--- squirrelmail-1.4.8.orig/doc/index.html +++ squirrelmail-1.4.8/doc/index.html @@ -75,15 +75,13 @@
Basic documentation that comes with distribution:
- AUTHORS - Who's behind all this?
- INSTALL - Installation instructions
- UPGRADE - Upgrading instructions
- README - Everyone should read this.
- COPYING - Licencing of SquirrelMail
- ChangeLog - Differences between SquirrelMail - versions.
- ReleaseNotes - SquirrelMail release notes.
- ReleaseNotes archive - Notes for older SquirrelMail versions
+ AUTHORS - Who's behind all this?
+ README.Debian - README for Debian users by + the Debian maintainer
+ copyright - Licencing of SquirrelMail
+ changelog - Differences between official SquirrelMail versions.
+ changelog - Differences between the + Debian package versions of SquirrelMail.
--- squirrelmail-1.4.8.orig/src/right_main.php +++ squirrelmail-1.4.8/src/right_main.php @@ -154,7 +154,7 @@ if ($composenew) { $comp_uri = SM_PATH . 'src/compose.php?mailbox='. urlencode($mailbox). - "&session=$session"; + "&session=" .urlencode($session); displayPageHeader($color, $mailbox, "comp_in_new('$comp_uri');", false); } else { displayPageHeader($color, $mailbox); --- squirrelmail-1.4.8.orig/src/compose.php +++ squirrelmail-1.4.8/src/compose.php 
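Review bot: `$session` is only URL-encoded on the new side, whereas compose.php in this same diff treats the compose session as an integer (`$composesession = (int)$composesession`); if `$session` is that integer index, `"&session=" . (int)$session` is tighter than `urlencode()` and leaves nothing to encode. The `urlencode()` does close the reported hole: it percent-encodes `'`, `\` and `<`, so neither `$mailbox` nor `$session` can break out of the single-quoted JavaScript literal in `comp_in_new('$comp_uri')` or the surrounding HTML. Where `$session` is read from is outside this hunk, so the cast should be confirmed against that code before applying it.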
@@ -50,31 +50,43 @@ sqgetGlobalVar('compose_messages', $compose_messages, SQ_SESSION); /** SESSION/POST/GET VARS */ -sqgetGlobalVar('smaction',$action); -sqgetGlobalVar('session',$session); -sqgetGlobalVar('mailbox',$mailbox); -sqgetGlobalVar('identity',$identity); -sqgetGlobalVar('send_to',$send_to); -sqgetGlobalVar('send_to_cc',$send_to_cc); -sqgetGlobalVar('send_to_bcc',$send_to_bcc); -sqgetGlobalVar('subject',$subject); -sqgetGlobalVar('body',$body); -sqgetGlobalVar('mailprio',$mailprio); -sqgetGlobalVar('request_mdn',$request_mdn); -sqgetGlobalVar('request_dr',$request_dr); -sqgetGlobalVar('html_addr_search',$html_addr_search); -sqgetGlobalVar('mail_sent',$mail_sent); -sqgetGlobalVar('passed_id',$passed_id); -sqgetGlobalVar('passed_ent_id',$passed_ent_id); -sqgetGlobalVar('send',$send); - -sqgetGlobalVar('attach',$attach); - -sqgetGlobalVar('draft',$draft); -sqgetGlobalVar('draft_id',$draft_id); -sqgetGlobalVar('ent_num',$ent_num); -sqgetGlobalVar('saved_draft',$saved_draft); -sqgetGlobalVar('delete_draft',$delete_draft); +sqgetGlobalVar('send', $send, SQ_POST); +// Send can only be achieved by setting $_POST var. 
If Send = true then +// retrieve other form fields from $_POST +if (isset($send) && $send) { + $SQ_GLOBAL = SQ_POST; +} else { + $SQ_GLOBAL = SQ_FORM; +} +sqgetGlobalVar('smaction',$action, $SQ_GLOBAL); +sqgetGlobalVar('session',$session, $SQ_GLOBAL); +sqgetGlobalVar('mailbox',$mailbox, $SQ_GLOBAL); +if ( !sqgetGlobalVar('identity',$identity, $SQ_GLOBAL) ) { + $identity = 0; +} +sqgetGlobalVar('send_to',$send_to, $SQ_GLOBAL); +sqgetGlobalVar('send_to_cc',$send_to_cc, $SQ_GLOBAL); +sqgetGlobalVar('send_to_bcc',$send_to_bcc, $SQ_GLOBAL); +sqgetGlobalVar('subject',$subject, $SQ_GLOBAL); +sqgetGlobalVar('body',$body, $SQ_GLOBAL); +sqgetGlobalVar('mailprio',$mailprio, $SQ_GLOBAL); +sqgetGlobalVar('request_mdn',$request_mdn, $SQ_GLOBAL); +sqgetGlobalVar('request_dr',$request_dr, $SQ_GLOBAL); +sqgetGlobalVar('html_addr_search',$html_addr_search, SQ_FORM); +sqgetGlobalVar('mail_sent',$mail_sent, SQ_FORM); +sqgetGlobalVar('passed_id',$passed_id, $SQ_GLOBAL); +sqgetGlobalVar('passed_ent_id',$passed_ent_id, $SQ_GLOBAL); + +sqgetGlobalVar('attach',$attach, SQ_POST); +sqgetGlobalVar('draft',$draft, SQ_POST); +sqgetGlobalVar('draft_id',$draft_id, $SQ_GLOBAL); +sqgetGlobalVar('ent_num',$ent_num, $SQ_GLOBAL); +sqgetGlobalVar('saved_draft',$saved_draft, SQ_FORM); + +if ( sqgetGlobalVar('delete_draft',$delete_draft) ) { + $delete_draft = (int)$delete_draft; +} + if ( sqgetGlobalVar('startMessage',$startMessage) ) { $startMessage = (int)$startMessage; } else { 
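Review bot: Taking `send` from `SQ_POST` only (top of the hunk) stops a crafted GET link from sending mail, but a cross-site page can still auto-submit a POST form carrying `send=1` plus recipient and body fields, so unless a per-session token is verified somewhere outside this hunk the CSRF side of the advisory is narrowed rather than closed; a comment stating that limitation next to `sqgetGlobalVar('send', $send, SQ_POST);` would keep the next reader from assuming more. Separately, `$identity` is defaulted to 0 but otherwise taken verbatim, while `delete_draft` and `startMessage` in the same hunk are cast with `(int)`; `$identity = (int)$identity;` in the success branch of that `if` would match. The same probably applies to `passed_id`, `ent_num` and `draft_id` if they are numeric IDs, which this hunk does not show.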
@@ -96,6 +108,25 @@ /** GET VARS */ sqgetGlobalVar('attachedmessages', $attachedmessages, SQ_GET); +/** + * Here we decode the data passed in from mailto.php. + */ +if ( sqgetGlobalVar('mailtodata', $mailtodata, SQ_GET) ) { + $trtable = array('to' => 'send_to', + 'cc' => 'send_to_cc', + 'bcc' => 'send_to_bcc', + 'body' => 'body', + 'subject' => 'subject'); + $mtdata = unserialize($mailtodata); + + foreach ($trtable as $f => $t) { + if ( !empty($mtdata[$f]) ) { + $$t = $mtdata[$f]; + } + } + unset($mailtodata,$mtdata, $trtable); +} + /* Location (For HTTP 1.1 Header("Location: ...") redirects) */ $location = get_location(); @@ -296,6 +327,8 @@ if (!isset($composesession)) { $composesession = 0; sqsession_register(0,'composesession'); +} else { + $composesession = (int)$composesession; } if (!isset($session) || (isset($newmessage) && $newmessage)) { --- squirrelmail-1.4.8.orig/src/redirect.php +++ squirrelmail-1.4.8/src/redirect.php @@ -52,8 +52,8 @@ $squirrelmail_language = $squirrelmail_default_language; } -if (!sqgetGlobalVar('mailto', $mailto)) { - $mailto = ''; +if (!sqgetGlobalVar('mailtodata', $mailtodata)) { + $mailtodata = ''; } @@ -159,9 +159,9 @@ unset($session_expired_location); } -if($mailto != '') { - $redirect_url = $location . '/webmail.php?right_frame=compose.php&mailto='; - $redirect_url .= urlencode($mailto); +if($mailtodata != '') { + $redirect_url = $location . '/webmail.php?right_frame=compose.php&mailtodata='; + $redirect_url .= urlencode($mailtodata); } --- squirrelmail-1.4.8.orig/src/login.php +++ squirrelmail-1.4.8/src/login.php @@ -112,11 +112,10 @@ $password_form_name = 'secretkey'; do_hook('login_top'); - -if(sqgetGlobalVar('mailto', $mailto)) { - $rcptaddress = addHidden('mailto', $mailto); +if(sqgetGlobalVar('mailtodata', $mailtodata)) { + $mailtofield = addHidden('mailtodata', $mailtodata); } else { - $rcptaddress = ''; + $mailtofield = ''; } /* If they don't have a logo, don't bother.. */ 
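Review bot: `$mtdata = unserialize($mailtodata);` deserializes a value taken straight from `$_GET` (SQ_GET), which lets a crafted link instantiate any class loaded at that point and run its `__wakeup`/`__destruct`; that exposure exists the moment `unserialize()` returns, before the `$trtable` loop ever looks at the result. mailto.php in this diff only ever produces `serialize()` of a flat array of strings, so the durable fix is a payload format that cannot create objects (e.g. a hand-parsed `key=value&...` string, since debian/control still targets PHP 4 where `json_decode` is unavailable), with the encoder in mailto.php changed to match. Short of that, the loop should at least refuse non-array payloads and non-string members, because `$$t = $mtdata[$f]` otherwise lets an array land in `$send_to`, `$subject` or `$body`, which later code presumably treats as strings. The guards below limit what reaches the compose fields but do not remove the object-injection sink.
```php
$mtdata = unserialize($mailtodata);
// mailto.php only serializes a flat array of strings; drop anything else
if (is_array($mtdata)) {
    foreach ($trtable as $f => $t) {
        if (!empty($mtdata[$f]) && is_string($mtdata[$f])) {
            $$t = $mtdata[$f];
        }
    }
}
unset($mailtodata, $mtdata, $trtable);
```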
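Review bot: `addHidden('mailtodata', $mailtodata)` in the login.php hunk reflects a value that `sqgetGlobalVar('mailtodata', $mailtodata)` accepts from any request source into the login form, and nothing in the hunk escapes it; whether that is safe depends entirely on `addHidden()` applying `htmlspecialchars()` to its value, which is defined outside this diff and should be confirmed before relying on it. If it does not, `addHidden('mailtodata', htmlspecialchars($mailtodata))` is the one-line fix here (and would double-encode if it does, so check first). A short comment that the blob is opaque to the login page and is only decoded by compose.php would also help the next reader.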
@@ -169,7 +168,7 @@ html_tag( 'td', addPwField($password_form_name). addHidden('js_autodetect_results', SMPREF_JS_OFF). - $rcptaddress . + $mailtofield . addHidden('just_logged_in', '1'), 'left', '', 'width="*"' ) ) , --- squirrelmail-1.4.8.orig/src/view_text.php +++ squirrelmail-1.4.8/src/view_text.php @@ -75,10 +75,10 @@ } if ($type1 == 'html' || (isset($override_type1) && $override_type1 == 'html')) { - $body = MagicHTML( $body, $passed_id, $message, $mailbox); // html attachment with character set information if (! empty($charset)) $body = charset_decode($charset,$body,false,true); + $body = magicHTML( $body, $passed_id, $message, $mailbox); } else { translateText($body, $wrap_at, $charset); } @@ -102,4 +102,4 @@ - \ No newline at end of file + --- squirrelmail-1.4.8.orig/src/mailto.php +++ squirrelmail-1.4.8/src/mailto.php @@ -41,6 +41,8 @@ 'subject' => 'subject'); $url = ''; +$data = array(); + if(sqgetGlobalVar('emailaddress', $emailaddress)) { $emailaddress = trim($emailaddress); if(stristr($emailaddress, 'mailto:')) { 
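Review bot: The fix in the view_text.php hunk is the ordering — `charset_decode()` now runs before `magicHTML()` instead of after it — but nothing in the file records that, and the swap is exactly what a tidy-up refactor is most likely to undo. Suggest a comment on the new `$body = magicHTML(...)` line: `// Filter AFTER charset decoding: decoding a filtered body could presumably turn inert bytes back into markup (CVE-2007-1262)` — the exact bypass is not visible in this hunk, so keep the wording hedged or cite the advisory. PHP function names are case-insensitive, so the `MagicHTML` → `magicHTML` spelling change is cosmetic and not part of the fix; saying so in the commit message would stop someone chasing it.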
@@ -50,33 +52,33 @@ list($emailaddress, $a) = explode('?', $emailaddress, 2); if(strlen(trim($a)) > 0) { $a = explode('=', $a, 2); - $url .= $trtable[strtolower($a[0])] . '=' . urlencode($a[1]) . '&'; + $data[strtolower($a[0])] = $a[1]; } } - $url = 'send_to=' . urlencode($emailaddress) . '&' . $url; + $data['to'] = $emailaddress; + /* CC, BCC, etc could be any case, so we'll fix them here */ foreach($_GET as $k=>$g) { $k = strtolower($k); if(isset($trtable[$k])) { $k = $trtable[$k]; - $url .= $k . '=' . urlencode($g) . '&'; + $data[$k] = $g; } } - $url = substr($url, 0, -1); } sqsession_is_active(); if($force_login == false && sqsession_is_registered('user_is_logged_in')) { if($compose_only == true) { - $redirect = 'compose.php?' . $url; + $redirect = 'compose.php?mailtodata=' . urlencode(serialize($data)); } else { - $redirect = 'webmail.php?right_frame=compose.php?' . urlencode($url); + $redirect = 'webmail.php?mailtodata=' . urlencode(serialize($data)); } } else { - $redirect = 'login.php?mailto=' . urlencode($url); + $redirect = 'login.php?mailtodata=' . urlencode(serialize($data)); } session_write_close(); header('Location: ' . get_location() . '/' . $redirect); -?> \ No newline at end of file +?> --- squirrelmail-1.4.8.orig/src/webmail.php +++ squirrelmail-1.4.8/src/webmail.php @@ -52,11 +52,12 @@ $mailbox = 'INBOX'; } -if(!sqgetGlobalVar('mailto', $mailto)) { - $mailto = ''; +if(sqgetGlobalVar('mailtodata', $mailtodata)) { + $mailtourl = 'mailtodata='.urlencode($mailtodata); +} else { + $mailtourl = ''; } - is_logged_in(); do_hook('webmail_top'); @@ -151,7 +152,7 @@ $right_frame_url = 'folders.php'; break; case 'compose.php': - $right_frame_url = 'compose.php?' . $mailto; + $right_frame_url = 'compose.php?' . $mailtourl; break; case '': $right_frame_url = 'right_main.php'; --- squirrelmail-1.4.8.orig/README +++ squirrelmail-1.4.8/README 
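Review bot: The two paths that fill `$data` in this hunk store under different key spaces: the `mailto:` query parser writes `$data[strtolower($a[0])]`, the raw name such as `cc`, while the `$_GET` loop first remaps `$k = $trtable[$k]` and then writes `$data[$k]`. compose.php's decoder elsewhere in this diff reads only `to`, `cc`, `bcc`, `body` and `subject`, so if mailto.php's `$trtable` (defined above this hunk) still maps `cc` to `send_to_cc` as the removed `$url` construction implies, CC/BCC given as separate GET parameters are serialized under a name nobody reads and silently dropped. Dropping the remap, i.e. `$data[$k] = $g;` without the preceding `$k = $trtable[$k];`, makes both paths agree while `isset($trtable[$k])` stays as the whitelist. Keys that are not whitelisted can still enter `$data` through the first path, which is harmless only because compose.php ignores them; a comment saying so would help.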
@@ -48,8 +48,9 @@ Installation: ------------- -For detailed instructions on how to install SquirrelMail on your server, -please refer to the INSTALL document in the same directory as this document. +On Debian systems, see /usr/share/doc/squirrelmail/README.Debian for +Debian-specific instructions about getting SquirrelMail running besides +installing the package. Licensing: ---------- --- squirrelmail-1.4.8.orig/README.locales +++ squirrelmail-1.4.8/README.locales @@ -0,0 +1,12 @@ +The locales (translations) for the SquirrelMail package are provided in +the package "squirrelmail-locales" on which the "squirrelmail" package +recommends. You need to install that package aswell if you want to use +SquirrelMail in languages other than English. + +You may need to reconfigure locales with: + dpkg-reconfigure locales +to make alternative languages work. + +In some cases it might also be needed to restart Apache after you've +upgraded or added locales, because of some internal caching of locale +information by Apache. --- squirrelmail-1.4.8.orig/debian/squirrelmail.postrm +++ squirrelmail-1.4.8/debian/squirrelmail.postrm @@ -0,0 +1,37 @@ +#! /bin/sh +# postrm script for squirrelmail +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' overwrit>r> +# for details, see /usr/share/doc/packaging-manual/ + +case "$1" in + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + purge) + # remove squirrelmail config and user data + rm -rf /etc/squirrelmail /var/lib/squirrelmail \ + /var/spool/squirrelmail + ;; + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. +#DEBHELPER# +# + --- squirrelmail-1.4.8.orig/debian/control +++ squirrelmail-1.4.8/debian/control 
@@ -0,0 +1,24 @@ +Source: squirrelmail +Section: web +Priority: optional +Maintainer: Jeroen van Wolffelaar +Uploaders: Thijs Kinkhorst , Sam Johnston +Build-Depends: debhelper (>= 5) +Standards-Version: 3.7.2 + +Package: squirrelmail +Architecture: all +Depends: apache2 | httpd, libapache2-mod-php4 | libapache-mod-php4 | php4 | php4-cgi | libapache2-mod-php5 | libapache-mod-php5 | php5-cgi | php5, perl, ${misc:Depends} +Recommends: squirrelmail-locales, ispell | aspell | aspell-bin +Suggests: squirrelmail-decode, imap-server, php4-pear | php-pear, imapproxy +Description: Webmail for nuts + SquirrelMail is a standards-based webmail package written in PHP4. It + includes built-in pure PHP support for the IMAP and SMTP protocols, and + all pages render in pure HTML 4.0 (with no Javascript required) for maximum + compatibility across browsers. It has very few requirements and is very + easy to configure and install. SquirrelMail has all the functionality + you would want from an email client, including strong MIME support, + address books, and folder manipulation. + . + Homepage: http://www.squirrelmail.org/ + --- squirrelmail-1.4.8.orig/debian/squirrelmail.links +++ squirrelmail-1.4.8/debian/squirrelmail.links @@ -0,0 +1,6 @@ +/etc/squirrelmail usr/share/squirrelmail/config +/usr/sbin/squirrelmail-configure etc/squirrelmail/conf.pl +/etc/squirrelmail/sqspell_config.php usr/share/squirrelmail/plugins/squirrelspell/sqspell_config.php +/etc/squirrelmail/filters_setup.php usr/share/squirrelmail/plugins/filters/setup.php + + --- squirrelmail-1.4.8.orig/debian/squirrelmail-configure.8 +++ squirrelmail-1.4.8/debian/squirrelmail-configure.8 
@@ -0,0 +1,32 @@ +.\" Hey, EMACS: -*- nroff -*- +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH SQUIRRELMAIL-CONFIGURE 8 "October 8, 2003" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +squirrelmail-configure \- +.SH SYNOPSIS +.B squirrelmail-configure +.SH DESCRIPTION +Use this interactive command to create or modify your +/etc/squirrelmail/config.php file. The program contains online help. +Alternatively, you can edit this file by hand. For that, you can use +config_default.php as a reference. +.SH AUTHOR +The SquirrelMail Project Team + +This manual page was written by Sam Johnston , +for the Debian GNU/Linux system (but may be used by others) + --- squirrelmail-1.4.8.orig/debian/rules +++ squirrelmail-1.4.8/debian/rules 
@@ -0,0 +1,60 @@ +#!/usr/bin/make -f +# debian/rules makefile for squirrelmail + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +build: build-stamp +build-stamp: + dh_testdir + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f build-stamp + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + dh_install + mv $(CURDIR)/debian/squirrelmail/etc/squirrelmail/conf.pl \ + $(CURDIR)/debian/squirrelmail/usr/sbin/squirrelmail-configure + mv $(CURDIR)/debian/squirrelmail/usr/share/squirrelmail/plugins/squirrelspell/sqspell_config.php \ + $(CURDIR)/debian/squirrelmail/etc/squirrelmail/ + mv $(CURDIR)/debian/squirrelmail/usr/share/squirrelmail/plugins/filters/setup.php \ + $(CURDIR)/debian/squirrelmail/etc/squirrelmail/filters_setup.php + find debian/squirrelmail -name .svn | xargs -r rm -r + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir + dh_testroot + dh_installdebconf + dh_installdocs -X.svn + dh_installexamples + dh_installman + dh_installcron + mv $(CURDIR)/debian/squirrelmail/usr/share/lintian/overrides/squirrelmail.lintian \ + $(CURDIR)/debian/squirrelmail/usr/share/lintian/overrides/squirrelmail + dh_installchangelogs ChangeLog + chgrp www-data $(CURDIR)/debian/squirrelmail/var/spool/squirrelmail/attach \ + $(CURDIR)/debian/squirrelmail/var/lib/squirrelmail/data + chmod u=rwx,g=wx,o= $(CURDIR)/debian/squirrelmail/var/spool/squirrelmail/attach \ + $(CURDIR)/debian/squirrelmail/var/lib/squirrelmail/data + dh_link + dh_compress + dh_fixperms -X/var + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +# Build architecture-dependent files here. +binary-arch: + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install --- squirrelmail-1.4.8.orig/debian/watch +++ squirrelmail-1.4.8/debian/watch 
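Review bot: The `chmod u=rwx,g=wx,o=` on `var/spool/squirrelmail/attach` and `var/lib/squirrelmail/data` after `chgrp www-data` is a deliberate hardening — the web server can create files but not list the directory — and `dh_fixperms -X/var` exists to keep it, yet neither line says so and the changelog only mentions lintian overrides for it. Suggest a comment above the `chgrp`: `# www-data may create but not list attachments/prefs: g=wx, no o; dh_fixperms -X/var preserves this`. The `find debian/squirrelmail -name .svn | xargs -r rm -r` line would also benefit from a word that it strips VCS metadata from the copied tree so it is not packaged.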
@@ -0,0 +1,3 @@ +# Site Directory Pattern Version Script +version=2 +http://prdownloads.sourceforge.net/squirrelmail/squirrelmail-(\d+\.\d*[02468]\.[^-]+)\.tar\.gz --- squirrelmail-1.4.8.orig/debian/squirrelmail.install +++ squirrelmail-1.4.8/debian/squirrelmail.install @@ -0,0 +1,15 @@ +index.php /usr/share/squirrelmail +class /usr/share/squirrelmail +include /usr/share/squirrelmail +functions /usr/share/squirrelmail +help /usr/share/squirrelmail +images /usr/share/squirrelmail +locale /usr/share/squirrelmail +plugins /usr/share/squirrelmail +po /usr/share/squirrelmail +src /usr/share/squirrelmail +themes /usr/share/squirrelmail +config/* /etc/squirrelmail +data/default_pref /etc/squirrelmail + +debian/squirrelmail.lintian /usr/share/lintian/overrides --- squirrelmail-1.4.8.orig/debian/squirrelmail.preinst +++ squirrelmail-1.4.8/debian/squirrelmail.preinst @@ -0,0 +1,29 @@ +#!/bin/sh +# preinst script for squirrelmail + +set -e + +if [ "$1" = upgrade ] && dpkg --compare-versions "$2" lt 2:1.4.4-3; then + + if ! [ -e /var/lib/squirrelmail/data/default_pref ]; then + + # file does not exist, no need to move. do nothing. + : + + elif echo "f8a85f6e64806521a5e6c4cf9a0b7c0a /var/lib/squirrelmail/data/default_pref" | md5sum -c 2>/dev/null \ + || echo "a854095777d16833c9f1c148cddceffb /var/lib/squirrelmail/data/default_pref" | md5sum -c 2>/dev/null; then + + # unmodified woody or current version + rm /var/lib/squirrelmail/data/default_pref + + elif ! [ -e /etc/squirrelmail/default_pref ]; then + # local admin changed, move, so that dpkg goes asking + + mv /var/lib/squirrelmail/data/default_pref \ + /etc/squirrelmail/default_pref + + fi +fi + + +#DEBHELPER# --- squirrelmail-1.4.8.orig/debian/changelog +++ squirrelmail-1.4.8/debian/changelog 
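Review bot: In the preinst, when `/var/lib/squirrelmail/data/default_pref` is locally modified (neither known md5 matches) and `/etc/squirrelmail/default_pref` already exists, every branch is skipped and the modified file is left behind in /var without any message, so an admin's customisations are silently ignored from then on. Add a final branch that says so: `else` / `echo "Leaving modified /var/lib/squirrelmail/data/default_pref in place; merge it into /etc/squirrelmail/default_pref by hand" >&2` / `fi`. The md5 list is a pragmatic check for "unmodified stock file", but the script should note which package versions the two hashes correspond to, since a third stock variant would also be treated as modified and moved.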
@@ -0,0 +1,553 @@ +squirrelmail (2:1.4.8-1ubuntu0.1) edgy-security; urgency=low + + * SECURITY UPDATE: XSS and CSRF in various areas + * src/compose.php, src/right_main.php, src/login.php, src/mailto.php, + src/redirect.php, src/webmail.php, src/mime.php: back-ported fixes for + XSS in compose, draft and HTML mail. (CVE-2006-6142) + http://www.squirrelmail.org/security/issue/2006-12-02 + * fuctions/mime.php, src/compose.php, src/view_text.php: back-ported fixes + for XSS in HTML filter (CVE-2007-1262) + http://www.squirrelmail.org/security/issue/2007-05-09 + + -- Leonel Nunez Tue, 15 May 2007 18:49:35 -0600 + +squirrelmail (2:1.4.8-1) unstable; urgency=high + + * New upstream release + - Includes security fix: variable overwriting in compose.php + by logged-in user [CVE-2006-4019] + - Does not ship SquirrelMail developer's documentation anymore. + + * Remove duplicate content from README.locales. + + + -- Thijs Kinkhorst Fri, 11 Aug 2006 13:53:20 +0200 + +squirrelmail (2:1.4.7-1) unstable; urgency=low + + * New upstream bugfix release. + + Addresses some low-impact, theoretical or disputed security bugs, + for which the code is tightened just-in-case: + - Possible local file inclusion (Closes: #373731, CVE-2006-2842) + - XSS in search.php (Closes: #375782, CVE-2006-3174) + + Adds note to db-backend.txt about postgreSQL (Closes: #376605). + + * Checked for standards version to 3.7.2, no changes necessary. + * Update maintainer address. + + -- Thijs Kinkhorst Tue, 4 Jul 2006 14:49:23 +0200 + +squirrelmail (2:1.4.6-1) unstable; urgency=high + + * New upstream release. + * Includes the following security fixes: + - Fix IMAP command injection in sqimap_mailbox_select + with upstream patch. [CVE-2006-0377] (Closes: #354063) + - Fix possible XSS in MagicHTML, concerning the parsing + of u\rl and comments in styles. Internet Explorer + specific. [CVE-2006-0195] (Closes: #354062) + - Fix possible cross site scripting through the right_main + parameter of webmail.php. 
This now uses a whitelist of + acceptable values. [CVE-2006-0188] (Closes: #354064, #355424) + + + -- Thijs Kinkhorst Tue, 7 Mar 2006 14:56:06 +0100 + +squirrelmail (2:1.4.5+1.4.6rc1-1) experimental; urgency=low + + * Experimental package + * New upstream version: 1.4.6 Release Candidate 1 + Many bugfixes, amongst which the following Debian bugs: + + Works with newest PHP versions (Closes: #321565, #338649). + + Fixes line wrapping for unicode characters (Closes: #330372). + + Add support for limiting the length of the From address display + (Closes: #279682). + * Add Depends alternatives for PHP5. + * Add Suggests for squirrelmail-decode, the library with charset decoding + functions for complex and rare character sets. + * Upgrade debhelper compatibility to the recommended level 5. + * Add Homepage to package description. + * Move package building from the binary-arch to the binary-indep target + in debian/rules. + + -- Thijs Kinkhorst Sat, 10 Dec 2005 18:13:43 +0100 + +squirrelmail (2:1.4.5-2) unstable; urgency=low + + [ Jeroen van Wolffelaar ] + * Restore squirrelmail-configure manpage, accidently dropped in -1 + * Use debhelper compat level 4 + + [ Thijs Kinkhorst ] + * Drop obsolete symlink for attachment dir. + * Do not ship upstream README, which contains hardly any information + relevant to Debian. Extend README.Debian a bit. Thanks W. Borgert. + * Add years to copyright statement. + + -- Thijs Kinkhorst Mon, 15 Aug 2005 21:06:00 +0200 + +squirrelmail (2:1.4.5-1) unstable; urgency=low + + * New upstream release. (Closes: #319531) + Many bugfixes, including the following Debian bugs: + + Allows to use squirrelspell with PHP safe_mode (Closes: #220156). + + Has multiple alternatives for locale names (Closes: #269790). + + Option to set citation marker (Closes: #274595). + * Dropped a lot of patches incorporated upstream + * Add debian/watch file. + * If default_pref file does not exist under var, do not attempt to move it + to /etc (Closes: #309628). 
+ * Fix squirrelspell to read UTF8-encoded dictionary names correctly. + (Closes: #311338) + * Change Depends on squirrelmail-locales into Recommends; the depends + was created to ease woody -> sarge upgrades, now a recommendation is + sufficient (Closes: #319382). + * Update Standards-Version to 3.6.2, no changes necessary. + * Clean up rusty packaging. + * Add depends-alternative for libapache-mod-php4, to prevent installs that + have apache1 and libapache-mod-php4 but not the php4 meta package from + dragging in apache2 (Closes: #320993). + + -- Thijs Kinkhorst Wed, 3 Aug 2005 20:00:16 +0200 + +squirrelmail (2:1.4.4-6sarge1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Corrected the patch based on upstream input + [src/options_identities.php, CAN-2005-2095] + + -- Martin Schulze Mon, 11 Jul 2005 15:21:59 +0000 + +squirrelmail (2:1.4.4-6) stable-security; urgency=high + + * Security fix, hence high urgency. + * Apply patch provided by upstream to fix several cross site scripting + flaws [CAN-2005-1769] (Closes: #314374) + * Work around arbitrary variable injection via extract() [CAN-2005-2095] + (Closes: #317094) + + -- Thijs Kinkhorst Sat, 09 Jul 2005 11:57:20 +0200 + +squirrelmail (2:1.4.4-5) unstable; urgency=low + + * Add Suggests for imapproxy. + * Update README.Debian with documentation about the Recommends and + Suggests of this package. + * Add advice about setting default options for your specific IMAP server. + * Move fix for reloading signout.php from there to auth.php, because it + broke plug-ins. Patch from upstream CVS. (Closes: #304422) + * Correct spelling errors in Debian documentation. + * Change "no JavaScript" to "no JavaScript required" in the package + description because JavaScript can be used if available but is not + depended on. 
+ + -- Thijs Kinkhorst Sat, 9 Apr 2005 13:35:19 +0200 + +squirrelmail (2:1.4.4-4) unstable; urgency=low + + * Make use of dictionaries-common (when available) to auto-detect + spell checker settings (Closes: #283948) + * Change default recommended spell checker to ispell. + + -- Thijs Kinkhorst Sat, 26 Mar 2005 15:28:48 +0100 + +squirrelmail (2:1.4.4-3) unstable; urgency=low + + * Move default_pref config file from /var to /etc, as per Debian policy + (Closes: #293281) + * [JvW] (finally) override two lintian warnings about nonstandard + permissions that are intentional (Closes: #293366) + + -- Thijs Kinkhorst Sun, 6 Feb 2005 21:41:51 +0100 + +squirrelmail (2:1.4.4-2) unstable; urgency=low + + * Fix configtest.php to accept a non-readable data_dir, which is the + default Debian configuration + * [JvW] Depend on squirrelmail-locales, to ease upgrades woody->sarge + (Closes: #292490) + * Extend README.locales with information about the squirrelmail-locales + package and add hint that a restart of Apache might be needed + * Limit access to configtest.php to just localhost, to prevent + information leakage (Closes: #293133) + + -- Thijs Kinkhorst Tue, 1 Feb 2005 14:26:41 +0100 + +squirrelmail (2:1.4.4-1) unstable; urgency=high + + * New upstream version: 1.4.4 + + Security: Added hook for Preferences Backend to resolve potential + local file inclusion resulting in arbitrary code execution, warranting + high urgency [CAN-2005-0075] + + Security: Fix potential file inclusion issues in src/webmail.php. + [CAN-2005-0103] + + Security: Fix possible XSS issues in src/webmail.php. 
[CAN-2005-0104] + * Thijs Kinkhorst: Add missing docs to squirrelmail.docs file (Closes: + #289088) + + Thanks a lot to Thijs Kinkhorst who worked hard to get 1.4.4 released, and + helped tremendously with the packaging for Debian + + -- Jeroen van Wolffelaar Sat, 22 Jan 2005 23:33:16 +0100 + +squirrelmail (2:1.4.3a+1.4.4rc1-0exp1) experimental; urgency=low + + * Experimental package + * New upstream version: 1.4.4 Release Candidate 1 + + Fixes broken theme select box (Closes: #286374) + + Fixes wrong German translation (Closes: #282829) + + Fixes broken Unicode encoding (Closes: #270626) + + Fixes signout error when timed out (Closes: #275941) + + Removed several backported patches that are in 1.4.4 now + * Locales are not in the squirrelmail package anymore, but a separate + package, start to recommend it (squirrelmail-locales) + + -- Jeroen van Wolffelaar Mon, 3 Jan 2005 00:28:32 +0100 + +squirrelmail (2:1.4.3a-3) unstable; urgency=high + + * Fix security issue: a remote attacker can compromise an account by + sending a specially-crafted email containing JavaScript in a RFC2047 + encoded header [CAN-2004-1036] (Closes: #280591) + * Fix spelling mistake in the name of Thijs Kinkhorst in Uploaders + + -- Jeroen van Wolffelaar Tue, 16 Nov 2004 12:26:43 +0100 + +squirrelmail (2:1.4.3a-2) unstable; urgency=medium + + * Put myself as maintainer, and Sam Johnston as co-maintainer. Thijs + Kinkhorst will also keep assisting in this package, he's co-maintainer too + now. Thanks Sam, for the work you're putting into squirrelmail. 
+ * Checked for policy compliance with 3.6.1, no changes were needed, updated + Standards-Version + * Fix conf.pl detection of magic $domain contents (Closes: #271374) + * Default to use /etc/mailname if it exists as default domain, use + /etc/hostname only as fallback, as indicated by policy 11.6 (Mail + transport, delivery and user agents) + * cron.daily now checks whether the to-be-cleaned directory actually exists, + and exits gracefully if not (Closes: #272046) + * Now really fix the default apache.conf ssl-redirection example, also noted + that it's just that, an example, and might not always work (Closes: #267777) + + -- Jeroen van Wolffelaar Wed, 22 Sep 2004 00:59:48 +0200 + +squirrelmail (2:1.4.3a-1) unstable; urgency=low + + * Signed and incremented by maintainer on vacation. Closes: #255752. + * Updated SSL RewriteCond directive to resolve loop. Closes: #267777. + + -- Sam Johnston Tue, 24 Aug 2004 23:27:24 +1000 + +squirrelmail (2:1.4.3a-0.3) unstable; urgency=low + + * Non-Maintainer Upload in cooperation with Thijs Kinkhorst + * Applied patch from stable CVS that refuses to LOGIN (plaintext + IMAP-authentication) if the server advertises that is not supported, and + gives an appropriate error message (Closes: #266099) + * Don't put a newline in $domain in the default config + + -- Jeroen van Wolffelaar Thu, 19 Aug 2004 01:08:01 +0200 + +squirrelmail (2:1.4.3a-0.2) unstable; urgency=medium + + * Non-Maintainer Upload in cooperation with Thijs Kinkhorst + * [TK] Apply simple patch from upstream stable CVS fixing sending of + RFC-violating Message-ID's (class/deliver/Deliver.class.php + r1.18.2.11 & r1.18.2.12) + * Remove symlink in /var/www/ that kept being recreated, updated + README.Debian accordingly (Closes: #261102) + * Prevent dh_fixperms from resetting special permission of + /var/lib/squirrelmail/data/ and /var/spool/squirrelmail/attach/, so that + the buggy workaround in postinst can be removed (Closes: #263936) + * Suggests php4-pear now 
(useful for database-backed preferences and + addressbooks) + + -- Jeroen van Wolffelaar Fri, 13 Aug 2004 14:46:25 +0200 + +squirrelmail (2:1.4.3a-0.1) unstable; urgency=low + + * Non-Maintainer Upload in cooperation with Thijs Kinkhorst + , upstream SquirrelMail developer + * Reverted away from the development branch to the stable branch + (Closes: #232995) + - This re-introduces the translations (Closes: #232944) + - Experimental mailbox-tree code is 1.5.x only (Closes: #231687, #233550, + also closes: #250411) + - imap_general experimental code was buggy in 1.5.0 only (Closes: #246097) + - A buggy CRAM-MD5 check was 1.5.0 only too (Closes: #239566) + * New upstream + * Backport fix that was already in the 1.5.0 package fixing RFC3501 + compliance for mailbox naming, keeping #176590 and #215183 closed + (by Thijs, he committed it in upstream CVS on the 1.4 branch as + functions/imap_mailbox.php 1.172.2.11) + * Prefer apache2 and its php4 module in the Depends + (Closes: #250303, #251656) + * Dropped dependency on php4-pear, and added a proper error when using the + preferences/addressbook-in-database feature suggesting to install it + * Turn register_globals off for SquirrelMail, rather than on, since this is + supported (even recommended) for nowaday's SquirrelMail + * Add debhelper tokens to the postinst and postrm, this removes the now + needless debconf purge on package purge, and the debconf dependency + * On purge, remove user data in /var/{lib,spool}/squirrelmail too + * Stop distributing UPGRADE and a duplicate copy of the upstream changelog + * In README, tell about README.Debian instead of referring to 'INSTALL' + * The README.Debian is more clear about configuring with Apache + * Update 'copyright' file with general download location and correct the + copyright holder to "The SquirrelMail Project Team". 
+ * In index.html, have proper (though still not complete) references to + available documents in /usr/share/doc/squirrelmail (Closes: #246722) + * Removed bogus 'Closes' line in last changelog entry + + -- Jeroen van Wolffelaar Tue, 22 Jun 2004 19:37:36 +0200 + +squirrelmail (1:1.5.0-1) unstable; urgency=low + + * New upstream release. + * RFC3501 compliance for mailbox naming (eg trailing spaces). + Closes: #176590, #215183. + * Adds a squirrelmail symlink in /var/www/. Closes: #229282. + * Adds PHP safe_mode workaround to README.Debian. Closes: #222071. + * Adds daily cron job to clean attachments directory. Closes: #228400. + * Checks for config_default.php before copying in postinst. + Closes: #229737. + + -- Sam Johnston Wed, 4 Feb 2004 01:42:12 +1100 + +squirrelmail (1:1.4.2-1) unstable; urgency=medium + + * New upstream release. Closes: #204058. + * Significant improvements over (broken) 1.4.0-1 package. + * PHP compatability fixes. Closes: #202368. + * conf.pl corrupts theme paths issue resolved. + Closes: #175773, #180108, #188441, #190315, #190923, #191028. + * Backwards compatible with stripped path themes (previous debs). + * Highlighting issue (1.4.0) resolved. Closes: #188631. + * Rendering issues with problem emails resolved. Closes: #205572. + * Resource utilisation improvements. Closes: #191856, #189602. + * README reference to upstream INSTALL document updated. + Closes: #173367, 178951. + * All known XSS exploits resolved. Closes: #167471. + * Folder list refreshes on login. Closes: #165753. + * $domain variable set to contents of /etc/hostname. Closes: #198747. + * Trims of HTTP_HOST port number for use in SMTP HELO. Closes: #200108. + * Fails gracefully when IMAP server unavailable. Closes: #192239. + * Recommends rather than depends on spell checker. Closes: #193680. + * DirectoryIndex directive added to apache.conf. Closes: #201022. + * Plugin config(s) moved to /etc. Closes: #146416. 
+ * Properly handles accents and tildes in To:, Subject: etc headers. + Closes: #150338, #179166. + * No (broken) 'Save' button in printable version. Closes: #185602. + * Removes /usr/share/squirrelmail/data iff is is a symbolic link. + Closes: #188143. + * Resolves policy violation by replacing conf.pl (executable in /etc) + with a symlink to /usr/sbin/squirrelmail-configure. Closes: #163995. + + -- Sam Johnston Mon, 6 Oct 2003 07:44:12 +1000 + +squirrelmail (1:1.4.0-1) unstable; urgency=low + + * New upstream release. Closes: #179864, 134237. + * Resolves XSS security issues. Closes: #182008. + * Resolves default theme login problem. Closes: #174262. + * conf.pl cwd calls hardwired. Closes: #173516. + * conf.pl no longer breaks existing configs. Closes: #175773. + * blank lines no longer removed by compose.php. Closes: #175842. + * proto checking more robust. Closes: #178130. + * uses /etc/mailname instead of mydomain.com. Closes: #181619, 176777. + * added https redirect to example apache.conf. Closes: #172938. + * depends on php4-pear. Closes: #173256. + * indent problem resolved. Closes: #186506. + * no longer creates data symlink, removes existing. Closes: #181537. + * default_pref is a conffile - no longer written over. Closes: #178815. + + -- Sam Johnston Tue, 8 Apr 2003 02:06:40 +1000 + +squirrelmail (1:1.3.2+1.4.0rc1-1) unstable; urgency=low + + * New upstream release candidate + + -- Sam Johnston Thu, 2 Jan 2003 09:03:47 +1100 + +squirrelmail (1:1.3.2-2) unstable; urgency=high + + * Fixed cross site scripting problem in read_body.php (BugTraq ID 6302, + CAN-2002-1341) + + -- Sam Johnston Sun, 22 Dec 2002 03:56:23 +1100 + +squirrelmail (1:1.3.2-1) unstable; urgency=low + + * New upstream release - tracking development + * Removed debconf/wwwconfig scripts. Closes: #164605, #136612, #137165. + * Fixed dependencies (php4-cgi httpd). Closes: #152062, #152882. + * Japanese patch included upstream. Closes: #159454. + * Folder rename issue resolved upstream. 
Closes: #166297. + * display_messages doc root issue resolved upstream. Closes: #165103. + + -- Sam Johnston Thu, 7 Nov 2002 12:02:23 +1100 + +squirrelmail (1:1.2.8-1) unstable; urgency=low + + * New upstream release + + -- Sam Johnston Mon, 7 Oct 2002 23:37:40 +1000 + +squirrelmail (1:1.2.7-1) unstable; urgency=low + + * New upstream release + + -- Sam Johnston Mon, 24 Jun 2002 01:08:23 +1000 + +squirrelmail (1:1.2.6-1) unstable; urgency=high + + * New upstream *SECURITY* release + * Resolves local unprivileged exploit. Closes: #144496. + * Adds README.locales with information about languages. Closes #143277. + * Resolves typo in conf.pl (Save data repeated). Closes: #140506. + * Adds russian templates for debconf. Closes #136612, #137165. + + -- Sam Johnston Tue, 30 Apr 2002 18:53:46 +1000 + +squirrelmail (1:1.2.5-1) unstable; urgency=low + + * New upstream release. Closes: #138181. + * Fixed typo in debconf template. Closes: #131755. + * Installs default config_default.php file on new installations. + Closes: #136776. + + -- Sam Johnston Tue, 19 Mar 2002 01:51:08 +1100 + +squirrelmail (1:1.2.4-1) unstable; urgency=high + + * New upstream *SECURITY* release + * Fixes remote exploit in squirrelspell plugin. Closes: #130754. + + -- Sam Johnston Sat, 26 Jan 2002 06:22:30 +1100 + +squirrelmail (1:1.2.3-2) unstable; urgency=low + + * Resolves theme path issue (themes work again). Closes: #129406. + + -- Sam Johnston Thu, 24 Jan 2002 03:46:14 +1100 + +squirrelmail (1:1.2.3-1) unstable; urgency=medium + + * New upstream release + + -- Sam Johnston Wed, 23 Jan 2002 03:12:34 +1100 + +squirrelmail (1:1.2.2.20020116-1) unstable; urgency=low + + * New upstream release (tracking CVS due to problems with releases, PHP + 4.1 migration, etc.) Closes: #128228. + * Fixes typo in the control file (description). Closes: #129350. + * Uses php_flags syntax for register_globals workaround. + Closes: #128226. 
+ * Resolves conf.pl hanging problem by calling db_stop from maintainer + scripts when debconf is finished with. Closes: #128142. + * Various fixes to keep lintian happy + + -- Sam Johnston Thu, 17 Jan 2002 02:49:05 +1100 + +squirrelmail (1:1.2.2-2) unstable; urgency=medium + + * Added support for apache-ssl. SSL (not necessarily apache-ssl) is + recommended for all installations which involve sessions over untrusted + networks as passwords are sent in clear text, and message contents + may be confidential. Closes: #114545, #115140. + * Added preliminary debconf support for selecting webserver type for + autoconfiguration (we can set up PHP, and #include the SquirrelMail + apache.conf file in most cases, avoiding the need for any manual + changes). Closes: #125590. + + -- Sam Johnston Wed, 2 Jan 2002 17:23:56 +1100 + +squirrelmail (1:1.2.2-1) unstable; urgency=medium + + * New upstream release + * Resolved problem finding plugins by replacing relative plugin dir + references with absolute references. Closes: #115163. + * Resolved problem finding themes by removing relative themes dir + (unnecessarily included in each theme definition), instead hardcoding + it in the php script(s) which reference themes. Closes: #116285. + * Resolved conf.pl problems preventing it from being executed from + outside the squirrelmail dir by referencing /etc/squirrelmail. + Closes: #119859. + * Suggests imap-server. Does not depend as many (most?) sites will/ + should be running SM on a separate machine. Feedback about this + decision welcome. Closes: #114543. + * Suggests ispell | aspell as SquirrelSpell is now included in the + main distribution. The sqspell config file is now a conffile to + prevent overwrites. 
+ + -- Sam Johnston Wed, 2 Jan 2002 15:20:07 +1100 + +squirrelmail (1:1.2.0-1) unstable; urgency=low + + * New upstream release + * Plugin detection/symlink problem in conf.pl fixed + * Merry Christmas + + -- Sam Johnston Tue, 25 Dec 2001 18:31:05 +1100 + +squirrelmail (1.2.0-rc3-2) unstable; urgency=low + + * Edited apache configuration to resolve 404 errors. There is some + discussion upstream about incompatibilities between SM and PHP + 4.1.0, including a discussion about get_location returning null + so I expect these issues will be resolved by the (christmas day) + release of 1.2.0. Closes #125866. + + -- Sam Johnston Thu, 20 Dec 2001 11:37:00 +1100 + +squirrelmail (1.2.0-rc3-1) unstable; urgency=low + + * New upstream release + * Fixed up description formatting problem. Closes: #114871 + * Removed require_once patches applied in rc2-2. Fixed upstream. + * Fixed password parsing problem. Closes: #115225 + * Speed improvements and optimisations + * Several plugins integrated into the core or added as 'official' + * New paginator, rewrite of option pages code, etc. + + -- Sam Johnston Sun, 16 Dec 2001 23:53:36 +1100 + +squirrelmail (1.2.0-rc2-3) unstable; urgency=low + + * Created a fairly intelligent script for packaging up plugins. + It goes by the name of smpackage and it lives in the examples + directory, for want of a better home. + * Uploaded 40-something libsquirrelmail-* plugin packages. Enjoy. 
+ + -- Sam Johnston Mon, 8 Oct 2001 03:16:24 +1000 + +squirrelmail (1.2.0-rc2-2) unstable; urgency=low + + * Resolved problems with redeclaring functions by replacing include()s + with require_once()s + * Closes: 114531 + + -- Sam Johnston Fri, 5 Oct 2001 18:18:53 +1000 + +squirrelmail (1.2.0-rc2-1) unstable; urgency=low + + * New upstream release + + -- Sam Johnston Wed, 3 Oct 2001 00:08:20 +1000 + +squirrelmail (1.0.6-2) unstable; urgency=low + + * Added support to conf.pl for automated plugin installation and removal + + -- Sam Johnston Tue, 2 Oct 2001 22:15:25 +1000 + +squirrelmail (1.0.6-1) unstable; urgency=low + + * Initial Release + * Kudos to Bart Bunting for his initial work on packaging + squirrelmail + * Closes #86125 + + -- Sam Johnston Tue, 2 Oct 2001 21:39:10 +1000 + +vim: et --- squirrelmail-1.4.8.orig/debian/squirrelmail.postinst +++ squirrelmail-1.4.8/debian/squirrelmail.postinst 
@@ -0,0 +1,58 @@
+#!/bin/sh
+# postinst script for squirrelmail
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see /usr/share/doc/packaging-manual/
+#
+# quoting from the policy:
+# Any necessary prompting should almost always be confined to the
+# post-installation script, and should be protected with a conditional
+# so that unnecessary prompting doesn't happen if a package's
+# installation fails and the `postinst' is called with `abort-upgrade',
+# `abort-remove' or `abort-deconfigure'.
+
+case "$1" in
+ configure)
+ # 20021107 debconf/wwwconfig removed
+
+ # remove data symlink as per bug 181537
+ [ -L /usr/share/squirrelmail/data ] && rm -f /usr/share/squirrelmail/data
+
+ if [ ! -f /etc/squirrelmail/config.php ]; then
+ # /etc/squirrelmail/conf.pl # debconf messes with FDs which breaks conf.pl
+ if [ -f /etc/squirrelmail/config_default.php ]; then
+ echo "Installing default squirrelmail config."
+ cp /etc/squirrelmail/config_default.php /etc/squirrelmail/config.php
+ else
+ echo "Default squirrelmail config (config_default.php) not found."
+ fi
+ fi
+ echo "Run /usr/sbin/squirrelmail-configure as root to configure/upgrade config."
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+#DEBHELPER#
+#
+
--- squirrelmail-1.4.8.orig/debian/squirrelmail.manpages
+++ squirrelmail-1.4.8/debian/squirrelmail.manpages
@@ -0,0 +1 @@
+debian/squirrelmail-configure.8
--- squirrelmail-1.4.8.orig/debian/squirrelmail.dirs
+++ squirrelmail-1.4.8/debian/squirrelmail.dirs
@@ -0,0 +1,5 @@ +etc/squirrelmail +usr/share/squirrelmail +usr/sbin +var/spool/squirrelmail/attach +var/lib/squirrelmail/data --- squirrelmail-1.4.8.orig/debian/squirrelmail.docs +++ squirrelmail-1.4.8/debian/squirrelmail.docs @@ -0,0 +1,13 @@ +README.locales +AUTHORS +ReleaseNotes +doc/russian_apache.txt +doc/authentication.txt +doc/db-backend.txt +doc/ie_ssl.txt +doc/index.html +doc/presets.txt +doc/security.txt +doc/themes.txt +doc/translating.txt +doc/translating_help.txt --- squirrelmail-1.4.8.orig/debian/compat +++ squirrelmail-1.4.8/debian/compat @@ -0,0 +1 @@ +5 --- squirrelmail-1.4.8.orig/debian/squirrelmail.lintian +++ squirrelmail-1.4.8/debian/squirrelmail.lintian @@ -0,0 +1,2 @@ +non-standard-dir-perm var/spool/squirrelmail/attach/ 0730 != 0755 +non-standard-dir-perm var/lib/squirrelmail/data/ 0730 != 0755 --- squirrelmail-1.4.8.orig/debian/README.Debian +++ squirrelmail-1.4.8/debian/README.Debian 
@@ -0,0 +1,142 @@ +SquirrelMail for Debian +======================= + +Contents of this file: +0. IMAP Server SquirrelMail runs on top of almost any IMAP server +1. Apache Configuring Apache with SquirrelMail +2. Virtual Hosts How to make a virtual host like webmail.example.com +3. Other Webservers Configuring other webservers with SquirrelMail +4. Security Some security considerations +5. Default Preferences New location for default user preferences file +6. Recommended packages Other packages that can be useful with SquirrelMail +7. Getting help Still having trouble? Here's where to go. + +IMAP Server +=========== + +SquirrelMail needs an IMAP server to authorise users and access their +mailboxes. It does not run on a POP3 server. Almost any server supporting +IMAP4 will do (see the imap-server virtual package for references to +IMAP servers packaged for Debian). For optimal behaviour of SquirrelMail +it is important that you set the predefined setting for your IMAP server +in squirrelmail-configure through the "D" option in the main menu. + +For performance reasons it's wise to have 'server side sorting' set to on +in your SquirrelMail configuration if your IMAP server supports it (almost +all modern do). + + +Apache +====== + +If you want to use squirrelmail with apache, it is recommended to modify +/etc/squirrelmail/apache.conf to your own wishes, and then add a symlink to +that file from /etc/apache{,-ssl,-perl,2}/conf.d, like: + + $ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf + +Alternatively, you could also 'Include' the configuration file in the relevant +apache configuration file(s). + + +Virtual Hosts +============= + +Note that users will prefer a simple URL like http://webmail.example.com +I recommend you set this functionality up even if only so if you ever +choose to use another webmail package you don't have to change the URL. 
+There are some example Apache directives in /etc/squirrelmail/apache.conf + + +Other webservers +================ + +You need to create an alias in your web server pointing: + +http://localhost/squirrelmail/ + +at /usr/share/squirrelmail/, then log in using your IMAP credentials. +Adding a symlink in your webroot may be all you need. + + +Security +======== + +HTTPS is also recommended, to prevent passwords and other sensitive +information being sent over the Internet in the clear. Most modern web +servers support SSL, but configuring it is left as an exercise for the +reader. + +STARTTLS is neither supported nor recommended as SM creates many IMAP +sessions. You should use a persistent tunnel (e.g. SSH port forwarding) and/or +an IMAP proxy. + +PHP safe_mode is not supported out of the box due to root:root ownerships. +You may be able to work around this limitation by changing the group of +the files in /usr/share/squirrelmail to the web server group (www-data). i.e.: + + chgrp -R www-data /usr/share/squirrelmail/ + + +Default preferences +=================== + +In squirrelmail 1.4.4-3, the default preferences file has moved from +/var/lib/squirrelmail/data/default_pref to /etc/squirrelmail/default_pref + +Usually, on upgrade your config file should be moved, but in some cases, this +might fail. If both files exist, the /var/lib/squirrelmail one takes +precedence! + + +Recommended and Suggested Packages +================================== + +The SquirrelMail Debian package recommends or suggests the following other +Debian packages. Here's a summary of what value they might add to your +installation: + +- squirrelmail-locales: Translations of SquirrelMail. + If you only want the English language you don't need this, but if you + want your users to select a different translation, install this package. + +- squirrelmail-decode: Extra decoding routines for complex character sets. 
+ This extra decoding library provides support for some complex Eastern + character sets and some rarely used Apple character sets. Only needed if + your users actually receive messages encoded with these charsets. + +- ispell | aspell: This is needed for the SquirrelSpell spell checking + plug-in to work. If you have the choice, choose ispell since that's + automatically configured using dictionaries-common. + +- imap-server: this is of course needed for SquirrelMail to access mailboxes, + but is not a hard depend since the IMAP server can be on a different host. + +- php4-pear: you need this package only if you want to store user preferences + or address books in an SQL database. + +- imapproxy: since SquirrelMail is a web application, it needs to reconnect + to the IMAP server on each page load. On heavily loaded sites, this can be + a problem; use the excellent imapproxy package to cache connections between + page requests and reduce the load on your IMAP server. + + +Where to get help +================= + +The first stop would be the SquirrelMail website: http://www.squirrelmail.org +It has frequently asked questions, tutorials for specific setups and other +troubleshooting hints. + +Still need help? You could check out the +squirrelmail-users@lists.sourceforge.net mailinglist, or the #squirrelmail IRC +channel on irc.freenode.net. Seasoned users and developers regularly hang out +there. + +Found a bug or have a wishlist item? In Debian, you can check existing reports +at http://bugs.debian.org/squirrelmail and report new issues through the +"reportbug" utility. + + + +$Id: README.Debian 203 2005-11-21 18:38:13Z kink $ --- squirrelmail-1.4.8.orig/debian/copyright +++ squirrelmail-1.4.8/debian/copyright 
@@ -0,0 +1,32 @@
+This package was debianized by Sam Johnston on
+Fri, 14 Sep 2001 18:28:01 +1000. Current maintainer is Jeroen van
+Wolffelaar with co-maintainers Thijs
+Kinkhorst and Sam Johnston .
+
+It was downloaded from http://www.squirrelmail.org/download.php
+
+Upstream Authors: The SquirrelMail Project Team
+
+Copyright:
+
+ Copyright (C) 1999-2006 The SquirrelMail Project Team
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+
+On Debian GNU/Linux systems, the complete text of the GNU General Public
+License can be found in the `/usr/share/common-licenses' directory.
+
+The Debian packaging of SquirrelMail is licenced under the same terms
+as SquirrelMail itself.
--- squirrelmail-1.4.8.orig/debian/squirrelmail.cron.daily
+++ squirrelmail-1.4.8/debian/squirrelmail.cron.daily
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+test -d /var/spool/squirrelmail/attach || exit 0
+
+cd /var/spool/squirrelmail/attach
+
+find \
+ -maxdepth 1 \
+ -xdev \
+ -type f \
+ \! -name '*.*' \
+ \! -name '*_*' \
+ -atime +2 \
+ -print0 \
+| xargs \
+ -0 \
+ --no-run-if-empty \
+ rm --
+
--- squirrelmail-1.4.8.orig/config/conf.pl
+++ squirrelmail-1.4.8/config/conf.pl
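Review bot: `find \` is invoked without a starting path, which GNU find accepts (it defaults to `.`) but POSIX find does not, so the job silently depends on findutils being the implementation; write `find . \` so the intent is explicit and the script stays portable. The `-atime +2` test keys on access time, which is not updated on filesystems mounted `noatime` and only coarsely under `relatime`; if the intent is "remove leftovers older than two days" then `-mtime +2` is the dependable test, and if atime was chosen deliberately so that attachments still being read survive, that reasoning deserves a comment above the `find`. Exiting early when the directory is absent and the `--no-run-if-empty` guard are both fine.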
@@ -38,15 +38,16 @@
 # (the Basename stuff above will sometimes return '.' as
 # the base directory, which is not helpful here).
 ############################################################
-use Cwd;
-$dir = cwd();
+#use Cwd;
+#$dir = cwd();
+$dir = '/usr/share/squirrelmail/config';
 ############################################################
 # First, lets read in the data already in there...
 ############################################################
-if ( -e "config.php" ) {
- open( FILE, "config.php" );
+if ( -e "/etc/squirrelmail/config.php" ) {
+ open( FILE, "/etc/squirrelmail/config.php" );
 while ( $line = ) {
 $line =~ s/^\s+//;
 $line =~ s/^\$//;
@@ -97,9 +98,9 @@
 }
 $config = 1;
- open( FILE, "config.php" );
-} elsif ( -e "config_default.php" ) {
- open( FILE, "config_default.php" );
+ open( FILE, "/etc/squirrelmail/config.php" );
+} elsif ( -e "/etc/squirrelmail/config_default.php" ) {
+ open( FILE, "/etc/squirrelmail/config_default.php" );
 while ( $line = ) {
 $line =~ s/^\s+//;
 $line =~ s/^\$//;
@@ -149,7 +150,7 @@
 $print_config_version = $config_version;
 }
 $config = 2;
- open( FILE, "config_default.php" );
+ open( FILE, "/etc/squirrelmail/config_default.php" );
 } else {
 print "No configuration file found. Please get config_default.php\n";
 print "or config.php before running this again. This program needs\n";
@@ -179,8 +180,13 @@
 $sub = $options[0];
 $sub =~ s/\]\[['|"]PATH['|"]\]//;
 $sub =~ s/.*\[//;
- if ( -e "../themes" ) {
+ if ( -e "/usr/share/squirrelmail/themes" ) {
 $options[1] =~ s/^\.\.\/config/\.\.\/themes/;
+ $options[1] =~ s/^SM_PATH \. \'config/\.\.\/themes/;
+ if ( $options[1] !~ /\// ) {
+ # no path information courtesy early debs
+ $options[1] = '../themes/' . $options[1];
+ }
 }
 $theme_path[$sub] = &change_to_rel_path($options[1]);
 } elsif ( $options[0] =~ /^theme\[[0-9]+\]\[['|"]NAME['|"]\]/ ) {
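Review bot: `#use Cwd;` and `#$dir = cwd();` are left in as commented-out code above the new `$dir = '/usr/share/squirrelmail/config';`; delete them rather than comment them out — the patch itself records what was replaced — and say why the path is fixed instead, e.g. `# Debian: conf.pl is installed outside the config dir, so $dir cannot be derived from cwd()`. The literal `/etc/squirrelmail/` is then repeated in the `-e` test and the `open()` on the next lines and again in the -97 and -149 hunks; a single `my $config_dir = '/etc/squirrelmail';` near the top would keep the six occurrences in step. The `open( FILE, ... )` calls still have no error check, but that is pre-existing code rather than something this change introduces.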
@@ -545,12 +551,12 @@
 print " $num. $plugins[$count]\n";
 }
 print "\n Available Plugins:\n";
- opendir( DIR, "../plugins" );
+ opendir( DIR, "/usr/share/squirrelmail/plugins" );
 @files = readdir(DIR);
 $pos = 0;
 @unused_plugins = ();
 for ( $i = 0 ; $i <= $#files ; $i++ ) {
- if ( -d "../plugins/" . $files[$i] && $files[$i] !~ /^\./ && $files[$i] ne "CVS" ) {
+ if ( -d "/usr/share/squirrelmail/plugins/" . $files[$i] && $files[$i] !~ /^\./ && $files[$i] ne "CVS" ) {
 $match = 0;
 for ( $k = 0 ; $k <= $#plugins ; $k++ ) {
 if ( $plugins[$k] eq $files[$i] ) {
@@ -2315,8 +2321,6 @@
 $name = ;
 $name =~ s/[\r|\n]//g;
 $theme_name[ $#theme_name + 1 ] = $name;
- print "Be sure to put ../themes/ before the filename.\n";
- print "What file is this stored in (ex: ../themes/default_theme.php): ";
 $name = ;
 $name =~ s/[\r|\n]//g;
 $theme_path[ $#theme_path + 1 ] = $name;
@@ -2350,7 +2354,7 @@
 } elsif ( $input =~ /^\s*t\s*/i ) {
 print "\nStarting detection...\n\n";
- opendir( DIR, "../themes" );
+ opendir( DIR, "/usr/share/squirrelmail/themes" );
 @files = grep { /\.php$/i } readdir(DIR);
 $cnt = 0;
 while ( $cnt <= $#files ) {
@@ -2376,7 +2380,7 @@
 print "\n";
 for ( $cnt = 0 ; $cnt <= $#theme_path ; $cnt++ ) {
 $filename = $theme_path[$cnt];
- if ( !( -e $filename ) ) {
+ if ( !( -e '/usr/share/squirrelmail/themes/' . $filename ) ) {
 print " Removing $filename (file not found)\n";
 $offset = 0;
 @new_theme_name = ();
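Review bot: In the -2315 hunk both `print` statements that prompted for the theme file are removed, but the read that follows them (`$name = ;` here, with its filehandle lost in this rendering) is kept, so after typing a theme name the user sits at a blank line with no indication that a second value is expected. Keep a prompt that matches the Debian layout, e.g. `print "What file is this stored in (relative to /usr/share/squirrelmail/themes, ex: default_theme.php): ";`, which is consistent with the -2376 hunk now testing existence as `'/usr/share/squirrelmail/themes/' . $filename`. The input loop this sits in starts and ends outside the hunk.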
@@ -2976,7 +2980,7 @@
 sub save_data {
 $tab = " ";
- if ( open( CF, ">config.php" ) ) {
+ if ( open( CF, ">/etc/squirrelmail/config.php" ) ) {
 print CF "
+ php_flag register_globals off
+ Options Indexes FollowSymLinks
+
+ DirectoryIndex index.php
+
+
+ # access to configtest is limited by default to prevent information leak
+
+ order deny,allow
+ deny from all
+ allow from 127.0.0.1
+
+
+
+# users will prefer a simple URL like http://webmail.example.com
+#
+# DocumentRoot /usr/share/squirrelmail
+# ServerName webmail.example.com
+#
+
+# redirect to https when available (thanks omen@descolada.dartmouth.edu)
+#
+# Note: There are multiple ways to do this, and which one is suitable for
+# your site's configuration depends. Consult the apache documentation if
+# you're unsure, as this example might not work everywhere.
+#
+#
+#
+#
+# RewriteEngine on
+# RewriteCond %{HTTPS} !^on$ [NC]
+# RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
+#
+#
+#
+
--- squirrelmail-1.4.8.orig/config/config_default.php
+++ squirrelmail-1.4.8/config/config_default.php
@@ -115,7 +115,7 @@
 * Example: In bob@example.com, example.com is the domain.
 * @global string $domain
 */
-$domain = 'example.com';
+$domain = trim(implode('', file('/etc/'.(file_exists('/etc/mailname')?'mail':'host').'name')));
 /**
 * Time offset inversion
@@ -453,13 +453,13 @@
 * are two examples:
 *
 * Absolute:
- * $data_dir = '/usr/local/squirrelmail/data/';
+ * $data_dir = '/var/lib/squirrelmail/data/';
 *
 * Relative (to main SM directory):
 * $data_dir = SM_PATH . 'data/';
 * @global string $data_dir
 */
-$data_dir = SM_PATH . 'data/';
+$data_dir = '/var/lib/squirrelmail/data/';
 /**
 * Attachments directory
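Review bot: `$domain = trim(implode('', file('/etc/'.(file_exists('/etc/mailname')?'mail':'host').'name')));` in the -115 hunk has no fallback when /etc/mailname is absent and /etc/hostname is missing or unreadable: `file()` then returns false with a warning, `implode()` receives a non-array and, depending on the PHP version, warns or throws, and `$domain` — which the comment above says is the domain part of addresses — ends up empty. Resolve the path first and keep the upstream default as the fallback, e.g. `$sDomainFile = file_exists('/etc/mailname') ? '/etc/mailname' : '/etc/hostname';` / `$domain = is_readable($sDomainFile) ? trim(implode('', file($sDomainFile))) : 'example.com';`. `file()` keeps the trailing newline, so the `trim()` is doing real work and should stay.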
@@ -477,7 +477,7 @@
 * + It should probably be another directory than data_dir.
 * @global string $attachment_dir
 */
-$attachment_dir = $data_dir;
+$attachment_dir = '/var/spool/squirrelmail/attach/';
 /**
 * Hash level used for data directory.
--- squirrelmail-1.4.8.orig/functions/mime.php
+++ squirrelmail-1.4.8/functions/mime.php
@@ -349,8 +349,10 @@
 translateText($body, $wrap_at,
 $body_message->header->getParameter('charset'));
 } else {
+ $charset = $body_message->header->getParameter('charset');
+ if (!empty($charset))
+ $body = charset_decode($charset,$body,false,true);
 $body = magicHTML($body, $id, $message, $mailbox);
- $body = charset_decode($body_message->header->getParameter('charset'),$body,false,true);
 }
 } else {
 translateText($body, $wrap_at,
@@ -477,6 +479,11 @@
 if ($where && $what) {
 $defaultlink .= '&where='. urlencode($where).'&what='.urlencode($what);
 }
+ // IE does make use of mime content sniffing. Forcing a download
+ // prohibit execution of XSS inside an application/octet-stream attachment
+ if ($type0 == 'application' && $type1 == 'octet-stream') {
+ $defaultlink .= '&absolute_dl=true';
+ }
 /* This executes the attachment hook with a specific MIME-type.
 * If that doesn't have results, it tries if there's a rule
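Review bot: The new `if ($type0 == 'application' && $type1 == 'octet-stream')` test in the -477 hunk of mime.php is case-sensitive, while MIME type tokens are case-insensitive; unless `$type0`/`$type1` are already lower-cased where the header is parsed (not visible here), a differently cased Content-Type bypasses the forced download. Compare with `strtolower($type0) == 'application' && strtolower($type1) == 'octet-stream'` or `strcasecmp()`. The comment above it also needs its verb fixed and should state the scope of the mitigation: `// prohibits execution of script inside an application/octet-stream attachment; other types are still served inline and rely on the browser honouring the declared type`.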
@@ -1018,6 +1025,84 @@
 }
 }
+ /**
+ * Translate all dangerous Unicode or Shift_JIS characters which are accepted by
+ * IE as regular characters.
+ *
+ * @param attvalue The attribute value before dangerous characters are translated.
+ * @return attvalue Nothing, modifies a reference value.
+ * @author Marc Groot Koerkamp.
+ */
+function sq_fixIE_idiocy(&$attvalue) {
+ // remove NUL
+ $attvalue = str_replace("\0", "", $attvalue);
+ // remove comments
+ $attvalue = preg_replace("/(\/\*.*?\*\/)/","",$attvalue);
+
+ // IE has the evil habit of accepting every possible value for the attribute expression
+ // The table below contains characters which are parsed by IE if they are used in the "expression"
+ // attribute value.
+ $aDangerousCharsReplacementTable = array(
+ array('ʟ', 'ʟ' ,/* L UNICODE IPA Extension */
+ 'ʀ', 'ʀ' ,/* R UNICODE IPA Extension */
+ 'ɴ', 'ɴ' ,/* N UNICODE IPA Extension */
+ 'E', 'E' ,/* Unicode FULLWIDTH LATIN CAPITAL LETTER E */
+ 'e', 'e' ,/* Unicode FULLWIDTH LATIN SMALL LETTER E */
+ 'X', 'X',/* Unicode FULLWIDTH LATIN CAPITAL LETTER X */
+ 'x', 'x',/* Unicode FULLWIDTH LATIN SMALL LETTER X */
+ 'P', 'P',/* Unicode FULLWIDTH LATIN CAPITAL LETTER P */
+ 'p', 'p',/* Unicode FULLWIDTH LATIN SMALL LETTER P */
+ 'R', 'R',/* Unicode FULLWIDTH LATIN CAPITAL LETTER R */
+ 'r', 'r',/* Unicode FULLWIDTH LATIN SMALL LETTER R */
+ 'S', 'S',/* Unicode FULLWIDTH LATIN CAPITAL LETTER S */
+ 's', 's',/* Unicode FULLWIDTH LATIN SMALL LETTER S */
+ 'I', 'I',/* Unicode FULLWIDTH LATIN CAPITAL LETTER I */
+ 'i', 'i',/* Unicode FULLWIDTH LATIN SMALL LETTER I */
+ 'O', 'O',/* Unicode FULLWIDTH LATIN CAPITAL LETTER O */
+ 'o', 'o',/* Unicode FULLWIDTH LATIN SMALL LETTER O */
+ 'N', 'N',/* Unicode FULLWIDTH LATIN CAPITAL LETTER N */
+ 'n', 'n',/* Unicode FULLWIDTH LATIN SMALL LETTER N */
+ 'L', 'L',/* Unicode FULLWIDTH LATIN CAPITAL LETTER L */
+ 'l', 'l',/* Unicode FULLWIDTH LATIN SMALL LETTER L */
+ 'U', 'U',/* Unicode FULLWIDTH LATIN CAPITAL LETTER U */
+ 'u', 'u',/* Unicode FULLWIDTH LATIN SMALL LETTER U */
+ 'ⁿ', 'ⁿ' ,/* Unicode SUPERSCRIPT LATIN SMALL LETTER N */
+ "\xEF\xBC\xA5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER E */ // in unicode this is some Chinese char range
+ "\xEF\xBD\x85", /* Shift JIS FULLWIDTH LATIN SMALL LETTER E */
+ "\xEF\xBC\xB8", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER X */
+ "\xEF\xBD\x98", /* Shift JIS FULLWIDTH LATIN SMALL LETTER X */
+ "\xEF\xBC\xB0", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER P */
+ "\xEF\xBD\x90", /* Shift JIS FULLWIDTH LATIN SMALL LETTER P */
+ "\xEF\xBC\xB2", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER R */
+ "\xEF\xBD\x92", /* Shift JIS FULLWIDTH LATIN SMALL LETTER R */
+ "\xEF\xBC\xB3", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER S */
+ "\xEF\xBD\x93", /* Shift JIS FULLWIDTH LATIN SMALL LETTER S */
+ "\xEF\xBC\xA9", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER I */
+ "\xEF\xBD\x89", /* Shift JIS FULLWIDTH LATIN SMALL LETTER I */
+ "\xEF\xBC\xAF", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER O */
+ "\xEF\xBD\x8F", /* Shift JIS FULLWIDTH LATIN SMALL LETTER O */
+ "\xEF\xBC\xAE", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER N */
+ "\xEF\xBD\x8E", /* Shift JIS FULLWIDTH LATIN SMALL LETTER N */
+ "\xEF\xBC\xAC", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER L */
+ "\xEF\xBD\x8C", /* Shift JIS FULLWIDTH LATIN SMALL LETTER L */
+ "\xEF\xBC\xB5", /* Shift JIS FULLWIDTH LATIN CAPITAL LETTER U */
+ "\xEF\xBD\x95", /* Shift JIS FULLWIDTH LATIN SMALL LETTER U */
+ "\xE2\x81\xBF", /* Shift JIS FULLWIDTH SUPERSCRIPT N */
+ "\xCA\x9F", /* L UNICODE IPA Extension */
+ "\xCA\x80", /* R UNICODE IPA Extension */
+ "\xC9\xB4"), /* N UNICODE IPA Extension */
+ array('l', 'l', 'r','r','n','n',
+ 'E','E','e','e','X','X','x','x','P','P','p','p','R','R','r','r','S','S','s','s','I','I',
+ 'i','i','O','O','o','o','N','N','n','n','L','L','l','l','U','U','u','u','n','n',
+ 'E','e','X','x','P','p','R','r','S','s','I','i','O','o','N','n','L','l','U','u','n','l','r','n'));
+ $attvalue = str_replace($aDangerousCharsReplacementTable[0],$aDangerousCharsReplacementTable[1],$attvalue);
+
+ // Escapes are useful for special characters like "{}[]()'&. In other cases they are
+ // used for XSS
+ $attvalue = preg_replace("/(\\\\)([a-zA-Z]{1})/",'$2',$attvalue);
+}
+
+
 /**
 * This function returns the final tag out of the tag name, an array
 * of attributes, and the type of the tag. This function is called by
@@ -1484,10 +1569,24 @@
 }
 }
 }
+
+ /**
+ * Workaround for IE quirks
+ */
+ sq_fixIE_idiocy($attvalue);
+
 /**
 * Remove any backslashes, entities, and extraneous whitespace.
 */
+ $oldattvalue = $attvalue;
 sq_defang($attvalue);
+ if ($attname == 'style' && $attvalue !== $oldattvalue) {
+ // entities are used in the attribute value. In 99% of the cases it's there as XSS
+ // i.e.
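Review bot: The comment stripper `$attvalue = preg_replace("/(\/\*.*?\*\/)/","",$attvalue);` in sq_fixIE_idiocy() has no `s` modifier, so `.` stops at a newline and a comment that spans lines is left in place for the later filters; `"/\/\*.*?\*\//s"` handles both forms, and the unused capture group can go. The docblock needs correcting too: `@return attvalue Nothing, modifies a reference value.` should be `@return void`, with the by-reference behaviour stated on the `@param` line. The `/* Shift JIS ... */` annotations on the `"\xEF\xBC..."` entries are misleading — those byte sequences are the UTF-8 encodings of the same FULLWIDTH code points named in the entries above them, not Shift_JIS — so the `// in unicode this is some Chinese char range` remark should be dropped and the comments reworded as `/* UTF-8 FULLWIDTH LATIN CAPITAL LETTER E */` and so on.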
+ $attvalue = "idiocy";
+ $attary{$attname} = $attvalue;
+ }
+
 sq_unspace($attvalue);
 /**
@@ -1510,36 +1609,34 @@
 preg_replace($valmatch, $valrepl, $attvalue);
 if ($newvalue != $attvalue){
 $attary{$attname} = $newvalue;
+ $attvalue = $newvalue;
 }
 }
 }
 }
 }
-
- /**
- * Replace empty src tags with the blank image. src is only used
- * for frames, images, and image inputs. Doing a replace should
- * not affect them working as should be, however it will stop
- * IE from being kicked off when src for img tags are not set
- */
- if (($attname == 'src') && ($attvalue == '""')) {
- $attary{$attname} = '"' . SM_PATH . 'images/blank.png"';
- }
-
- /**
- * Turn cid: urls into http-friendly ones.
- */
- if (preg_match("/^[\'\"]\s*cid:/si", $attvalue)){
- $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
+ if ($attname == 'style') {
+ if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) {
+ // 8bit and control characters in style attribute values can be used for XSS, remove them
+ $attary{$attname} = '"disallowed character"';
+ }
+ preg_match_all("/url\s*\((.+)\)/si",$attvalue,$aMatch);
+ if (count($aMatch)) {
+ foreach($aMatch[1] as $sMatch) {
+ // url value
+ $urlvalue = $sMatch;
+ sq_fix_url($attname, $urlvalue, $message, $id, $mailbox,"'");
+ $attary{$attname} = str_replace($sMatch,$urlvalue,$attvalue);
+ }
+ }
 }
 /**
- * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags.
- * One day MS might actually make it match something useful, for now, falling
- * back to using cid2http, so we can grab the blank.png.
+ * Use white list based filtering on attributes which can contain url's
 */
- if (preg_match("/^[\'\"]\s*outbind:\/\//si", $attvalue)) {
- $attary{$attname} = sq_cid2http($message, $id, $attvalue, $mailbox);
+ else if ($attname == 'href' || $attname == 'src' || $attname == 'background') {
+ sq_fix_url($attname, $attvalue, $message, $id, $mailbox);
+ $attary{$attname} = $attvalue;
+ }
 }
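Review bot: When sq_defang() alters a `style` value, the -1484 hunk replaces it with the bare word `$attvalue = "idiocy";`, whereas every other neutralised value in this patch is written with its quotes (`'"disallowed character"'` a few lines below, `'"' . SM_PATH . 'images/blank.png"'` in sq_fix_url), so the emitted attribute is `style=idiocy` rather than `style="idiocy"`; use `$attvalue = '"idiocy"';` for consistency. The example after `// i.e.` did not survive rendering here, so confirm it is present in the file; the comment itself would read better as `// entities in a style value are almost always an evasion attempt; neutralise the whole attribute`. The attribute loop this sits in starts above the hunk.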
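Review bot: In the `$attname == 'style'` branch of the -1510 hunk, the `'"disallowed character"'` written to `$attary{$attname}` is immediately undone: the `preg_match_all` / `foreach` that follows still runs on the original `$attvalue` and ends with `$attary{$attname} = str_replace($sMatch,$urlvalue,$attvalue);`, so a style value that contains control or 8-bit characters and a `url()` is emitted with those characters intact. The same loop assigns from the unmodified `$attvalue` on every pass, so only the last `url()` rewrite survives when several are present, and `(.+)` is greedy, so two `url()` calls in one value are captured as a single match — sq_fixstyle in the -1581 hunk uses the identical pattern and has the same two problems. Make the disallowed-character case terminal, accumulate the rewrites in `$attvalue`, and bound the capture:

```php
if ($attname == 'style') {
    if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) {
        // 8bit and control characters in style attribute values can be used for XSS, remove them
        $attvalue = '"disallowed character"';
    } else {
        preg_match_all("/url\s*\(([^)]+)\)/si",$attvalue,$aMatch);
        foreach($aMatch[1] as $sMatch) {
            // url value
            $urlvalue = $sMatch;
            sq_fix_url($attname, $urlvalue, $message, $id, $mailbox,"'");
            $attvalue = str_replace($sMatch,$urlvalue,$attvalue);
        }
    }
    $attary{$attname} = $attvalue;
}
// … unchanged: href/src/background branch …
```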
@@ -1555,6 +1652,98 @@
 }
 /**
+ * This function filters url's
+ *
+ * @param $attvalue String with attribute value to filter
+ * @param $message message object
+ * @param $id message id
+ * @param $mailbox mailbox
+ * @param $sQuote quoting characters around url's
+ */
+function sq_fix_url($attname, &$attvalue, $message, $id, $mailbox,$sQuote = '"') {
+ $attvalue = trim($attvalue);
+ if ($attvalue && ($attvalue[0] =='"'|| $attvalue[0] == "'")) {
+ // remove the double quotes
+ $sQuote = $attvalue[0];
+ $attvalue = trim(substr($attvalue,1,-1));
+ }
+
+ if( !sqgetGlobalVar('view_unsafe_images', $view_unsafe_images, SQ_GET) ) {
+ $view_unsafe_images = false;
+ }
+ $secremoveimg = '../images/' . _("sec_remove_eng.png");
+
+ /**
+ * Replace empty src tags with the blank image. src is only used
+ * for frames, images, and image inputs. Doing a replace should
+ * not affect them working as should be, however it will stop
+ * IE from being kicked off when src for img tags are not set
+ */
+ if ($attvalue == '') {
+ $attvalue = '"' . SM_PATH . 'images/blank.png"';
+ } else {
+ // first, disallow 8 bit characters and control characters
+ if (preg_match('/[\0-\37\200-\377]+/',$attvalue)) {
+ switch ($attname) {
+ case 'href':
+ $attvalue = $sQuote . 'http://invalid-stuff-detected.example.com' . $sQuote;
+ break;
+ default:
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ break;
+ }
+ } else {
+ $aUrl = parse_url($attvalue);
+ if (isset($aUrl['scheme'])) {
+ switch(strtolower($aUrl['scheme'])) {
+ case 'http':
+ case 'https':
+ case 'ftp':
+ if ($attname != 'href') {
+ if ($view_unsafe_images == false) {
+ $attvalue = $sQuote . $secremoveimg . $sQuote;
+ } else {
+ if (isset($aUrl['path'])) {
+ // validate image extension.
+ $ext = strtolower(substr($aUrl['path'],strrpos($aUrl['path'],'.')));
+ if (!in_array($ext,array('.jpeg','.jpg','xjpeg','.gif','.bmp','.jpe','.png','.xbm'))) {
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ }
+ } else {
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png'. $sQuote;
+ }
+ }
+ }
+ break;
+ case 'outbind':
+ /**
+ * "Hack" fix for Outlook using propriatary outbind:// protocol in img tags.
+ * One day MS might actually make it match something useful, for now, falling
+ * back to using cid2http, so we can grab the blank.png.
+ */
+ $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+ break;
+ case 'cid':
+ /**
+ * Turn cid: urls into http-friendly ones.
+ */
+ $attvalue = sq_cid2http($message, $id, $attvalue, $mailbox);
+ break;
+ default:
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
+ break;
+ }
+ } else {
+ if (!(isset($aUrl['path']) && $aUrl['path'] == $secremoveimg)) {
+ // parse_url did not lead to satisfying result
+ $attvalue = $sQuote . SM_PATH . 'images/blank.png' . $sQuote;
+ }
+ }
+ }
+ }
+}
+
+/**
 * This function edits the style definition to make them friendly and
 * usable in SquirrelMail.
 *
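Review bot: sq_fix_url() strips the surrounding quote into `$sQuote` at the top but never puts it back on the two pass-through paths — an `href` with an `http`/`https`/`ftp` scheme, and an image URL accepted when `$view_unsafe_images` is set and the extension check passes — while every rewriting branch returns `$sQuote . … . $sQuote`; unless the tag printer re-quotes values (not visible here), those attributes come out unquoted, so add `$attvalue = $sQuote . $attvalue . $sQuote;` just before the `break;` of the `http`/`https`/`ftp` case. Two smaller points in the same block: `'xjpeg'` in the extension whitelist lacks its leading dot and can never equal `$ext`, and `strrpos($aUrl['path'],'.')` returns false for a path without a dot, which `substr()` takes as offset 0 so the whole path is compared against the list — harmless, but a `strrpos(...) === false` guard makes the intent explicit. The empty-value branch also hard-codes `'"'` around blank.png instead of using `$sQuote`, and the docblock is missing a line for `$attname`.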
@@ -1581,57 +1770,38 @@ */ $content = preg_replace("|body(\s*\{.*?\})|si", ".bodyclass\\1", $content); $secremoveimg = '../images/' . _("sec_remove_eng.png"); + + // first check for 8bit sequences and disallowed control characters + if (preg_match('/[\16-\37\200-\377]+/',$content)) { + $content = ''; + return array($content, $newpos); + } + + + // IE Sucks hard. We have a special function for it. + sq_fixIE_idiocy($content); + + // remove @import line + $content = preg_replace("/^\s*(@import.*)$/mi","\n\n",$content); + /** * Fix url('blah') declarations. */ - // remove NUL - $content = str_replace("\0", "", $content); // translate ur\l and variations into url (IE parses that) + // TODO check if the sq_fixIE_idiocy function already handles this. $content = preg_replace("/(\\\\)?u(\\\\)?r(\\\\)?l(\\\\)?/i",'url', $content); - // NB I insert NUL characters to keep to avoid an infinite loop. They are removed after the loop. - while (preg_match("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", $content, $matches)) { - $sProto = strtolower($matches[1]); - switch ($sProto) { - /** - * Fix url('https*://.*) declarations but only if $view_unsafe_images - * is false. - */ - case 'https': - case 'http': - if (!$view_unsafe_images){ - - $sExpr = "/url\s*\(\s*[\'\"]?\s*$sProto*:.*[\'\"]?\s*\)/si"; - $content = preg_replace($sExpr, "u\0r\0l(\\1$secremoveimg\\2)", $content); - - } else { - $content = preg_replace('/url/i',"u\0r\0l",$content); - } - break; - - /** - * Fix urls that refer to cid: - */ - case 'cid': - $cidurl = 'cid:'. $matches[2]; - $httpurl = sq_cid2http($message, $id, $cidurl, $mailbox); - // escape parentheses that can modify the regular expression - $cidurl = str_replace(array('(',')'),array('\\(','\\)'),$cidurl); - $content = preg_replace("|url\s*\(\s*$cidurl\s*\)|si", - "u\0r\0l($httpurl)", $content); - break; - default: - /** - * replace url with protocol other then the white list - * http,https and cid by an empty string. 
- */ - $content = preg_replace("/url\s*\(\s*[\'\"]?([^:]+):(.*)?[\'\"]?\s*\)/si", - "", $content); - break; + preg_match_all("/url\s*\((.+)\)/si",$content,$aMatch); + if (count($aMatch)) { + $aValue = $aReplace = array(); + foreach($aMatch[1] as $sMatch) { + // url value + $urlvalue = $sMatch; + sq_fix_url('style',$urlvalue, $message, $id, $mailbox,"'"); + $aValue[] = $sMatch; + $aReplace[] = $urlvalue; } - break; + $content = str_replace($aValue,$aReplace,$content); } - // remove NUL - $content = str_replace("\0", "", $content); /** * Remove any backslashes, entities, and extraneous whitespace. @@ -1648,8 +1818,11 @@ '/expression/i', '/behaviou*r/i', '/binding/i', - '/include-source/i'); - $replace = Array('', 'idiocy', 'idiocy', 'idiocy', 'idiocy'); + '/include-source/i', + '/javascript/i', + '/script/i'); + $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy'); + $contentNew = preg_replace($match, $replace, $contentTemp); if ($contentNew !== $contentTemp) { // insecure css declarations are used. From now on we don't care @@ -2049,7 +2222,7 @@ "idiocy", "idiocy", "idiocy", - "", + "idiocy", "url", "url(\\1#\\1)", "url(\\1#\\1)", @@ -2095,7 +2268,7 @@ $id, $mailbox ); - if (preg_match("|$secremoveimg|i", $trusted)){ + if (strpos($trusted,$secremoveimg)){ $has_unsafe_images = true; } return $trusted; 
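Review bot: The new `preg_match_all("/url\s*\((.+)\)/si", ...)` capture is greedy across the whole stylesheet, so when a style block holds more than one url() the single match runs from the first `(` to the last `)` and everything in between is replaced by one sq_fix_url() result; it fails closed, but it discards legitimate CSS and feeds the per-url scheme check a concatenated blob. A capture that stops at the first closing paren, `preg_match_all("/url\s*\(([^)]+)\)/si", $content, $aMatch);`, keeps one value per url(). Separately, both `str_replace("\0", "", $content)` calls were removed while the new filter `'/[\16-\37\200-\377]+/'` starts at octal 16, so NUL and bytes \1-\10, \13 and \14 now pass it; unless sq_fixIE_idiocy() (not visible here) strips them, a NUL can split the later /expression/ and /javascript/ rewrites, so consider `'/[\0-\10\13\14\16-\37\200-\377]+/'`, which still admits tab, LF and CR. The `if (count($aMatch))` guard is always true because preg_match_all returns at least the index-0 array. The enclosing function starts outside this hunk.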
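Review bot: `/script/i` already matches every occurrence that `/javascript/i` would, so the added `/javascript/i` entry in $match is dead once `/script/i` follows it. Both are plain substring matches, so benign identifiers containing "script" — a `.description` class, for instance — are rewritten to "deidiocyion" and trip the `$contentNew !== $contentTemp` insecure-declaration branch; if the target is the javascript:/vbscript: URL schemes, `'/(?:java|vb)?script\s*:/i'` in place of the two entries is narrower, though url() schemes are already filtered by sq_fix_url() so this may be intended as belt-and-braces. Whatever is kept, $replace must retain exactly one entry per pattern in $match.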
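Review bot: `strpos($trusted, $secremoveimg)` evaluates to 0 when the marker sits at offset 0, and 0 is treated as false, so the replacement for the removed preg_match() silently misses that case; write `if (strpos($trusted, $secremoveimg) !== false) {`. The move from a case-insensitive regex to a case-sensitive substring search is fine as long as the marker is only ever inserted verbatim, which is what sq_fix_url() does with `$sQuote . $secremoveimg . $sQuote`, and it also removes the unescaped `$secremoveimg` from a regex pattern. The enclosing function starts outside this hunk.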
@@ -2191,11 +2364,17 @@ // This works for most types, but doesn't work with Word files header ("Content-Type: application/download; name=\"$filename\""); + // This is to prevent IE for MIME sniffing and auto open a file in IE + header ("Content-Type: application/force-download; name=\"$filename\""); // These are spares, just in case. :-) //header("Content-Type: $type0/$type1; name=\"$filename\""); //header("Content-Type: application/x-msdownload; name=\"$filename\""); //header("Content-Type: application/octet-stream; name=\"$filename\""); + } else if ($isIE) { + // This is to prevent IE for MIME sniffing and auto open a file in IE + header ("Content-Type: application/force-download; name=\"$filename\""); + } else { // another application/octet-stream forces download for Netscape header ("Content-Type: application/octet-stream; name=\"$filename\""); @@ -2209,4 +2388,4 @@ } // end fn SendDownloadHeaders -?> \ No newline at end of file +?> --- squirrelmail-1.4.8.orig/functions/file_prefs.php +++ squirrelmail-1.4.8/functions/file_prefs.php 
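Review bot: The added `header("Content-Type: application/force-download; ...")` directly below the `application/download` header replaces it, because PHP's header() overwrites an earlier header of the same name by default, so the `application/download` line is now dead and should be removed or its purpose documented. `application/force-download` is a non-standard type; the control browsers actually honour against content sniffing is `header('X-Content-Type-Options: nosniff');` alongside a `Content-Disposition: attachment` header, so consider sending nosniff on every branch rather than special-casing `$isIE` (older clients ignore it harmlessly). `$filename` is interpolated unescaped inside the quoted name parameter in all three branches; if it is derived from a MIME part name, an embedded `"` ends the parameter early, so it should be sanitised before use unless the caller already does so. The enclosing function starts outside this hunk.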
@@ -182,17 +182,26 @@ /* Then, check if the file exists. */ if (!@file_exists($filename) ) { - /* First, check the $data_dir for the default preference file. */ + + /* If it does not exist, check for default_prefs */ + + /* First, check legacy locations: data dir */ if(substr($data_dir,-1) != '/') { $data_dir .= '/'; } $default_pref = $data_dir . 'default_pref'; - /* If it is not there, check the internal data directory. */ + /* or legacy location: internal data dir */ if (!@file_exists($default_pref)) { $default_pref = SM_PATH . 'data/default_pref'; } + /* If no legacies, check where we'd expect it to be located: + * under config/ */ + if (!@file_exists($default_pref)) { + $default_pref = SM_PATH . 'config/default_pref'; + } + /* Otherwise, report an error. */ $errTitle = sprintf( _("Error opening %s"), $default_pref ); if (!is_readable($default_pref)) { --- squirrelmail-1.4.8.orig/include/options/display.php +++ squirrelmail-1.4.8/include/options/display.php 
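Review bot: The three candidate locations for default_pref are now three copy-pasted `if (!@file_exists(...))` fallbacks that will grow again the next time a location is added; a loop over an ordered candidate list keeps the same precedence (data dir, then internal data dir, then config/) and, like the current code, leaves `$default_pref` pointing at the last candidate when none exists so the `$errTitle` message names the expected path. The `is_readable()` error reporting after the checks is unchanged.
```php
    /* If it does not exist, look for default_pref in the legacy
     * locations first (data dir, internal data dir), then under config/ */
    if(substr($data_dir,-1) != '/') {
        $data_dir .= '/';
    }
    foreach (array($data_dir . 'default_pref',
                   SM_PATH . 'data/default_pref',
                   SM_PATH . 'config/default_pref') as $default_pref) {
        if (@file_exists($default_pref)) {
            break;
        }
    }
    // ... unchanged: $errTitle / is_readable() error reporting ...
```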
@@ -88,23 +88,29 @@ $language_values = array(); foreach ($languages as $lang_key => $lang_attributes) { + # Debian: cope with squirrelmail-locales not being installed: do not offer + # non-existant languages for selection. This has been fixed in 1.5.x upstream. + if ( isset($lang_attributes['NAME']) && ($lang_key != 'en_US') && + !file_exists ( SM_PATH . 'locale/'. $lang_key ) ) continue; if (isset($lang_attributes['NAME'])) { $language_values[$lang_key] = $lang_attributes['NAME']; } } - - asort($language_values); - $language_values = - array_merge(array('' => _("Default")), $language_values); - $language = $squirrelmail_language; - $optvals[SMOPT_GRP_GENERAL][] = array( - 'name' => 'language', - 'caption' => _("Language"), - 'type' => SMOPT_TYPE_STRLIST, - 'refresh' => SMOPT_REFRESH_ALL, - 'posvals' => $language_values, - 'htmlencoded' => true - ); + # Debian: only display this option if there's actually a choice. + if ( count($language_values) > 1) { + asort($language_values); + $language_values = + array_merge(array('' => _("Default")), $language_values); + $language = $squirrelmail_language; + $optvals[SMOPT_GRP_GENERAL][] = array( + 'name' => 'language', + 'caption' => _("Language"), + 'type' => SMOPT_TYPE_STRLIST, + 'refresh' => SMOPT_REFRESH_ALL, + 'posvals' => $language_values, + 'htmlencoded' => true + ); + } /* Set values for the "use javascript" option. */ $optvals[SMOPT_GRP_GENERAL][] = array( --- squirrelmail-1.4.8.orig/include/load_prefs.php +++ squirrelmail-1.4.8/include/load_prefs.php 
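Review bot: The new Debian filter evaluates `isset($lang_attributes['NAME'])` twice in a row — once in the `continue` condition and again in the `if` that follows — so a single guard reads better: `if (!isset($lang_attributes['NAME'])) continue;` then `if ($lang_key != 'en_US' && !is_dir(SM_PATH . 'locale/' . $lang_key)) continue;` and the assignment unconditionally. `is_dir()` is the more precise test than `file_exists()` if, as in upstream's layout, locale/<key> is a directory — confirm before changing. Hiding the selector behind `count($language_values) > 1` also removes the only UI for a user whose saved preference names a locale that is no longer installed; a comment on that check stating where `$squirrelmail_language` falls back in that case would help, if such a fallback exists.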
@@ -33,6 +33,11 @@ /* need to adjust $chosen_theme path with SM_PATH */ $chosen_theme = preg_replace("/(\.\.\/){1,}/", SM_PATH, $chosen_theme); +/* need to prepend path where none exists */ +if ( !preg_match("/\//", $chosen_theme) ) { + $chosen_theme = SM_PATH . "themes/" . $chosen_theme; +} + for ($i = 0; $i < count($theme); ++$i){ if ($theme[$i]['PATH'] == $chosen_theme) { $found_theme = true; --- squirrelmail-1.4.8.orig/plugins/squirrelspell/sqspell_config.php +++ squirrelmail-1.4.8/plugins/squirrelspell/sqspell_config.php @@ -26,9 +26,31 @@ * $SQSPELL_APP = array( 'English' => 'aspell -a', * 'Spanish' => 'aspell -d spanish -a' ); */ -$SQSPELL_APP = array('English' => 'ispell -a', - 'Spanish' => 'ispell -d spanish -a'); -$SQSPELL_APP_DEFAULT = 'English'; + +# Debian: if dictionaries-common >= 2.50 is available, detect the +# installed dictionaries automatically. +if ( is_readable ( '/var/cache/dictionaries-common/ispell-dicts-list.txt' ) ) { + $dicts = file( '/var/cache/dictionaries-common/ispell-dicts-list.txt' ); + $SQSPELL_APP = array(); + foreach ($dicts as $dict) { + preg_match('/(\S+)\s+\((.+)\)/', $dict, $dparts); + $SQSPELL_APP[$dparts[2]] = 'ispell -d ' . $dparts[1] . ' -a'; + } +} else { + $SQSPELL_APP = array('English' => 'ispell -a', + 'Spanish' => 'ispell -d spanish -a'); +} + +# Debian: if dictionaries-common >= 2.50 is available, detect the +# default dictionary automatically. +if ( is_readable ( '/etc/dictionaries-common/ispell-default' ) ) { + $dictdefault = file ( '/etc/dictionaries-common/ispell-default' ); + preg_match('/(\w+)\s+\((.+)\)/', $dictdefault[0], $dparts); + $SQSPELL_APP_DEFAULT = $dparts[2]; +} else { + $SQSPELL_APP_DEFAULT = 'English'; +} + $SQSPELL_WORDS_FILE = getHashedFile($username, $data_dir, "$username.words");
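Review bot: The new prefix block is only safe because the loop that follows still requires `$chosen_theme` to equal one of the configured `$theme[$i]['PATH']` values before `$found_theme` is set; that dependency deserves a comment on the block, e.g. `// Bare theme names are resolved under themes/; the whitelist loop below still decides whether the result is used.` `preg_match("/\//", $chosen_theme)` compiles a pattern to find one character — `if (strpos($chosen_theme, '/') === false)` says the same thing. What happens when no theme matches lies outside this hunk.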