author | itetcu <itetcu@FreeBSD.org> | 2006-06-06 18:30:47 +0800 |
committer | itetcu <itetcu@FreeBSD.org> | 2006-06-06 18:30:47 +0800 |
commit | 0086a3521b3797e1adb57d1e288141fc3611f9be (patch) | |
tree | 8e84acb5bf100eb4542d3c14ce948f90dd6133b7 /mail/squirrelmail | |
parent | 302731c05da2ea14340a2bbe8f2fa290141fb179 (diff) | |
Security fix for remote user able to access local files on the server without
requiring login.
PR: ports/98588
Submitted by: maintainer
Approved by: lawrance (mentor, implicit)
Security: http://vuxml.FreeBSD.org/00784d6e-f4ce-11da-87a1-000c6ec775d9.html
Diffstat (limited to 'mail/squirrelmail')
-rw-r--r-- | mail/squirrelmail/Makefile | 3 | ||||
-rw-r--r-- | mail/squirrelmail/files/patch-functions-global.php | 50 |
2 files changed, 52 insertions, 1 deletions
diff --git a/mail/squirrelmail/Makefile b/mail/squirrelmail/Makefile
index c49d38845e78..3082794917ea 100644
--- a/mail/squirrelmail/Makefile
+++ b/mail/squirrelmail/Makefile
@@ -7,6 +7,7 @@
 PORTNAME= squirrelmail
 PORTVERSION= 1.4.6
+PORTREVISION= 1
 CATEGORIES= mail www
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR= ${PORTNAME}
@@ -57,7 +58,7 @@ pre-everything::
 post-patch:
 .ifndef PATCH_DEBUG
- @${RM} -f ${WRKSRC}/config/config_default.php.orig
+ @${RM} -f ${WRKSRC}/config/config_default.php.orig ${WRKSRC}/functions/global.php.orig
 .endif
 @${REINPLACE_CMD} -e 's|ispell|${LOCALBASE}/bin/ispell|g' \
 ${WRKSRC}/plugins/squirrelspell/sqspell_config.php
diff --git a/mail/squirrelmail/files/patch-functions-global.php b/mail/squirrelmail/files/patch-functions-global.php
new file mode 100644
index 000000000000..9fd5e519cad7
--- /dev/null
+++ b/mail/squirrelmail/files/patch-functions-global.php
@@ -0,0 +1,50 @@
+--- functions/global.php.orig Fri Feb 3 22:27:47 2006
++++ functions/global.php Tue Jun 6 10:12:22 2006
+@@ -62,6 +62,47 @@
+ sqstripslashes($_POST);
+ }
++/**
++ * If register_globals are on, unregister globals.
++ * Code requires PHP 4.1.0 or newer.
++ * Second test covers boolean set as string (php_value register_globals off).
++ */
++if ((bool) @ini_get('register_globals') &&
++ strtolower(ini_get('register_globals'))!='off') {
++ /**
++ * Remove all globals from $_GET, $_POST, and $_COOKIE.
++ */
++ foreach ($_REQUEST as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized $_FILES variables
++ * Before 4.3.0 $_FILES are included in $_REQUEST.
++ * Unglobalize them in separate call in order to remove dependency
++ * on PHP version.
++ */
++ foreach ($_FILES as $key => $value) {
++ unset($GLOBALS[$key]);
++ // there are three undocumented $_FILES globals.
++ unset($GLOBALS[$key.'_type']);
++ unset($GLOBALS[$key.'_name']);
++ unset($GLOBALS[$key.'_size']);
++ }
++ /**
++ * Remove globalized environment variables.
++ */
++ foreach ($_ENV as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++ /**
++ * Remove globalized server variables.
++ */
++ foreach ($_SERVER as $key => $value) {
++ unset($GLOBALS[$key]);
++ }
++}
++
++
+ /* strip any tags added to the url from PHP_SELF.
+ This fixes hand crafted url XXS expoits for any
+ page that uses PHP_SELF as the FORM action */ |
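Review bot: The `$_REQUEST` loop (`foreach ($_REQUEST as $key => $value) { unset($GLOBALS[$key]); }`) removes whatever global shares a name with a request key, so it may also hit the superglobal entries themselves and any application global that was initialised before this point in global.php, which makes an unexpected parameter name enough to blank earlier configuration state. The loop should skip a fixed protected list — `$protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES', '_ENV', '_SERVER', '_SESSION', '_REQUEST');` and `if (!in_array($key, $protected, true)) { unset($GLOBALS[$key]); }` — and the same guard belongs in the `$_FILES`, `$_ENV` and `$_SERVER` loops that follow; `array()` is kept deliberately because the header comment pins the code to PHP 4.1.0. Separately, `$_REQUEST` only holds what the `variables_order` ini setting puts into it, so the comment `Remove all globals from $_GET, $_POST, and $_COOKIE` overstates the guarantee when cookies are excluded from that setting; either hedge the comment or iterate the three arrays explicitly.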