sync/ports
1
0
Fork 0
mirror of https://git.freebsd.org/ports.git synced 2025-07-15 16:29:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
ports/mail/openwebmail/files/patch-CVE-2006-3233
Yen-Ming Lee 89d3dc0029 - fix cross-site scripting (XSS) vulnerability in openwebmail-read.pl 
- bump PORTREVISION

Submitted by:	rafan
Security:	CVE-2006-3233
2006-09-28 13:15:41 +00:00

29 lines
4.8 KiB
Text
Raw Blame History

--- openwebmail-read.pl.orig Sun May 1 20:00:00 2005
+++ openwebmail-read.pl Thu Sep 28 16:36:55 2006
@@ -755,7 +755,8 @@
$temphtml .= "<BR>\n";
my ($ename, $eaddr)=ow::tool::email2nameaddr($message{from});
- $temphtml .= qq|<B>$lang_text{'from'}:</B> <a href="http://www.google.com/search?q=$eaddr" title="google $lang_text{'search'}..." target="_blank">$from</a>&nbsp; \n|;
+ my $jseaddr = $eaddr; $jseaddr=~ s/'/\\'/g; # escape ' with \'
+ $temphtml .= qq|<B>$lang_text{'from'}:</B> <a href="http://www.google.com/search?q=|.ow::tool::escapeURL($eaddr).qq|" title="google $lang_text{'search'}..." target="_blank">$from</a>&nbsp; \n|;
if ($printfriendly ne "yes") {
if ($config{'enable_addressbook'}) {
my $is_writableabook_found=0;
@@ -774,13 +775,13 @@
if ($is_writableabook_found) {
my $fullname=(iconv($message{charset}, $prefs{charset}, $ename))[0];
my ($firstname, $lastname) = split(/\s+/, $fullname, 2);
- $temphtml .= qq|&nbsp;|. iconlink("import.s.gif", "$lang_text{'importadd'} $eaddr", qq|href="$config{'ow_cgiurl'}/openwebmail-abook.pl?action=addreditform&amp;sessionid=$thissession&amp;sort=$sort&amp;msgdatetype=$msgdatetype&amp;page=$page&amp;folder=$escapedfolder&amp;message_id=$escapedmessageid&amp;N.0.VALUE.GIVENNAME=|.ow::tool::escapeURL($firstname).qq|&amp;N.0.VALUE.FAMILYNAME=|.ow::tool::escapeURL($lastname).qq|&amp;FN.0.VALUE=|.ow::tool::escapeURL($fullname).qq|&amp;EMAIL.0.VALUE=|.ow::tool::escapeURL($eaddr).qq|&amp;formchange=1" onclick="return confirm('$lang_text{importadd} $eaddr ?');"|) . qq|\n|;
+ $temphtml .= qq|&nbsp;|. iconlink("import.s.gif", qq|$lang_text{'importadd'} |.ow::htmltext::str2html($eaddr), qq|href="$config{'ow_cgiurl'}/openwebmail-abook.pl?action=addreditform&amp;sessionid=$thissession&amp;sort=$sort&amp;msgdatetype=$msgdatetype&amp;page=$page&amp;folder=$escapedfolder&amp;message_id=$escapedmessageid&amp;N.0.VALUE.GIVENNAME=|.ow::tool::escapeURL($firstname).qq|&amp;N.0.VALUE.FAMILYNAME=|.ow::tool::escapeURL($lastname).qq|&amp;FN.0.VALUE=|.ow::tool::escapeURL($fullname).qq|&amp;EMAIL.0.VALUE=|.ow::tool::escapeURL($eaddr).qq|&amp;formchange=1" onclick="return confirm('$lang_text{importadd} |.ow::htmltext::str2html($jseaddr).qq| ?');"|) . qq|\n|;
} else {
- $temphtml .= qq|&nbsp;|. iconlink("import.s.gif", "$lang_text{'importadd'} $eaddr", qq|href="$config{'ow_cgiurl'}/openwebmail-abook.pl?action=addrbookedit&amp;sessionid=$thissession&amp;sort=$sort&amp;msgdatetype=$msgdatetype&amp;page=$page&amp;folder=$escapedfolder&amp;message_id=$escapedmessageid" onclick="return confirm('$lang_err{abook_all_readonly}');"|) . qq|\n|;
+ $temphtml .= qq|&nbsp;|. iconlink("import.s.gif", qq|$lang_text{'importadd'} |.ow::htmltext::str2html($eaddr), qq|href="$config{'ow_cgiurl'}/openwebmail-abook.pl?action=addrbookedit&amp;sessionid=$thissession&amp;sort=$sort&amp;msgdatetype=$msgdatetype&amp;page=$page&amp;folder=$escapedfolder&amp;message_id=$escapedmessageid" onclick="return confirm('$lang_err{abook_all_readonly}');"|) . qq|\n|;
}
}
if ($config{'enable_userfilter'}) {
- $temphtml .= qq|&nbsp;|. iconlink("blockemail.gif", "$lang_text{'blockemail'} $eaddr", qq|href="$config{'ow_cgiurl'}/openwebmail-prefs.pl?action=addfilter&amp;sessionid=$thissession&amp;sort=$sort&amp;msgdatetype=$msgdatetype&amp;page=$page&amp;folder=$escapedfolder&amp;message_id=$escapedmessageid&amp;priority=20&amp;ruletype=from&amp;include=include&amp;text=$eaddr&amp;destination=mail-trash&amp;enable=1" onclick="return confirm('$lang_text{blockemail} $eaddr ?');"|) . qq|\n|;
+ $temphtml .= qq|&nbsp;|. iconlink("blockemail.gif", qq|$lang_text{'blockemail'} |.ow::htmltext::str2html($eaddr), qq|href="$config{'ow_cgiurl'}/openwebmail-prefs.pl?action=addfilter&amp;sessionid=$thissession&amp;sort=$sort&amp;msgdatetype=$msgdatetype&amp;page=$page&amp;folder=$escapedfolder&amp;message_id=$escapedmessageid&amp;priority=20&amp;ruletype=from&amp;include=include&amp;text=|.ow::tool::escapeURL($eaddr).qq|&amp;destination=mail-trash&amp;enable=1" onclick="return confirm('$lang_text{blockemail} |.ow::htmltext::str2html($jseaddr).qq| ?');"|) . qq|\n|;
if ($message{smtprelay} !~ /^\s*$/) {
$temphtml .= qq|&nbsp; |.iconlink("blockrelay.gif", "$lang_text{'blockrelay'} $message{smtprelay}", qq|href="$config{'ow_cgiurl'}/openwebmail-prefs.pl?action=addfilter&amp;sessionid=$thissession&amp;sort=$sort&amp;msgdatetype=$msgdatetype&amp;page=$page&amp;folder=$escapedfolder&amp;message_id=$escapedmessageid&amp;priority=20&amp;ruletype=smtprelay&amp;include=include&amp;text=$message{smtprelay}&amp;destination=mail-trash&amp;enable=1" onclick="return confirm('$lang_text{blockrelay} $message{smtprelay} ?');"|) . qq|\n|;
}
Reference in a new issue View git blame Copy permalink