debian/changelog

squirrelmail (2:1.4.23~svn20120406-2+deb8u3build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian

 -- Mike Salvatore  Fri, 31 Aug 2018 10:35:48 -0400

squirrelmail (2:1.4.23~svn20120406-2+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the Debian LTS Team.
  * Fix for several XSS vulnerabilities
    CVE-2018-14950 CVE-2018-14951 CVE-2018-14952
    CVE-2018-14953 CVE-2018-14954 CVE-2018-14955
    (Closes: #905023)

 -- Abhijith PA  Sat, 25 Aug 2018 22:06:19 +0530

squirrelmail (2:1.4.23~svn20120406-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Path traversal vulnerability (CVE-2018-8741)
    Directory traversal flaw in Deliver.class.php can allow a remote
    attacker to retrieve or delete arbitrary files. (Closes: #893202)

 -- Salvatore Bonaccorso  Sat, 07 Apr 2018 15:24:43 +0200

squirrelmail (2:1.4.23~svn20120406-2+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the Security Team (CVE-2017-7692: post-auth RCE)

 -- Sebastien Delafond  Sat, 13 May 2017 12:22:32 +0200

squirrelmail (2:1.4.23~svn20120406-2) unstable; urgency=medium

  * Add patch from upstream to cope with changed behaviour of
    htmlspecialchars() in PHP 5.4 (closes: #664895).
  * Add patch from upstream to cope with removal of
    session_unregister() in PHP 5.4.

 -- Thijs Kinkhorst  Thu, 20 Dec 2012 20:41:02 +0100

squirrelmail (2:1.4.23~svn20120406-1) unstable; urgency=medium

  * New upstream snapshot release.
    - Addresses PHP 5.4 compatibility issues (closes: #664895).
    - Fixes PHP warning (closes: #641869).
    - Fixes hide_auth_header (closes: #661394).

 -- Thijs Kinkhorst  Fri, 06 Apr 2012 13:18:54 +0200

squirrelmail (2:1.4.22-1) unstable; urgency=medium

  * New upstream release, fixes several security issues
    (CVE-2011-2023, CVE-2010-4554, CVE-2010-4555, CVE-2011-2752,
    CVE-2011-2753 closes: #593345, #634822).
  * Move to dpkg source format 3.0, separate out Debian patches.
    Small packaging cleanups.

 -- Thijs Kinkhorst  Sun, 24 Jul 2011 14:40:01 +0000

squirrelmail (2:1.4.21-1) unstable; urgency=medium

  * New upstream release.
    + Addresses two low-impact security issues, bump urgency.
      [CVE-2010-1637, CVE-2010-2813]
  * Checked for policy 3.9.1, no changes necessary.

 -- Thijs Kinkhorst  Sat, 31 Jul 2010 13:54:45 +0200

squirrelmail (2:1.4.20-1) unstable; urgency=low

  * New upstream release.
    + Addresses search bug (closes: #550763).
  * Update to policy 3.8.4, no changes necessary.

 -- Thijs Kinkhorst  Sun, 07 Mar 2010 16:26:58 +0100

squirrelmail (2:1.4.20~rc2-1) unstable; urgency=medium

  * New upstream release candidate.
    + Addresses cross site request forgery
      (CVE-2009-2964, closes: #543818).
  * Update to policy 3.8.3, no changes necessary.

 -- Thijs Kinkhorst  Sun, 27 Sep 2009 16:46:03 +0200

squirrelmail (2:1.4.19-1) unstable; urgency=high

  * New upstream release.
    + Corrects incomplete fix for CVE-2009-1579 [CVE-2009-1381]
    + Fixes filter plugin regression (closes: #529328)

 -- Thijs Kinkhorst  Thu, 21 May 2009 20:16:48 +0200

squirrelmail (2:1.4.18-1) unstable; urgency=high

  * New upstream release.
    + Addresses several security issues (closes: #528528):
      CVE-2009-1578, CVE-2009-1579, CVE-2009-1580, CVE-2009-1581.
  * Update to debhelper 7 and policy 3.8.1.
  * Make squirrelmail.cron.daily cope with the administrator
    enabling the hashed dir feature, thanks Marcello Nuccio
    (closes: #508287).
  * Update Recommends and Suggests:
    + Remove all php4-related relations.
    + Add recommends for php5-mcode which speeds up crypto.
    + Suggest php5-recode for some character sets.
    + Recommend plugins: squirrelmail-viewashtml for HTML mail,
      squirrelmail-logger to provide logging.
    (closes: #523966, #527964)

 -- Thijs Kinkhorst  Wed, 13 May 2009 19:42:57 +0200

squirrelmail (2:1.4.15-4) unstable; urgency=high

  * Address cross site scripting issue in the HTML filter
    (CVE-2008-2379).

 -- Thijs Kinkhorst  Sun, 07 Dec 2008 16:18:03 +0100

squirrelmail (2:1.4.15-3) unstable; urgency=high

  * Cookies sent over HTTPS will now be confined to HTTPS only
    (cookie secure flag) and more support for the HTTPOnly cookie
    attribute. Patch taken from upstream release.
    (CVE-2008-3663, closes: #499942)

 -- Thijs Kinkhorst  Sun, 28 Sep 2008 16:33:48 +0200

squirrelmail (2:1.4.15-2) unstable; urgency=low

  * Update fortune location to Debian's default,
    thanks Richard Nelson, closes: #484835.
  * Conforms to Debian policy 3.8.0, no changes required.

 -- Thijs Kinkhorst  Sun, 13 Jul 2008 15:31:17 +0200

squirrelmail (2:1.4.15-1) unstable; urgency=low

  * New upstream bugfix release.
  * Remove Sam Johnston from Uploaders.
  * Update README.locales to be more verbose about which
    locales need to be enabled on the system, thanks
    Daniel Hahler. (closes: #473861)
  * Do not install index.html under /usr/share/doc, it doesn't
    add much value but requires Debian-specific patching which
    still doesn't work well with gzipped files (closes: #457524).

 -- Thijs Kinkhorst  Sat, 24 May 2008 09:53:35 +0200

squirrelmail (2:1.4.13-2) unstable; urgency=low

  * Apply Debian-specific changes that somehow got lost in
    the previous upload (Closes: #457597, #457524).

 -- Thijs Kinkhorst  Sun, 23 Dec 2007 22:36:27 +0100

squirrelmail (2:1.4.13-1) unstable; urgency=low

  * New upstream release.

 -- Thijs Kinkhorst  Sat, 15 Dec 2007 13:57:31 +0100

squirrelmail (2:1.4.12-1) unstable; urgency=low

  * New upstream release.
  * Minor packaging cleanups.

 -- Thijs Kinkhorst  Thu, 06 Dec 2007 17:27:56 +0100

squirrelmail (2:1.4.11-2) unstable; urgency=low

  * Fix broken attachment handling in PHP4 by applying patch from
    upstream. NOTE: this is only a courtesy to PHP4 users, it must
    be noted that Debian does not support PHP4 in current unstable
    anymore. (Closes: #444970)

 -- Thijs Kinkhorst  Wed, 10 Oct 2007 09:56:53 +0200

squirrelmail (2:1.4.11-1) unstable; urgency=low

  * New upstream release.
  * Remove workaround for buglet in dictionaries-common
    SquirrelMail interface.

 -- Thijs Kinkhorst  Sat, 29 Sep 2007 10:41:21 +0200

squirrelmail (2:1.4.10a-2) unstable; urgency=low

  * Make use of new dictionaries-common SquirrelMail interface
    to detect the installed squirrelspell dictionaries
    (Closes: #420877).
  * Remove obsolete upgrading code.
  * Make sure config files are not closed with '?>' since it's
    then too easy to get stray whitespace at the end of the file.

 -- Thijs Kinkhorst  Thu, 31 May 2007 19:34:29 +0200

squirrelmail (2:1.4.10a-1) unstable; urgency=high

  * New upstream security release.
    - Fixes cross site scripting in the HTML filter
      [CVE-2007-1262, CVE-2007-2589].
    - Tweaks SMTP error message display (Closes: #403705).
    - Fixes address duplication on reply-all (Closes: #408242).

 -- Thijs Kinkhorst  Thu, 10 May 2007 12:04:48 +0200

squirrelmail (2:1.4.9a-1) unstable; urgency=high

  * New upstream security release.
    - Additionally tightens HTML filter for IE <= 5 parsing
      absolutely everything and its horse.

 -- Thijs Kinkhorst  Mon, 4 Dec 2006 09:18:09 +0100

squirrelmail (2:1.4.9-1) unstable; urgency=high

  * New upstream bugfix release.
    - Includes cross site scripting security fix [CVE-2006-6142].
    - Includes Internet Explorer security issue workaround.
    - Fixes misspelled constant (Closes: #401022)

 -- Thijs Kinkhorst  Sat, 2 Dec 2006 17:35:43 +0100

squirrelmail (2:1.4.8-3) unstable; urgency=low

  * Add note to README.Debian about server side sorting
    (Closes: #394286) and regular_globals not being supported.
  * Add IfModule conditionals for register_globals setting
    in apache.conf (Closes: #398173).

 -- Thijs Kinkhorst  Mon, 13 Nov 2006 16:29:33 +0100

squirrelmail (2:1.4.8-2) unstable; urgency=low

  * Update Debian patch to display options to cope with the custom
    charset plugin. Thanks Tomas Kuliavas, Closes: #385300.
  * Suggest php[45]-ldap, Closes: #392306.
  * Improve package description.

 -- Thijs Kinkhorst  Fri, 20 Oct 2006 16:36:36 +0200

squirrelmail (2:1.4.8-1) unstable; urgency=high

  * New upstream release
    - Includes security fix: variable overwriting in compose.php
      by logged-in user [CVE-2006-4019]
    - Does not ship SquirrelMail developer's documentation anymore.
  * Remove duplicate content from README.locales.

 -- Thijs Kinkhorst  Fri, 11 Aug 2006 13:53:20 +0200

squirrelmail (2:1.4.7-1) unstable; urgency=low

  * New upstream bugfix release.
    + Addresses some low-impact, theoretical or disputed security bugs,
      for which the code is tightened just-in-case:
      - Possible local file inclusion (Closes: #373731, CVE-2006-2842)
      - XSS in search.php (Closes: #375782, CVE-2006-3174)
    + Adds note to db-backend.txt about postgreSQL (Closes: #376605).
  * Checked for standards version to 3.7.2, no changes necessary.
  * Update maintainer address.

 -- Thijs Kinkhorst  Tue, 4 Jul 2006 14:49:23 +0200

squirrelmail (2:1.4.6-1) unstable; urgency=high

  * New upstream release.
  * Includes the following security fixes:
    - Fix IMAP command injection in sqimap_mailbox_select with
      upstream patch. [CVE-2006-0377] (Closes: #354063)
    - Fix possible XSS in MagicHTML, concerning the parsing of
      u\rl and comments in styles. Internet Explorer specific.
      [CVE-2006-0195] (Closes: #354062)
    - Fix possible cross site scripting through the right_main
      parameter of webmail.php. This now uses a whitelist of
      acceptable values. [CVE-2006-0188] (Closes: #354064, #355424)

 -- Thijs Kinkhorst  Tue, 7 Mar 2006 14:56:06 +0100

squirrelmail (2:1.4.5+1.4.6rc1-1) experimental; urgency=low

  * Experimental package
  * New upstream version: 1.4.6 Release Candidate 1
    Many bugfixes, amongst which the following Debian bugs:
    + Works with newest PHP versions (Closes: #321565, #338649).
    + Fixes line wrapping for unicode characters (Closes: #330372).
    + Add support for limiting the length of the From address
      display (Closes: #279682).
  * Add Depends alternatives for PHP5.
  * Add Suggests for squirrelmail-decode, the library with charset
    decoding functions for complex and rare character sets.
  * Upgrade debhelper compatibility to the recommended level 5.
  * Add Homepage to package description.
  * Move package building from the binary-arch to the binary-indep
    target in debian/rules.

 -- Thijs Kinkhorst  Sat, 10 Dec 2005 18:13:43 +0100

squirrelmail (2:1.4.5-2) unstable; urgency=low

  [ Jeroen van Wolffelaar ]
  * Restore squirrelmail-configure manpage, accidentally dropped in -1
  * Use debhelper compat level 4

  [ Thijs Kinkhorst ]
  * Drop obsolete symlink for attachment dir.
  * Do not ship upstream README, which contains hardly any
    information relevant to Debian. Extend README.Debian a bit.
    Thanks W. Borgert.
  * Add years to copyright statement.

 -- Thijs Kinkhorst  Mon, 15 Aug 2005 21:06:00 +0200

squirrelmail (2:1.4.5-1) unstable; urgency=low

  * New upstream release. (Closes: #319531)
    Many bugfixes, including the following Debian bugs:
    + Allows to use squirrelspell with PHP safe_mode (Closes: #220156).
    + Has multiple alternatives for locale names (Closes: #269790).
    + Option to set citation marker (Closes: #274595).
  * Dropped a lot of patches incorporated upstream
  * Add debian/watch file.
  * If default_pref file does not exist under var, do not attempt
    to move it to /etc (Closes: #309628).
  * Fix squirrelspell to read UTF8-encoded dictionary names
    correctly. (Closes: #311338)
  * Change Depends on squirrelmail-locales into Recommends;
    the depends was created to ease woody -> sarge upgrades,
    now a recommendation is sufficient (Closes: #319382).
  * Update Standards-Version to 3.6.2, no changes necessary.
  * Clean up rusty packaging.
  * Add depends-alternative for libapache-mod-php4, to prevent
    installs that have apache1 and libapache-mod-php4 but not the
    php4 meta package from dragging in apache2 (Closes: #320993).

 -- Thijs Kinkhorst  Wed, 3 Aug 2005 20:00:16 +0200

squirrelmail (2:1.4.4-6sarge1) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Corrected the patch based on upstream input
    [src/options_identities.php, CAN-2005-2095]

 -- Martin Schulze  Mon, 11 Jul 2005 15:21:59 +0000

squirrelmail (2:1.4.4-6) stable-security; urgency=high

  * Security fix, hence high urgency.
  * Apply patch provided by upstream to fix several cross site
    scripting flaws [CAN-2005-1769] (Closes: #314374)
  * Work around arbitrary variable injection via extract()
    [CAN-2005-2095] (Closes: #317094)

 -- Thijs Kinkhorst  Sat, 09 Jul 2005 11:57:20 +0200

squirrelmail (2:1.4.4-5) unstable; urgency=low

  * Add Suggests for imapproxy.
  * Update README.Debian with documentation about the Recommends
    and Suggests of this package.
  * Add advice about setting default options for your specific
    IMAP server.
  * Move fix for reloading signout.php from there to auth.php,
    because it broke plug-ins. Patch from upstream CVS.
    (Closes: #304422)
  * Correct spelling errors in Debian documentation.
  * Change "no JavaScript" to "no JavaScript required" in the
    package description because JavaScript can be used if
    available but is not depended on.

 -- Thijs Kinkhorst  Sat, 9 Apr 2005 13:35:19 +0200

squirrelmail (2:1.4.4-4) unstable; urgency=low

  * Make use of dictionaries-common (when available) to auto-detect
    spell checker settings (Closes: #283948)
  * Change default recommended spell checker to ispell.

 -- Thijs Kinkhorst  Sat, 26 Mar 2005 15:28:48 +0100

squirrelmail (2:1.4.4-3) unstable; urgency=low

  * Move default_pref config file from /var to /etc, as per Debian
    policy (Closes: #293281)
  * [JvW] (finally) override two lintian warnings about nonstandard
    permissions that are intentional (Closes: #293366)

 -- Thijs Kinkhorst  Sun, 6 Feb 2005 21:41:51 +0100

squirrelmail (2:1.4.4-2) unstable; urgency=low

  * Fix configtest.php to accept a non-readable data_dir, which is
    the default Debian configuration
  * [JvW] Depend on squirrelmail-locales, to ease upgrades
    woody->sarge (Closes: #292490)
  * Extend README.locales with information about the
    squirrelmail-locales package and add hint that a restart of
    Apache might be needed
  * Limit access to configtest.php to just localhost, to prevent
    information leakage (Closes: #293133)

 -- Thijs Kinkhorst  Tue, 1 Feb 2005 14:26:41 +0100

squirrelmail (2:1.4.4-1) unstable; urgency=high

  * New upstream version: 1.4.4
    + Security: Added hook for Preferences Backend to resolve
      potential local file inclusion resulting in arbitrary code
      execution, warranting high urgency [CAN-2005-0075]
    + Security: Fix potential file inclusion issues in
      src/webmail.php. [CAN-2005-0103]
    + Security: Fix possible XSS issues in src/webmail.php.
      [CAN-2005-0104]
  * Thijs Kinkhorst: Add missing docs to squirrelmail.docs file
    (Closes: #289088)

  Thanks a lot to Thijs Kinkhorst who worked hard to get 1.4.4 released,
  and helped tremendously with the packaging for Debian

 -- Jeroen van Wolffelaar  Sat, 22 Jan 2005 23:33:16 +0100

squirrelmail (2:1.4.3a+1.4.4rc1-0exp1) experimental; urgency=low

  * Experimental package
  * New upstream version: 1.4.4 Release Candidate 1
    + Fixes broken theme select box (Closes: #286374)
    + Fixes wrong German translation (Closes: #282829)
    + Fixes broken Unicode encoding (Closes: #270626)
    + Fixes signout error when timed out (Closes: #275941)
    + Removed several backported patches that are in 1.4.4 now
  * Locales are not in the squirrelmail package anymore, but a
    separate package, start to recommend it (squirrelmail-locales)

 -- Jeroen van Wolffelaar  Mon, 3 Jan 2005 00:28:32 +0100

squirrelmail (2:1.4.3a-3) unstable; urgency=high

  * Fix security issue: a remote attacker can compromise an account
    by sending a specially-crafted email containing JavaScript in a
    RFC2047 encoded header [CAN-2004-1036] (Closes: #280591)
  * Fix spelling mistake in the name of Thijs Kinkhorst in Uploaders

 -- Jeroen van Wolffelaar  Tue, 16 Nov 2004 12:26:43 +0100

squirrelmail (2:1.4.3a-2) unstable; urgency=medium

  * Put myself as maintainer, and Sam Johnston as co-maintainer.
    Thijs Kinkhorst will also keep assisting in this package, he's
    co-maintainer too now. Thanks Sam, for the work you're putting
    into squirrelmail.
  * Checked for policy compliance with 3.6.1, no changes were needed,
    updated Standards-Version
  * Fix conf.pl detection of magic $domain contents (Closes: #271374)
  * Default to use /etc/mailname if it exists as default domain, use
    /etc/hostname only as fallback, as indicated by policy 11.6
    (Mail transport, delivery and user agents)
  * cron.daily now checks whether the to-be-cleaned directory actually
    exists, and exits gracefully if not (Closes: #272046)
  * Now really fix the default apache.conf ssl-redirection example,
    also noted that it's just that, an example, and might not always
    work (Closes: #267777)

 -- Jeroen van Wolffelaar  Wed, 22 Sep 2004 00:59:48 +0200

squirrelmail (2:1.4.3a-1) unstable; urgency=low

  * Signed and incremented by maintainer on vacation. Closes: #255752.
  * Updated SSL RewriteCond directive to resolve loop. Closes: #267777.

 -- Sam Johnston  Tue, 24 Aug 2004 23:27:24 +1000

squirrelmail (2:1.4.3a-0.3) unstable; urgency=low

  * Non-Maintainer Upload in cooperation with Thijs Kinkhorst
  * Applied patch from stable CVS that refuses to LOGIN (plaintext
    IMAP-authentication) if the server advertises that is not
    supported, and gives an appropriate error message
    (Closes: #266099)
  * Don't put a newline in $domain in the default config

 -- Jeroen van Wolffelaar  Thu, 19 Aug 2004 01:08:01 +0200

squirrelmail (2:1.4.3a-0.2) unstable; urgency=medium

  * Non-Maintainer Upload in cooperation with Thijs Kinkhorst
  * [TK] Apply simple patch from upstream stable CVS fixing sending of
    RFC-violating Message-ID's (class/deliver/Deliver.class.php
    r1.18.2.11 & r1.18.2.12)
  * Remove symlink in /var/www/ that kept being recreated, updated
    README.Debian accordingly (Closes: #261102)
  * Prevent dh_fixperms from resetting special permission of
    /var/lib/squirrelmail/data/ and /var/spool/squirrelmail/attach/,
    so that the buggy workaround in postinst can be removed
    (Closes: #263936)
  * Suggests php4-pear now (useful for database-backed preferences
    and addressbooks)

 -- Jeroen van Wolffelaar  Fri, 13 Aug 2004 14:46:25 +0200

squirrelmail (2:1.4.3a-0.1) unstable; urgency=low

  * Non-Maintainer Upload in cooperation with Thijs Kinkhorst,
    upstream SquirrelMail developer
  * Reverted away from the development branch to the stable branch
    (Closes: #232995)
    - This re-introduces the translations (Closes: #232944)
    - Experimental mailbox-tree code is 1.5.x only
      (Closes: #231687, #233550, also closes: #250411)
    - imap_general experimental code was buggy in 1.5.0 only
      (Closes: #246097)
    - A buggy CRAM-MD5 check was 1.5.0 only too (Closes: #239566)
  * New upstream
  * Backport fix that was already in the 1.5.0 package fixing RFC3501
    compliance for mailbox naming, keeping #176590 and #215183 closed
    (by Thijs, he committed it in upstream CVS on the 1.4 branch as
    functions/imap_mailbox.php 1.172.2.11)
  * Prefer apache2 and its php4 module in the Depends
    (Closes: #250303, #251656)
  * Dropped dependency on php4-pear, and added a proper error when
    using the preferences/addressbook-in-database feature suggesting
    to install it
  * Turn register_globals off for SquirrelMail, rather than on, since
    this is supported (even recommended) for nowaday's SquirrelMail
  * Add debhelper tokens to the postinst and postrm, this removes the
    now needless debconf purge on package purge, and the debconf
    dependency
  * On purge, remove user data in /var/{lib,spool}/squirrelmail too
  * Stop distributing UPGRADE and a duplicate copy of the upstream
    changelog
  * In README, tell about README.Debian instead of referring to
    'INSTALL'
  * The README.Debian is more clear about configuring with Apache
  * Update 'copyright' file with general download location and correct
    the copyright holder to "The SquirrelMail Project Team".
  * In index.html, have proper (though still not complete) references
    to available documents in /usr/share/doc/squirrelmail
    (Closes: #246722)
  * Removed bogus 'Closes' line in last changelog entry

 -- Jeroen van Wolffelaar  Tue, 22 Jun 2004 19:37:36 +0200

squirrelmail (1:1.5.0-1) unstable; urgency=low

  * New upstream release.
  * RFC3501 compliance for mailbox naming (eg trailing spaces).
    Closes: #176590, #215183.
  * Adds a squirrelmail symlink in /var/www/. Closes: #229282.
  * Adds PHP safe_mode workaround to README.Debian. Closes: #222071.
  * Adds daily cron job to clean attachments directory.
    Closes: #228400.
  * Checks for config_default.php before copying in postinst.
    Closes: #229737.

 -- Sam Johnston  Wed, 4 Feb 2004 01:42:12 +1100

squirrelmail (1:1.4.2-1) unstable; urgency=medium

  * New upstream release. Closes: #204058.
  * Significant improvements over (broken) 1.4.0-1 package.
  * PHP compatibility fixes. Closes: #202368.
  * conf.pl corrupts theme paths issue resolved.
    Closes: #175773, #180108, #188441, #190315, #190923, #191028.
  * Backwards compatible with stripped path themes (previous debs).
  * Highlighting issue (1.4.0) resolved. Closes: #188631.
  * Rendering issues with problem emails resolved. Closes: #205572.
  * Resource utilisation improvements. Closes: #191856, #189602.
  * README reference to upstream INSTALL document updated.
    Closes: #173367, 178951.
  * All known XSS exploits resolved. Closes: #167471.
  * Folder list refreshes on login. Closes: #165753.
  * $domain variable set to contents of /etc/hostname.
    Closes: #198747.
  * Trims off HTTP_HOST port number for use in SMTP HELO.
    Closes: #200108.
  * Fails gracefully when IMAP server unavailable. Closes: #192239.
  * Recommends rather than depends on spell checker. Closes: #193680.
  * DirectoryIndex directive added to apache.conf. Closes: #201022.
  * Plugin config(s) moved to /etc. Closes: #146416.
  * Properly handles accents and tildes in To:, Subject: etc headers.
    Closes: #150338, #179166.
  * No (broken) 'Save' button in printable version. Closes: #185602.
  * Removes /usr/share/squirrelmail/data iff it is a symbolic link.
    Closes: #188143.
  * Resolves policy violation by replacing conf.pl (executable in /etc)
    with a symlink to /usr/sbin/squirrelmail-configure.
    Closes: #163995.

 -- Sam Johnston  Mon, 6 Oct 2003 07:44:12 +1000

squirrelmail (1:1.4.0-1) unstable; urgency=low

  * New upstream release. Closes: #179864, 134237.
  * Resolves XSS security issues. Closes: #182008.
  * Resolves default theme login problem. Closes: #174262.
  * conf.pl cwd calls hardwired. Closes: #173516.
  * conf.pl no longer breaks existing configs. Closes: #175773.
  * blank lines no longer removed by compose.php. Closes: #175842.
  * proto checking more robust. Closes: #178130.
  * uses /etc/mailname instead of mydomain.com.
    Closes: #181619, 176777.
  * added https redirect to example apache.conf. Closes: #172938.
  * depends on php4-pear. Closes: #173256.
  * indent problem resolved. Closes: #186506.
  * no longer creates data symlink, removes existing. Closes: #181537.
  * default_pref is a conffile - no longer written over.
    Closes: #178815.

 -- Sam Johnston  Tue, 8 Apr 2003 02:06:40 +1000

squirrelmail (1:1.3.2+1.4.0rc1-1) unstable; urgency=low

  * New upstream release candidate

 -- Sam Johnston  Thu, 2 Jan 2003 09:03:47 +1100

squirrelmail (1:1.3.2-2) unstable; urgency=high

  * Fixed cross site scripting problem in read_body.php
    (BugTraq ID 6302, CAN-2002-1341)

 -- Sam Johnston  Sun, 22 Dec 2002 03:56:23 +1100

squirrelmail (1:1.3.2-1) unstable; urgency=low

  * New upstream release - tracking development
  * Removed debconf/wwwconfig scripts.
    Closes: #164605, #136612, #137165.
  * Fixed dependencies (php4-cgi httpd). Closes: #152062, #152882.
  * Japanese patch included upstream. Closes: #159454.
  * Folder rename issue resolved upstream. Closes: #166297.
  * display_messages doc root issue resolved upstream.
    Closes: #165103.

 -- Sam Johnston  Thu, 7 Nov 2002 12:02:23 +1100

squirrelmail (1:1.2.8-1) unstable; urgency=low

  * New upstream release

 -- Sam Johnston  Mon, 7 Oct 2002 23:37:40 +1000

squirrelmail (1:1.2.7-1) unstable; urgency=low

  * New upstream release

 -- Sam Johnston  Mon, 24 Jun 2002 01:08:23 +1000

squirrelmail (1:1.2.6-1) unstable; urgency=high

  * New upstream *SECURITY* release
  * Resolves local unprivileged exploit. Closes: #144496.
  * Adds README.locales with information about languages.
    Closes #143277.
  * Resolves typo in conf.pl (Save data repeated). Closes: #140506.
  * Adds russian templates for debconf. Closes #136612, #137165.

 -- Sam Johnston  Tue, 30 Apr 2002 18:53:46 +1000

squirrelmail (1:1.2.5-1) unstable; urgency=low

  * New upstream release. Closes: #138181.
  * Fixed typo in debconf template. Closes: #131755.
  * Installs default config_default.php file on new installations.
    Closes: #136776.

 -- Sam Johnston  Tue, 19 Mar 2002 01:51:08 +1100

squirrelmail (1:1.2.4-1) unstable; urgency=high

  * New upstream *SECURITY* release
  * Fixes remote exploit in squirrelspell plugin. Closes: #130754.

 -- Sam Johnston  Sat, 26 Jan 2002 06:22:30 +1100

squirrelmail (1:1.2.3-2) unstable; urgency=low

  * Resolves theme path issue (themes work again). Closes: #129406.

 -- Sam Johnston  Thu, 24 Jan 2002 03:46:14 +1100

squirrelmail (1:1.2.3-1) unstable; urgency=medium

  * New upstream release

 -- Sam Johnston  Wed, 23 Jan 2002 03:12:34 +1100

squirrelmail (1:1.2.2.20020116-1) unstable; urgency=low

  * New upstream release (tracking CVS due to problems with releases,
    PHP 4.1 migration, etc.) Closes: #128228.
  * Fixes typo in the control file (description). Closes: #129350.
  * Uses php_flags syntax for register_globals workaround.
    Closes: #128226.
  * Resolves conf.pl hanging problem by calling db_stop from
    maintainer scripts when debconf is finished with.
    Closes: #128142.
  * Various fixes to keep lintian happy

 -- Sam Johnston  Thu, 17 Jan 2002 02:49:05 +1100

squirrelmail (1:1.2.2-2) unstable; urgency=medium

  * Added support for apache-ssl. SSL (not necessarily apache-ssl) is
    recommended for all installations which involve sessions over
    untrusted networks as passwords are sent in clear text, and
    message contents may be confidential. Closes: #114545, #115140.
  * Added preliminary debconf support for selecting webserver type for
    autoconfiguration (we can set up PHP, and #include the
    SquirrelMail apache.conf file in most cases, avoiding the need for
    any manual changes). Closes: #125590.

 -- Sam Johnston  Wed, 2 Jan 2002 17:23:56 +1100

squirrelmail (1:1.2.2-1) unstable; urgency=medium

  * New upstream release
  * Resolved problem finding plugins by replacing relative plugin dir
    references with absolute references. Closes: #115163.
  * Resolved problem finding themes by removing relative themes dir
    (unnecessarily included in each theme definition), instead
    hardcoding it in the php script(s) which reference themes.
    Closes: #116285.
  * Resolved conf.pl problems preventing it from being executed from
    outside the squirrelmail dir by referencing /etc/squirrelmail.
    Closes: #119859.
  * Suggests imap-server. Does not depend as many (most?) sites will/
    should be running SM on a separate machine. Feedback about this
    decision welcome. Closes: #114543.
  * Suggests ispell | aspell as SquirrelSpell is now included in the
    main distribution. The sqspell config file is now a conffile to
    prevent overwrites.

 -- Sam Johnston  Wed, 2 Jan 2002 15:20:07 +1100

squirrelmail (1:1.2.0-1) unstable; urgency=low

  * New upstream release
  * Plugin detection/symlink problem in conf.pl fixed
  * Merry Christmas

 -- Sam Johnston  Tue, 25 Dec 2001 18:31:05 +1100

squirrelmail (1.2.0-rc3-2) unstable; urgency=low

  * Edited apache configuration to resolve 404 errors.
    There is some discussion upstream about incompatibilities between
    SM and PHP 4.1.0, including a discussion about get_location
    returning null so I expect these issues will be resolved by the
    (christmas day) release of 1.2.0. Closes #125866.

 -- Sam Johnston  Thu, 20 Dec 2001 11:37:00 +1100

squirrelmail (1.2.0-rc3-1) unstable; urgency=low

  * New upstream release
  * Fixed up description formatting problem. Closes: #114871
  * Removed require_once patches applied in rc2-2. Fixed upstream.
  * Fixed password parsing problem. Closes: #115225
  * Speed improvements and optimisations
  * Several plugins integrated into the core or added as 'official'
  * New paginator, rewrite of option pages code, etc.

 -- Sam Johnston  Sun, 16 Dec 2001 23:53:36 +1100

squirrelmail (1.2.0-rc2-3) unstable; urgency=low

  * Created a fairly intelligent script for packaging up plugins.
    It goes by the name of smpackage and it lives in the examples
    directory, for want of a better home.
  * Uploaded 40-something libsquirrelmail-* plugin packages. Enjoy.

 -- Sam Johnston  Mon, 8 Oct 2001 03:16:24 +1000

squirrelmail (1.2.0-rc2-2) unstable; urgency=low

  * Resolved problems with redeclaring functions by replacing
    include()s with require_once()s
  * Closes: 114531

 -- Sam Johnston  Fri, 5 Oct 2001 18:18:53 +1000

squirrelmail (1.2.0-rc2-1) unstable; urgency=low

  * New upstream release

 -- Sam Johnston  Wed, 3 Oct 2001 00:08:20 +1000

squirrelmail (1.0.6-2) unstable; urgency=low

  * Added support to conf.pl for automated plugin installation and
    removal

 -- Sam Johnston  Tue, 2 Oct 2001 22:15:25 +1000

squirrelmail (1.0.6-1) unstable; urgency=low

  * Initial Release
  * Kudos to Bart Bunting for his initial work on packaging
    squirrelmail
  * Closes #86125

 -- Sam Johnston  Tue, 2 Oct 2001 21:39:10 +1000

vim: et

debian/squirrelmail.docs

debian/README.locales
doc/AUTHORS
doc/ReleaseNotes
doc/russian_apache.txt
doc/authentication.txt
doc/ie_ssl.txt
doc/presets.txt
doc/security.txt
doc/translating.txt
doc/translating_help.txt

debian/compat

7

debian/squirrelmail-configure.8

.\" Hey, EMACS: -*- nroff -*-
.\" First parameter, NAME, should be all caps
.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
.\" other parameters are allowed: see man(7), man(1)
.TH SQUIRRELMAIL-CONFIGURE 8 "October 8, 2003"
.\" Please adjust this date whenever revising the manpage.
.\"
.\" Some roff macros, for reference:
.\" .nh        disable hyphenation
.\" .hy        enable hyphenation
.\" .ad l      left justify
.\" .ad b      justify to both left and right margins
.\" .nf        disable filling
.\" .fi        enable filling
.\" .br        insert line break
.\" .sp        insert n+1 empty lines
.\" for manpage-specific macros, see man(7)
.SH NAME
squirrelmail-configure \- Interactively configure SquirrelMail
.SH SYNOPSIS
.B squirrelmail-configure
.SH DESCRIPTION
Use this interactive command to create or modify your
/etc/squirrelmail/config.php file. The program contains online help.

Alternatively, you can edit this file by hand. For that, you can use
config_default.php as a reference.
.SH AUTHOR
The SquirrelMail Project Team

This manual page was written by Sam Johnston,
for the Debian GNU/Linux system (but may be used by others)

debian/squirrelmail.dirs

etc/squirrelmail
usr/share/squirrelmail
usr/sbin
var/spool/squirrelmail/attach
var/lib/squirrelmail/data

debian/rules

#!/usr/bin/make -f
# debian/rules makefile for squirrelmail

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

build: build-arch build-indep
build-arch: build-stamp
build-indep: build-stamp
build-stamp:
	dh_testdir
	touch build-stamp

clean:
	dh_testdir
	dh_testroot
	rm -f build-stamp
	dh_clean

install: build
	dh_testdir
	dh_testroot
	dh_prep
	dh_installdirs
	dh_install
	mv $(CURDIR)/debian/squirrelmail/etc/squirrelmail/conf.pl \
		$(CURDIR)/debian/squirrelmail/usr/sbin/squirrelmail-configure
	mv $(CURDIR)/debian/squirrelmail/usr/share/squirrelmail/plugins/squirrelspell/sqspell_config.php \
		$(CURDIR)/debian/squirrelmail/etc/squirrelmail/
	mv $(CURDIR)/debian/squirrelmail/usr/share/squirrelmail/plugins/filters/setup.php \
		$(CURDIR)/debian/squirrelmail/etc/squirrelmail/filters_setup.php
	find debian/squirrelmail -name .svn | xargs -r rm -r
	rm -f debian/squirrelmail/usr/share/squirrelmail/plugins/demo/COPYING \
		debian/squirrelmail/usr/share/squirrelmail/plugins/test/COPYING
	chmod +x debian/squirrelmail/usr/share/squirrelmail/plugins/demo/getpot

# Build architecture-independent files here.
binary-indep: build install
	dh_testdir
	dh_testroot
	dh_installdebconf
	dh_installdocs -X.svn
	dh_installexamples
	dh_installman
	dh_installcron
	mv $(CURDIR)/debian/squirrelmail/usr/share/lintian/overrides/squirrelmail.lintian \
		$(CURDIR)/debian/squirrelmail/usr/share/lintian/overrides/squirrelmail
	dh_installchangelogs doc/ChangeLog
	chgrp www-data $(CURDIR)/debian/squirrelmail/var/spool/squirrelmail/attach \
		$(CURDIR)/debian/squirrelmail/var/lib/squirrelmail/data
	chmod u=rwx,g=wx,o= $(CURDIR)/debian/squirrelmail/var/spool/squirrelmail/attach \
		$(CURDIR)/debian/squirrelmail/var/lib/squirrelmail/data
	dh_link
	dh_compress
	dh_fixperms -X/var
	dh_installdeb
	dh_gencontrol
	dh_md5sums
	dh_builddeb

# Build architecture-dependent files here.
binary-arch: binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary install debian/patches/0000755000000000000000000000000013342007444010616 5ustar debian/patches/php54_htmlspecialchars0000644000000000000000000024643113262143233015117 0ustar Description: htmlspecialchars() semantics changed in PHP 5.4. Replace all calls to that function with a SquirrelMail-internal function that restores the previous behaviour. Origin: upstream, http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14345 Bug-Debian: http://bugs.debian.org/664895 --- a/plugins/fortune/fortune_functions.php +++ b/plugins/fortune/fortune_functions.php @@ -30,7 +30,7 @@ if (!$exist) { $sMsg = sprintf(_("%s is not found."),$fortune_location); } else { - $sMsg = htmlspecialchars(shell_exec($fortune_location . ' -s')); + $sMsg = sm_encode_html_special_chars(shell_exec($fortune_location . ' -s')); } --- a/plugins/message_details/message_details_bottom.php +++ b/plugins/message_details/message_details_bottom.php @@ -215,7 +215,7 @@ $entities["$entStr"]['contenttype']=$reg[2].'/'.$reg[3]; } } else if (!$nameset && preg_match("/^.*(name=\s*)\"(.*)\".*/i",$line,$reg)) { - $name = htmlspecialchars($reg[2]); + $name = sm_encode_html_special_chars($reg[2]); $content[$content_indx]['name'] = decodeHeader($name); $nameset = true; if (isset($entities["$entStr"])) { @@ -246,7 +246,7 @@ } } */ - $line = htmlspecialchars($line); + $line = sm_encode_html_special_chars($line); $message_body .= "$pre"."$line"."$end".'
'."\r\n"; } --- a/plugins/info/options.php +++ b/plugins/info/options.php @@ -75,7 +75,7 @@ print "Server Capability response:
\n"; foreach($caps_array[0] as $value) { - print htmlspecialchars($value); + print sm_encode_html_special_chars($value); } print "\n"; @@ -94,8 +94,8 @@ } } else { - print 'folder_prefix = ' . htmlspecialchars($folder_prefix) . "
\n". - 'default_charset = ' . htmlspecialchars($default_charset) . "\n"; + print 'folder_prefix = ' . sm_encode_html_special_chars($folder_prefix) . "
\n". + 'default_charset = ' . sm_encode_html_special_chars($default_charset) . "\n"; } print "

\n"; --- a/plugins/info/functions.php +++ b/plugins/info/functions.php @@ -30,7 +30,7 @@ $sid = sqimap_session_id(); $results = array(); $query = "$sid ".trim($string)."\r\n"; - print "".htmlspecialchars($query).""; + print "".sm_encode_html_special_chars($query).""; fputs ($imap_stream, $query); $response = sqimap_read_data_list($imap_stream, $sid, false, $responses, $message); array_push($response, $message); @@ -43,7 +43,7 @@ print_response($value); } else { - print htmlspecialchars($value)."
\n"; + print sm_encode_html_special_chars($value)."
\n"; } } } --- a/plugins/mail_fetch/fetch.php +++ b/plugins/mail_fetch/fetch.php @@ -34,7 +34,7 @@ function Mail_Fetch_Status($msg) { echo html_tag( 'table', html_tag( 'tr', - html_tag( 'td', htmlspecialchars( $msg ) , 'left' ) + html_tag( 'td', sm_encode_html_special_chars( $msg ) , 'left' ) ), '', '', 'width="90%"' ); flush(); @@ -82,7 +82,7 @@ '' . "\n"; } echo '' . @@ -94,7 +94,7 @@ if ($mailfetch_pass_[$i]=='') { echo html_tag( 'tr', html_tag( 'td', _("Password for") . ' ' . - htmlspecialchars((($mailfetch_alias_[$i]=='')?$mailfetch_server_[$i]:$mailfetch_alias_[$i])) . + sm_encode_html_special_chars((($mailfetch_alias_[$i]=='')?$mailfetch_server_[$i]:$mailfetch_alias_[$i])) . ':     ', 'right' ) . html_tag( 'td', '', 'left' ) @@ -137,7 +137,7 @@ html_tag( 'table', html_tag( 'tr', html_tag( 'td', '' . _("Fetching from ") . - htmlspecialchars((($mailfetch_alias_[$i_loop] == '')?$mailfetch_server:$mailfetch_alias_[$i_loop])) . + sm_encode_html_special_chars((($mailfetch_alias_[$i_loop] == '')?$mailfetch_server:$mailfetch_alias_[$i_loop])) . '', 'center' ) , '', $color[9] ) , @@ -227,7 +227,7 @@ } $Count = $pop3->login($mailfetch_user, $mailfetch_pass); if (($Count == false || $Count == -1) && $pop3->ERROR != '') { - Mail_Fetch_Status(_("Login Failed:") . ' ' . htmlspecialchars($pop3->ERROR) ); + Mail_Fetch_Status(_("Login Failed:") . ' ' . sm_encode_html_special_chars($pop3->ERROR) ); Mail_Fetch_Status(_("Saving UIDL")); setPref($data_dir,$username,"mailfetch_uidl_$i_loop", $mailfetch_uidl[$i-1]); @@ -266,7 +266,7 @@ if( $pop3->delete($i) ) { Mail_Fetch_Status(sprintf(_("Message %d deleted from remote server!"), $i)); } else { - Mail_Fetch_Status(_("Delete failed:") . htmlspecialchars($pop3->ERROR) ); + Mail_Fetch_Status(_("Delete failed:") . sm_encode_html_special_chars($pop3->ERROR) ); } } } else { --- a/plugins/mail_fetch/options.php +++ b/plugins/mail_fetch/options.php @@ -316,7 +316,7 @@ echo '' . _("Server Name:") . ' '. '  '. 
@@ -342,7 +342,7 @@ html_tag( 'td', "" . '' . - '
' . _("Selected Server:") . " " . htmlspecialchars($mailfetch_server_[$mf_sn]) . "
" . + '
' . _("Selected Server:") . " " . sm_encode_html_special_chars($mailfetch_server_[$mf_sn]) . "
" . _("Confirm delete of selected server?") . '

' . '' . '
' , @@ -369,23 +369,23 @@ html_tag( 'table' ) . html_tag( 'tr', html_tag( 'th', _("Server:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Port:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Alias:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Username:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr', html_tag( 'th', _("Password:"), 'right' ) . - html_tag( 'td', '', 'left' ) + html_tag( 'td', '', 'left' ) ) . html_tag( 'tr' ) . html_tag( 'th', _("Store in Folder:"), 'right' ) . --- a/plugins/newmail/newmail_opt.php +++ b/plugins/newmail/newmail_opt.php @@ -159,8 +159,8 @@ if ($fname == $media) { echo 'selected="selected" '; } - echo 'value="' . htmlspecialchars($fname) . '">' . - htmlspecialchars($entry) . "\n"; + echo 'value="' . sm_encode_html_special_chars($fname) . '">' . + sm_encode_html_special_chars($entry) . "\n"; } } $d->close(); @@ -174,8 +174,8 @@ html_tag( 'tr', "\n" . html_tag( 'td', _("Current File:"), 'right', '', 'nowrap' ) . html_tag( 'td', '' . - htmlspecialchars($media_output) . '', 'left' ) + sm_encode_html_special_chars($media) . '" name="media_default">' . + sm_encode_html_special_chars($media_output) . '', 'left' ) ) . "\n"; } echo html_tag( 'tr', "\n" . --- a/plugins/newmail/setup.php +++ b/plugins/newmail/setup.php @@ -242,7 +242,7 @@ if ($totalNew > 0 && $newmail_enable == 'on' && $newmail_media != '' && $newmail_media != '(none)') { $newmail_media=sqm_baseuri().'plugins/newmail/sounds/'.basename($newmail_media); - echo '\n"; } if ($totalNew > 0 && $newmail_popup == 'on') { --- a/plugins/newmail/testsound.php +++ b/plugins/newmail/testsound.php @@ -34,7 +34,7 @@ echo html_tag( 'table', html_tag( 'tr', html_tag( 'td', - ''. + ''. '
'. '' . _("Loading the sound...") . '
'. '
'. --- a/plugins/translate/setup.php +++ b/plugins/translate/setup.php @@ -226,7 +226,7 @@ } if (! is_null($charset)) - echo ' accept-charset="'.htmlspecialchars($charset).'"'; + echo ' accept-charset="'.sm_encode_html_special_chars($charset).'"'; echo ">\n"; @@ -251,7 +251,7 @@ - + '; @@ -65,20 +65,20 @@ echo '' . "\n" ; } else { - echo htmlspecialchars('"'.$idents[0]['full_name'].'" <'.$idents[0]['email_address'].'>'); + echo sm_encode_html_special_chars('"'.$idents[0]['full_name'].'" <'.$idents[0]['email_address'].'>'); } echo '

' -. '' -. '' -. '' -. '' +. '' +. '' +. '' +. '' . '

' . '
'; --- a/plugins/spamcop/options.php +++ b/plugins/spamcop/options.php @@ -130,7 +130,7 @@ '(' . _("see below") . ')','right','','valign="top"'); ?>
- + \n"; --- a/plugins/spamcop/spamcop.php +++ b/plugins/spamcop/spamcop.php @@ -130,8 +130,8 @@ echo '\n"; } else { ?> - - + + \n"; } @@ -147,9 +147,9 @@ $form_action = sqm_baseuri() . 'src/compose.php'; ?> - - - + + + @@ -171,7 +171,7 @@ } ?> - + "; } --- a/plugins/squirrelspell/modules/edit_dic.mod +++ b/plugins/squirrelspell/modules/edit_dic.mod @@ -82,8 +82,8 @@ $msg .= "\n"; } $msg .= ' ' - . htmlspecialchars($words_ary[$j])."
\n"; + . 'value="' . sm_encode_html_special_chars($words_ary[$j]) . '" /> ' + . sm_encode_html_special_chars($words_ary[$j])."
\n"; } $msg .= '' . "" --- a/plugins/squirrelspell/modules/lang_change.mod +++ b/plugins/squirrelspell/modules/lang_change.mod @@ -74,11 +74,11 @@ $lang_array = explode( ',', $lang_string ); $dsp_string = ''; foreach( $lang_array as $a) { - $dsp_string .= _(htmlspecialchars(trim($a))) . _(", "); + $dsp_string .= _(sm_encode_html_special_chars(trim($a))) . _(", "); } $dsp_string = substr( $dsp_string, 0, -2 ); $msg = '

' - . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), ''.$dsp_string.'', ''._(htmlspecialchars($lang_default)).'') + . sprintf(_("Settings adjusted to: %s with %s as default dictionary."), ''.$dsp_string.'', ''._(sm_encode_html_special_chars($lang_default)).'') . '

'; } else { /** --- a/plugins/squirrelspell/modules/forget_me.mod +++ b/plugins/squirrelspell/modules/forget_me.mod @@ -39,7 +39,7 @@ * Remove word by word... */ $lang_words=str_replace("$words_ary[$i]\n", "", $lang_words); - $msg .= '
  • ' . htmlspecialchars($words_ary[$i]) . "
  • \n"; + $msg .= '
  • ' . sm_encode_html_special_chars($words_ary[$i]) . "
  • \n"; } $new_words_ary=split("\n", $lang_words); /** --- a/plugins/squirrelspell/modules/check_me.mod +++ b/plugins/squirrelspell/modules/check_me.mod @@ -95,7 +95,7 @@ $spell_proc = @proc_open($sqspell_command, $descriptorspec, $pipes); if ( ! is_resource ( $spell_proc ) ) { error_box ( sprintf(_("Could not run the spellchecker command (%s)."), - htmlspecialchars($sqspell_command) ) , $color ); + sm_encode_html_special_chars($sqspell_command) ) , $color ); // close html tags and abort script. echo ""; exit(); @@ -133,14 +133,14 @@ $fp = @fopen($floc, 'w'); if ( ! is_resource ($fp) ) { error_box ( sprintf(_("Could not open temporary file '%s'."), - htmlspecialchars($floc) ) , $color ); + sm_encode_html_special_chars($floc) ) , $color ); // failed to open temp file. abort script. echo ""; exit(); } if ( ! @fwrite($fp, $sqspell_new_text) ) { error_box ( sprintf(_("Error while writing to temporary file '%s'."), - htmlspecialchars($floc) ) , $color ); + sm_encode_html_special_chars($floc) ) , $color ); // close file descriptor fclose($fp); // failed writing to temp file. abort script. @@ -159,7 +159,7 @@ $msg= "
    " . sprintf(_("I tried to execute '%s', but it returned:"), $sqspell_command) . "
    "
    -     . htmlspecialchars(join("\n", $sqspell_output)) . '
    ' + . sm_encode_html_special_chars(join("\n", $sqspell_output)) . '' . '' . '
    '; --- a/plugins/filters/options.php +++ b/plugins/filters/options.php @@ -203,7 +203,7 @@ html_tag( 'td', '', 'left' ) . ''. ''. @@ -265,7 +265,7 @@ printf( _("If %s contains %s then move to %s"), ''.$filters[$i]['where'].'', ''.$filters[$i]['what'].'', - ''.htmlspecialchars(imap_utf7_decode_local($fdr)).''); + ''.sm_encode_html_special_chars(imap_utf7_decode_local($fdr)).''); echo ''; } --- a/plugins/filters/spamoptions.php +++ b/plugins/filters/spamoptions.php @@ -199,7 +199,7 @@ echo html_tag( 'p', '', 'center' ) . '[' . _("Edit") . ']' . ' - [' . _("Done") . ']

    '; - printf( _("Spam is sent to %s."), ($filters_spam_folder?''.htmlspecialchars(imap_utf7_decode_local($filters_spam_folder)).'':'['._("not set yet").']' ) ); + printf( _("Spam is sent to %s."), ($filters_spam_folder?''.sm_encode_html_special_chars(imap_utf7_decode_local($filters_spam_folder)).'':'['._("not set yet").']' ) ); echo '
    '; printf( _("Spam scan is limited to %s."), '' . ( ($filters_spam_scan == 'new')?_("Unread messages only"):_("All messages") ) . '' ); echo '

    '. --- a/plugins/bug_report/bug_report.php +++ b/plugins/bug_report/bug_report.php @@ -163,7 +163,7 @@ $body_top .= "----------------------------------------------\n"; } -$body = htmlspecialchars($body_top . $body); +$body = sm_encode_html_special_chars($body_top . $body); ?>
    --- a/plugins/calendar/calendar.php +++ b/plugins/calendar/calendar.php @@ -114,11 +114,11 @@ $calbar = $calendardata[$cdate][$calfoo['key']]; // FIXME: how to display multiline task $title = '['. $calfoo['key']. '] ' . - str_replace(array("\r","\n"),array(' ',' '),htmlspecialchars($calbar['message'])); + str_replace(array("\r","\n"),array(' ',' '),sm_encode_html_special_chars($calbar['message'])); // FIXME: link to nowhere echo "".htmlspecialchars($calbar['title'])."
    \n"; + ."\" title=\"$title\">".sm_encode_html_special_chars($calbar['title'])."
    \n"; $i=$i+1; if($i==2){ break; --- a/plugins/calendar/day.php +++ b/plugins/calendar/day.php @@ -127,9 +127,9 @@ html_tag( 'td', date_intl(_("H:i"),mktime($ehour,$eminute,0,1,1,0)) . $elength, 'left' ) . html_tag( 'td', '', 'left' ) . '['; echo ($calbar['priority']==1) ? - "".htmlspecialchars($calbar['title']).'' : - htmlspecialchars($calbar['title']); - echo']
    '.nl2br(htmlspecialchars($calbar['message'])).'
    ' . + "".sm_encode_html_special_chars($calbar['title']).'' : + sm_encode_html_special_chars($calbar['title']); + echo']
    '.nl2br(sm_encode_html_special_chars($calbar['message'])).'
    ' . html_tag( 'td', "\n" . "\n", '', $color[4], 'colspan="2"' ) ."\n" @@ -198,11 +198,11 @@ ) . html_tag( 'tr', html_tag( 'td', _("Title:") , 'right', $color[4] ) ."\n" . - html_tag( 'td', htmlspecialchars($event_title) , 'left', $color[4] ) ."\n" + html_tag( 'td', sm_encode_html_special_chars($event_title) , 'left', $color[4] ) ."\n" ) . html_tag( 'tr', html_tag( 'td', _("Message:") , 'right', $color[4] ) ."\n" . - html_tag( 'td', nl2br(htmlspecialchars($event_text)) , 'left', $color[4] ) ."\n" + html_tag( 'td', nl2br(sm_encode_html_special_chars($event_text)) , 'left', $color[4] ) ."\n" ) . html_tag( 'tr', html_tag( 'td', --- a/src/addrbook_search_html.php +++ b/src/addrbook_search_html.php @@ -136,15 +136,15 @@ echo html_tag( 'tr', '', '', $tr_bgcolor, 'nowrap' ) . html_tag( 'td', ' ' . _("To") . ' ' . + sm_encode_html_special_chars($email) . '" /> ' . _("To") . ' ' . ' ' . _("Cc") . ' ' . + sm_encode_html_special_chars($email) . '" /> ' . _("Cc") . ' ' . ' ' . _("Bcc") . ' ' , + sm_encode_html_special_chars($email) . '" /> ' . _("Bcc") . ' ' , 'center', '', 'width="5%" nowrap' ) . - html_tag( 'td', ' ' . htmlspecialchars($row['lastname']) . ' ' . htmlspecialchars($row['firstname']) . ' ', 'left', '', 'nowrap' ) . - html_tag( 'td', ' ' . htmlspecialchars($row['email']) . ' ', 'left', '', 'nowrap' ) . - html_tag( 'td', ' ' . htmlspecialchars($row['label']) . ' ', 'left', '', 'nowrap' ); + html_tag( 'td', ' ' . sm_encode_html_special_chars($row['lastname']) . ' ' . sm_encode_html_special_chars($row['firstname']) . ' ', 'left', '', 'nowrap' ) . + html_tag( 'td', ' ' . sm_encode_html_special_chars($row['email']) . ' ', 'left', '', 'nowrap' ) . + html_tag( 'td', ' ' . sm_encode_html_special_chars($row['label']) . ' ', 'left', '', 'nowrap' ); } else { echo html_tag( 'tr', '', '', $tr_bgcolor, 'nowrap' ) . html_tag( 'td', 
@@ -155,9 +155,9 @@ addCheckBox('send_to_search[B'.$line.']', FALSE, $email). ' ' . _("Bcc") . ' ' , 'center', '', 'width="5%" nowrap' ) . - html_tag( 'td', ' ' . htmlspecialchars($row['name']) . ' ', 'left', '', 'nowrap' ) . - html_tag( 'td', ' ' . htmlspecialchars($row['email']) . ' ', 'left', '', 'nowrap' ) . - html_tag( 'td', ' ' . htmlspecialchars($row['label']) . ' ', 'left', '', 'nowrap' ); + html_tag( 'td', ' ' . sm_encode_html_special_chars($row['name']) . ' ', 'left', '', 'nowrap' ) . + html_tag( 'td', ' ' . sm_encode_html_special_chars($row['email']) . ' ', 'left', '', 'nowrap' ) . + html_tag( 'td', ' ' . sm_encode_html_special_chars($row['label']) . ' ', 'left', '', 'nowrap' ); } if ($includesource) { --- a/src/addressbook.php +++ b/src/addressbook.php @@ -345,7 +345,7 @@ html_tag( 'tr', html_tag( 'td', "\n". '' . _("ERROR") . ': ' . htmlspecialchars($abook->error) . '' ."\n", + '">' . _("ERROR") . ': ' . sm_encode_html_special_chars($abook->error) . '' ."\n", 'center' ) ), 'center', '', 'width="100%"' ); @@ -400,7 +400,7 @@ html_tag( 'tr', html_tag( 'td', "\n". '
    ' . _("ERROR") . ': ' . htmlspecialchars($formerror) . '' ."\n", + '">' . _("ERROR") . ': ' . sm_encode_html_special_chars($formerror) . '' ."\n", 'center' ) ), 'center', '', 'width="100%"' ); @@ -412,7 +412,7 @@ /* Get and sort address list */ $alist = $abook->list_addr(); if(!is_array($alist)) { - $abook->error = htmlspecialchars($abook->error); + $abook->error = sm_encode_html_special_chars($abook->error); plain_error_message($abook->error, $color); exit; } @@ -522,8 +522,8 @@ ' ' , 'center', '', 'valign="top" width="1%"' ); } - echo html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%" nowrap' ) . - html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%" nowrap' ) . + echo html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%" nowrap' ) . + html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%" nowrap' ) . html_tag( 'td', '', 'left', '', 'valign="top" width="10%" nowrap' ) . ' '; } else { echo html_tag( 'tr', '', '', $tr_bgcolor); @@ -538,16 +538,16 @@ ' ' , 'center', '', 'valign="top" width="1%"' ); } - echo html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%" nowrap' ) . - html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%" nowrap' ) . + echo html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%" nowrap' ) . + html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%" nowrap' ) . html_tag( 'td', '', 'left', '', 'valign="top" width="10%" nowrap' ) . ' '; } $email = $abook->full_address($row); echo addHidden($row['backend'] . ':' . $row['nickname'], rawurlencode($email)) . makeComposeLink('src/compose.php?send_to='.rawurlencode($email), - htmlspecialchars($row['email'])). + sm_encode_html_special_chars($row['email'])). ' '."\n". - html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%"' ); + html_tag( 'td', '  ', 'left', '', 'valign="top" width="10%"' ); // add extra column if third party backend needs it if ($abook->add_extra_field) { --- a/src/printer_friendly_bottom.php +++ b/src/printer_friendly_bottom.php 
@@ -131,7 +131,7 @@ ) . "\n" . html_tag( 'tr', html_tag( 'td', _("Date").': ', 'left' ) . - html_tag( 'td', htmlspecialchars($date), 'left' ) + html_tag( 'td', sm_encode_html_special_chars($date), 'left' ) ) . "\n" . html_tag( 'tr', html_tag( 'td', _("To").': ', 'left','','valign="top"' ) . @@ -280,7 +280,7 @@ html_tag( 'td',show_readable_size($header->size), 'left') . '' . html_tag( 'td',_("Type:"), 'right') . - html_tag( 'td',htmlspecialchars($type0).'/'.htmlspecialchars($type1), 'left') . + html_tag( 'td',sm_encode_html_special_chars($type0).'/'.sm_encode_html_special_chars($type1), 'left') . ''; if (! empty($description)) { $attachments .= $description; --- a/src/configtest.php +++ b/src/configtest.php @@ -156,7 +156,7 @@ || strpos($variables_order, 'P') === FALSE || strpos($variables_order, 'C') === FALSE || strpos($variables_order, 'S') === FALSE) { - do_err('Your variables_order setting is insufficient for SquirrelMail to function. It needs at least "GPCS", but you have it set to "' . htmlspecialchars($variables_order) . '"', true); + do_err('Your variables_order setting is insufficient for SquirrelMail to function. It needs at least "GPCS", but you have it set to "' . sm_encode_html_special_chars($variables_order) . '"', true); } else { echo $IND . "variables_order OK: $variables_order.
    \n"; } @@ -179,7 +179,7 @@ else if (strpos($gpc_order, 'G') === FALSE || strpos($gpc_order, 'P') === FALSE || strpos($gpc_order, 'C') === FALSE) { - do_err('Your gpc_order setting is insufficient for SquirrelMail to function. It needs to be set to "GPC", but you have it set to "' . htmlspecialchars($gpc_order) . '"', true); + do_err('Your gpc_order setting is insufficient for SquirrelMail to function. It needs to be set to "GPC", but you have it set to "' . sm_encode_html_special_chars($gpc_order) . '"', true); } else { echo $IND . "gpc_order OK: $gpc_order.
    \n"; } @@ -310,7 +310,7 @@ ob_end_clean(); // if plugins output more than newlines and spacing, stop script execution. if (!empty($output)) { - $plugin_load_error = 'Some output is produced when plugins are loaded. Usually this means there is an error in one of the plugin setup or configuration files. The output was: '.htmlspecialchars($output); + $plugin_load_error = 'Some output is produced when plugins are loaded. Usually this means there is an error in one of the plugin setup or configuration files. The output was: '.sm_encode_html_special_chars($output); do_err($plugin_load_error); } /** @@ -354,9 +354,9 @@ echo $IND . "Default language OK.
    \n"; } -echo $IND . "Base URL detected as: " . htmlspecialchars($test_location) . +echo $IND . "Base URL detected as: " . sm_encode_html_special_chars($test_location) . " (location base " . (empty($config_location_base) ? 'autodetected' : 'set to ' . - htmlspecialchars($config_location_base)."") . ")
    \n"; + sm_encode_html_special_chars($config_location_base)."
    ") . ")
    \n"; /* check outgoing mail */ @@ -386,20 +386,20 @@ $errorNumber, $errorString); if(!$stream) { do_err("Error connecting to SMTP server \"$smtpServerAddress:$smtpPort\".". - "Server error: ($errorNumber) ".htmlspecialchars($errorString)); + "Server error: ($errorNumber) ".sm_encode_html_special_chars($errorString)); } // check for SMTP code; should be 2xx to allow us access $smtpline = fgets($stream, 1024); if(((int) $smtpline{0}) > 3) { do_err("Error connecting to SMTP server. Server error: ". - htmlspecialchars($smtpline)); + sm_encode_html_special_chars($smtpline)); } fputs($stream, 'QUIT'); fclose($stream); echo $IND . 'SMTP server OK ('. - trim(htmlspecialchars($smtpline)).")
    \n"; + trim(sm_encode_html_special_chars($smtpline)).")
    \n"; /* POP before SMTP */ if($pop_before_smtp) { @@ -407,13 +407,13 @@ $stream = fsockopen($pop_before_smtp_host, 110, $err_no, $err_str); if (!$stream) { do_err("Error connecting to POP Server ($pop_before_smtp_host:110) " - . $err_no . ' : ' . htmlspecialchars($err_str)); + . $err_no . ' : ' . sm_encode_html_special_chars($err_str)); } $tmp = fgets($stream, 1024); if (substr($tmp, 0, 3) != '+OK') { do_err("Error connecting to POP Server ($pop_before_smtp_host:110)" - . ' '.htmlspecialchars($tmp)); + . ' '.sm_encode_html_special_chars($tmp)); } fputs($stream, 'QUIT'); fclose($stream); @@ -432,24 +432,24 @@ if(!$stream) { do_err("Error connecting to IMAP server \"$imapServerAddress:$imapPort\".". "Server error: ($errorNumber) ". - htmlspecialchars($errorString)); + sm_encode_html_special_chars($errorString)); } /** Is the first response 'OK'? */ $imapline = fgets($stream, 1024); if(substr($imapline, 0,4) != '* OK') { do_err('Error connecting to IMAP server. Server error: '. - htmlspecialchars($imapline)); + sm_encode_html_special_chars($imapline)); } echo $IND . 'IMAP server ready ('. - htmlspecialchars(trim($imapline)).")
    \n"; + sm_encode_html_special_chars(trim($imapline)).")
    \n"; /** Check capabilities */ fputs($stream, "A001 CAPABILITY\r\n"); $capline = fgets($stream, 1024); -echo $IND . 'Capabilities: '.htmlspecialchars($capline)."
    \n"; +echo $IND . 'Capabilities: '.sm_encode_html_special_chars($capline)."
    \n"; if($imap_auth_mech == 'login' && stristr($capline, 'LOGINDISABLED') !== FALSE) { do_err('Your server doesn\'t allow plaintext logins. '. @@ -581,7 +581,7 @@ $dbh = DB::connect($dsn, true); if (DB::isError($dbh)) { - do_err('Database error: '. htmlspecialchars(DB::errorMessage($dbh)) . + do_err('Database error: '. sm_encode_html_special_chars(DB::errorMessage($dbh)) . ' in ' .$type .' DSN.'); } $dbh->disconnect(); --- a/src/search.php +++ b/src/search.php @@ -238,7 +238,7 @@ $showbox = imap_utf7_decode_local($mailbox); } echo html_tag( 'div', '' . _("Folder:") . ' '. - htmlspecialchars($showbox) .'','center') . "\n"; + sm_encode_html_special_chars($showbox) .'','center') . "\n"; $msg_cnt_str = get_msgcnt_str(1, $cnt, $cnt); $toggle_all = get_selectall_link(1, $sort); @@ -248,7 +248,7 @@ $safe_name = preg_replace("/[^0-9A-Za-z_]/", '_', $mailbox); $form_name = "FormMsgs" . $safe_name; echo '
    ' ."\n" . - '' . "\n" . + '' . "\n" . '' . "\n" . addHidden('smtoken', sm_generate_security_token()) . "\n"; @@ -373,9 +373,9 @@ } else { echo html_tag( 'tr', '', '', $color[4] ); } - echo html_tag( 'td', htmlspecialchars(imap_utf7_decode_local($saved_attributes['saved_folder'][$i + 1])), 'left', '', 'width="35%"' ) - . html_tag( 'td', htmlspecialchars($saved_attributes['saved_what'][$i + 1]), 'left' ) - . html_tag( 'td', htmlspecialchars($saved_attributes['saved_where'][$i + 1]), 'center' ) + echo html_tag( 'td', sm_encode_html_special_chars(imap_utf7_decode_local($saved_attributes['saved_folder'][$i + 1])), 'left', '', 'width="35%"' ) + . html_tag( 'td', sm_encode_html_special_chars($saved_attributes['saved_what'][$i + 1]), 'left' ) + . html_tag( 'td', sm_encode_html_special_chars($saved_attributes['saved_where'][$i + 1]), 'center' ) . html_tag( 'td', '', 'right' ) . '' . _("save") --- a/src/login.php +++ b/src/login.php @@ -118,7 +118,7 @@ do_hook('login_cookie'); -$loginname_value = (sqGetGlobalVar('loginname', $loginname) ? htmlspecialchars($loginname) : ''); +$loginname_value = (sqGetGlobalVar('loginname', $loginname) ? sm_encode_html_special_chars($loginname) : ''); /* Output the javascript onload function. */ --- a/src/options_identities.php +++ b/src/options_identities.php @@ -174,7 +174,7 @@ $str = ''; $str .= '\n"; $str .= ' ' . $title . ' ' . "\n"; - $str .= ' ' . "\n"; + $str .= ' ' . "\n"; $str .= ''; return $str; @@ -185,7 +185,7 @@ $str = ''; $str .= '\n"; $str .= ' ' . $title . ' ' . "\n"; - $str .= ' ' . "\n"; + $str .= ' ' . "\n"; $str .= ''; return $str; --- a/src/options_highlight.php +++ b/src/options_highlight.php 
@@ -179,11 +179,11 @@ $links, 'left', $color[4], 'width="20%" nowrap' ) . html_tag( 'td', - htmlspecialchars($message_highlight_list[$i]['name']) , + sm_encode_html_special_chars($message_highlight_list[$i]['name']) , 'left' ) . html_tag( 'td', $match_type . ' = ' . - htmlspecialchars($message_highlight_list[$i]['value']) , + sm_encode_html_special_chars($message_highlight_list[$i]['value']) , 'left' ) , '', '#' . $message_highlight_list[$i]['color'] ) . "\n"; } --- a/src/vcard.php +++ b/src/vcard.php @@ -97,14 +97,14 @@ } else { echo '' . sprintf(_("vCard Version %s is not supported. Some information might not be converted correctly."), - htmlspecialchars($vcard_nice['version'])) . + sm_encode_html_special_chars($vcard_nice['version'])) . "\n"; $vcard_nice['firstname'] = ''; $vcard_nice['lastname'] = ''; } foreach ($vcard_nice as $k => $v) { - $v = htmlspecialchars($v); + $v = sm_encode_html_special_chars($v); $v = trim($v); $vcard_safe[$k] = trim(nl2br($v)); } @@ -166,44 +166,44 @@ ''; @@ -212,7 +212,7 @@ ' . + sm_encode_html_special_chars(!empty($vcard_nice['email;internet'])?$vcard_nice['email;internet']:'') . '" />' . '' . '' . htmlspecialchars( + echo '>' . sm_encode_html_special_chars( $data['full_name'] . ' <' . $data['email_address'] . '>') . "\n"; @@ -1231,10 +1231,10 @@ } else { echo "\n\n".($prefix_sig==true? "-- \n":'').decodeHeader($signature,false,false,true); } - echo "\n\n".htmlspecialchars(decodeHeader($body,false,false,true)); + echo "\n\n".sm_encode_html_special_chars(decodeHeader($body,false,false,true)); } else { - echo "\n\n".htmlspecialchars(decodeHeader($body,false,false,true)); + echo "\n\n".sm_encode_html_special_chars(decodeHeader($body,false,false,true)); if ($default_charset == 'iso-2022-jp') { echo "\n\n".($prefix_sig==true? "-- \n":'').mb_convert_encoding($signature, 'EUC-JP'); }else{ 
@@ -1242,7 +1242,7 @@ } } } else { - echo htmlspecialchars(decodeHeader($body,false,false,true)); + echo sm_encode_html_special_chars(decodeHeader($body,false,false,true)); } echo '
    ' . "\n" . ' ' . "\n" . @@ -1691,7 +1691,7 @@ return $succes; } else { $msg = '
    '.sprintf(_("Error: Draft folder %s does not exist."), - htmlspecialchars($draft_folder)); + sm_encode_html_special_chars($draft_folder)); plain_error_message($msg, $color); return false; } --- a/src/addrbook_search.php +++ b/src/addrbook_search.php @@ -138,7 +138,7 @@ echo "\n"; while (list($undef, $row) = each($res)) { - $email = htmlspecialchars(addcslashes(AddressBook::full_address($row), "'"), ENT_QUOTES); + $email = sm_encode_html_special_chars(addcslashes(AddressBook::full_address($row), "'"), ENT_QUOTES); if ($line % 2) { $tr_bgcolor = $color[12]; } else { @@ -153,12 +153,12 @@ '
    "._("Bcc")."", 'center', '', 'valign="top" width="5%" nowrap' ) . - html_tag( 'td', ' ' . htmlspecialchars($row['name']), 'left', '', 'valign="top" nowrap' ) . + html_tag( 'td', ' ' . sm_encode_html_special_chars($row['name']), 'left', '', 'valign="top" nowrap' ) . html_tag( 'td', ' ' . '" . htmlspecialchars($row['email']) . '' + "'" . $email . "');\">" . sm_encode_html_special_chars($row['email']) . '' , 'left', '', 'valign="top"' ) . - html_tag( 'td', htmlspecialchars($row['label']), 'left', '', 'valign="top" nowrap' ); + html_tag( 'td', sm_encode_html_special_chars($row['label']), 'left', '', 'valign="top" nowrap' ); if ($includesource) { echo html_tag( 'td', ' ' . $row['source'], 'left', '', 'valign="top" nowrap' ); } --- a/src/right_main.php +++ b/src/right_main.php @@ -174,7 +174,7 @@ do_hook('right_main_after_header'); if (isset($note)) { - echo html_tag( 'div', '' . htmlspecialchars($note) .'', 'center' ) . "
    \n"; + echo html_tag( 'div', '' . sm_encode_html_special_chars($note) .'', 'center' ) . "
    \n"; } if ( sqgetGlobalVar('just_logged_in', $just_logged_in, SQ_SESSION) ) { --- a/src/view_header.php +++ b/src/view_header.php @@ -46,7 +46,7 @@ $cnum = 0; for ($i=1; $i < count($read); $i++) { - $line = htmlspecialchars($read[$i]); + $line = sm_encode_html_special_chars($read[$i]); switch (true) { case (preg_match('/^>/i', $line)): $second[$i] = $line; --- a/src/folders_rename_getname.php +++ b/src/folders_rename_getname.php @@ -64,7 +64,7 @@ if (strpos($displayable_old, $delimiter)) { $old_name = substr($displayable_old, strrpos($displayable_old, $delimiter)+1); - $parent = htmlspecialchars(substr($displayable_old, + $parent = sm_encode_html_special_chars(substr($displayable_old, 0, strrpos($displayable_old, $delimiter)) . ' ' . $delimiter); --- a/src/read_body.php +++ b/src/read_body.php @@ -458,7 +458,7 @@ $env[_("Cc")] = formatRecipientString($header->cc, "cc"); $env[_("Bcc")] = formatRecipientString($header->bcc, "bcc"); if ($default_use_priority) { - $env[_("Priority")] = htmlspecialchars(getPriorityStr($header->priority)); + $env[_("Priority")] = sm_encode_html_special_chars(getPriorityStr($header->priority)); } if ($show_xmailer_default) { $env[_("Mailer")] = decodeHeader($header->xmailer); --- a/class/mime/Rfc822Header.class.php +++ b/class/mime/Rfc822Header.class.php @@ -706,7 +706,7 @@ $value = substr($value,strlen($charset)+1); /* FIXME: What's the status of charset decode with language information ???? * Maybe language information contains only ascii text and charset_decode() - * only runs htmlspecialchars() on it. If it contains 8bit information, you + * only runs sm_encode_html_special_chars() on it. If it contains 8bit information, you * get html encoded text in charset used by selected translation. */ $value = charset_decode($charset,$value); --- a/class/deliver/Deliver_SMTP.class.php +++ b/class/deliver/Deliver_SMTP.class.php 
@@ -337,7 +337,7 @@ } $this->dlv_msg = $message; - $this->dlv_server_msg = nl2br(htmlspecialchars($server_msg)); + $this->dlv_server_msg = nl2br(sm_encode_html_special_chars($server_msg)); return true; } --- a/functions/strings.php +++ b/functions/strings.php @@ -1476,4 +1476,38 @@ } +/** + * Wrapper for PHP's htmlspecialchars() that + * attempts to add the correct character encoding + * + * @param string $string The string to be converted + * @param int $flags A bitmask that controls the behavior of htmlspecialchars() + * (See http://php.net/manual/function.htmlspecialchars.php ) + * (OPTIONAL; default ENT_COMPAT) + * @param string $encoding The character encoding to use in the conversion + * (OPTIONAL; default automatic detection) + * @param boolean $double_encode Whether or not to convert entities that are + * already in the string (only supported in + * PHP 5.2.3+) (OPTIONAL; default TRUE) + * + * @return string The converted text + * + */ +function sm_encode_html_special_chars($string, $flags=ENT_COMPAT, + $encoding=NULL, $double_encode=TRUE) +{ + if (!$encoding) + { + global $default_charset; + if ($default_charset == 'iso-2022-jp') + $default_charset = 'EUC-JP'; + $encoding = $default_charset; + } + + if (check_php_version(5, 2, 3)) + return htmlspecialchars($string, $flags, $encoding, $double_encode); + + return htmlspecialchars($string, $flags, $encoding); +} + $PHP_SELF = php_self(); --- a/functions/addressbook.php +++ b/functions/addressbook.php @@ -154,7 +154,7 @@ * display address book init errors. */ if ($abook_init_error!='' && $showerr) { - $abook_init_error = htmlspecialchars($abook_init_error); + $abook_init_error = sm_encode_html_special_chars($abook_init_error); error_box($abook_init_error,$color); } --- a/functions/imap_mailbox.php +++ b/functions/imap_mailbox.php 
@@ -254,7 +254,7 @@ if (strstr($mailbox, '../') || substr($mailbox, 0, 1) == '/') { global $color; include_once(SM_PATH . 'functions/display_messages.php'); - error_box(sprintf(_("Invalid mailbox name: %s"),htmlspecialchars($mailbox)),$color); + error_box(sprintf(_("Invalid mailbox name: %s"),sm_encode_html_special_chars($mailbox)),$color); sqimap_logout($imap_stream); die(''); } @@ -555,16 +555,16 @@ $box2 = $boxes_part['formatted']; break; default: /* default, long names, style = 0 */ - $box2 = str_replace(' ', ' ', htmlspecialchars(imap_utf7_decode_local($boxes_part['unformatted-disp']))); + $box2 = str_replace(' ', ' ', sm_encode_html_special_chars(imap_utf7_decode_local($boxes_part['unformatted-disp']))); break; } } $box2 = str_replace(array('<','>'), array('<','>') , $box2); if ($show_selected != 0 && in_array($lowerbox, $show_selected) ) { - $mbox_options .= '' . "\n"; + $mbox_options .= '' . "\n"; } else { - $mbox_options .= '' . "\n"; + $mbox_options .= '' . "\n"; } } } --- a/functions/i18n.php +++ b/functions/i18n.php @@ -171,7 +171,7 @@ * @param string $string Text to be decoded * @param boolean $force_decode converts string to html without $charset!=$default_charset check. * Argument is available since 1.4.5 and 1.5.1. - * @param boolean $save_html disables htmlspecialchars() in order to preserve + * @param boolean $save_html disables sm_encode_html_special_chars() in order to preserve * html formating. Use with care. Available since 1.4.6 and 1.5.1 * @return string decoded string */ @@ -184,7 +184,7 @@ } /* All HTML special characters are 7 bit and can be replaced first */ - if (! $save_html) $string = htmlspecialchars ($string); + if (! $save_html) $string = sm_encode_html_special_chars ($string); $charset = strtolower($charset); set_my_charset(); 
@@ -214,7 +214,7 @@ * @since 1.4.4 and 1.5.1 * @param string $string * @param string $charset - * @param boolean $htmlencode keep htmlspecialchars encoding + * @param boolean $htmlencode keep sm_encode_html_special_chars encoding * @return string */ function charset_encode($string,$charset,$htmlencode=true) { @@ -258,7 +258,7 @@ * @param string $in_charset initial charset * @param string $string string that has to be converted * @param string $out_charset final charset - * @param boolean $htmlencode keep htmlspecialchars encoding + * @param boolean $htmlencode keep sm_encode_html_special_chars encoding * @return string converted string */ function charset_convert($in_charset,$string,$out_charset,$htmlencode=true) { --- a/functions/mailbox_display.php +++ b/functions/mailbox_display.php @@ -110,10 +110,10 @@ if ($senderNames_part[1]) { $senderName .= decodeHeader($senderNames_part[1]); } else { - $senderName .= htmlspecialchars($senderNames_part[0]); + $senderName .= sm_encode_html_special_chars($senderNames_part[0]); } - $senderFrom .= htmlspecialchars($senderNames_part[0]); + $senderFrom .= sm_encode_html_special_chars($senderNames_part[0]); } } $senderName = str_replace(' ',' ',$senderName); @@ -530,8 +530,8 @@ $form_name = "FormMsgs" . $safe_name; echo '' ."\n" . '' . "\n" . - '' . "\n" . - '' . "\n"; + '' . "\n" . + '' . "\n"; echo ''; echo '' . '' . - '' . + '' . '' - . '' - . '' + . '' + . '' . "\n"; } @@ -821,9 +821,9 @@ function createWidget_Submit() { $result = "name\" value=\"" - . htmlspecialchars($this->comment) + . sm_encode_html_special_chars($this->comment) . "\" $this->script />" - . htmlspecialchars($this->trailing_text) . "\n"; + . sm_encode_html_special_chars($this->trailing_text) . "\n"; return $result; @@ -953,7 +953,7 @@ function create_hidden_element($name, $value) { $result = ''; + . 'value="' . sm_encode_html_special_chars($value) . '" />'; return ($result); } --- a/functions/display_messages.php +++ b/functions/display_messages.php 
@@ -32,7 +32,7 @@ } $string .= sprintf (_("Click here to return to %s"), - htmlspecialchars(imap_utf7_decode_local($mailbox))). + sm_encode_html_special_chars(imap_utf7_decode_local($mailbox))). ''; error_box($string, $color); } --- a/functions/imap_search.php +++ b/functions/imap_search.php @@ -126,7 +126,7 @@ if (strstr($errors,'* SEARCH')) { return array(); } - echo ''; + echo ''; } --- a/functions/imap_messages.php +++ b/functions/imap_messages.php @@ -786,7 +786,7 @@ _("ERROR: Could not complete request.") . '
    ' . _("Unknown response from IMAP server:") . ' 1.' . - htmlspecialchars($read) . "
    \n"; + sm_encode_html_special_chars($read) . "
    \n"; break; } $i = strpos($read,'(',$i_space+5); debian/patches/CVE-2018-8741.patch0000644000000000000000000000363613262143233013253 0ustar Description: CVE-2018-8741: path traversal vulnerability Origin: upstream, https://sourceforge.net/p/squirrelmail/code/14751/ Bug: https://sourceforge.net/p/squirrelmail/bugs/2846/ Bug-Debian: https://bugs.debian.org/893202 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-8741 Forwarded: no Author: Paul Lesniewski Reviewed-by: Salvatore Bonaccorso Last-Update: 2018-04-07 =================================================================== --- a/src/compose.php +++ b/src/compose.php 
@@ -369,8 +369,25 @@ if (!empty($compose_messages[$session])) // should never directly manipulate an object like this if (!empty($attachments)) { $attachments = unserialize($attachments); - if (!empty($attachments) && is_array($attachments)) - $composeMessage->entities = $attachments; + if (!empty($attachments) && is_array($attachments)) { + // sanitize the "att_local_name" since it is user-supplied and used to access the file system + // it must be alpha-numeric and 32 characters long (see the use of GenerateRandomString() below) + foreach ($attachments as $i => $attachment) { + if (empty($attachment->att_local_name) || strlen($attachment->att_local_name) !== 32) { + unset($attachments[$i]); + continue; + } + // probably marginal difference between (ctype_alnum + function_exists) and preg_match + if (function_exists('ctype_alnum')) { + if (!ctype_alnum($attachment->att_local_name)) + unset($attachments[$i]); + } + else if (preg_match('/[^0-9a-zA-Z]/', $attachment->att_local_name)) + unset($attachments[$i]); + } + if (!empty($attachments)) + $composeMessage->entities = $attachments; + } } if (!isset($mailbox) || $mailbox == '' || ($mailbox == 'None')) { debian/patches/series0000644000000000000000000000020113342007444012024 0ustar debian-specifics php54_session_unregister php54_htmlspecialchars CVE-2017-7692.patch CVE-2018-8741.patch CVE-2018-14950-55.patch debian/patches/CVE-2017-7692.patch0000644000000000000000000000151013262143233013243 0ustar Origin: http://www.openwall.com/lists/oss-security/2017/04/19/6 --- a/class/deliver/Deliver_SendMail.class.php +++ b/class/deliver/Deliver_SendMail.class.php 
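Review bot: In the src/compose.php hunk, the ctype_alnum() branch and the preg_match('/[^0-9a-zA-Z]/') fallback are not guaranteed to accept the same input, because the ctype functions classify characters according to the current locale while the regex is fixed to ASCII, so the two branches can disagree on bytes above 0x7f. Since att_local_name is used to access the file system, use a single ASCII-only test that covers both length and alphabet, for example !preg_match('/^[0-9a-zA-Z]{32}\z/', $attachment->att_local_name), and drop the function_exists() switch. The validation also runs only after unserialize($attachments) has already been applied to the submitted value, and the literal 32 is tied to GenerateRandomString() by a comment alone; a shared constant would keep the two from drifting apart.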
@@ -95,9 +95,9 @@ class Deliver_SendMail extends Deliver { $envelopefrom = trim($from->mailbox.'@'.$from->host); $envelopefrom = str_replace(array("\0","\n"),array('',''),$envelopefrom); // save executed command for future reference - $this->sendmail_command = "$sendmail_path $this->sendmail_args -f$envelopefrom"; + $this->sendmail_command = escapeshellcmd("$sendmail_path $this->sendmail_args -f") . escapeshellarg($envelopefrom); // open process handle for writing - $stream = popen(escapeshellcmd($this->sendmail_command), "w"); + $stream = popen($this->sendmail_command, "w"); return $stream; } debian/patches/php54_session_unregister0000644000000000000000000000105413262143233015511 0ustar Description: PHP 5.4 removed the session_unregister function. Replace it with the SquirrelMail-internal custom implementation. Origin: upstream, http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14343 --- a/plugins/message_details/message_details_bottom.php +++ b/plugins/message_details/message_details_bottom.php @@ -85,7 +85,7 @@ $messageheaderstart=false; $boundaries = array(); $entities = array(); -session_unregister("entities"); +sqsession_unregister("entities"); $pre = ''; $end = ''; $entStr = ''; debian/patches/debian-specifics0000644000000000000000000003120413262143233013727 0ustar Description: Debian-specific changes in paths, program locations etc. Forwarded: not-needed Origin: vendor Author: Thijs Kinkhorst --- squirrelmail-1.4.21.orig/include/load_prefs.php +++ squirrelmail-1.4.21/include/load_prefs.php 
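Review bot: In the Deliver_SendMail.class.php hunk, $this->sendmail_command now holds an already-escaped string, but the comment above it still reads "save executed command for future reference" and nothing warns later readers that it must not be passed through escapeshellcmd() again or extended by concatenation. Add a comment saying that $envelopefrom is the only part quoted with escapeshellarg(), and why escapeshellcmd() on the whole string was not enough: it leaves whitespace intact, so a value containing spaces still splits into separate sendmail arguments. $this->sendmail_args still reaches popen() protected by escapeshellcmd() only; if it can ever carry anything other than administrator configuration it needs the same per-argument quoting.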
@@ -33,6 +33,11 @@ $found_theme = false; /* need to adjust $chosen_theme path with SM_PATH */ $chosen_theme = preg_replace("/(\.\.\/){1,}/", SM_PATH, $chosen_theme); +/* need to prepend path where none exists */ +if ( !preg_match("/\//", $chosen_theme) ) { + $chosen_theme = SM_PATH . "themes/" . $chosen_theme; +} + for ($i = 0; $i < count($theme); ++$i){ if ($theme[$i]['PATH'] == $chosen_theme) { $found_theme = true; --- squirrelmail-1.4.21.orig/include/options/display.php +++ squirrelmail-1.4.21/include/options/display.php 
@@ -88,23 +88,29 @@ function load_optpage_data_display() { $language_values = array(); foreach ($languages as $lang_key => $lang_attributes) { + # Debian: cope with squirrelmail-locales not being installed: do not offer + # non-existant languages for selection. This has been fixed in 1.5.x upstream. + if ( isset($lang_attributes['NAME']) && ($lang_key != 'en_US') && ($lang_key != 'custom') && + !file_exists ( SM_PATH . 'locale/'. $lang_key ) ) continue; if (isset($lang_attributes['NAME'])) { $language_values[$lang_key] = $lang_attributes['NAME']; } } - - asort($language_values); - $language_values = - array_merge(array('' => _("Default")), $language_values); - $language = $squirrelmail_language; - $optvals[SMOPT_GRP_GENERAL][] = array( - 'name' => 'language', - 'caption' => _("Language"), - 'type' => SMOPT_TYPE_STRLIST, - 'refresh' => SMOPT_REFRESH_ALL, - 'posvals' => $language_values, - 'htmlencoded' => true - ); + # Debian: only display this option if there's actually a choice. + if ( count($language_values) > 1) { + asort($language_values); + $language_values = + array_merge(array('' => _("Default")), $language_values); + $language = $squirrelmail_language; + $optvals[SMOPT_GRP_GENERAL][] = array( + 'name' => 'language', + 'caption' => _("Language"), + 'type' => SMOPT_TYPE_STRLIST, + 'refresh' => SMOPT_REFRESH_ALL, + 'posvals' => $language_values, + 'htmlencoded' => true + ); + } /* Set values for the "use javascript" option. */ $optvals[SMOPT_GRP_GENERAL][] = array( --- squirrelmail-1.4.21.orig/plugins/fortune/fortune_functions.php +++ squirrelmail-1.4.21/plugins/fortune/fortune_functions.php @@ -24,7 +24,7 @@ function fortune_show() { global $color; - $fortune_location = '/usr/bin/fortune'; + $fortune_location = '/usr/games/fortune'; $exist = is_executable($fortune_location); if (!$exist) { --- squirrelmail-1.4.21.orig/plugins/squirrelspell/sqspell_config.php +++ squirrelmail-1.4.21/plugins/squirrelspell/sqspell_config.php 
@@ -20,18 +20,30 @@ sqgetGlobalVar('username', $username, SQ /** * Example: * - * $SQSPELL_APP = array( 'English' => 'ispell -a', - * 'Spanish' => 'ispell -d spanish -a' ); + * $SQSPELL_APP = array( 'american (American English)' => 'ispell -a', + * 'spanish (Spanish)' => 'ispell -d spanish -a' ); * You can replace ispell with aspell keeping the same commandline: - * $SQSPELL_APP = array( 'English' => 'aspell -a', - * 'Spanish' => 'aspell -d spanish -a' ); + * $SQSPELL_APP = array( 'american (American English)' => 'aspell -a', + * 'spanish (Spanish)' => 'aspell -d spanish -a' ); */ -$SQSPELL_APP = array('English' => 'ispell -a', - 'Spanish' => 'ispell -d spanish -a'); -$SQSPELL_APP_DEFAULT = 'English'; + +# Debian: if dictionaries-common >= 2.81.1 is available, detect the +# installed dictionaries automatically, else use the list below. +if ( ! @include('/var/cache/dictionaries-common/sqspell.php') ) { + $SQSPELL_APP = array('american (American English)' => 'ispell -a', + 'spanish (Spanish)' => 'ispell -d spanish -a'); +} + +# Debian: if dictionaries-common >= 2.50 is available, detect the +# default dictionary automatically. +if ( is_readable ( '/etc/dictionaries-common/ispell-default' ) ) { + $SQSPELL_APP_DEFAULT = file_get_contents ( '/etc/dictionaries-common/ispell-default' ); +} else { + $SQSPELL_APP_DEFAULT = 'american (American English)'; +} + $SQSPELL_WORDS_FILE = getHashedFile($username, $data_dir, "$username.words"); $SQSPELL_EREG = 'ereg'; -?> \ No newline at end of file --- squirrelmail-1.4.21.orig/functions/file_prefs.php +++ squirrelmail-1.4.21/functions/file_prefs.php 
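Review bot: In the sqspell_config.php hunk, $SQSPELL_APP_DEFAULT takes the result of file_get_contents('/etc/dictionaries-common/ispell-default') verbatim, so a trailing newline in that file produces a default that matches no key of $SQSPELL_APP; the config_default.php hunk later in this patch wraps its file read in trim(), and this one should as well. The detected value should also be checked against the keys of $SQSPELL_APP before it is used, with 'american (American English)' as the fallback. The @include of /var/cache/dictionaries-common/sqspell.php silences every diagnostic from that generated file; test is_readable() first and include it without the @.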
@@ -185,17 +185,26 @@ function checkForPrefs($data_dir, $usern /* Then, check if the file exists. */ if (!@file_exists($filename) ) { - /* First, check the $data_dir for the default preference file. */ + + /* If it does not exist, check for default_prefs */ + + /* First, check legacy locations: data dir */ if(substr($data_dir,-1) != '/') { $data_dir .= '/'; } $default_pref = $data_dir . 'default_pref'; - /* If it is not there, check the internal data directory. */ + /* or legacy location: internal data dir */ if (!@file_exists($default_pref)) { $default_pref = SM_PATH . 'data/default_pref'; } + /* If no legacies, check where we'd expect it to be located: + * under config/ */ + if (!@file_exists($default_pref)) { + $default_pref = SM_PATH . 'config/default_pref'; + } + /* Otherwise, report an error. */ $errTitle = sprintf( _("Error opening %s"), $default_pref ); if (!is_readable($default_pref)) { --- squirrelmail-1.4.21.orig/config/config_default.php +++ squirrelmail-1.4.21/config/config_default.php @@ -115,7 +115,7 @@ $provider_uri = 'http://squirrelmail.org * Example: In bob@example.com, example.com is the domain. * @global string $domain */ -$domain = 'example.com'; +$domain = trim(implode('', file('/etc/'.(file_exists('/etc/mailname')?'mail':'host').'name'))); /** * Time offset inversion @@ -487,7 +487,7 @@ $noselect_fix_enable = false; * Here are two examples: * * Absolute: - * $data_dir = '/var/local/squirrelmail/data/'; + * $data_dir = '/var/lib/squirrelmail/data/'; * * Relative (to main SM directory): * $data_dir = SM_PATH . 'data/'; @@ -496,7 +496,7 @@ $noselect_fix_enable = false; * * @global string $data_dir */ -$data_dir = '/var/local/squirrelmail/data/'; +$data_dir = '/var/lib/squirrelmail/data/'; /** * Attachments directory 
@@ -514,7 +514,7 @@ $data_dir = '/var/local/squirrelmail/dat * + It should probably be another directory than data_dir. * @global string $attachment_dir */ -$attachment_dir = '/var/local/squirrelmail/attach/'; +$attachment_dir = '/var/spool/squirrelmail/attach/'; /** * Hash level used for data directory. --- squirrelmail-1.4.21.orig/config/conf.pl +++ squirrelmail-1.4.21/config/conf.pl @@ -38,16 +38,17 @@ if ( defined( $ENV{'PATH_INFO'} ) # (the Basename stuff above will sometimes return '.' as # the base directory, which is not helpful here). ############################################################ -use Cwd; -$dir = cwd(); +#use Cwd; +#$dir = cwd(); +$dir = '/usr/share/squirrelmail/config'; ############################################################ # First, lets read in the data already in there... ############################################################ -if ( -e "config.php" ) { +if ( -e "/etc/squirrelmail/config.php" ) { # Make sure that file is readable - if (! -r "config.php") { + if (! -r "/etc/squirrelmail/config.php") { clear_screen(); print "WARNING:\n"; print "The file \"config/config.php\" was found, but you don't\n"; @@ -57,7 +58,7 @@ if ( -e "config.php" ) { $ctu = ; exit; } - open( FILE, "config.php" ); + open( FILE, "/etc/squirrelmail/config.php" ); while ( $line = ) { $line =~ s/^\s+//; $line =~ s/^\$//; @@ -108,9 +109,9 @@ if ( -e "config.php" ) { } $config = 1; - open( FILE, "config.php" ); -} elsif ( -e "config_default.php" ) { - open( FILE, "config_default.php" ); + open( FILE, "/etc/squirrelmail/config.php" ); +} elsif ( -e "/etc/squirrelmail/config_default.php" ) { + open( FILE, "/etc/squirrelmail/config_default.php" ); while ( $line = ) { $line =~ s/^\s+//; $line =~ s/^\$//; 
@@ -160,7 +161,7 @@ if ( -e "config.php" ) { $print_config_version = $config_version; } $config = 2; - open( FILE, "config_default.php" ); + open( FILE, "/etc/squirrelmail/config_default.php" ); } else { print "No configuration file found. Please get config_default.php\n"; print "or config.php before running this again. This program needs\n"; @@ -190,8 +191,13 @@ while ( $line = ) { $sub = $options[0]; $sub =~ s/\]\[['|"]PATH['|"]\]//; $sub =~ s/.*\[//; - if ( -e "../themes" ) { + if ( -e "/usr/share/squirrelmail/themes" ) { $options[1] =~ s/^\.\.\/config/\.\.\/themes/; + $options[1] =~ s/^SM_PATH \. \'config/\.\.\/themes/; + if ( $options[1] !~ /\// ) { + # no path information courtesy early debs + $options[1] = '../themes/' . $options[1]; + } } $theme_path[$sub] = &change_to_rel_path($options[1]); } elsif ( $options[0] =~ /^theme\[[0-9]+\]\[['|"]NAME['|"]\]/ ) { @@ -362,7 +368,7 @@ $check_referrer = '' if ( $ARGV[0] eq '--install-plugin' ) { print "Activating plugin " . $ARGV[1] . "\n"; - if ( -d "../plugins/" . $ARGV[1]) { + if ( -d "/usr/share/squirrelmail/plugins/" . $ARGV[1]) { push @plugins, $ARGV[1]; save_data(); exit(0); @@ -599,12 +605,12 @@ while ( ( $command ne "q" ) && ( $comman print " $num. $plugins[$count]\n"; } print "\n Available Plugins:\n"; - opendir( DIR, "../plugins" ); + opendir( DIR, "/usr/share/squirrelmail/plugins" ); @files = sort(readdir(DIR)); $pos = 0; @unused_plugins = (); for ( $i = 0 ; $i <= $#files ; $i++ ) { - if ( -d "../plugins/" . $files[$i] && $files[$i] !~ /^\./ && $files[$i] ne "CVS" ) { + if ( -d "/usr/share/squirrelmail/plugins/" . $files[$i] && $files[$i] !~ /^\./ && $files[$i] ne "CVS" ) { $match = 0; for ( $k = 0 ; $k <= $#plugins ; $k++ ) { if ( $plugins[$k] eq $files[$i] ) { 
@@ -2566,8 +2572,6 @@ sub command41 { $name = ; $name =~ s/[\r|\n]//g; $theme_name[ $#theme_name + 1 ] = $name; - print "Be sure to put ../themes/ before the filename.\n"; - print "What file is this stored in (ex: ../themes/default_theme.php): "; $name = ; $name =~ s/[\r|\n]//g; $theme_path[ $#theme_path + 1 ] = $name; @@ -2601,7 +2605,7 @@ sub command41 { } elsif ( $input =~ /^\s*t\s*/i ) { print "\nStarting detection...\n\n"; - opendir( DIR, "../themes" ); + opendir( DIR, "/usr/share/squirrelmail/themes" ); @files = grep { /\.php$/i } sort(readdir(DIR)); $cnt = 0; while ( $cnt <= $#files ) { @@ -2635,7 +2639,7 @@ sub command41 { print "\n"; for ( $cnt = 0 ; $cnt <= $#theme_path ; $cnt++ ) { $filename = $theme_path[$cnt]; - if ( !( -e $filename ) ) { + if ( !( -e '/usr/share/squirrelmail/themes/' . $filename ) ) { print " Removing $filename (file not found)\n"; $offset = 0; @new_theme_name = (); @@ -3288,7 +3292,7 @@ sub commandA3 { sub save_data { $tab = " "; - if ( open( CF, ">config.php" ) ) { + if ( open( CF, ">/etc/squirrelmail/config.php" ) ) { print CF " Origin: https://sourceforge.net/p/squirrelmail/bugs/_discuss/thread/e2d32eb3/72f1/attachment/squirrelmail-fix-xss-sf-bug-2831.diff Bug: https://sourceforge.net/p/squirrelmail/bugs/2831/ Bug-Debian: https://bugs.debian.org/905023 Last-Update: 2018-08-25 Index: squirrelmail-1.4.23~svn20120406/functions/mime.php =================================================================== --- squirrelmail-1.4.23~svn20120406.orig/functions/mime.php +++ squirrelmail-1.4.23~svn20120406/functions/mime.php 
@@ -1668,7 +1668,8 @@ function sq_fixatts($tagname, /** * Use white list based filtering on attributes which can contain url's */ - else if ($attname == 'href' || $attname == 'src' || $attname == 'background') { + else if ($attname == 'href' || $attname == 'src' || $attname == 'background' || $attname == 'xlink:href' || + $attname == 'action' || $attname == 'formaction' || $attname == 'to') { sq_fix_url($attname, $attvalue, $message, $id, $mailbox); $attary{$attname} = $attvalue; } @@ -2311,7 +2312,11 @@ function magicHTML($body, $id, $message, "frame", "iframe", "plaintext", - "marquee" + "marquee", + "animate", + "form", + "math", + "param" ); $rm_tags_with_content = Array( 
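Review bot: In the magicHTML() hunk, "animate", "form", "math" and "param" are appended to the tag array with no comment tying them to the issues they close, and the filter stays an enumeration of tags to remove, so an element that is not yet named is not covered by it. Add a comment that references the bug or CVE for each group of new entries, and consider inverting this into a list of tags that are allowed through. The same applies to the sq_fixatts() hunk above it: the added 'xlink:href', 'action', 'formaction' and 'to' extend a by-name list of attributes that get sq_fix_url(), and the reason 'to' belongs there deserves a one-line comment.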
@@ -2321,7 +2326,8 @@ function magicHTML($body, $id, $message, "title", "frameset", "xmp", - "xml" + "xml", + "svg" ); $self_closing_tags = Array( debian/squirrelmail.postinst0000644000000000000000000000245513262143233013511 0ustar #!/bin/sh # postinst script for squirrelmail # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see /usr/share/doc/packaging-manual/ case "$1" in configure) if [ ! -f /etc/squirrelmail/config.php ]; then if [ -f /etc/squirrelmail/config_default.php ]; then echo "Installing default squirrelmail config." cp /etc/squirrelmail/config_default.php /etc/squirrelmail/config.php else echo "Default squirrelmail config (config_default.php) not found." fi fi echo "Run /usr/sbin/squirrelmail-configure as root to configure/upgrade config." ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# debian/control0000644000000000000000000000222513262143233010571 0ustar Source: squirrelmail Section: web Priority: optional Maintainer: Jeroen van Wolffelaar Uploaders: Thijs Kinkhorst Build-Depends: debhelper (>= 7) Standards-Version: 3.9.3 Homepage: http://www.squirrelmail.org/ Vcs-Svn: http://svn.wolffelaar.nl/squirrelmail/trunk Vcs-Browser: http://svn.wolffelaar.nl/wsvn/squirrelmail/trunk Package: squirrelmail Architecture: all Depends: apache2 | httpd, libapache2-mod-php5 | php5 | php5-cgi, perl, ${misc:Depends} Recommends: squirrelmail-locales, squirrelmail-viewashtml, php5-mhash, ispell | aspell | aspell-bin Suggests: squirrelmail-decode, php5-recode, imap-server, imapproxy, php-pear, php5-ldap Description: Webmail for nuts SquirrelMail is a standards-based webmail package written in PHP. 
 It includes built-in pure PHP support for the IMAP and SMTP protocols, and is
 designed for maximum compatibility across browsers. SquirrelMail has few
 requirements and is easy to configure and install. It runs on top of any IMAP
 server.
 .
 SquirrelMail has all the functionality you would want from an email client,
 including strong MIME support, address books and folder manipulation.

debian/source/

debian/source/format
3.0 (quilt)

debian/squirrelmail.lintian
non-standard-dir-perm var/spool/squirrelmail/attach/ 0730 != 0755
non-standard-dir-perm var/lib/squirrelmail/data/ 0730 != 0755

debian/README.Debian
SquirrelMail for Debian
=======================

Contents of this file:

0. IMAP Server            SquirrelMail runs on top of almost any IMAP server
1. Apache                 Configuring Apache with SquirrelMail
2. Virtual Hosts          How to make a virtual host like webmail.example.com
3. Other Webservers       Configuring other webservers with SquirrelMail
4. Security               Some security considerations
5. Default Preferences    New location for default user preferences file
6. Recommended packages   Other packages that can be useful with SquirrelMail
7. Getting help           Still having trouble? Here's where to go.

IMAP Server
===========

SquirrelMail needs an IMAP server to authorise users and access their
mailboxes. It does not run on a POP3 server. Almost any server supporting
IMAP4 will do (see the imap-server virtual package for references to IMAP
servers packaged for Debian).

For optimal behaviour of SquirrelMail it is important that you set the
predefined setting for your IMAP server in squirrelmail-configure through the
"D" option in the main menu.
For performance reasons it's wise to have 'server side sorting' set to on in
your SquirrelMail configuration if your IMAP server supports it (almost all
modern servers do). This can also prevent users with very large mailboxes
getting a timeout or an empty page when viewing them.

Apache
======

If you want to use squirrelmail with apache, it is recommended to modify
/etc/squirrelmail/apache.conf to your own wishes, and then add a symlink to
that file from /etc/apache2/conf.d, like:

  $ ln -s /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf

Alternatively, you could also 'Include' the configuration file in the relevant
apache configuration file(s).

Virtual Hosts
=============

Note that users will prefer a simple URL like http://webmail.example.com

I recommend you set this up, if only so that you don't have to change the URL
if you ever choose to use another webmail package.

There are some example Apache directives in /etc/squirrelmail/apache.conf

Other webservers
================

You need to create an alias in your web server pointing:
http://localhost/squirrelmail/ at /usr/share/squirrelmail/, then log in using
your IMAP credentials. Adding a symlink in your webroot may be all you need.

Security
========

Register Globals: Debian does not provide security support for installations
with the PHP register_globals setting turned On. It's also not required for
SquirrelMail to operate. Make sure it's off. It's trivial to turn it on just
for specific legacy sites that may need it.

HTTPS is recommended, to prevent passwords and other sensitive information
being sent over the Internet in the clear. Most modern web servers support
SSL, but configuring it is left as an exercise for the reader (and depends on
the webserver used).

STARTTLS is neither supported nor recommended as SM creates many IMAP
sessions. You should use a persistent tunnel (e.g. SSH port forwarding) and/or
an IMAP proxy.
PHP safe_mode is not supported out of the box due to root:root ownerships. You
may be able to work around this limitation by changing the group of the files
in /usr/share/squirrelmail to the web server group (www-data). i.e.:

  chgrp -R www-data /usr/share/squirrelmail/

Recommended and Suggested Packages
==================================

The SquirrelMail Debian package recommends or suggests the following other
Debian packages. Here's a summary of what value they might add to your
installation:

- squirrelmail-locales: Translations of SquirrelMail.
  If you only want the English language you don't need this, but if you want
  your users to select a different translation, install this package.

- squirrelmail-decode: Extra decoding routines for complex character sets.
  This extra decoding library provides support for some complex Eastern
  character sets and some rarely used Apple character sets. Only needed if
  your users actually receive messages encoded with these charsets.

- ispell | aspell: This is needed for the SquirrelSpell spell checking plug-in
  to work. If you have the choice, choose ispell since that's automatically
  configured using dictionaries-common.

- imap-server: this is of course needed for SquirrelMail to access mailboxes,
  but is not a hard depend since the IMAP server can be on a different host.

- php-pear: you need this package only if you want to store user preferences
  or address books in an SQL database.

- imapproxy: since SquirrelMail is a web application, it needs to reconnect to
  the IMAP server on each page load. On heavily loaded sites, this can be a
  problem; use the excellent imapproxy package to cache connections between
  page requests and reduce the load on your IMAP server.

Where to get help
=================

The first stop would be the SquirrelMail website:
http://www.squirrelmail.org
It has frequently asked questions, tutorials for specific setups and other
troubleshooting hints.

Still need help?
You could check out the squirrelmail-users@lists.sourceforge.net mailing list,
or the #squirrelmail IRC channel on irc.freenode.net. Seasoned users and
developers regularly hang out there.

Found a bug or have a wishlist item? In Debian, you can check existing reports
at http://bugs.debian.org/squirrelmail and report new issues through the
"reportbug" utility.

$Id: README.Debian 375 2009-05-13 17:24:13Z kink $

debian/squirrelmail.cron.daily
#!/bin/sh

set -e

test -d /var/spool/squirrelmail/attach || exit 0
cd /var/spool/squirrelmail/attach
find \
    -maxdepth 2 \
    -xdev \
    -type f \
    \! -name '*.*' \
    \! -name '*_*' \
    -atime +2 \
    -print0 \
    | xargs \
    -0 \
    --no-run-if-empty \
    rm --

debian/copyright
This package was debianized by Sam Johnston on Fri, 14 Sep 2001 18:28:01 +1000.
Current maintainer is Jeroen van Wolffelaar with co-maintainers Thijs Kinkhorst
and Sam Johnston.

It was downloaded from http://www.squirrelmail.org/download.php

Upstream Authors: The SquirrelMail Project Team

Copyright:

  Copyright (C) 1999-2010 The SquirrelMail Project Team

  This program is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published by the Free
  Software Foundation; either version 2 of the License, or (at your option)
  any later version.

  This program is distributed in the hope that it will be useful, but WITHOUT
  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
  more details.

  You should have received a copy of the GNU General Public License along with
  this program; if not, write to the Free Software Foundation, Inc.,
  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the `/usr/share/common-licenses' directory.
The Debian packaging of SquirrelMail is licenced under the same terms as
SquirrelMail itself.

debian/README.locales
The locales (translations) for the SquirrelMail package are provided in the
package "squirrelmail-locales", which the "squirrelmail" package recommends.
You need to install that package as well if you want to use SquirrelMail in
languages other than English.

You may need to reconfigure locales with:

  dpkg-reconfigure locales

to make alternative languages work.

In some cases it might also be needed to restart Apache after you've upgraded
or added locales, because of some internal caching of locale information by
Apache.

=== Locale with correct charset needs to be configured ===

The locale of the language file you want to use has to be configured on the
server. E.g., to make the "French" translation work, you need to set up the
fr_FR.ISO-8859-1 locale. Currently it will not work if you only have the
fr_FR.UTF-8 locale enabled; you need the ISO-8859-1 one as well.

You can generate locales using:

  locale-gen LOCALE

You can see which locale names get used for a given language in the setup.php
file of the translations, e.g. /usr/share/squirrelmail/locale/fr_FR/setup.php
for fr_FR. See the "locale" program to display installed locales, e.g.
"locale -a -v".
debian/squirrelmail.install
index.php /usr/share/squirrelmail
class /usr/share/squirrelmail
include /usr/share/squirrelmail
functions /usr/share/squirrelmail
help /usr/share/squirrelmail
images /usr/share/squirrelmail
locale /usr/share/squirrelmail
plugins /usr/share/squirrelmail
po /usr/share/squirrelmail
src /usr/share/squirrelmail
themes /usr/share/squirrelmail
config/* /etc/squirrelmail
data/default_pref /etc/squirrelmail
debian/apache.conf /etc/squirrelmail
debian/squirrelmail.lintian /usr/share/lintian/overrides

debian/watch
# Site Directory Pattern Version Script
version=3
http://sf.net/squirrelmail/squirrelmail-(\d+\.\d*[02468]\.[^-]+)\.tar\.gz

debian/apache.conf
Alias /squirrelmail /usr/share/squirrelmail

Options FollowSymLinks
php_flag register_globals off
DirectoryIndex index.php

# access to configtest is limited by default to prevent information leak
order deny,allow
deny from all
allow from 127.0.0.1

# users will prefer a simple URL like http://webmail.example.com
#
# DocumentRoot /usr/share/squirrelmail
# ServerName webmail.example.com
#

# redirect to https when available (thanks omen@descolada.dartmouth.edu)
#
# Note: There are multiple ways to do this, and which one is suitable for
# your site's configuration depends. Consult the apache documentation if
# you're unsure, as this example might not work everywhere.
#
#
#
#
# RewriteEngine on
# RewriteCond %{HTTPS} !^on$ [NC]
# RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
#
#
#

debian/squirrelmail.manpages
debian/squirrelmail-configure.8

debian/squirrelmail.postrm
#! /bin/sh
# postrm script for squirrelmail
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
# * `remove'
# * `purge'
# * `upgrade'
# * `failed-upgrade'
# * `abort-install'
# * `abort-install'
# * `abort-upgrade'
# * `disappear' overwrit>r>
# for details, see /usr/share/doc/packaging-manual/

case "$1" in
    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
        ;;
    purge)
        # remove squirrelmail config and user data
        rm -rf /etc/squirrelmail /var/lib/squirrelmail \
            /var/spool/squirrelmail
        ;;
    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 1
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

debian/squirrelmail.links
/etc/squirrelmail usr/share/squirrelmail/config
/usr/sbin/squirrelmail-configure etc/squirrelmail/conf.pl
/etc/squirrelmail/sqspell_config.php usr/share/squirrelmail/plugins/squirrelspell/sqspell_config.php
/etc/squirrelmail/filters_setup.php usr/share/squirrelmail/plugins/filters/setup.php
    '; --- a/functions/imap_general.php +++ b/functions/imap_general.php @@ -367,7 +367,7 @@ $cmd = explode(' ',$query); $cmd = strtolower($cmd[0]); if ($query != '' && $cmd != 'login') { - $string .= ("Query:") . ' '. htmlspecialchars($query) + $string .= ("Query:") . ' '. sm_encode_html_special_chars($query) . '
    ' . "
    \n"; } error_box($string,$color); @@ -399,9 +399,9 @@ _("ERROR: Could not complete request.") . "
    \n" . _("Query:") . ' ' . - htmlspecialchars($query) . '
    ' . + sm_encode_html_special_chars($query) . '
    ' . _("Reason Given:") . ' ' . - htmlspecialchars($message) . "
    \n"; + sm_encode_html_special_chars($message) . "
    \n"; error_box($string,$color); echo ''; exit; @@ -414,9 +414,9 @@ _("ERROR: Bad or malformed request.") . "
    \n" . _("Query:") . ' '. - htmlspecialchars($query) . '
    ' . + sm_encode_html_special_chars($query) . '
    ' . _("Server responded:") . ' ' . - htmlspecialchars($message) . "
    \n"; + sm_encode_html_special_chars($message) . "
    \n"; error_box($string,$color); echo ''; exit; @@ -427,9 +427,9 @@ _("ERROR: IMAP server closed the connection.") . "
    \n" . _("Query:") . ' '. - htmlspecialchars($query) . '
    ' . + sm_encode_html_special_chars($query) . '
    ' . _("Server responded:") . ' ' . - htmlspecialchars($message) . "
    \n"; + sm_encode_html_special_chars($message) . "
    \n"; error_box($string,$color); echo ''; exit; @@ -440,9 +440,9 @@ _("ERROR: Unknown IMAP response.") . "
    \n" . _("Query:") . ' '. - htmlspecialchars($query) . '
    ' . + sm_encode_html_special_chars($query) . '
    ' . _("Server responded:") . ' ' . - htmlspecialchars($message) . "
    \n"; + sm_encode_html_special_chars($message) . "
    \n"; error_box($string,$color); /* the error is displayed but because we don't know the reponse we return the result anyway */ @@ -653,7 +653,7 @@ if (!$hide) { if ($response != 'NO') { /* "BAD" and anything else gets reported here. */ - $message = htmlspecialchars($message); + $message = sm_encode_html_special_chars($message); set_up_language($squirrelmail_language, true); require_once(SM_PATH . 'functions/display_messages.php'); if ($response == 'BAD') { @@ -664,7 +664,7 @@ if (isset($read) && is_array($read)) { $string .= '
    ' . _("Read data:") . "
    \n"; foreach ($read as $line) { - $string .= htmlspecialchars($line) . "
    \n"; + $string .= sm_encode_html_special_chars($line) . "
    \n"; } } error_box($string,$color); --- a/functions/page_header.php +++ b/functions/page_header.php @@ -272,7 +272,7 @@ echo "\n\n"; /** Here is the header and wrapping table **/ - $shortBoxName = htmlspecialchars(imap_utf7_decode_local( + $shortBoxName = sm_encode_html_special_chars(imap_utf7_decode_local( readShortMailboxName($mailbox, $delimiter))); if ( $shortBoxName == 'INBOX' ) { $shortBoxName = _("INBOX"); --- a/functions/forms.php +++ b/functions/forms.php @@ -23,8 +23,8 @@ */ function addInputField($type, $name = null, $value = null, $attributes = '') { return '\n"; } @@ -89,16 +89,16 @@ if(count($values) == 1) { $k = key($values); $v = array_pop($values); return addHidden($name, ($usekeys ? $k:$v)). - htmlspecialchars($v) . "\n"; + sm_encode_html_special_chars($v) . "\n"; } - $ret = '\n"; foreach ($values as $k => $v) { if(!$usekeys) $k = $v; $ret .= '\n"; + '>' . sm_encode_html_special_chars($v) ."\n"; } $ret .= "\n"; @@ -123,9 +123,9 @@ * Textarea form element. */ function addTextArea($name, $text = '', $cols = 40, $rows = 10, $attr = '') { - return '\n"; + $attr . '>'.sm_encode_html_special_chars($text) ."\n"; } /** @@ -156,7 +156,7 @@ $enctype = ' enctype="'.$enctype.'"'; } if($charset) { - $charset = ' accept-charset="'.htmlspecialchars($charset).'"'; + $charset = ' accept-charset="'.sm_encode_html_special_chars($charset).'"'; } $form_string = ''; $errormessage = _("SquirrelMail could not decode the bodystructure of the message"); $errormessage .= '
    '._("The bodystructure provided by your IMAP server:").'

    '; - $errormessage .= '
    ' . htmlspecialchars($read) . '
    '; + $errormessage .= '
    ' . sm_encode_html_special_chars($read) . '
    '; plain_error_message( $errormessage, $color ); echo ''; exit; @@ -540,7 +540,7 @@ ''.decodeHeader($display_filename).' 
    ' . show_readable_size($header->size) . '  [ '.htmlspecialchars($type0).'/'.htmlspecialchars($type1).' ] [ '.sm_encode_html_special_chars($type0).'/'.sm_encode_html_special_chars($type1).' ] '; $attachments .= '' . $description . ''; $attachments .= ' '; @@ -671,7 +671,7 @@ $iLastMatch = $i; $j = $i; if ($htmlsave) { - $ret .= htmlspecialchars($res[1]); + $ret .= sm_encode_html_special_chars($res[1]); } else { $ret .= $res[1]; } @@ -696,7 +696,7 @@ $replace = charset_decode($res[2],$replace); } elseif ($htmlsave) { // string is not converted, but still sanitized - $replace = htmlspecialchars($replace); + $replace = sm_encode_html_special_chars($replace); } $ret.= $replace; break; @@ -712,7 +712,7 @@ $replace = charset_decode($res[2], $replace); } elseif ($htmlsave) { // string is not converted, but still sanizited - $replace = htmlspecialchars($replace); + $replace = sm_encode_html_special_chars($replace); } $ret .= $replace; break; @@ -731,7 +731,7 @@ } if (!$encoded && $htmlsave) { - $ret .= htmlspecialchars($chunk); + $ret .= sm_encode_html_special_chars($chunk); } else { $ret .= $chunk; } --- a/functions/options.php +++ b/functions/options.php @@ -305,7 +305,7 @@ } function createWidget_Info() { - $result = htmlspecialchars($this->value) . "\n"; + $result = sm_encode_html_special_chars($this->value) . "\n"; return $result; } @@ -341,9 +341,9 @@ $result = "name\" value=\"" - . htmlspecialchars($this->value) + . sm_encode_html_special_chars($this->value) . "\" size=\"$width\" $this->script /> " - . htmlspecialchars($this->trailing_text) . "\n"; + . sm_encode_html_special_chars($this->trailing_text) . "\n"; return $result; } @@ -384,14 +384,14 @@ foreach ($this->possible_values as $real_value => $disp_value) { $result .= "\n" . 'value ? ' checked="checked"' : '') . ' /> '; if ($this->size != SMOPT_SIZE_TINY) $result .= '
    '; @@ -437,7 +437,7 @@ foreach ($this->possible_values as $real_value => $disp_value) { /* Start the next new option string. */ $new_option = '\n"; + $new_option .= '>' . ($this->htmlencoded ? $disp_value : sm_encode_html_special_chars($disp_value)) . "\n"; /* And add the new option string to our select tag. */ $result .= $new_option; } /* Close the select tag and return our happy result. */ - $result .= '' . htmlspecialchars($this->trailing_text) . "\n"; + $result .= '' . sm_encode_html_special_chars($this->trailing_text) . "\n"; return $result; } @@ -520,7 +520,7 @@ } else { /* Start the next new option string. */ - $new_option = '\n"; } /* And add the new option string to our select tag. */ $result .= $new_option; } /* Close the select tag and return our happy result. */ - $result .= '' . htmlspecialchars($this->trailing_text) . "\n"; + $result .= '' . sm_encode_html_special_chars($this->trailing_text) . "\n"; return $result; } @@ -560,7 +560,7 @@ } $result = "\n"; + . sm_encode_html_special_chars($this->value) . "\n"; return ($result); } @@ -628,7 +628,7 @@ . '" id="new_' . $this->name . '" value="' . SMPREF_YES . "\" $yes_chk " . $this->script . ' /> ' . ''; + . sm_encode_html_special_chars($this->trailing_text) . ''; } // radio buttons... @@ -639,13 +639,13 @@ $yes_option = 'script /> " - . ''; + . ''; /* Build the no choice. */ $no_option = 'script /> " - . ''; + . ''; /* Build the combined "boolean widget". */ $result = "$yes_option    $no_option"; @@ -657,7 +657,7 @@ function createWidget_Hidden() { $result = 'script . ' />'; return ($result); } @@ -733,7 +733,7 @@ // Start the next new option string. // - $result .= '\n"; } @@ -783,8 +783,8 @@ else $bgcolor = 4; $result .= '