From d3a9a80ea4fad08f22f6a7a58e2f4bc8320c268c Mon Sep 17 00:00:00 2001 From: Yen-Ming Lee Date: Fri, 20 Dec 2002 18:15:44 +0000 Subject: 1. disable sending report and unforbid openwebmail 2. add security patch 3. clear pkg-plist Submitted by: 2. http://openwebmail.org/openwebmail/download/cert/advisories/SA-02:01.txt Reviewed by: portmgr, tung@turtle.ee.ncku.edu.tw (author) Approved by: 1. Steve Price (portmgr) --- .../files/patch-cgi-bin::openwebmail::ow-shared.pl | 24 ++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl (limited to 'mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl') diff --git a/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl new file mode 100644 index 000000000000..9ec111e8cf83 --- /dev/null +++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl @@ -0,0 +1,24 @@ +--- cgi-bin/openwebmail/ow-shared.pl.orig Tue Nov 26 20:20:51 2002 ++++ cgi-bin/openwebmail/ow-shared.pl Sat Dec 21 01:07:47 2002 +@@ -231,6 +231,9 @@ + sub readconf { + my ($r_config, $r_config_raw, $configfile)=@_; + ++ if ($configfile=~/\.\./) { # .. in path is not allowed for higher security ++ openwebmailerror("Invalid config file path $configfile"); ++ } + # read config + open(CONFIG, $configfile) or + openwebmailerror("Couldn't open config file $configfile"); +@@ -340,6 +343,11 @@ + } + } + ++ # remove / and .. from variables that will be used in require statement for security ++ foreach $key ( 'default_language', 'auth_module') { ++ ${$r_config}{$key} =~ s|/||g; ++ ${$r_config}{$key} =~ s|\.\.||g; ++ } + # untaint pathname variable defined in openwebmail.conf + foreach $key ( 'smtpserver', 'auth_module', 'virtusertable', + 'mailspooldir', 'homedirspoolname', 'homedirfolderdirname', -- cgit v1.2.3