Commit graph

17 commits

Author SHA1 Message Date
nia
01193515a6 prayer: Fix building with OpenSSL 1.1. Disable SSLv3. From Debian. 2020-03-19 11:30:26 +00:00
jlam
41fe1d7e1f mail/prayer: Install manpages into ${PKGMANDIR}.
Patch the project's man/Makefile to use the correct location for
installed manpages under ${PKGMANDIR}.
2017-08-19 00:24:50 +00:00
wiz
4e8a4877f6 Fix build with tidy-5.x. 2017-02-20 09:35:16 +00:00
schnoebe
84bb8a032a Update to 1.3.4;
Add PKG_DESTDIR_SUPPORT;
Add LICENSE

`$Cambridge: hermes/src/prayer/docs/DONE,v 1.66 2011/06/27 13:39:56 dpc22 Exp $

27/06/2010
==========

Release: Prayer 1.3.4

22/06/2011
==========

draft.c fixes:
 Fold long lines of addresses before the entry which reaches 78 characters
 when possible, rather than after the first entry which crosses that
 boundary. Long standing bug bear of mine but several support functions
 needed to be rewritten to use scratch string in place of output buffer.

 Long subject lines which are not RFC1522 encoded need to be folded.
 separately. Reported by Andrey N. Oktyabrski <ano@bestmx.ru>.

 RFC1522 is not allowed to fold lines in the middle of a UTF-8 multibyte
 character. Reported by Andrey N. Oktyabrski <ano@bestmx.ru>.

Tidy library:
  Add support for tidyp fork of (apparently abandoned) tidy library.

Fix cross site scripting problem:
  MSIE and Chrome think that <!---> is a complete comment. Allows people to
  hide scripts inside <!---><script>...<!--->. Strip all comments (which is
  something that the old sanitiser had been doing already)

Sieve blocks should check "From: " address in body as well as
envelope sender address. Check "Sender: " as well for completeness.

Linux needs IPPROTO_IPV6 to bind to '0.0.0.0' and '::'

01/11/2010
==========

Mike Brudenell <mike.brudenell@york.ac.uk> reported problem with RFC
2183/RFC 2231 quoting with vey long filenames, or filenames with strange
characters from ASCII range.

20/07/2010
==========

Release: Prayer 1.3.3

08/07/2010
==========

Better handling of complex multipart messages:

 Rather than just displaying the first text/plain or text/html that we can
 find in the top, (leaving people to access sections for the other parts),
 display the entire tree: multipart/alternative are handled as before, but
 with other multipart messages, recurse into the subtrees and repeat. Given:

   1   (Nested multipart)
   1.1 text/html
   1.2 text/plain
   2   text/plain

 we display sections 1.1 and 2. Previously we would display section 2,
 which is a bit of a disaster if section (1) was the original message and
 a listserver has helpfully tagged on a message footer as a separate bodypart

Combine os_*.c back into a single file (which is where I started off
many years back). Eliminates lots of repeated code.

07/07/2010
==========

Bugs
====

os_bind_inet_socket(unsigned long port, char *interface)

  If interface resolves to multiple IP addresses then only binds to the
  first. Should really walk along ai->ai_next and bind to each IP address
  in turn. Unfortuanetly this means that os_bind_inet_socket() needs to
  return an array of sockfds rather than a single int. Parent routines
  probably aren't going to play ball either.

  Most likely cause will be a hostname which generates both IPv4 and IPv6
  addresses. Unfortanately it is a probably that we are going to have
  to solve eventually.


05/07/2010
==========

Fix XSS problems reported by:
  Jacob H. Hilton <jhh40@cam.ac.uk>
  Dr Andrew C Aitchison <A.C.Aitchison@dpmms.cam.ac.uk>

  Rather than trying to spot dangerous tags by simple substring matching in C,
  I now feed the html through Tidy library (http://tidy.sourceforge.net/),
  and then prune unwanted nodes from the parse tree before setting it to
  the pretty printer. The only problem is that the Tidy library doesn't
  provide any public API for manipulating the parse tree (although it does
  provide a public API for walking the tree!?), so I had to dig around to
  find the private functions required to remove and manipulate nodes.

  Javascript embedded into CSS is also a problem: I need to strip off CSS
  character entities before looking for dangerous expressions. The final
  part is still a simple string match: I hope that I don't end up having to
  generate parse trees for CSS as well as the HTML.

