From d3a9a80ea4fad08f22f6a7a58e2f4bc8320c268c Mon Sep 17 00:00:00 2001
From: Yen-Ming Lee
Date: Fri, 20 Dec 2002 18:15:44 +0000
Subject: 1. disable sending report and unforbid openwebmail 2. add security patch 3. clear pkg-plist Submitted by: 2. http://openwebmail.org/openwebmail/download/cert/advisories/SA-02:01.txt Reviewed by: portmgr, tung@turtle.ee.ncku.edu.tw (author) Approved by: 1. Steve Price (portmgr)
---
...patch-cgi-bin::openwebmail::openwebmail-tool.pl | 10 +++++++++
.../files/patch-cgi-bin::openwebmail::ow-shared.pl | 24 ++++++++++++++++++++++
2 files changed, 34 insertions(+)
create mode 100644 mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
create mode 100644 mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
(limited to 'mail/openwebmail/files')
diff --git a/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl b/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
new file mode 100644
index 000000000000..1024d05e1b65
--- /dev/null
+++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
@@ -0,0 +1,10 @@
+--- cgi-bin/openwebmail/openwebmail-tool.pl.orig Wed Dec 18 21:10:06 2002
++++ cgi-bin/openwebmail/openwebmail-tool.pl Wed Dec 18 21:14:14 2002
+@@ -325,6 +325,7 @@
+ print "done.\n";
+ }
+
++ return 0;
+ my $id = $ENV{'USER'} || $ENV{'LOGNAME'} || getlogin || (getpwuid($>))[0];
+ my $hostname=hostname();
+ my $realname=(getpwnam($id))[6]||$id;
diff --git a/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
new file mode 100644
index 000000000000..9ec111e8cf83
--- /dev/null
+++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
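Review bot: The added `return 0;` in the openwebmail-tool.pl patch carries no comment, so the statements after it (`my $id = ...`, `$hostname`, `$realname`) become unreachable with no hint in the code as to why. A marker on the line itself, such as `return 0; # port-local: site report to the author is disabled`, would keep the intent visible when the patch is refreshed against a new upstream release; the commit message suggests that is the purpose. The enclosing subroutine starts and ends outside the hunk, so whether its callers treat 0 as success cannot be confirmed from here.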
@@ -0,0 +1,24 @@
+--- cgi-bin/openwebmail/ow-shared.pl.orig Tue Nov 26 20:20:51 2002
++++ cgi-bin/openwebmail/ow-shared.pl Sat Dec 21 01:07:47 2002
+@@ -231,6 +231,9 @@
+ sub readconf {
+ my ($r_config, $r_config_raw, $configfile)=@_;
+
++ if ($configfile=~/\.\./) { # .. in path is not allowed for higher security
++ openwebmailerror("Invalid config file path $configfile");
++ }
+ # read config
+ open(CONFIG, $configfile) or
+ openwebmailerror("Couldn't open config file $configfile");
+@@ -340,6 +343,11 @@
+ }
+ }
+
++ # remove / and .. from variables that will be used in require statement for security
++ foreach $key ( 'default_language', 'auth_module') {
++ ${$r_config}{$key} =~ s|/||g;
++ ${$r_config}{$key} =~ s|\.\.||g;
++ }
+ # untaint pathname variable defined in openwebmail.conf
+ foreach $key ( 'smtpserver', 'auth_module', 'virtusertable',
+ 'mailspooldir', 'homedirspoolname', 'homedirfolderdirname',
-- cgit v1.2.3
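Review bot: In `readconf`, the new `..` test still passes `$configfile` to the two-argument `open(CONFIG, $configfile)`, which reads the open mode from the string itself, so the check rejects neither mode or pipe characters at the start or end of the value nor absolute paths. If the path can be influenced from outside (the callers are not in the hunk), an explicit read mode closes that gap: `open(CONFIG, '<', $configfile) or` on Perl versions with three-argument open, ideally together with an anchored check of the expected config directory. In the second inner hunk, `s|/||g` and `s|\.\.||g` silently turn a bad `default_language` or `auth_module` into a different name that is then used in `require`. Rejecting any value with characters outside an expected set (letters, digits, `_`, `.`, `-`) through `openwebmailerror` would surface the bad configuration instead of loading an unintended file. Both `readconf` and the second hunk's enclosing code continue outside the visible lines.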