Diffstat (limited to 'mail/openwebmail/files')
-rw-r--r--mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl10
-rw-r--r--mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl24
2 files changed, 34 insertions, 0 deletions
diff --git a/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl b/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
new file mode 100644
index 000000000000..1024d05e1b65
--- /dev/null
+++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
@@ -0,0 +1,10 @@
+--- cgi-bin/openwebmail/openwebmail-tool.pl.orig Wed Dec 18 21:10:06 2002
++++ cgi-bin/openwebmail/openwebmail-tool.pl Wed Dec 18 21:14:14 2002
+@@ -325,6 +325,7 @@
+ print "done.\n";
+ }
+
++ return 0;
+ my $id = $ENV{'USER'} || $ENV{'LOGNAME'} || getlogin || (getpwuid($>))[0];
+ my $hostname=hostname();
+ my $realname=(getpwnam($id))[6]||$id;
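Review bot: The added `return 0;` is unconditional and uncommented, so the `$id`, `$hostname` and `$realname` lookups after it, and whatever follows them outside the hunk, become dead code with no recorded reason. If the intent is to disable that step in the port (presumably because it derives an identity from `$ENV{'USER'}` / `$ENV{'LOGNAME'}`, which the caller controls), say so on the line, e.g. `return 0; # port: skip the step below, <reason>`. Removing the unreachable code in the same patch would make this harder to reverse by accident on the next upstream update. The enclosing sub starts and ends outside the hunk, so the meaning of a `0` return to its callers cannot be checked from here.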
diff --git a/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
new file mode 100644
index 000000000000..9ec111e8cf83
--- /dev/null
+++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
@@ -0,0 +1,24 @@
+--- cgi-bin/openwebmail/ow-shared.pl.orig Tue Nov 26 20:20:51 2002
++++ cgi-bin/openwebmail/ow-shared.pl Sat Dec 21 01:07:47 2002
+@@ -231,6 +231,9 @@
+ sub readconf {
+ my ($r_config, $r_config_raw, $configfile)=@_;
+
++ if ($configfile=~/\.\./) { # .. in path is not allowed for higher security
++ openwebmailerror("Invalid config file path $configfile");
++ }
+ # read config
+ open(CONFIG, $configfile) or
+ openwebmailerror("Couldn't open config file $configfile");
+@@ -340,6 +343,11 @@
+ }
+ }
+
++ # remove / and .. from variables that will be used in require statement for security
++ foreach $key ( 'default_language', 'auth_module') {
++ ${$r_config}{$key} =~ s|/||g;
++ ${$r_config}{$key} =~ s|\.\.||g;
++ }
+ # untaint pathname variable defined in openwebmail.conf
+ foreach $key ( 'smtpserver', 'auth_module', 'virtusertable',
+ 'mailspooldir', 'homedirspoolname', 'homedirfolderdirname',
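Review bot: The new `..` test in `readconf` leaves the two-argument `open(CONFIG, $configfile)` below it unchanged, so Perl still interprets mode and pipe characters in the path, and absolute paths are still accepted. Changing the call to `open(CONFIG, '<', $configfile) or` would make the value be treated purely as a filename. The guard also relies on `openwebmailerror` not returning, which is not visible in this hunk; if it can return, the open still runs on the rejected path. For `default_language` and `auth_module`, stripping `/` and `..` silently rewrites a bad value instead of rejecting it. An anchored allow-list that untaints from the capture, e.g. `${$r_config}{$key} =~ /^([\w\-.]+)$/ or openwebmailerror("Invalid $key");`, would make the intent explicit before the value reaches `require`.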