1. disable sending report and unforbid openwebmail

2. add security patch 3. clear pkg-plist Submitted by: 2. http://openwebmail.org/openwebmail/download/cert/advisories/SA-02:01.txt Reviewed by: portmgr, tung@turtle.ee.ncku.edu.tw (author) Approved by: 1. Steve Price (portmgr)
svn path=/head/; revision=71744
2002-12-20 18:15:44 +00:00 · 2002-12-20 18:15:44 +00:00 · d3a9a80ea4 · 2021-03-31 03:12:20 +00:00
commit d3a9a80ea4
parent 1caa7c6345
4 changed files with 36 additions and 15 deletions
--- a/mail/openwebmail/Makefile
+++ b/mail/openwebmail/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	openwebmail
 PORTVERSION=	1.81
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	mail
 MASTER_SITES=	http://openwebmail.org/openwebmail/download/ \
 		http://turtle.ee.ncku.edu.tw/openwebmail/download/
@ -15,8 +15,6 @@ EXTRACT_SUFX=	.tgz

 MAINTAINER=	leeym@FreeBSD.org

-FORBIDDEN=	"Sends mail to developers at install-time"
-
 RUN_DEPENDS=	${LOCALBASE}/lib/perl5/site_perl/${PERL_VER}/CGI.pm:${PORTSDIR}/www/p5-CGI.pm \
 		${LOCALBASE}/lib/perl5/site_perl/${PERL_VER}/Net/SMTP.pm:${PORTSDIR}/net/p5-Net \
 		${LOCALBASE}/lib/perl5/site_perl/${PERL_VER}/${PERL_ARCH}/Text/Iconv.pm:${PORTSDIR}/converters/p5-Text-Iconv \
@ -45,5 +43,6 @@ do-install:
 .endfor
 	@${PERL5} ${WRKSRC}/cgi-bin/openwebmail/uty/wrapsuid.pl ${OWCGIDIR}
 	@${OWCGIDIR}/openwebmail-tool.pl --init -y
+	@${RM} ${OWCGIDIR}/*orig ${OWCGIDIR}/*bak

 .include <bsd.port.mk>
--- a/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
+++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::openwebmail-tool.pl
@ -0,0 +1,10 @@
+--- cgi-bin/openwebmail/openwebmail-tool.pl.orig	Wed Dec 18 21:10:06 2002
+++ cgi-bin/openwebmail/openwebmail-tool.pl	Wed Dec 18 21:14:14 2002
+@@ -325,6 +325,7 @@
+       print "done.\n";
+    }
+ 
+   return 0;
+    my $id = $ENV{'USER'} || $ENV{'LOGNAME'} || getlogin || (getpwuid($>))[0];
+    my $hostname=hostname();
+    my $realname=(getpwnam($id))[6]||$id;
--- a/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
+++ b/mail/openwebmail/files/patch-cgi-bin::openwebmail::ow-shared.pl
@ -0,0 +1,24 @@
+--- cgi-bin/openwebmail/ow-shared.pl.orig	Tue Nov 26 20:20:51 2002
+++ cgi-bin/openwebmail/ow-shared.pl	Sat Dec 21 01:07:47 2002
+@@ -231,6 +231,9 @@
+ sub readconf {
+    my ($r_config, $r_config_raw, $configfile)=@_;
+ 
+   if ($configfile=~/\.\./) {	# .. in path is not allowed for higher security
+      openwebmailerror("Invalid config file path $configfile");
+   }
+    # read config
+    open(CONFIG, $configfile) or
+       openwebmailerror("Couldn't open config file $configfile");
+@@ -340,6 +343,11 @@
+       }
+    }
+ 
+   # remove / and .. from variables that will be used in require statement for security
+   foreach $key ( 'default_language', 'auth_module') {
+      ${$r_config}{$key} =~ s|/||g;
+      ${$r_config}{$key} =~ s|\.\.||g;
+   }
+    # untaint pathname variable defined in openwebmail.conf
+    foreach $key ( 'smtpserver', 'auth_module', 'virtusertable',
+                   'mailspooldir', 'homedirspoolname', 'homedirfolderdirname',
--- a/mail/openwebmail/pkg-plist
+++ b/mail/openwebmail/pkg-plist
@ -1268,29 +1268,17 @@ www/cgi-bin/openwebmail/maildb.pl
 www/cgi-bin/openwebmail/mailfilter.pl
 www/cgi-bin/openwebmail/mime.pl
 www/cgi-bin/openwebmail/openwebmail-abook.pl
-www/cgi-bin/openwebmail/openwebmail-abook.pl.bak
 www/cgi-bin/openwebmail/openwebmail-advsearch.pl
-www/cgi-bin/openwebmail/openwebmail-advsearch.pl.bak
 www/cgi-bin/openwebmail/openwebmail-cal.pl
-www/cgi-bin/openwebmail/openwebmail-cal.pl.bak
 www/cgi-bin/openwebmail/openwebmail-folder.pl
-www/cgi-bin/openwebmail/openwebmail-folder.pl.bak
 www/cgi-bin/openwebmail/openwebmail-main.pl
-www/cgi-bin/openwebmail/openwebmail-main.pl.bak
 www/cgi-bin/openwebmail/openwebmail-prefs.pl
-www/cgi-bin/openwebmail/openwebmail-prefs.pl.bak
 www/cgi-bin/openwebmail/openwebmail-read.pl
-www/cgi-bin/openwebmail/openwebmail-read.pl.bak
 www/cgi-bin/openwebmail/openwebmail-send.pl
-www/cgi-bin/openwebmail/openwebmail-send.pl.bak
 www/cgi-bin/openwebmail/openwebmail-spell.pl
-www/cgi-bin/openwebmail/openwebmail-spell.pl.bak
 www/cgi-bin/openwebmail/openwebmail-tool.pl
-www/cgi-bin/openwebmail/openwebmail-tool.pl.bak
 www/cgi-bin/openwebmail/openwebmail-viewatt.pl
-www/cgi-bin/openwebmail/openwebmail-viewatt.pl.bak
 www/cgi-bin/openwebmail/openwebmail.pl
-www/cgi-bin/openwebmail/openwebmail.pl.bak
 www/cgi-bin/openwebmail/ow-shared.pl
 www/cgi-bin/openwebmail/pop3mail.pl
 www/cgi-bin/openwebmail/uty/dbmtest.pl