diff -ruN /usr/ports/mail/squirrelmail/Makefile squirrelmail/Makefile
--- /usr/ports/mail/squirrelmail/Makefile 2017-09-09 14:24:21.000000000 +0000
+++ squirrelmail/Makefile 2018-03-21 17:37:17.412370000 +0000
@@ -3,6 +3,7 @@
 PORTNAME= squirrelmail
 PORTVERSION= 20170705
+PORTREVISION= 1
 CATEGORIES= mail www
 MASTER_SITES= http://snapshots.squirrelmail.org/ \
 http://freebsd.uzsolt.hu/src/
 
diff -ruN /usr/ports/mail/squirrelmail/distinfo squirrelmail/distinfo
--- /usr/ports/mail/squirrelmail/distinfo 2017-08-22 17:25:09.000000000 +0000
+++ squirrelmail/distinfo 2018-03-21 17:37:29.090035000 +0000
@@ -1,3 +1,3 @@
-TIMESTAMP = 1499253804
+TIMESTAMP = 1521653849
 SHA256 (squirrelmail/squirrelmail-20170705_0200-SVN.stable.tar.bz2) = 53ff6540eb46f737bb631f6d5e0fb80c19b42ab33b1e28a38b4bc469e26a63a8
 SIZE (squirrelmail/squirrelmail-20170705_0200-SVN.stable.tar.bz2) = 563043
diff -ruN /usr/ports/mail/squirrelmail/files/patch-src_compose.php squirrelmail/files/patch-src_compose.php
--- /usr/ports/mail/squirrelmail/files/patch-src_compose.php 1970-01-01 00:00:00.000000000 +0000
+++ squirrelmail/files/patch-src_compose.php 2018-03-21 17:35:29.279475000 +0000
@@ -0,0 +1,79 @@
+--- src/compose.php.orig 2017-01-27 20:31:33 UTC
++++ src/compose.php
+@@ -148,6 +148,62 @@ $idents = get_identities();
+ 
+ /* --------------------- Specific Functions ------------------------------ */
+ 
++/*
++Validate the user input 'attachments'.
++If the input is ok, don't do anything.
++If the attachment's file name is in an unexpected format, empty the attachments.
++*/
++function validateAttachments() {
++
++ global $username, $attachment_dir, $attachments;
++
++ // no attachments - nothing to validate
++ if (empty($attachments))
++ {
++ return;
++ }
++
++ // get the Messages array
++ $attach_arr = unserialize($attachments);
++
++ if (empty($attach_arr) || !is_array($attach_arr))
++ {
++ return;
++ }
++
++ $hashed_attachment_dir = realpath(getHashedDir($username, $attachment_dir));
++
++ /*
++ For each attachment (of type Message), verify:
++ 1. That after calling realpath(), we are in the attachment directory.
++ 2. That the file name is 32 characters long (a fixed length used for attachments).
++ 3. That the file has no extension.
++
++ Notes: The attachment file name is a random 32-long string.
++ The attachments directory contains other types of files as well,
++ but they either have an exention or are not 32-characters long.
++ */
++ foreach ($attach_arr as $attach_msg_obj)
++ {
++ $received_file_name = $attach_msg_obj->att_local_name;
++ $full_path = realpath($hashed_attachment_dir . '/' . $received_file_name);
++
++ $path_parts = pathinfo($full_path);
++ $file_name = $path_parts['basename'];
++
++ if ((substr($full_path, 0, strlen($hashed_attachment_dir)) != $hashed_attachment_dir) or
++ (strlen($file_name) != 32) or
++ ($path_parts['extension'] != ""))
++ {
++ $attachments = '';
++ return;
++ }
++ }
++
++ return;
++}
++
++
+ function replyAllString($header) {
+ global $include_self_reply_all, $username, $data_dir;
+ $excl_ar = array();
+@@ -288,6 +344,8 @@ function getforwardHeader($orig_header)
+ }
+ /* ----------------------------------------------------------------------- */
+ 
++validateAttachments();
++
+ /*
+ * If the session is expired during a post this restores the compose session
+ * vars.
+@@ -1853,4 +1911,3 @@ function deliverMessage(&$composeMessage
+ }
+ return $succes;
+ }
+-
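Review bot: The containment test `substr($full_path, 0, strlen($hashed_attachment_dir)) != $hashed_attachment_dir` in validateAttachments() is a bare prefix match with no trailing separator, so a path under a sibling directory whose name merely begins with the hashed directory's name passes it, and if `getHashedDir()` or `realpath()` returned false the loose `!=` against an empty substr also passes; `$path_parts['extension']` is likewise unset when there is no extension, so the third test emits a notice and only rejects correctly because `null != ""` is false. If, as the block comment implies, attachment files sit directly in that directory under a 32-character random name, a stricter and notice-free form is `if (dirname($full_path) !== $hashed_attachment_dir || strlen($file_name) !== 32 || isset($path_parts['extension']))`, which also rejects the false cases because `dirname()` always yields a string. Separately, `unserialize($attachments)` still runs on the raw request value before anything is checked, so object injection through that parameter is not addressed here; on PHP 7+ passing `array('allowed_classes' => array('Message'))` as the second argument would confine it to the `Message` class the comment names, if the port's PHP baseline permits. validateAttachments() is complete within the hunk, but the code that populates `$attachments` and the later consumers of it are outside it.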