  Now passes full test suite at:

  https://secure.grepular.com/email_privacy_tester/

Better vacation screen
  Subject line
  Phrasing

Coping with multiple logins as single user from single browser:
  SessionID stored in HTTP Cookie: second login blats first
    Can store SessionID in URL (Prayer does this if no cookies available)
    Not secure: leaks in HTTP "Referrer" header with links from HTML email.
  Solution: Use HTTP Cookie keyed by PID of login session.

Smaller cleanups:
  Improve gap between words in spell check (Cambridge house style)
  Remove extra blank lines after postpone, restore cycle.
2011-06-30 01:17:37 +00:00
adam
e3053488d1 Changes 1.3.2:
- security fixes
- various bug fixes and small improvements
- new XHTML strict template tree
- add UTF-8 support
- add IPv6 support
- add Raven single sign-on authentication
2010-06-08 12:34:38 +00:00
wiz
0987157b04 Update to 1.0.18.
Fix build problem with db4 following a hint by obache@

04/09/2006
==========

Release: Prayer 1.0.18

Important Security fix:
  os_connect_unix() had a strcpy() which should have been strncpy() to
  prevent buffer overrun. Prayer 1.0.17 was mostly safe.

By 28/06/2006
=============

Release: Prayer 1.0.17

Fix small foulup wuth gethostbyname() calculations when binding Prayer
to specific interfaces.

Cleanups to stop char vs unsigned char warnings with latest c-client.

Make sure that all internal draft messages consistently use CRLF.

Security audit for Prayer frontend following attack:
  Optional Chroot environment (See chroot options in config file).
  Stripped out debugging code.

04/11/2005
==========

Fix small foulups with abook_lookup:
  Couldn't add last address to existing draft.
  Block LDAP metacharacters from search.

By 13/06/2005
=============

Release: Prayer 1.0.16

Fix silly bug when replying to multipart messages where the main message
and the text/plain subpart have different encoding (missing mail_body
call).

Add a limit_vm backstop to stop single runaway process from taking
over the system.

By 10/06/2005
=============

Release: Prayer 1.0.15 (1.0.13 and 14 internal releases only).

list screen doesn't set "current" message to middle of range. Means that
switching between various sort modes works more consistently.

Go fishing for text/plain or failing that text/html bodypart within top
level of multipart/mixed or multipart/alternate message when replying to a
message. Behaviour should now be consistent with cmd_forward and
cmd_display.

Include LDAP and local finger database lookups (latter for Cambridge use only)

Addressbook screen:
  Addressbook sort (can be set on Manage => Preferences => Display)
  Addressbook bulk removal
  Import and Export CSV (Outlook) format address screen

Spellcheck:
  Support native aspell as well as ispell, aspell in ispell compatibility mode.
  Means that Quoted text is not checked if the following is set:
      Manage => Preferences => Extra Compose =>
      Skip quoted text on spell check

By 09/08/2005
=============

Spam whitelist

Test the Referer header on login. Two independant prayer.cf options:
referer_block_invalid and referer_log_invalid

Test the Referer: header before performing a /redirect/ action in
order to protect against URL redirector abuse
  Doesn't work with "Save Target As". Remove entirely

Confirm on expunge.

Cleanup up account_message error reporting so consistent.

Fix format=flowed quoting problems.

Fix memory leak in mailbox download (2 x size of mail folder) until
next transfer or idle shutdown.

25/01/2005
==========

line_wrap_on_send preference not used by draft_init().

Fixed problems with multipart/alternate display and forwarding
2007-06-15 23:28:16 +00:00
rillig
ea701a6795 Fixed ownership of the installed files to allow installation as
unprivileged user. PKGREVISION++
2006-10-23 08:31:29 +00:00
joerg
76470eaa25 Use krb5.b3.mk, don't add libdes to link list. libdes is part of
Kerberos IV and not needed by Kerberos V. Bump revision.
2006-02-27 01:45:25 +00:00
joerg
2bcbb29c0c Fix errno. 2006-01-24 19:55:53 +00:00
schmonz
85e50a7d96 Update to 1.0.12. From the changelog:
* Apparently "mutex" is already claimed by a system header on Solaris.

* File locking on Linux (probably other operating systems) is pretty
    dumb when lots of processes are trying to lock a single file
    for serialisation: all of the processes are woken each time
    that the file is unlocked. Most of the process will simply loop
    inside the kernel and attempt to lock again. Presumably this
    approach makes nonblocking locks and EINTR easier to do, but
    it does mean that you can get occasional load average spikes.
    Add MUTEX_SEMAPHORE to implement System V semaphore based lock,
    which does not have this problem in Linux. Warning: System V
    semaphores are a finite resource, and they are not released
    automatically. See: prayer-sem-prune.

* Quotas now reported in MBytes rather than KBytes.

* Add download links for text/html and text/plain attachments

* Fix bug with body->type TYPEMESSAGE: c-client API very poorly
    documented :(

* Strip out common HTML entity encodings that might be used in
    HREFs with text/html attachments.

* Fix mydb_db3.c to work with DB4.

* Integrate into Tony's funky packaging system for Hermes and PPSW.

* Add interface to automatic spam folder pruning utility that I
    wrote for Cyrus (controlled through special Sieve files).

* Fix uploads where mailboxes contain NUL characters (translate to
    space?)

* Assorted minor bugfixes

* Fix nasty /redirect bug that I managed to introduce by switching
    from url_encode to canon_encode to work around bug in Opera.
    Missing a url_encode: infinite loop from dumb UAs :(. Otherwise
    identical to 1.0.9.

* Few minor bug fixes, covered in CVS history.

pkgsrc changes:
* Rename the source rc.d script in the default RCD_SCRIPTS style.
* Respect ${VARBASE}.
* Avoid the DB_VERB_CHKPOINT flag with latest db4 (where it's been removed).
* Patch from jdc@ for 64-bit big-endian hosts.

XXX rc.d script doesn't stop all the prayer slaves
2005-01-09 00:07:46 +00:00
heinz
dfde78b4ac Compiles and works with db4.
Creates user and group now.
"make reinstall" works again.
No change of ownership of /usr/pkg/sbin anymore.
New RCD script (needs work on non-NetBSD platforms regarding "ps" command
options).
Bump revision.
2004-02-28 23:50:59 +00:00
adam
de30e822c3 Changes 1.0.6 - 1.0.8
* Remove "Feel free to send more messages" text from vacation messages.
* Disable gzip for Opera attachment download.
* Fixed config->prayer_user expansion.
* fatal() shouldn't dump core if root.
* Fixed abook_list boundary condition when current entry is last on page.
* Added message download link for Message/RFC822 sections.
* Fix session_server() ping interval logic.
* Other bug-fixes
2003-07-28 15:51:23 +00:00
jmmv
c14d91c92b Avoid hardcoding /usr/pkg in patch files. 2003-07-02 12:08:20 +00:00
jmc
8127ba8ce1 Oops. make sure the patch can actually apply 2003-06-16 16:57:02 +00:00
jmc
91387f952f Patch so this works correctly with db4 4.1 now 2003-06-16 16:54:03 +00:00
jmmv
bf6c90f318 Honor PKG_SYSCONFDIR. Bump PKGREVISION to 1.
Closes PR pkg/20543 by Kimmo Suominen.
2003-03-02 12:10:46 +00:00
abs
f5d1820a8f Import of prayer 1.0.5
Prayer is a small and fast HTTP to IMAP gateway written entirely in C.
    * Uses persistent connections to IMAP server and support servers.
    * Target folders remain SELECTed: not a simple-minded proxy.
    * Full caching (including sort/thread cache) for each open folder.
    * Up to five persistent IMAP connections (typically one or two in use):
          o INBOX and one other folder
          o Postponed message folder stream
          o Preferences stream
          o Folder transfer stream
          o Various optimisations/sharing to minimise actual IMAP connections
    * Directory cache: single round trip to IMAP server for directory listing.
    * Works well with UW IMAP server (even using Unix format mail folders).
    * Little discernible load on a Pentium III class system running Linux with
      5,000 logins/day (400 logins/hour, 150 concurrent logins)
    * Uses 10% to 20% of the CPU and 400 MBytes of RAM on a PIII class system
      with 23,000 logins/day (1,700 logins/hour, 850 concurrent logins peak)
    * Aggressive HTTP/1.0 and 1.1 connection caching to reduce SSL overhead.
    * Optional gzip compression of pages tunable by IP address range.
2002-12-27 12:52:07 +00:00