:
 > On Tue, 06 Jun 2006 10:22:14 +0100
 > Simon Dick <simond@irrelevant.org> wrote:
 > 
 > > >Description:
 > > 
 > > Apply a security fix to mail/squirrelmail
 > 
 > Could you please provide an VuXML entry for this ?
 
 Like
 http://vuxml.FreeBSD.org/00784d6e-f4ce-11da-87a1-000c6ec775d9.html ?
 
 simon@freebsd.org emailed me yesterday telling me that it had been
 added, this commit is a fix for the issue described in there.
 
State-Changed-From-To: feedback->open 
State-Changed-By: itetcu 
State-Changed-When: Tue Jun 6 10:00:53 UTC 2006 
State-Changed-Why:  
The problem fixed by this PR has a VuXML already 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98588 

From: Ion-Mihai "IOnut" Tetcu <itetcu@FreeBSD.org>
To: Simon Dick <simond@irrelevant.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/98588: Maintainer port update: mail/squirrelmail
Date: Tue, 6 Jun 2006 13:00:01 +0300

 --Sig_0_MjzfVz9.J_zKZ3OnKlLjm
 Content-Type: text/plain; charset=US-ASCII
 Content-Transfer-Encoding: quoted-printable
 
 On Tue, 06 Jun 2006 10:51:29 +0100
 Simon Dick <simond@irrelevant.org> wrote:
 
 > On Tue, 2006-06-06 at 12:47 +0300, Ion-Mihai IOnut Tetcu wrote:
 > > On Tue, 06 Jun 2006 10:22:14 +0100
 > > Simon Dick <simond@irrelevant.org> wrote:
 > >=20
 > > > >Description:
 > > >=20
 > > > Apply a security fix to mail/squirrelmail
 > >=20
 > > Could you please provide an VuXML entry for this ?
 >=20
 > Like
 > http://vuxml.FreeBSD.org/00784d6e-f4ce-11da-87a1-000c6ec775d9.html ?
 >=20
 > simon@freebsd.org emailed me yesterday telling me that it had been
 > added, this commit is a fix for the issue described in there.
 
 :) OK , thanks.
 
 I'll commit in a few minutes.
 
 --=20
 IOnut - Un^d^dregistered ;) FreeBSD "user"
   "Intellectual Property" is   nowhere near as valuable   as "Intellect"
 
 BOFH excuse #261:
 The Usenet news is out of date
 
 
 
 --Sig_0_MjzfVz9.J_zKZ3OnKlLjm
 Content-Type: application/pgp-signature; name=signature.asc
 Content-Disposition: attachment; filename=signature.asc
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.3 (FreeBSD)
 
 iD8DBQFEhVIhBX6fi0k6KXsRAhRmAJ4sz8jT1gfpVRiFfNOrmkaAATid/gCggXOi
 UTFCzM/RC+m46vVz4tvR7bY=
 =qd+h
 -----END PGP SIGNATURE-----
 
 --Sig_0_MjzfVz9.J_zKZ3OnKlLjm--
State-Changed-From-To: open->closed 
State-Changed-By: itetcu 
State-Changed-When: Tue Jun 6 10:32:44 UTC 2006 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98588 
>Unformatted:
