authorleeym <leeym@FreeBSD.org>2002-12-20 18:15:44 +0000
committerleeym <leeym@FreeBSD.org>2002-12-20 18:15:44 +0000
commita6ad98a07a17a8be399aca4c6eae8fc872ca37bf (patch)
tree72680bf4a23df26cb6ba5fe93adebfa518d9d3cf /mail
parentd35403282019b8bb98467b7ab03097c038eb5e35 (diff)
1. disable sending report and unforbid openwebmail
2. add security patch
3. clear pkg-plist

Submitted by: 2. http://openwebmail.org/openwebmail/download/cert/advisories/SA-02:01.txt
Reviewed by: portmgr, tung@turtle.ee.ncku.edu.tw (author)
Approved by: 1. Steve Price (portmgr)
Diffstat (limited to 'mail')
-rw-r--r--mail/openwebmail/Makefile5
-rw-r--r--mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl10
-rw-r--r--mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl24
-rw-r--r--mail/openwebmail/pkg-plist12
4 files changed, 36 insertions, 15 deletions
diff --git a/mail/openwebmail/Makefile b/mail/openwebmail/Makefile
index f54259f..87f6f13 100644
--- a/mail/openwebmail/Makefile
+++ b/mail/openwebmail/Makefile
@@ -7,7 +7,7 @@
PORTNAME= openwebmail
PORTVERSION= 1.81
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= mail
MASTER_SITES= http://openwebmail.org/openwebmail/download/ \
http://turtle.ee.ncku.edu.tw/openwebmail/download/
@@ -15,8 +15,6 @@ EXTRACT_SUFX= .tgz
MAINTAINER= leeym@FreeBSD.org
-FORBIDDEN= "Sends mail to developers at install-time"
-
RUN_DEPENDS= ${LOCALBASE}/lib/perl5/site_perl/${PERL_VER}/CGI.pm:${PORTSDIR}/www/p5-CGI.pm \
${LOCALBASE}/lib/perl5/site_perl/${PERL_VER}/Net/SMTP.pm:${PORTSDIR}/net/p5-Net \
${LOCALBASE}/lib/perl5/site_perl/${PERL_VER}/${PERL_ARCH}/Text/Iconv.pm:${PORTSDIR}/converters/p5-Text-Iconv \
@@ -45,5 +43,6 @@ do-install:
.endfor
@${PERL5} ${WRKSRC}/cgi-bin/openwebmail/uty/wrapsuid.pl ${OWCGIDIR}
@${OWCGIDIR}/openwebmail-tool.pl --init -y
+ @${RM} ${OWCGIDIR}/*orig ${OWCGIDIR}/*bak
.include <bsd.port.mk>
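Review bot: The cleanup globs on the added `@${RM}` line, `*orig` and `*bak`, have no dot, so they match any file in `${OWCGIDIR}` whose name merely ends in those letters; `@${RM} ${OWCGIDIR}/*.orig ${OWCGIDIR}/*.bak` would limit the removal to patch and backup leftovers. The cleanup matters because stale copies of CGI scripts left in a web-served directory can stay reachable after the live file has been patched. The glob covers only the top level of `${OWCGIDIR}`; whether subdirectories such as `uty/` also collect backup files is not visible in this hunk and is worth checking.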
diff --git a/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl b/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
new file mode 100644
index 0000000..1024d05
--- /dev/null
+++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
@@ -0,0 +1,10 @@
+--- cgi-bin/openwebmail/openwebmail-tool.pl.orig Wed Dec 18 21:10:06 2002
++++ cgi-bin/openwebmail/openwebmail-tool.pl Wed Dec 18 21:14:14 2002
+@@ -325,6 +325,7 @@
+ print "done.\n";
+ }
+
++ return 0;
+ my $id = $ENV{'USER'} || $ENV{'LOGNAME'} || getlogin || (getpwuid($>))[0];
+ my $hostname=hostname();
+ my $realname=(getpwnam($id))[6]||$id;
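Review bot: The added `return 0;` carries no comment, and everything after it in the sub becomes unreachable, so a later reader of the patched file cannot tell that the early exit is deliberate. A comment above it such as `# FreeBSD port: do not mail an install report to the developers` would record the reason given in the commit message. The enclosing sub starts and ends outside the hunk, so whether its callers treat a return value of 0 as success cannot be confirmed from here.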
diff --git a/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
new file mode 100644
index 0000000..9ec111e
--- /dev/null
+++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
@@ -0,0 +1,24 @@
+--- cgi-bin/openwebmail/ow-shared.pl.orig Tue Nov 26 20:20:51 2002
++++ cgi-bin/openwebmail/ow-shared.pl Sat Dec 21 01:07:47 2002
+@@ -231,6 +231,9 @@
+ sub readconf {
+ my ($r_config, $r_config_raw, $configfile)=@_;
+
++ if ($configfile=~/\.\./) { # .. in path is not allowed for higher security
++ openwebmailerror("Invalid config file path $configfile");
++ }
+ # read config
+ open(CONFIG, $configfile) or
+ openwebmailerror("Couldn't open config file $configfile");
+@@ -340,6 +343,11 @@
+ }
+ }
+
++ # remove / and .. from variables that will be used in require statement for security
++ foreach $key ( 'default_language', 'auth_module') {
++ ${$r_config}{$key} =~ s|/||g;
++ ${$r_config}{$key} =~ s|\.\.||g;
++ }
+ # untaint pathname variable defined in openwebmail.conf
+ foreach $key ( 'smtpserver', 'auth_module', 'virtusertable',
+ 'mailspooldir', 'homedirspoolname', 'homedirfolderdirname',
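Review bot: In readconf the new `..` check is followed by the existing two-argument `open(CONFIG, $configfile)`, which still lets mode characters in `$configfile` (a leading `>` or a leading or trailing `|`) select write or pipe mode, and an absolute path passes the check unchanged. Making the mode explicit, `open(CONFIG, '<', $configfile) or`, closes that gap. The check also depends on openwebmailerror() not returning to the caller, which is not visible in this hunk. In the second inner hunk, `default_language` and `auth_module` are cleaned with a denylist (`/` and `..` stripped); an anchored allowlist test such as `=~ /\A[\w.\-]+\z/` before the values reach `require` would be stricter and easier to reason about. readconf's body continues outside both inner hunks.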
diff --git a/mail/openwebmail/pkg-plist b/mail/openwebmail/pkg-plist
index 1db6baa..dd75bb5 100644
--- a/mail/openwebmail/pkg-plist
+++ b/mail/openwebmail/pkg-plist
@@ -1268,29 +1268,17 @@ www/cgi-bin/openwebmail/maildb.pl
www/cgi-bin/openwebmail/mailfilter.pl
www/cgi-bin/openwebmail/mime.pl
www/cgi-bin/openwebmail/openwebmail-abook.pl
-www/cgi-bin/openwebmail/openwebmail-abook.pl.bak
www/cgi-bin/openwebmail/openwebmail-advsearch.pl
-www/cgi-bin/openwebmail/openwebmail-advsearch.pl.bak
www/cgi-bin/openwebmail/openwebmail-cal.pl
-www/cgi-bin/openwebmail/openwebmail-cal.pl.bak
www/cgi-bin/openwebmail/openwebmail-folder.pl
-www/cgi-bin/openwebmail/openwebmail-folder.pl.bak
www/cgi-bin/openwebmail/openwebmail-main.pl
-www/cgi-bin/openwebmail/openwebmail-main.pl.bak
www/cgi-bin/openwebmail/openwebmail-prefs.pl
-www/cgi-bin/openwebmail/openwebmail-prefs.pl.bak
www/cgi-bin/openwebmail/openwebmail-read.pl
-www/cgi-bin/openwebmail/openwebmail-read.pl.bak
www/cgi-bin/openwebmail/openwebmail-send.pl
-www/cgi-bin/openwebmail/openwebmail-send.pl.bak
www/cgi-bin/openwebmail/openwebmail-spell.pl
-www/cgi-bin/openwebmail/openwebmail-spell.pl.bak
www/cgi-bin/openwebmail/openwebmail-tool.pl
-www/cgi-bin/openwebmail/openwebmail-tool.pl.bak
www/cgi-bin/openwebmail/openwebmail-viewatt.pl
-www/cgi-bin/openwebmail/openwebmail-viewatt.pl.bak
www/cgi-bin/openwebmail/openwebmail.pl
-www/cgi-bin/openwebmail/openwebmail.pl.bak
www/cgi-bin/openwebmail/ow-shared.pl
www/cgi-bin/openwebmail/pop3mail.pl
www/cgi-bin/openwebmail/uty/dbmtest.pl