143 lines
3.1 KiB
Text
143 lines
3.1 KiB
Text
$NetBSD: patch-ab,v 1.1 2004/02/09 09:17:50 wennmach Exp $
|
|
|
|
Security patches for jitterbug (taken from Debian GNU/Linux).
|
|
See http://www.debian.org/security/2004/dsa-420
|
|
|
|
--- jitterbug.c.orig Wed Nov 11 13:30:17 1998
|
|
+++ jitterbug.c Wed Jan 14 17:34:04 2004
|
|
@@ -57,7 +57,7 @@
|
|
static int case_sensitive;
|
|
static int messagetype = MTYPE_ALL;
|
|
static int numquotelines;
|
|
-static int addsignature;
|
|
+static int addsignature = 1;
|
|
static int fullheaders;
|
|
|
|
/* these are the user preferences -- reflect changes in dump_globals() */
|
|
@@ -118,7 +118,7 @@
|
|
}
|
|
|
|
|
|
- if (getuid() == 0) return 0;
|
|
+ if (strchr(fname, '/') && geteuid() == 0) return 0;
|
|
|
|
data = load_file(fname, NULL, 0);
|
|
if (!data) {
|
|
@@ -727,6 +727,11 @@
|
|
}
|
|
}
|
|
|
|
+/* return true when the text doesn't have a trailing newline */
|
|
+static unsigned nolastnl(char *txt)
|
|
+{ return *txt && '\n'!=strchr(txt,'\0')[-1];
|
|
+}
|
|
+
|
|
|
|
/* free up an info structure loaded by get_info */
|
|
static void free_info(struct message_info *info)
|
|
@@ -971,6 +976,7 @@
|
|
FILE *f;
|
|
char *name = cgi_variable("auditid");
|
|
char *source = cgi_variable("sources");
|
|
+ char *p;
|
|
char buf[1000];
|
|
int len;
|
|
struct message_info info = zero_info;
|
|
@@ -989,6 +995,14 @@
|
|
|
|
sprintf(buf,"%s %s %s", lp_autopatch(), source, name);
|
|
|
|
+ p = buf;
|
|
+
|
|
+ while (*p) {
|
|
+ if (!isalnum(*p) && !strchr(";_|=+ &^#@!(){}[].",*p))
|
|
+ fatal("invalid character in expression");
|
|
+ p++;
|
|
+ }
|
|
+
|
|
printf("<hr>\n");
|
|
|
|
f = popen(buf,"r");
|
|
@@ -1012,6 +1026,7 @@
|
|
{
|
|
FILE *f;
|
|
char *name = cgi_variable("decodeview");
|
|
+ char *p;
|
|
char buf[1000];
|
|
int len;
|
|
struct message_info info = zero_info;
|
|
@@ -1028,6 +1043,13 @@
|
|
|
|
sprintf(buf,"%s %s", lp_decoder(), name);
|
|
|
|
+ p = buf;
|
|
+ while (*p) {
|
|
+ if (!isalnum(*p) && !strchr(";_|=+ &^#@!(){}[].",*p))
|
|
+ fatal("invalid character in expression");
|
|
+ p++;
|
|
+ }
|
|
+
|
|
printf("<hr>\n");
|
|
|
|
f = popen(buf,"r");
|
|
@@ -1271,8 +1293,13 @@
|
|
}
|
|
|
|
smtp_write_data(fd, body);
|
|
- if (sig)
|
|
+ if(nolastnl(body))
|
|
+ smtp_write(fd, "\n");
|
|
+ if (sig) {
|
|
smtp_write_data(fd, sig);
|
|
+ if(nolastnl(sig))
|
|
+ smtp_write(fd, "\n");
|
|
+ }
|
|
if (smtp_end_mail(fd) == -1)
|
|
fatal(smtp_error());
|
|
}
|
|
@@ -1392,8 +1419,13 @@
|
|
if (cc && *cc)
|
|
fprintf(f,"CC: %s\n", cc);
|
|
fprintf(f,"\n%s", body);
|
|
- if (addsignature && signature)
|
|
+ if(nolastnl(body))
|
|
+ fprintf(f, "\n");
|
|
+ if (addsignature && signature) {
|
|
fprintf(f,"%s", signature);
|
|
+ if(nolastnl(signature))
|
|
+ fprintf(f, "\n");
|
|
+ }
|
|
fclose(f);
|
|
close(fd);
|
|
|
|
@@ -2179,6 +2211,7 @@
|
|
int len;
|
|
char buf[1000];
|
|
char *decode = cgi_variable("decode");
|
|
+ char *p;
|
|
|
|
if (guest && !lp_guest_download()) {
|
|
fatal("guest download has been disabled\n");
|
|
@@ -2199,6 +2232,13 @@
|
|
if (decode) {
|
|
sprintf(buf,"%s %s", lp_decoder(), fname);
|
|
|
|
+ p = buf;
|
|
+ while (*p) {
|
|
+ if (!isalnum(*p) && !strchr(";_|=+ &^#@!(){}[].",*p))
|
|
+ fatal("invalid character in expression");
|
|
+ p++;
|
|
+ }
|
|
+
|
|
f = popen(buf,"r");
|
|
} else {
|
|
f = fopen(fname,"r");
|
|
@@ -2208,7 +2248,7 @@
|
|
fatal("unable to open file");
|
|
}
|
|
|
|
- printf("Content-Type: application/octet-stream\n");
|
|
+ printf("Content-Type: message/rfc822\n");
|
|
if (gzip_encoding || lp_gzip_download()) {
|
|
printf("\n");
|
|
cgi_start_gzip();
|