FreeBSD Bugzilla – Attachment 191714 Details for
Bug 226831
[PATCH] mail/squirrelmail: update to patch security flaw in attachment processing
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
Update and security fix for squirrelmail
squirrelmail-update.txt (text/plain), 3.42 KB, created by
Jesse Smith
on 2018-03-21 17:46:46 UTC
(
hide
)
Description:
Update and security fix for squirrelmail
Filename:
MIME Type:
Creator:
Jesse Smith
Created:
2018-03-21 17:46:46 UTC
Size:
3.42 KB
patch
obsolete
>diff -ruN /usr/ports/mail/squirrelmail/Makefile squirrelmail/Makefile >--- /usr/ports/mail/squirrelmail/Makefile 2017-09-09 14:24:21.000000000 +0000 >+++ squirrelmail/Makefile 2018-03-21 17:37:17.412370000 +0000 >@@ -3,6 +3,7 @@ > > PORTNAME= squirrelmail > PORTVERSION= 20170705 >+PORTREVISION= 1 > CATEGORIES= mail www > MASTER_SITES= http://snapshots.squirrelmail.org/ \ > http://freebsd.uzsolt.hu/src/ >diff -ruN /usr/ports/mail/squirrelmail/distinfo squirrelmail/distinfo >--- /usr/ports/mail/squirrelmail/distinfo 2017-08-22 17:25:09.000000000 +0000 >+++ squirrelmail/distinfo 2018-03-21 17:37:29.090035000 +0000 >@@ -1,3 +1,3 @@ >-TIMESTAMP = 1499253804 >+TIMESTAMP = 1521653849 > SHA256 (squirrelmail/squirrelmail-20170705_0200-SVN.stable.tar.bz2) = 53ff6540eb46f737bb631f6d5e0fb80c19b42ab33b1e28a38b4bc469e26a63a8 > SIZE (squirrelmail/squirrelmail-20170705_0200-SVN.stable.tar.bz2) = 563043 >diff -ruN /usr/ports/mail/squirrelmail/files/patch-src_compose.php squirrelmail/files/patch-src_compose.php >--- /usr/ports/mail/squirrelmail/files/patch-src_compose.php 1970-01-01 00:00:00.000000000 +0000 >+++ squirrelmail/files/patch-src_compose.php 2018-03-21 17:35:29.279475000 +0000 >@@ -0,0 +1,79 @@ >+--- src/compose.php.orig 2017-01-27 20:31:33 UTC >++++ src/compose.php >+@@ -148,6 +148,62 @@ $idents = get_identities(); >+ >+ /* --------------------- Specific Functions ------------------------------ */ >+ >++/* >++Validate the user input 'attachments'. >++If the input is ok, don't do anything. >++If the attachment's file name is in an unexpected format, empty the attachments. >++*/ >++function validateAttachments() { >++ >++ global $username, $attachment_dir, $attachments; >++ >++ // no attachments - nothing to validate >++ if (empty($attachments)) >++ { >++ return; >++ } >++ >++ // get the Messages array >++ $attach_arr = unserialize($attachments); >++ >++ if (empty($attach_arr) || !is_array($attach_arr)) >++ { >++ return; >++ } >++ >++ $hashed_attachment_dir = realpath(getHashedDir($username, $attachment_dir)); >++ >++ /* >++ For each attachment (of type Message), verify: >++ 1. That after calling realpath(), we are in the attachment directory. >++ 2. That the file name is 32 characters long (a fixed length used for attachments). >++ 3. That the file has no extension. >++ >++ Notes: The attachment file name is a random 32-long string. >++ The attachments directory contains other types of files as well, >++ but they either have an exention or are not 32-characters long. >++ */ >++ foreach ($attach_arr as $attach_msg_obj) >++ { >++ $received_file_name = $attach_msg_obj->att_local_name; >++ $full_path = realpath($hashed_attachment_dir . '/' . $received_file_name); >++ >++ $path_parts = pathinfo($full_path); >++ $file_name = $path_parts['basename']; >++ >++ if ((substr($full_path, 0, strlen($hashed_attachment_dir)) != $hashed_attachment_dir) or >++ (strlen($file_name) != 32) or >++ ($path_parts['extension'] != "")) >++ { >++ $attachments = ''; >++ return; >++ } >++ } >++ >++ return; >++} >++ >++ >+ function replyAllString($header) { >+ global $include_self_reply_all, $username, $data_dir; >+ $excl_ar = array(); >+@@ -288,6 +344,8 @@ function getforwardHeader($orig_header) >+ } >+ /* ----------------------------------------------------------------------- */ >+ >++validateAttachments(); >++ >+ /* >+ * If the session is expired during a post this restores the compose session >+ * vars. >+@@ -1853,4 +1911,3 @@ function deliverMessage(&$composeMessage >+ } >+ return $succes; >+ } >+-
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 226831
: 191714 |
192200