
CVS: mhonarc/MHonArc/lib mhamain.pl,2.46,2.47 mhidxrc.pl,2.11,2.12 mhinit.p...

2002-09-03 21:09:39
Update of /cvsroot/mhonarc/mhonarc/MHonArc/lib
In directory subversions:/tmp/cvs-serv7466/lib

Modified Files:
	mhamain.pl mhidxrc.pl mhinit.pl mhopt.pl mhtxthtml.pl 
Log Message:
* Strip more tags and attributes that could potentially be used for
  XSS exploits in the HTML filter.  This is more of a preemptive
  change since no new exploits have been reported.

* DATEFIELDS resource now supports indexed field names.  For example:

    <DateFields>
    received[1]:received[0]:date
    </DateFields>

  The example says that mhonarc should check the second received
  field, then the first received field, and then the first date field
  to determine the date of a message.


Index: mhamain.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhamain.pl,v
retrieving revision 2.46
retrieving revision 2.47
diff -C2 -r2.46 -r2.47
*** mhamain.pl	4 Aug 2002 03:47:06 -0000	2.46
--- mhamain.pl	4 Sep 2002 04:09:30 -0000	2.47
***************
*** 8,12 ****
  ##---------------------------------------------------------------------------##
  ##    MHonArc -- Internet mail-to-HTML converter
! ##    Copyright (C) 1995-2001	Earl Hood, mhonarc(_at_)mhonarc(_dot_)org
  ##
  ##    This program is free software; you can redistribute it and/or modify
--- 8,12 ----
  ##---------------------------------------------------------------------------##
  ##    MHonArc -- Internet mail-to-HTML converter
! ##    Copyright (C) 1995-2002	Earl Hood, mhonarc(_at_)mhonarc(_dot_)org
  ##
  ##    This program is free software; you can redistribute it and/or modify
***************
*** 30,34 ****
  require 5;
  
! $VERSION = "2.5.11";
  $VINFO =<<EndOfInfo;
    MHonArc v$VERSION (Perl $] $^O)
--- 30,34 ----
  require 5;
  
! $VERSION = '2.5.12';
  $VINFO =<<EndOfInfo;
    MHonArc v$VERSION (Perl $] $^O)
***************
*** 719,723 ****
  sub read_mail_header {
      my $handle = shift;
!     my($index, $date, $tmp);
      my($from, $sub, $msgid, $ctype);
      local($_);
--- 719,723 ----
  sub read_mail_header {
      my $handle = shift;
!     my($index, $date, $tmp, $i, $field, $value);
      my($from, $sub, $msgid, $ctype);
      local($_);
***************
*** 782,795 ****
      ##----------##
      $date = "";
!     foreach (@DateFields) {
! 	next  unless defined($fields->{$_});
  
  	## Treat received field specially
! 	if ($_ eq 'received') {
! 	    @array = split(/;/, $fields->{$_}[0]);
  	    $date = pop @array;
  	## Any other field should just be a date
  	} else {
! 	    $date = $fields->{$_}[0];
  	}
  	$date =~ s/^\s+//;  $date =~ s/\s+$//;
--- 782,802 ----
      ##----------##
      $date = "";
!     foreach (@_DateFields) {
! 	($field, $i) = @{$_}[0,1];
! 	next  unless defined($fields->{$field}) &&
! 		     defined($value = $fields->{$field}[$i]);
  
  	## Treat received field specially
! 	if ($field eq 'received') {
! 	    @array = split(/;/, $value);
! 	    if ((scalar(@array) <= 1) || (scalar(@array) > 2)) {
! 		warn qq/\nWarning: Received header field looks improper:\n/,
! 		       qq/         Received: $value\n/,
! 		       qq/         Message-Id: <$msgid>\n/;
! 	    }
  	    $date = pop @array;
  	## Any other field should just be a date
  	} else {
! 	    $date = $value;
  	}
  	$date =~ s/^\s+//;  $date =~ s/\s+$//;
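Review bot: The new Received-header check is written as two comparisons, `(scalar(@array) <= 1) || (scalar(@array) > 2)`, which together only say that the split did not yield exactly two parts; `if (@array != 2) {` states that intent directly. The warning it emits interpolates `$value` and `$msgid` straight from the incoming message into stderr, so a header containing control or escape bytes is reproduced verbatim in whatever log captures the run; copying and scrubbing the value for display, `(my $shown = $value) =~ s/[\x00-\x1f\x7f]/?/g;`, keeps the diagnostic readable without touching what is parsed. `@array` is also still a package variable, even though `$i`, `$field` and `$value` were added as lexicals at the top of the sub in the previous hunk; `my @array = split(/;/, $value);` would make the loop self-contained. read_mail_header continues outside this hunk.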

Index: mhidxrc.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhidxrc.pl,v
retrieving revision 2.11
retrieving revision 2.12
diff -C2 -r2.11 -r2.12
*** mhidxrc.pl	23 Nov 2001 20:42:39 -0000	2.11
--- mhidxrc.pl	4 Sep 2002 04:09:30 -0000	2.12
***************
*** 362,367 ****
  
  unless (@DateFields) {
!     @DateFields = ('received', 'date');
      $IsDefault{'DATEFIELDS'} = 1;
  }
  unless (@FromFields) {
--- 362,380 ----
  
  unless (@DateFields) {
!     @DateFields  = ('received', 'date');
!     @_DateFields = ( ['received',0], ['date',0] );
      $IsDefault{'DATEFIELDS'} = 1;
+ } else {
+     local($_);
+     my $f;
+     foreach (@DateFields) {
+ 	s/\s//g;  tr/A-Z/a-z/;
+ 	$f = $_;
+ 	if ($f =~ s/\[(\d+)\]//) {
+ 	    push(@_DateFields, [ $f, $1 ]);
+ 	} else {
+ 	    push(@_DateFields, [ $f, 0 ]);
+ 	}
+     }
  }
  unless (@FromFields) {
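Review bot: The `else` branch pushes onto `@_DateFields` without clearing it first, so if this resource-finalisation code can run more than once in a process (mhinit.pl initialises the list to empty in this same commit, but nothing here resets it) the parsed list accumulates duplicate entries; `@_DateFields = ();` at the top of the branch makes it idempotent. The index capture `s/\[(\d+)\]//` is unanchored, so `[n]` is accepted anywhere inside an entry and whatever remains is used as the field name; anchoring it to the end, `if ($f =~ s/\[(\d+)\]\z//) {`, ties the index to the `received[1]` syntax described in the log message and makes a misplaced bracket fall through to the plain-name case. Since the element shape is now relied on by read_mail_header, a one-line comment above the loop, `# @_DateFields holds one [field_name, index] pair per DATEFIELDS entry`, would save the next reader a cross-file lookup.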

Index: mhinit.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhinit.pl,v
retrieving revision 2.36
retrieving revision 2.37
diff -C2 -r2.36 -r2.37
*** mhinit.pl	27 Jul 2002 05:13:13 -0000	2.36
--- mhinit.pl	4 Sep 2002 04:09:30 -0000	2.37
***************
*** 399,402 ****
--- 399,405 ----
  		    split(/:/, $ENV{'M2H_FROMFIELDS'}) : ();
  
+ # Version of @Datefiles in parsed format
+ @_DateFields = ( );
+ 
  ($TSliceNBefore, $TSliceNAfter, $TSliceInclusive) =
      defined($ENV{'M2H_TSLICE'}) ?
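Review bot: The new comment refers to `@Datefiles`, but the variable being initialised is `@_DateFields`, the parsed form of `@DateFields`; a reader grepping for either real name will not find it. It would also help to state the element shape the rest of this commit depends on, e.g. `# Parsed form of @DateFields: one [field_name, index] pair per entry, populated in mhidxrc.pl`.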

Index: mhopt.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhopt.pl,v
retrieving revision 2.30
retrieving revision 2.31
diff -C2 -r2.30 -r2.31
*** mhopt.pl	27 Jul 2002 05:13:13 -0000	2.30
--- mhopt.pl	4 Sep 2002 04:09:30 -0000	2.31
***************
*** 570,576 ****
      $MAIN = 0  if $IDXONLY && $THREAD;
  
!     @DateFields	 = split(/:/, $opt{'datefields'})  if $opt{'datefields'};
!     foreach (@DateFields) { s/\s//g; tr/A-Z/a-z/; }
!     @FromFields	 = split(/:/, $opt{'fromfields'})  if $opt{'fromfields'};
      foreach (@FromFields) { s/\s//g; tr/A-Z/a-z/; }
  
--- 570,575 ----
      $MAIN = 0  if $IDXONLY && $THREAD;
  
!     @DateFields	 = split(/[:;]/, $opt{'datefields'})  if $opt{'datefields'};
!     @FromFields	 = split(/[:;]/, $opt{'fromfields'})  if $opt{'fromfields'};
      foreach (@FromFields) { s/\s//g; tr/A-Z/a-z/; }
  

Index: mhtxthtml.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhtxthtml.pl,v
retrieving revision 2.20
retrieving revision 2.21
diff -C2 -r2.20 -r2.21
*** mhtxthtml.pl	24 Dec 2001 13:10:33 -0000	2.20
--- mhtxthtml.pl	4 Sep 2002 04:09:30 -0000	2.21
***************
*** 38,53 ****
  # Script related attributes
  my $SAttr = q/\b(?:onload|onunload|onclick|ondblclick|/.
! 	    q/onmouse(?:down|up|over|move|out)|/.
! 	    q/onkey(?:press|down|up))\b/;
  # Script/questionable related elements
! my $SElem = q/\b(?:applet|base|embed|form|ilayer|input|layer|link|meta|object|/.
! 	    q/option|param|select|textarea)\b/;
  
  # Elements with auto-loaded URL attributes
  my $AElem = q/\b(?:img|body|iframe|frame|object|script|input)\b/;
- 	    # XXX: What about INS, DEL?
  # URL attributes
! my $UAttr = q/\b(?:href|src|background|classid|data|longdesc)\b/;
! 	    # XXX: What about codebase, usemap?
  
  ##---------------------------------------------------------------------------
--- 38,52 ----
  # Script related attributes
  my $SAttr = q/\b(?:onload|onunload|onclick|ondblclick|/.
! 	         q/onmouse(?:down|up|over|move|out)|/.
! 	         q/onkey(?:press|down|up)|style)\b/;
  # Script/questionable related elements
! my $SElem = q/\b(?:applet|base|embed|form|ilayer|input|layer|link|meta|/.
! 	         q/object|option|param|select|textarea)\b/;
  
  # Elements with auto-loaded URL attributes
  my $AElem = q/\b(?:img|body|iframe|frame|object|script|input)\b/;
  # URL attributes
! my $UAttr = q/\b(?:action|background|cite|classid|codebase|data|datasrc|/.
! 	         q/dynsrc|for|href|longdesc|profile|src|url|usemap)\b/;
  
  ##---------------------------------------------------------------------------
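Review bot: `$SAttr` is still an enumerated deny-list of event-handler names, and adding `style` does not change that: any handler attribute not in the list (HTML 4 defines several more, such as onfocus, onblur, onchange, onsubmit and onerror) passes the filter untouched. Every handler attribute shares the `on` prefix, so a catch-all pattern is both shorter and more complete: `my $SAttr = q/\b(?:on\w+|style)\b/;`. `$SElem` likewise names questionable elements individually but does not include `style` or `script`; if those are stripped by other code in this file outside the hunk, a comment here saying so would stop the next reader from re-raising it, otherwise they belong in the list.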
